"A decade of enumeration attacks in WhatsApp and other recurring vulnerability patterns in mobile apps" was the title of a talk by Sebastian Schrittwieser and David Schmidt (both CD Lab AsTra).
Abstract
Over the past 15 years, we have repeatedly analyzed popular mobile messengers and widely deployed mobile applications. Despite changes in platforms, development frameworks, and threat models, a striking pattern persists: the same classes of security vulnerabilities continue to reappear. While implementations evolve, the underlying attack principles remain largely unchanged. This talk presents a longitudinal view on mobile app security, with a particular focus on enumeration attacks in mobile messengers. We first analyzed such attacks in 2011 and revisited them in 2025. Our recent analysis shows that the same fundamental attacks are still feasible today. In fact, the situation has worsened: modern platforms expose a much larger attack surface due to richer APIs, a much larger user base, and complex backend ecosystems that have grown substantially over time.