by ylk 640 days ago
You can always go ahead and decompile the apps and then show everyone that they’re in fact lying, that story would be huge. That alone doesn’t make it true, but there have so far not been hints of them pulling weird stuff with their e2ee, unlike telegram, for example. They’re even working on improving the default mode 99% of users use e2ee chat apps with - trust on first use (TOFU): https://engineering.fb.com/2023/04/13/security/whatsapp-key-...

They probably do all kinds of horrible stuff with the metadata. I’m honestly too lazy to read the privacy policy. But I have yet to see critique of their e2ee that’s actually backed up by substance instead of people’s imaginations.

If debunking security and/or privacy claims, and indirectly, proving security and/or privacy claims, is as simple as reverse engineering binaries, then the very concept of open source for better privacy and/or security itself would be moot. It's outrageous to even suggest that.
It’s certainly not outrageous. It’s how people regularly find vulnerabilities in all kinds of closed-source software.
It certainly is for proving privacy claims. Even finding vulnerabilities by reverse engineering is to debunk security claims, not to strengthen them.
The topic has been e2ee, which is first and foremost about security. You can have e2ee without privacy, as is likely the case with WhatsApp.

You certainly can “prove” and “disprove” “security” by reverse engineering, to the same extent a source code review can (or even more, since you’re looking at what’s actually running on the device). It can often require a bigger time investment, but even that’s not always the case in my experience, especially if you’re working with a really bad code base.