[bovik]

To reduce round trips and ease of use for the ultimate consumer. A typical whatsapp consumer is decidedly not the geek/hipster hanging out on HN. Out of the 100+ million installs they have, I doubt any more than about 0.1% care about encrypted messages et. al. Most of them do care about a large existing user-base (network effect), ease of startup (no registration/login required), ease of connecting to other users (scan phone contact list) etc. All of those things rile up the crowd that gathers here but provides real, tangible value to the ultimate users. That's the reason they have the userbase that they do despite repeated breast-beating by the crowd here about their lax security etc.

[kennywinker]

Sure, absolutely. But those things are no reason to be lax on security. All those people are going to care if rampant spoofing, account hijacking, etc. starts.

The security holes seem to fit that nasty sweet spot where they are easy enough for someone to do, if they target you, but hard to do on a massive scale (matching IMEI/MAC to ph. no.), so it seems unlikely to me that users will actually experience problems. Unless it gets a reputation with users as hackable, this wont actually effect their success.

aka: how dumb things become wildly successful.

That said, what will effect success, and what is "right" are not always the same thing.

[bovik]

The basic decision to not require account creation (and hence no login/password) is a key design decision that makes the app onboarding experience so pleasant. Now given that as a product requirement, what exactly would you use as encryption key other than information you can glean from the phone itself (IMEI, UDID etc.). These are numbers tied to the hardware and possible but not trivial to spoof (as you pointed out). It seems like a reasonably enough compromise for a consumer great chat sapp.

Also, for what it's worth, their biggest competitors in the field (viber, kakao etc.) picked up on that successful tactic and also don't require account creation at startup. Wonder if they've found some better ways to provide secure chat.