Hacker News new | past | comments | ask | show | jobs | submit login

WhatsApp's "E2E" code is from Signal, which is open source.

This zealous belief that all secure cryptography must be open source is something I hear a lot from open source advocates, but not so much from cryptography engineers.




Is the encryption/decryption code in WhatsApp open-source? I haven't been able to find it. My assumption was that they conform to the Signal encryption protocol, which is openly specified, but that the code they use to do so is not open-source.


Yes, it is. It's linked directly from the paper (https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...) that documents their use of the protocol.

It's the exact same code we use in Signal: https://github.com/whispersystems/libsignal-protocol-java


The value is not just the public display of the source code for auditing, but the validation that what you are running was indeed compiled from that code.


This is literally an impossibility. Java apps are typically obfuscated with randomization of symbol names. Each build is unique and not reproducible.

You are better off verifying the actual compiled and distributed apk files than verifying the source.


It's impossible?

https://whispersystems.org/blog/reproducible-android/


Simply open sourcing the code doesn't give that validation.


Not completely but I can certainly look at it, compile, and then side-load it onto my device knowing it's what it said it was.


You keep saying this, but how do we know they are actually using the code from Signal without access to source and reproducible builds? Last time you told me it was easy and legal to reverse engineer the code. I then asked you what tools you use to do that and you ignored the question.


To reverse engineer code? For big projects, I used IDA, like everyone else does. For smaller projects, I used Hopper, or, for architectures that IDA and Hopper didn't support, I'd postprocess binutils output.

For an example of a more sophisticated approach, look at:

https://sourcedna.com/

Remember, in this case, it's especially easy to reverse, because you have the source code; all you're doing is matching the control flow graph to the original source.


Thanks for making this response. Genuinely interested.

[To whomever down voted... I guess I get down voted for not showing gratitude immediately after he posted a reply? This is why I don't post here often. Quite mean people here.]


Do you know if there exist tools that take a binary and a source code file and attempt to automatically compare the control flow graphs?

I imagine I won't ever get to it, but that sounds like an interesting problem to try to work on.


Yes, there are. SourceDNA does a bunch of this.


If you want to look at the Android APK, you can use apktool to get back Java source. Hacked clients like WhatsApp+ even build new derivative products using that output, and spammers do it to get code they can use to inject messages onto the network without having to write their own software.

I think it's great when people further verify WhatsApp's client security, please share your analysis!


Thank you for your tip and contributions to open signal. I appreciate that you want to get encryption into as many hands as possible, even if circumstances may not be ideal.

My primary concern here is a long con. Everything is probably okay now, but after a while, people will stop looking and verifying. With WhatsApp keeping source closed, it makes that period of time shorter, I think. I will try to work your suggestion into my job :) If I'm paid to do it, I can keep doing it indefinitely, even working on tools to automate it.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: