WhatsApp and Signal have long been considered secure messaging platforms, but their delivery receipt mechanisms still leak subtle timing information. device-activity-tracker exploits this by sending carefully crafted probe messages and measuring the round-trip time (RTT) to classify a target device’s state as online, standby, or offline. This approach reveals a real privacy vulnerability that remains exploitable as of late 2025.
What device-activity-tracker does and how it works
device-activity-tracker is a security research tool implemented in TypeScript. It targets WhatsApp and Signal by exploiting a timing side-channel in their delivery receipt protocols. The core idea is to send probe messages—specifically, delete requests or reactions to non-existent message IDs—and measure the RTT until the client acknowledgment (CLIENT ACK) is received.
Under the hood, this RTT measurement reflects the target device’s responsiveness and network state, allowing classification into online (active), standby (background or low power), or offline states. The tool dynamically computes a threshold based on 90% of the rolling median RTT to adapt to varying network conditions, making the classification more robust.
The repo leverages the @whiskeysockets/baileys library to interact with the WhatsApp protocol programmatically. For visualization, it uses a React frontend to display real-time device activity status, which helps researchers monitor the side-channel effects live.
This repo is based on academic research from the University of Vienna and SBA Research published in 2024, demonstrating a practical exploitation of a privacy vulnerability long theorized but not openly implemented in a public tool.
Technical strengths and the tradeoffs
The standout feature of this project is its clever use of the delivery receipt timing side-channel. Unlike classical message interception or metadata analysis, this approach uses legitimate protocol features in an unexpected way.
The code quality is pragmatic and focused on research utility rather than production readiness. TypeScript provides type safety for the asynchronous protocol interactions, while @whiskeysockets/baileys handles the low-level WhatsApp communication reliably.
The dynamic threshold algorithm (90% of median RTT) to classify device states is a neat heuristic that adapts to network jitter and latency fluctuations. This reduces false positives and makes the side-channel attack more effective in real-world conditions.
However, the tradeoff is that this method depends heavily on timing accuracy and network stability. In noisy or high-latency networks, the device state classification may degrade. Additionally, it requires a WhatsApp account and the ability to send probe messages, which limits stealth and scale.
The React frontend is minimal but functional, providing a clear view of device state changes over time. While it doesn’t aim for a polished UX, it serves well for researchers needing real-time feedback.
Quick start
The repo includes straightforward setup instructions for users familiar with Node.js environments.
# Install dependencies
npm install
cd client && npm install && cd ..
Requirements: Node.js 20+, npm, WhatsApp account
Docker (Recommended)
The easiest way to run the application is using Docker:
# (Docker commands are mentioned but missing details in the README excerpt, so omitted here)
Manual Setup
Web Interface
# (No explicit commands provided in the README excerpt for manual setup of the web interface)
This means your best bet is installing dependencies with npm as shown and running the backend and frontend separately or together per the repo documentation.
Verdict
device-activity-tracker is a solid proof-of-concept that brings academic research on timing side-channels in messaging apps into practical form. It is relevant for security researchers, privacy advocates, and anyone interested in the nuanced attack surfaces of encrypted messaging protocols.
The approach trades off stealth and scalability for clarity and reproducibility, making it unsuitable for large-scale surveillance but perfect for controlled experiments. The dynamic threshold algorithm is the key technical insight here, balancing accuracy with real-world network variability.
Limitations include its dependency on network conditions and the need for an actual WhatsApp account to send probe messages, which may limit adoption outside research contexts.
Overall, this repo is worth understanding if you care about messaging privacy or want to study timing side-channels. The code is surprisingly clean for a research tool, and the real-time React frontend adds useful visibility into the attack’s effects.
→ GitHub Repo: gommzystudio/device-activity-tracker ⭐ 4,937 · TypeScript