How can application like Whatsdog detect user online status from Whatsapp?
It's actually by an undocumented API from whatsapp and you can communicate over Websockets to get the online status of people.
This article will show you how it is done and even provide a PoC for it to run in your own browser. So this PoC can be modified to be a PC application or a smartphone app.
Appreciate your answer Nico , if you are aware about current situation , _Because of Change in Server Structure of Whatsapp , Whatsdog is no longer be active_ . So my doubt is . If they were using this mechanism to retrieve user data , then Application should have to work now. because The method mentioned in link is still usable .
Then I don't know what mechanism they are/were using. But it seems that you could rework this PoC to an WhatsDog 2 app. The technology behind it is pretty simple and explanatory itself. While googling I also read somewhere that WhatsDog is a web application so they probably used the some similar technology.
While Whatsapp or Facebook Messenger don't provide an official API for online status, it's often easy to use their unofficial i.e internal API to determine it. I can't speak for Whatsapp as I'm not a user or much less familiar with their internal API, but I have played around with this in Messenger. The conceptual difference is negligible for any app that provides an online status feature so I'm going to use Facebook's Messenger as an example since I'm more familiar with it.
Here's a (comically written) blog post explaining how it's done with Facebook. If you don't feel like reading it and digging into the technical details or reading the whole thing, I'll provide a brief summary of how it works here.
On Facebook Messenger, there's a little green dot displayed beside their name which indicates that they're online, right? Just like this:
Well, the state of that dot, or rather the data that indicates their status, is fetched by an undocumented or unofficial API. That is, an API used internally which isn't intended to be used by anyone but facebook developers and thus holds no promises and will break all the time if you try to use it. That's aside the point though. The point is that there's a request that periodically goes out (i.e polled) which gives you the online status of your friends. If you poll it over time, you'll be able to tell when a user transitions from offline -> online or vice versa.
Third party applications use these APIs and poll them just as the official application does. They then, well, do whatever they want with that data. Be it logging it to graph their usage patterns, notifying you when they're online, you name it!
If this answer doesn't sate your curiosity, I encourage you to read the article I linked above. It's informative, engaging, funny, and(!) has a github repo which allows you to try it out yourself.
Shoot! You're right. I didn't link it. Edited my answer but here's the link to save you the search https://defaultnamehere.tumblr.com/post/139351766005/graphing-when-your-facebook-friends-are-awake
thank you for your answer . but my confusion is, facebook is a online website so you can run your script and get particular output from it . but whatsapp case is different . we can't connect phone 24 x 7 in web whatsapp and run our script . So there might be some mechanism that i'm not aware about .
A mobile app isn't all that different than a web app. Whatsapp is still using an API that "answers the question" of "who of my friends are online?" I am a little confused by what you're not understanding. If it's a webapp we can examine the requests going out and look for the one that's giving us data on who's online and who's not. When we find that endpoint, we just make our own calls to it. The only difference with a mobile app is that it's a little harder to examine those requests but with a tool like charles proxy or MitM Proxy it's a breeze.
As Nico says they are using a WhatsApp API. The WhatsApp client is capable of checking if your contacts are online or not - meaning there has to be some way to do it.
It is easy enough for someone decompile the code or MitM their own connections to read what the application is doing. The only added risk over a pubished API is you have no obligation to notify other parties before you change or remove it.
You should never trust secrets to a client device!