Over the past years, my dissertation research focused on one central question: how can we independently measure and evaluate the security and privacy of modern mobile communication systems?

At first glance, this may sound like a narrow technical problem. In practice, however, it quickly became clear that today's communication ecosystem is no longer confined to "the cellular network". Communication now spans multiple layers: the radio access network, Internet-based operator services such as Voice-over-Wi-Fi (VoWiFi), and increasingly dominant over-the-top (OTT) messaging platforms like WhatsApp or Signal.

As part of my dissertation, I therefore approached the ecosystem from several different vantage points. I investigated security and privacy issues at the radio layer, analyzed Internet-facing VoWiFi deployments, and finally examined large-scale OTT messaging infrastructures. Together, these perspectives revealed a broader pattern: modern communication has become deeply centralized, and weaknesses in one layer increasingly affect all the others.

The final piece of this puzzle was our most recent work, accepted at NDSS 2026: "Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy". Beyond the paper itself, the research also received broad international media attention, including coverage in WIRED.

Looking Beyond the Cellular Network

Historically, cellular operators controlled large parts of the communication stack: voice calls, SMS, signaling infrastructure, billing, and identity management. Today, however, a substantial share of communication happens through OTT platforms that bypass traditional operator-controlled channels entirely.

From a user perspective, this transition feels natural. Messaging apps are convenient, globally available, and feature-rich. But from a security and resilience perspective, the shift has profound implications.

In my earlier work, I showed how VoWiFi deployments inherited Internet-style problems such as weak cryptographic configurations and key reuse across operators. Later, I investigated metadata leaks in instant messengers and weaknesses in WhatsApp's end-to-end encryption bootstrapping. These studies already suggested that communication systems are no longer isolated layers; instead, they form a tightly interconnected ecosystem.

The current WhatsApp enumeration paper pushes this realization even further.

Enumerating a Global Communication Platform

WhatsApp relies on phone numbers as its global identity layer. To support contact discovery, the service must answer a seemingly simple question: is this phone number registered on WhatsApp?

Our work shows that this mechanism can be abused at enormous scale.

Using WhatsApp's XMPP API, we were able to enumerate roughly 3.5 billion active WhatsApp accounts and collect associated metadata such as device information, profile details, and cryptographic key material. Importantly, this was possible without bypassing authentication or exploiting software vulnerabilities in the traditional sense. Instead, the issue emerged from the combination of massive centralization, globally unique identifiers (phone numbers), and insufficient abuse prevention.

The implications go far beyond a single messaging app.

Phone numbers are deeply tied to the cellular ecosystem. They are not anonymous usernames; they are globally routable identifiers linked to subscribers, SIM cards, billing relationships, and national numbering plans. If a single OTT platform allows large-scale discovery of active phone numbers, this effectively creates an Internet-scale visibility layer for the mobile ecosystem itself.

In other words: weaknesses at the OTT layer feed back into the cellular layer.

This illustrates why analyzing only the radio network or operator infrastructure is no longer sufficient. A realistic security evaluation of modern communication systems must include OTT platforms as first-class components of the ecosystem.

The Problem of Centralization

A recurring theme throughout my dissertation was centralization.

At the radio layer, roaming agreements and global dependencies create tightly interconnected infrastructures. In VoWiFi deployments, operators often rely on shared vendors and identical configurations across continents. At the OTT layer, however, centralization becomes even more extreme: billions of users depend on only a handful of globally dominant platforms. This trend is reinforced by the classic network effect: a messenger is only valuable if it can reach one's social circle. Once a platform achieves global dominance, users become effectively locked in, regardless of privacy concerns or technical shortcomings. This creates a natural tendency toward monopolization, making it extremely difficult for smaller, privacy-focused, or decentralized alternatives to gain adoption.

This concentration creates systemic risks.

A design decision, deployment mistake, or privacy weakness in one centralized platform can immediately affect a significant fraction of the world's population. The WhatsApp enumeration study demonstrates this very clearly. The issue was not confined to one country, one operator, or one deployment. Instead, it affected a globally centralized communication service used by billions of people.

At the same time, centralization reduces transparency. Researchers, regulators, and users increasingly depend on black-box systems operated by a small number of private (and often US-owned) companies. Independent measurements and auditing therefore become more important than ever.

Why Alternative Paths Matter

One of the broader lessons from this research is that communication diversity matters.

Technologies such as VoWiFi or Rich Communication Services (RCS) show that there are alternatives to fully centralized OTT ecosystems. While these technologies also have their own security challenges, they are at least based on interoperable standards and a more distributed operational model.

This does not mean that operators or standardized technologies are automatically secure. My earlier work on VoWiFi clearly demonstrated that this is not the case. However, excessive centralization introduces an additional category of risk: single points of failure that operate at Internet scale.

As communication increasingly moves online, we therefore need to think not only about cryptography and protocol correctness, but also about ecosystem structure, concentration of power, and resilience.

Closing a Dissertation, Opening New Questions

Defending my dissertation marked the end of several years spent measuring and analyzing communication systems from many different angles. The work ranged from geographically distributed cellular measurements to Internet-wide VoWiFi scans and large-scale analyses of OTT messaging infrastructures.

Looking back, the most important takeaway is perhaps not a single vulnerability or attack technique, but a broader observation: the boundaries between telecommunications and Internet platforms are disappearing.

Cellular networks, Internet infrastructure, and OTT platforms now form one deeply interconnected communication ecosystem. Understanding its security and privacy properties requires looking across all of these layers simultaneously.

The future of communication will likely become even more Internet-centric and centralized. Whether this future will also remain resilient, transparent, and privacy-preserving depends on how seriously we take the risks emerging from this convergence.

References:

[1] Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (Gegenhuber et al., NDSS 2026): https://arxiv.org/abs/2511.20252

[2] WhatsApp Enumeration Artifacts and Statistics: https://github.com/sbaresearch/whatsapp-census

[3] Democratizing Measurement of Critical Mobile Infrastructure: Security and Privacy in an Increasingly Centralized Communication Ecosystem (Doctoral Dissertation, University of Vienna, 2026): https://arxiv.org/abs/2605.10812