by wyldfire 3440 days ago
Presumably the device generates a keypair and then needs to exchange with the remote device somehow? I assumed both devices connect to WhatsApp and it delivers what is ostensibly the pub keys from each of the parties to each of them?
2 comments

This can be detected if the sender and the recipient attempt to verify their keys out of band (i.e. in person or through some other trusted communication channel). WhatsApp allows you to do that.
Out of band but not out of app. It's the WhatsApp app that generates and presents the 'security code' or key fingerprint for comparison.

It's not like SSH in which separate and discrete components generate the keypair and verify fingerprint on connection.

That's moving the goalposts. A backdoor in the app itself is a whole different matter - both legally (give us these records/change these records in your database vs. build software according to our spec and ship it to your customers, which is similar to Apple vs. FBI and might not be constitutional) and technically.

I also don't see the difference between this and SSH. If your SSH server or client is backdoored/compromised, you have no control over what happens with your plaintext, no matter what the fingerprint verification tells you. The only difference is that one is open source, so the likelihood that a backdoor is detected is probably higher, though I don't think this means a) there is no backdoor and b) a backdoor in a closed-source app cannot be detected.
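Added example, not part of the thread or of any commenter's post: a small simulation of the out-of-band check discussed above, showing that a key-relaying server which hands out a substituted key leaves the two parties with different comparison codes. The `Directory` class, the `fingerprint` scheme (SHA-256 over both keys) and the random byte strings standing in for public keys are all constructed for illustration and are not WhatsApp's actual security-code derivation.

```python
import hashlib
import os


def fingerprint(key_a, key_b):
    """Order-independent code over both public keys (constructed scheme)."""
    digest = hashlib.sha256(b"".join(sorted((key_a, key_b)))).hexdigest()
    # Show the first 128 bits as 8 groups of 4 hex digits for reading aloud.
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class Directory:
    """Hypothetical key server that relays each party's public key."""

    def __init__(self, substitute=None):
        self.keys = {}
        self.substitute = substitute  # key handed out instead of the real one

    def publish(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        if self.substitute is not None:
            return self.substitute
        return self.keys[user]


def session_codes(directory):
    """Return the code each party would see after fetching the peer's key."""
    # Random bytes stand in for real public keys (constructed sample data).
    alice_pub, bob_pub = os.urandom(32), os.urandom(32)
    directory.publish("alice", alice_pub)
    directory.publish("bob", bob_pub)
    # Each side combines its own key with whatever the server delivered.
    alice_code = fingerprint(alice_pub, directory.lookup("bob"))
    bob_code = fingerprint(bob_pub, directory.lookup("alice"))
    return alice_code, bob_code


if __name__ == "__main__":
    for label, d in (("honest relay", Directory()),
                     ("substituting relay", Directory(os.urandom(32)))):
        a, b = session_codes(d)
        print(f"{label}: alice={a} | bob={b} | match={a == b}")
```

The comparison is only meaningful if the client that computes and displays the code is itself honest, which is the objection raised in the thread.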