Can Your Company Spy on WeChat Chats? Protocol Analysis Reveals the Truth
This article examines whether a company can monitor WeChat conversations on its network by dissecting the protocols of the web and mobile versions. It shows that an intercepting proxy such as Fiddler can decrypt web-version chats, while the mobile app's traffic stays opaque even to Wireshark, because it uses a private protocol with the server's public keys embedded in the client.
Recently a friend asked whether a company can see the content of WeChat chats when using the corporate network.
In short, WeChat uses private protocols that appear as long byte streams in protocol analysis tools, making it difficult to interpret without deeper inspection.
Web Version of WeChat
Protocol Analysis Result
Protocol analysis software can extract and decrypt the chat content, as shown in the captured screenshots.
Real Chat Content
Exactly the same!
Experiment Conclusion
Protocol analysis software can decrypt the chat messages.
Experiment Analysis
The web version communicates via standard browsers (Chrome, Firefox, IE), which use standard protocols that can be decoded.
When SSL/TLS encryption is present, Fiddler acts as a man‑in‑the‑middle, presenting a forged certificate to the browser, establishing an SSL/TLS tunnel with the client, then another tunnel with the WeChat server, decrypting and re‑encrypting the traffic.
Browser establishes SSL/TLS tunnel with Fiddler
Fiddler establishes SSL/TLS tunnel with WeChat server
Fiddler acts as a relay, decrypting then re‑encrypting messages
Fiddler must forge the server certificate
Computer must install and trust Fiddler’s self‑signed root certificate
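Why the last two steps matter is easy to show with Go's standard library. The following is an added example, not code from the article: it builds a self-signed "real" root and a leaf certificate for a constructed hostname, then a second self-signed root standing in for a local proxy's root (the Fiddler case above) and a forged leaf for the same hostname. Plain chain validation, which is what a browser does, accepts the forged leaf as soon as the proxy root is in the trust store; a client that pins the genuine server's public-key hash rejects it no matter what roots are installed. Every key, name and hostname here is generated on the spot and belongs to neither WeChat nor any real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name. With parent == nil it is a self-signed root;
// otherwise it is signed by parent with parentKey. All material is constructed here.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // hostname check needs a SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root: template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainValid is the browser's check: does leaf chain to a root in the trust store?
func chainValid(leaf, trustedRoot *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// spkiPin is SHA-256 over the SubjectPublicKeyInfo, the value a pinning client embeds.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// Outcome records how a forged certificate fares under each trust model.
type Outcome struct {
	ForgedUnderRealRoot  bool // client trusts only the real root
	ForgedUnderProxyRoot bool // client has the proxy's root installed (the Fiddler setup)
	ForgedMatchesPin     bool // client pins the real server's public key
	RealMatchesPin       bool // sanity check: the genuine leaf does match the pin
}

func Scenario() Outcome {
	const host = "chat.example.test" // constructed hostname, not a real endpoint
	realRoot, realRootKey := issue("Real Root CA", true, nil, nil)
	realLeaf, _ := issue(host, false, realRoot, realRootKey)
	proxyRoot, proxyRootKey := issue("Local Proxy Root", true, nil, nil)
	forgedLeaf, _ := issue(host, false, proxyRoot, proxyRootKey) // same name, different key
	pin := spkiPin(realLeaf)
	return Outcome{
		ForgedUnderRealRoot:  chainValid(forgedLeaf, realRoot, host),
		ForgedUnderProxyRoot: chainValid(forgedLeaf, proxyRoot, host),
		ForgedMatchesPin:     spkiPin(forgedLeaf) == pin,
		RealMatchesPin:       spkiPin(realLeaf) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The two middle fields are the whole story of the web version: chain validation is only as strong as the trust store, and installing a proxy root is exactly what makes the forged certificate pass. The pin comparison is what a client has to do on top of chain validation if it wants to notice the substitution.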
Mobile Version of WeChat
Protocol Analysis Result
Through the proxy, the mobile app's traffic shows up as plain HTTP rather than HTTPS (TLS + HTTP).
Each packet looks like this:
The HTTP header is plaintext, while the HTTP body appears as a chaotic byte stream.
No chat content is found, and Fiddler shows no response when a message is sent.
This suggests the message packets are not HTTP/HTTPS but likely raw TCP or UDP.
Official confirmation from WeChat R&D indicates TCP transport with two connection types:
Long connection: TCP + private protocol + MMTLS + business layer
Short connection: TCP + HTTP + MMTLS + business layer
Short connections exist for compatibility with older versions; long connections are fully private, so Fiddler cannot capture them because it only handles HTTP/HTTPS.
Wireshark can capture the TCP packets of the long connection, but the payload after the TCP header is unintelligible.
MMTLS Explained
MMTLS is a simplified version of TLS 1.3 that removes client authentication, keeping only server authentication.
ECDSA Public Key
ECDSA is used to verify the server’s identity; any MMTLS handshake signed with the server’s private key can be verified with the embedded ECDSA public key, proving the message originates from the genuine WeChat server.
The client authenticates the server without a CA, using the pre‑installed ECDSA public key.
Static ECDH Public Key
For zero-RTT (0 RTT) messaging, the client generates its own ECDH key pair and a nonce, combines them with the server's pre-installed nonce, and can compute the pre-master, master, and session keys locally, so it encrypts the message immediately.
The server receives the client’s ECDH public key and nonce, uses its own ECDH private key and the stored nonce to compute the same session key and decrypt the message.
MMTLS therefore adds no handshake round trip before the first message; communication is 0 RTT.
Because the client forces the use of the server’s ECDSA public key, Fiddler cannot impersonate the server; if forced, the client will drop the connection, making WeChat unusable.
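The key agreement and the identity check described above can be exercised end to end with Go's standard library. The following is an added example, not the article's or WeChat's code: the server's ECDSA key, static ECDH key and pre-installed nonce are generated at start-up as stand-ins for the material compiled into the real client; the key derivation is an HKDF-style extract-and-expand, which is an assumption since the page does not describe the actual MMTLS KDF; and the first-flight message is AES-GCM. The client encrypts before hearing anything back, the server recovers the same key from its static private key, and a handshake signed by any key other than the embedded one fails verification, which is the case the text describes for a proxy trying to stand in for the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ServerKeys is the server's long-term material. The client ships with the two public
// halves plus the nonce; here everything is generated at start-up (constructed stand-ins).
type ServerKeys struct {
	Sign     *ecdsa.PrivateKey // ECDSA: proves the server's identity
	StaticDH *ecdh.PrivateKey  // static ECDH: lets the client derive a key with no round trip
	Nonce    []byte            // pre-installed server nonce
}

// ClientHello is the whole first flight; the client has heard nothing back yet (0 RTT).
type ClientHello struct {
	EphemeralPub, Nonce, Ciphertext []byte
}

func NewServerKeys() *ServerKeys {
	sign, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dh, _ := ecdh.P256().GenerateKey(rand.Reader)
	return &ServerKeys{Sign: sign, StaticDH: dh, Nonce: []byte("constructed-preinstalled-nonce")}
}

// deriveKey: ECDH shared secret + both nonces -> 32-byte session key. HKDF-style extract
// and one expand step; assumed here, the real MMTLS KDF is not described on the page.
func deriveKey(shared, clientNonce, serverNonce []byte) []byte {
	extract := hmac.New(sha256.New, append(append([]byte{}, clientNonce...), serverNonce...))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("mmtls-like session key\x01"))
	return expand.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// ClientSend derives the session key from the embedded static key and encrypts the
// message at once; nothing has to come back from the server first.
func ClientSend(serverDHPub *ecdh.PublicKey, serverNonce, msg []byte) (ClientHello, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return ClientHello{}, err
	}
	nonce := make([]byte, 12) // also serves as the AES-GCM nonce; the key is fresh per session
	rand.Read(nonce)
	shared, err := eph.ECDH(serverDHPub)
	if err != nil {
		return ClientHello{}, err
	}
	ct := gcmFor(deriveKey(shared, nonce, serverNonce)).Seal(nil, nonce, msg, nil)
	return ClientHello{EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// ServerReceive rebuilds the same key from the client's public value and its own static
// private key, then decrypts. Without that private key GCM authentication fails.
func ServerReceive(s *ServerKeys, h ClientHello) ([]byte, error) {
	clientPub, err := ecdh.P256().NewPublicKey(h.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := s.StaticDH.ECDH(clientPub)
	if err != nil {
		return nil, err
	}
	return gcmFor(deriveKey(shared, h.Nonce, s.Nonce)).Open(nil, h.Nonce, h.Ciphertext, nil)
}

// The server signs the handshake transcript; the client verifies with the embedded ECDSA
// public key alone, so no CA and no installed root certificate play any part.
func SignTranscript(key *ecdsa.PrivateKey, transcript []byte) []byte {
	d := sha256.Sum256(transcript)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
	return sig
}

func VerifyTranscript(embedded *ecdsa.PublicKey, transcript, sig []byte) bool {
	d := sha256.Sum256(transcript)
	return ecdsa.VerifyASN1(embedded, d[:], sig)
}

type Result struct {
	Decrypted                         string
	GenuineAccepted, ImpostorAccepted bool // signed by the real server key vs. another key
}

func Demo() (Result, error) {
	srv := NewServerKeys()
	hello, err := ClientSend(srv.StaticDH.PublicKey(), srv.Nonce, []byte("hello over 0-RTT"))
	if err != nil {
		return Result{}, err
	}
	pt, err := ServerReceive(srv, hello)
	if err != nil {
		return Result{}, err
	}
	transcript := append(append([]byte{}, hello.Nonce...), hello.EphemeralPub...)
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a proxy with its own key
	return Result{
		Decrypted:        string(pt),
		GenuineAccepted:  VerifyTranscript(&srv.Sign.PublicKey, transcript, SignTranscript(srv.Sign, transcript)),
		ImpostorAccepted: VerifyTranscript(&srv.Sign.PublicKey, transcript, SignTranscript(impostor, transcript)),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point to take from `Demo` is that both the encryption key and the identity check are anchored in material the client already holds. A middlebox can see the client's ephemeral public key and nonce on the wire, but without the server's static ECDH private key it cannot derive the session key, and without the server's ECDSA private key it cannot produce a handshake the client will accept.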
Final Conclusion
The web version of WeChat used over a company network can be monitored by the company, whether it is run on a corporate or a personal computer.
The web version used over a 4G network bypasses the corporate network, so the company cannot see the chats.
The mobile version uses a private protocol with the server's public keys embedded in the app; it stays opaque on both company and 4G networks, so the company cannot view the content.
macrozheng
Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.