> WhatsApp is closed source, so whatever they claim to can't be proven
E2E only requires a correctly-designed client, not a correctly-designed server.
Since any binary can always be deobfuscated, deliberately putting in a backdoor in the client would be an extremely risky PR move, especially in an app as big as WhatsApp, and one surely receiving lots of attention from security researchers.
Not to mention that OpenWhisperSystems (the creators of Signal) worked with Meta on their E2E implementation, and if you don't trust them to do right, you shouldn't trust anybody.
Let's face it, people over here just don't like Meta and love to spread FUD about them.
Once trust is lost, it's hard to regain it. The fact is, the WhatsApp client is not open source, there are no reproducible builds, and the only thing you have is trust in them.
If you live in an authoritarian state with a track record of spying on individual citizens, and without legal protection for the privacy of foreign citizens, it's legitimate to decide not to trust a company like Meta headquartered in the USA.
> The fact is, the WhatsApp client is not open source, there are no reproducible builds, and the only thing you have is trust in them.
That is not strictly true. It is possible to reverse-engineer the client. It's unlikely that anyone will find the motivation to do so, but there's no law of physics that says they can't. You can theoretically review the code that is running on your device - it's just harder than with an open source reproducible build.
What would be the consequences, if Meta was caught doing something "funny" with e2ee? Maybe small fines, and a brief online moral panic, but I don't think people would switch to another app en masse solely because of that.
I love this optimism, I really do. But to believe that any Meta product can be private is to believe that Zuck actually wants that to happen. Zuck, the guy who changes company culture every 4 years or less to suit whoever is in the White House. The reality is that with a closed source product, you can't trust ANYTHING. Just because OpenWhisperSystems worked with Meta doesn't mean anything. Meta will easily silence them legally if they wanted to. And Meta can always remove or disable the implementation as they see fit.
Are you talking about decompilation? This is, in general, very difficult, and that's when the author and compiler don't want to stop you from doing it.
Go fire up jadx or ghidra or whatever you like and see if you can find the bits of code you know are there. Now try demonstrating that a bit of code isn't there.
> Let's face it, people over here just don't like Meta and love to spread FUD about them.
It's called punching upwards.
> Since any binary can always be deobfuscated, deliberately putting in a backdoor in the client would be an extremely risky PR move, especially in an app as big as WhatsApp, and one surely receiving lots of attention from security researchers
Correct me if I'm wrong, but can't a proprietary delivery mechanism such as the App or Play stores deliver a backdoored build to an individual device, then later autoupdate it to a clean one?
Builds are signed by the software publisher, not the Play Store. So the store alone couldn't corrupt releases; it would need collaboration by the publisher. (Google does have a service for app developers where they keep and manage your signing keys for you, but it's not required.)