You still trust the server, unless the encryption is done with code that wasn't delivered from the server. E2E prevents your content from being stolen in a data breach or from being accessed if the server was fine when you sent a message but compromised later.
Good point. The (variously named) security code should allow you to withdraw even that trust (assuming you verify the security code and the binary on your client...), right? Or does it? If the server knows the secret, it can invisibly MITM you, right?
I have. It is a pain in the ass but certainly doable.
I am experienced with iOS, but honestly it is a big app so those who are familiar with Android could do this better, as I believe they actually have decompilers versus needing to read the compiled ARM code.