[jusepal]

If debunking security and/or privacy claims, and indirectly, to prove security and/or privacy claims is as simple as reverse engineering binaries then the very concept of open source for better privacy and/or security itself would be moot. Its outrageous to even suggest that.

[ylk]

It’s certainly not outrageous. It’s how people regularly find vulnerabilities in all kinds of closed-source software.

[jusepal]

It certainly is for proving privacy claims. Even finding vulnerability by reverse engineering is to debunk security claims, not to strengthening it.

[ylk]

The topic has been e2ee, which is first and foremost about security. You can have e2ee without privacy, as is likely the case with WhatsApp.

You certainly can “prove” and “disprove” “security” by reverse engineering, to the same extent a source code review can (or even more, since you’re looking at what’s actually running on the device). It can often require a bigger time investment, but even that’s not always the case in my experience, especially if you’re working with a really bad code base.