An unsalted(!) md5(!) is never a perfect solution unless your goal is insecurity. The idea of using the IMEI as unique device dependant string for hash generation is good but you must make it impossible for anyone to find out how the hash is created or it is a glaring security hole (as demonstrated).

Many many apps have permissions to read the IMEI. Just as many have access to the internet. Add whatever permission is needed to find out the device's phone number and you have all you need.

I'm assuming that they (WhatsApp) were trying to make the experience as close as possible to SMS without help from the carriers, so by using the phone number (which they verify, by the way) and the phone itself as the credentials -- only one of which most people replace, and that's mostly once every 2-3 years -- is a great idea for getting users to their platform with a minimal security tradeoff, hence in my opinion a perfect solution.

And again, if an app had fooled a user for permissions to get their phone number they could probably just ask for permissions to send and receive SMS's -- which is what some banks (at least here, in Israel) use to verify online accounts.

Exactomundo!

Perhaps a better solution would be to tie it to the Google account on the phone? This could be done without requiring the user to remember any details as most people already have an account tied in.

IMEI isn't related to the phone number (IMSI is). And it's a horrible idea since IMEI isn't secret.

I should have said the phone number on the same device. And like I said in my original comment, you need some kind of access to the user for getting the IMEI (unless you work for one of the carriers, but the point still applies) so in lots of cases it would be easier to just physically do something worse on the phone itself.