by kennywinker 5010 days ago
Sure, absolutely. But those things are no reason to be lax on security. All those people are going to care if rampant spoofing, account hijacking, etc. starts.

The security holes seem to fit that nasty sweet spot where they are easy enough for someone to do, if they target you, but hard to do on a massive scale (matching IMEI/MAC to ph. no.), so it seems unlikely to me that users will actually experience problems. Unless it gets a reputation with users as hackable, this won't actually affect their success.

aka: how dumb things become wildly successful.

That said, what will affect success, and what is "right" are not always the same thing.

1 comments

The basic decision to not require account creation (and hence no login/password) is a key design decision that makes the app onboarding experience so pleasant. Now given that as a product requirement, what exactly would you use as an encryption key other than information you can glean from the phone itself (IMEI, UDID etc.)? These are numbers tied to the hardware and possible but not trivial to spoof (as you pointed out). It seems like a reasonable enough compromise for a consumer great chat app.

Also, for what it's worth, their biggest competitors in the field (Viber, Kakao etc.) picked up on that successful tactic and also don't require account creation at startup. Wonder if they've found some better ways to provide secure chat.
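
Added example, not part of either comment and not any app's actual code: a toy comparison of a credential derived from a hardware identifier with a random secret the device generates at first launch, both without a sign-up form. The SHA-256 derivation, the `Server` class and the sample phone number and IMEI are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def identifier_credential(device_id: str) -> bytes:
    """Credential computed from a hardware identifier alone (assumed scheme)."""
    return hashlib.sha256(device_id.encode()).digest()


class Server:
    """Toy registration server: keeps one credential hash per phone number."""

    def __init__(self) -> None:
        self._stored = {}

    def register(self, phone: str, credential: bytes) -> None:
        self._stored[phone] = hashlib.sha256(credential).digest()

    def login(self, phone: str, credential: bytes) -> bool:
        expected = self._stored.get(phone)
        if expected is None:
            return False
        presented = hashlib.sha256(credential).digest()
        return hmac.compare_digest(expected, presented)


def demo() -> dict:
    phone, imei = "+15550100", "490154203237518"  # constructed sample values

    # Scheme A: the credential is a function of the identifier only.
    a = Server()
    a.register(phone, identifier_credential(imei))

    # Scheme B: the device creates a random secret at first launch and
    # keeps it locally; the user still never sees a login or password.
    b = Server()
    install_secret = secrets.token_bytes(32)
    b.register(phone, install_secret)

    # Anyone who learns the identifier can recompute the scheme A credential.
    recomputed = identifier_credential(imei)
    return {
        "A_owner": a.login(phone, identifier_credential(imei)),
        "A_outsider": a.login(phone, recomputed),
        "B_owner": b.login(phone, install_secret),
        "B_outsider": b.login(phone, recomputed),
    }
```

The sketch leaves out how the phone number itself is verified at registration, which a real service would still need.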