[bovik]

The basic decision to not require account creation (and hence no login/password) is a key design decision that makes the app onboarding experience so pleasant. Now given that as a product requirement, what exactly would you use as encryption key other than information you can glean from the phone itself (IMEI, UDID etc.). These are numbers tied to the hardware and possible but not trivial to spoof (as you pointed out). It seems like a reasonably enough compromise for a consumer great chat sapp.

Also, for what it's worth, their biggest competitors in the field (viber, kakao etc.) picked up on that successful tactic and also don't require account creation at startup. Wonder if they've found some better ways to provide secure chat.