
Netskope Global Technical Success (GTS)

Use Case - Implementing Steering bypass for WhatsApp's native agent traffic on the Android platform

 

Netskope Cloud Version - 117

 

Objective

Create a Certificate Pinned Application for the WhatsApp Android native agent and add it to the Netskope Client steering configuration.

 

Prerequisite

Netskope CASB Inline/SWG license is required

 

Context

How can WhatsApp traffic from Android devices be excluded from routing through Netskope?

 

Details

WhatsApp is a certificate-pinned app: it does not accept the certificate substituted during TLS inspection, so its traffic can be excluded (bypassed) in the steering configuration on Android devices.

 

Lab Recreate

Step 1 - Click on New Certificate Pinned App

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> App Definition


 

Step 2 - Add the required details

Name - [WhatsApp]

Platform - Android

Definition - com.whatsapp, com.whatsapp.w4b

 

Note - The process names for WhatsApp on the Android platform are com.whatsapp and com.whatsapp.w4b.

 


 

Step 3 - Add Certificate Pinned Application steering exception

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering Configuration >>> Exceptions >>> Certificate Pinned Application


 

Step 4 - Add the required details

Certificate Pinned Application - [WhatsApp]

Custom App Domains - There are two options:

Option A - List all the domains that the processes com.whatsapp and com.whatsapp.w4b try to connect to

Option B - Or add a single * (wildcard) entry

Select - Bypass


 

Question - How can I determine all the domains that the processes com.whatsapp and com.whatsapp.w4b are attempting to connect to?

Answer

Netskope Client logs

File name - nsdebuglog.log

 


 

Based on my research, I've identified the following domains related to com.whatsapp and com.whatsapp.w4b. However, please note that this list may not be complete, so you might consider 'Option B'.

whatsapp.com, whatsapp.net, wa.me, mmg.whatsapp.net, static.whatsapp.net, media-gig4-1.cdn.whatsapp.net, media-gru1-2.cdn.whatsapp.net, dit.whatsapp.net, c.whatsapp.net, media-lim1-1.cdn.whatsapp.net, graph.whatsapp.com, g.whatsapp.net, g-fallback.whatsapp.net, mmx-ds.cdn.whatsapp.net, media-mia3-1.cdn.whatsapp.net, media.feoh1-1.fna.whatsapp.net, media-bog2-1.cdn.whatsapp.net, media-gru1-1.cdn.whatsapp.net, scontent.whatsapp.net
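
For Option A, the following Python script is an added example (not part of the original article and not Netskope tooling). It collects the hostnames that appear on log lines mentioning com.whatsapp or com.whatsapp.w4b and lists those missing from the Custom App Domains above, using exact string comparison. The sample lines are constructed and their layout is an assumption, not the real nsdebuglog.log format; the function names are hypothetical.

```python
import re

PACKAGES = ("com.whatsapp", "com.whatsapp.w4b")  # from the App Definition step

# Custom App Domains list from the article (duplicate entry removed).
CONFIGURED = set("""whatsapp.com whatsapp.net wa.me mmg.whatsapp.net static.whatsapp.net
media-gig4-1.cdn.whatsapp.net media-gru1-2.cdn.whatsapp.net dit.whatsapp.net c.whatsapp.net
media-lim1-1.cdn.whatsapp.net graph.whatsapp.com g.whatsapp.net g-fallback.whatsapp.net
mmx-ds.cdn.whatsapp.net media-mia3-1.cdn.whatsapp.net media.feoh1-1.fna.whatsapp.net
media-bog2-1.cdn.whatsapp.net media-gru1-1.cdn.whatsapp.net scontent.whatsapp.net""".split())

# Constructed lines: this layout is invented for the example and is NOT the
# real nsdebuglog.log format. The media-test1-1 host, example.com and
# 192.0.2.10 are placeholder values.
SAMPLE_LOG = """\
10:00:01 [constructed] proc=com.whatsapp dst=g.whatsapp.net:443
10:00:02 [constructed] proc=com.android.chrome dst=example.com:443
10:00:03 [constructed] proc=com.whatsapp.w4b dst=Media-Test1-1.cdn.whatsapp.net:443
10:00:04 [constructed] proc=com.whatsapp dst=192.0.2.10:443
10:00:05 [constructed] proc=com.whatsapp dst=g.whatsapp.net:5222
"""

# Dotted name ending in an alphabetic TLD, so bare IP addresses are skipped.
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])")

def observed_hosts(log_text, packages=PACKAGES):
    """Hostnames found on lines that mention one of the packages."""
    pkg_re = re.compile(r"(?<![\w.-])(?:%s)(?![\w.-])" % "|".join(
        re.escape(p) for p in sorted(packages, key=len, reverse=True)))
    hosts = set()
    for line in log_text.lower().splitlines():
        if pkg_re.search(line):
            # Blank out the package names so they are not read as hostnames.
            hosts.update(HOST_RE.findall(pkg_re.sub(" ", line)))
    return hosts

def not_configured(log_text, configured=CONFIGURED):
    """Observed hosts absent from the exception's domain list (exact match)."""
    return sorted(observed_hosts(log_text) - configured)

if __name__ == "__main__":
    for host in not_configured(SAMPLE_LOG):
        print(host)
```

Adjust the line filter and hostname pattern to the layout of the log collected from the device before relying on the output.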

 

Step 5 - Please ensure that the Netskope Client on your Android device retrieves any pending Netskope Client agent updates before starting any testing

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • Netskope Engineering is continuously working on product enhancements. In the future, additional controls may become available to address some of the limitations mentioned earlier. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.