This entire conflict just seems completely absurd to me - why on earth are the 72 "experts" who signed the open letter so quick to trust WhatsApp without access to the source code?
The experts (no scare quotes needed, they really are experts) were commenting on the story's facts as presented. There was no need to read the source of whatsapp, as the facts as stated in the original article were overblown and based on fundamental misunderstandings of cryptography.
The entire story was based on the question of "what do you do when someone you're communicating with using encryption changes keys?" Whatsapp chose to dynamically use the new key, rather than fail & force the user to verify the new key in some out-of-band way. This was described as a "backdoor" in the guardian story. That was simply false. Even calling it a vulnerability is a mis-understanding of how cryptography works and of the risk involved in that design decision.
Thank you for actually replying instead of downvoting...and I'll admit, the scare quotes may have been a bit too much!
That said, the open letter plainly states "WhatsApp effectively protects people against mass surveillance."
How do they know? From this, and the entire tone of the letter, it looks to me like they're still implicitly trusting that WhatsApp does what it claims to do. I see absolutely no reason to do so, and am utterly baffled that top security experts do.
More emphasis should be put on this. Those who know how to reverse engineer apps already look at the code, regardless of source code availability. But posting some machine code to debunk the original story would not do much good, seeing as those who might be unsure would likely not know how to read assembly.
It's still not entirely accurate, or at least conclusive, that WhatsApp effectively protects people against mass surveillance. It might be that there's enough other sources, messages aren't that valuable in the first place or even that mass surveillance itself, between target surveillance and everyone being a public person, isn't that important to protect people against.
I think it's much easier to conclude that WhatsApp protects peoples messages from leaking or being abused by providers and other "softer" merits.
I'm saying that both the claim that "WhatsApp is effective" and that "it is effective against mass surveillance" might be untrue even if it is effective at E2E encryption.
You can argue that WhatsApp itself de facto doesn't effectively protect (against mass surveillance) because it only works with instant messages and a lot of data isn't instant messages. You can argue that there is still mass surveillance of metadata. And that governments could enact secret laws to force vendors to engage directly in mass surveillance of their customers through the OS (less likely in the US, more so in China, especially as Google isn't present).
Sure, it's a nitpick. It's implied that it's effective because it's a good way to use E2E. But it not necessarily explored in the article whether it effectively protects people. I'm sure someone thinks that PGP was effective against mass surveillance too. So it becomes and issue over what you think is worth protecting.
> are capable of reverse engineering and analyzing Android apps (i.e. WhatsApp).
Did you do that before signing the letter?
> Furthermore, if you can verify that the app does what it advertises...
Without reproducible builds you can only verify the specific version of the app on your device. It's quite a leap from there to say 'Whatsapp is safe for you, too, regardless of your use-case'.
The entire story was based on the question of "what do you do when someone you're communicating with using encryption changes keys?" Whatsapp chose to dynamically use the new key, rather than fail & force the user to verify the new key in some out-of-band way. This was described as a "backdoor" in the guardian story. That was simply false. Even calling it a vulnerability is a mis-understanding of how cryptography works and of the risk involved in that design decision.