
There is no public API on the iPhone to access the IMEI, so at least it is pretty conclusively not using that there.


Good post - although for posterity retrieving a phone number doesn't work as described in all cases. Calling `getLine1Number()` on a GSM phone will return the MSISDN, but not all carriers store the MSISDN on the SIM (for security reasons), so it will in some cases return null. This is a somewhat moot point, because there are other ways to find mobile numbers!

As you point out, this is almost certainly an Android specific implementation, because there's no way to get either the MSISDN or the IMEI through iOS using the public API (if it was to transpire that WhatsApp were using private calls to obtain them then that would be another story entirely).


The MSISDN file on the SIM card (EFmsisdn) is optional and has default access rights allowing you to modify it with just a PIN (CHV1) code (see 3GPP TS 51.011). Therefore, the information stored in this file is not very reliable, since anyone who knows the PIN code of the card can change its content. I do not think it has anything to do with security reasons...

I do not see anything wrong with using the IMEI as a seed for password generation; the problem is that this number should be encrypted using a proper encryption method and not just transformed using the MD5 hash function.
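To make concrete what the comment above describes (and the null case from the earlier getLine1Number() comment), here is a decoder for one EF_MSISDN record as laid out in 3GPP TS 51.011. It is an added example written for this thread, not code from the thread, the linked article or WhatsApp; the record bytes are constructed, and the alpha identifier is assumed to use only ASCII-compatible characters of the default GSM alphabet.

```python
# Added example (not from the thread): decode one EF_MSISDN record (3GPP TS 51.011,
# same layout as EF_ADN). A record is:
#   alpha identifier (X bytes) | BCD length (1) | TON/NPI (1) | dialling number (10, BCD)
#   | capability/configuration id (1) | extension1 record id (1)
# Unused bytes are 0xFF; an all-0xFF record means the carrier stored no number,
# which is the case where TelephonyManager.getLine1Number() returns null.

TON_NAMES = {0: "unknown", 1: "international", 2: "national"}

def _decode_bcd(raw: bytes) -> str:
    """Decode swapped-nibble BCD digits, stopping at the 0xF filler."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):   # low nibble holds the earlier digit
            if nibble == 0xF:
                return "".join(digits)
            digits.append("0123456789*#abc"[nibble])
    return "".join(digits)

def decode_efmsisdn(record: bytes, alpha_len: int):
    """Return {'alpha', 'ton', 'number'} or None when the record holds no number."""
    if len(record) != alpha_len + 14:
        raise ValueError("record length must be alpha_len + 14")
    alpha = record[:alpha_len]
    bcd_len, ton_npi = record[alpha_len], record[alpha_len + 1]
    if bcd_len == 0xFF:
        return None                          # no MSISDN stored on this SIM
    if not 1 <= bcd_len <= 11:
        raise ValueError("invalid BCD length field")
    # bcd_len counts the TON/NPI byte plus the digit bytes that follow it
    digits = record[alpha_len + 2 : alpha_len + 1 + bcd_len]
    ton = (ton_npi >> 4) & 0x7               # bits 7-5 of the TON/NPI byte
    number = _decode_bcd(digits)
    if ton == 1:
        number = "+" + number
    # Alpha identifier: default GSM alphabet, ASCII-compatible subset assumed here
    name = alpha.rstrip(b"\xff").decode("ascii", errors="replace")
    return {"alpha": name, "ton": TON_NAMES.get(ton, "reserved"), "number": number}

# Constructed sample: alpha "Own number" (10 bytes), international +15551234567,
# 6 digit bytes (BCD length 7 = TON/NPI byte + 6), remainder filler.
SAMPLE_RECORD = (b"Own number"
                 + bytes([0x07, 0x91, 0x51, 0x55, 0x21, 0x43, 0x65, 0xF7])
                 + b"\xff" * 4 + b"\xff\xff")
EMPTY_RECORD = b"\xff" * 24                  # SIM with no MSISDN stored

if __name__ == "__main__":
    print(decode_efmsisdn(SAMPLE_RECORD, 10))   # {'alpha': 'Own number', 'ton': 'international', 'number': '+15551234567'}
    print(decode_efmsisdn(EMPTY_RECORD, 10))    # None
```

Because the record is plain writable data behind CHV1, the decoded number is whatever was last written, which is why a client should treat it as a hint and not as proof of the subscriber's identity.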




WhatsApp in fact is using NSClassFromString to get access to the private class UITextEffectsWindow ;P. However, I don't think it is doing anything to get access to CoreTelephony and pull the IMEI.

Another piece of evidence for this is an article published on a website I found while searching for the API endpoints that WhatsApp is connecting to; this person pulled apart the Android client.

http://www.mathyvanhoef.com/2012/05/whatsapp-considered-inse...

In this article there are a few API calls that are discussed, including v1/exist.php and v1/code.php: the former takes an argument sim=MSISDN and the latter takes both sim=MSISDN and imsi=IMSI.

However, on my device (iOS), all of the other fields are being sent (including the MCC and MNC, which you can apparently get using the public CTCallCenter API) except those sim and imsi fields.

(Note: the actual service seems to run over XMPP, and I did not bother figuring out how I'd man-in-the-middle that to figure out my password, so maybe they do something really sneaky at a later step.)


Thanks for the heads up - I didn't know



