Hacker News new | ask | show | jobs
by CiPHPerCoder 3280 days ago
Most (if not all) people who signed that letter, myself included, are capable of reverse engineering and analyzing Android apps (i.e. WhatsApp).

You don't need access to the source code to perform this analysis.

Furthermore, if you can verify that the app does what it advertises, you don't need to trust their infrastructure. E2E takes care of that.
3 comments
willstrafach 3280 days ago
More emphasis should be put on this. Those who know how to reverse engineer apps already look at the code, regardless of source code availability. But posting some machine code to debunk the original story would not do much good, seeing as those who might be unsure would likely not know how to read assembly.
link
jolic 3280 days ago
It's still not entirely accurate, or at least conclusive, that WhatsApp effectively protects people against mass surveillance. It might be that there's enough other sources, messages aren't that valuable in the first place or even that mass surveillance itself, between target surveillance and everyone being a public person, isn't that important to protect people against.

I think it's much easier to conclude that WhatsApp protects peoples messages from leaking or being abused by providers and other "softer" merits.

link
CiPHPerCoder 3280 days ago
> It's still not entirely accurate, or at least conclusive, that WhatsApp effectively protects people against mass surveillance.

Yes, it is.

Mass surveillance is, by its very nature, defeated by E2E encryption even without identity verification.

Are you thinking of targeted surveillance?

link
jolic 3280 days ago
I'm saying that both the claim that "WhatsApp is effective" and that "it is effective against mass surveillance" might be untrue even if it is effective at E2E encryption.

You can argue that WhatsApp itself de facto doesn't effectively protect (against mass surveillance) because it only works with instant messages and a lot of data isn't instant messages. You can argue that there is still mass surveillance of metadata. And that governments could enact secret laws to force vendors to engage directly in mass surveillance of their customers through the OS (less likely in the US, more so in China, especially as Google isn't present).

Sure, it's a nitpick. It's implied that it's effective because it's a good way to use E2E. But it not necessarily explored in the article whether it effectively protects people. I'm sure someone thinks that PGP was effective against mass surveillance too. So it becomes and issue over what you think is worth protecting.

link
dingaling 3280 days ago
> are capable of reverse engineering and analyzing Android apps (i.e. WhatsApp).

Did you do that before signing the letter?

> Furthermore, if you can verify that the app does what it advertises...

Without reproducible builds you can only verify the specific version of the app on your device. It's quite a leap from there to say 'Whatsapp is safe for you, too, regardless of your use-case'.

link