[davisr]

"Absolutely no way"? I'm sorry to be impolite about it, but that's a bit of an exaggeration: one could jailbreak their phone, pull the binary into their computer, decompile it, and inspect it for implementation structures that would be coherent with how the two or three most popular encryption algorithms are commonly implemented. The expertise to be able to accomplish it doesn't come cheap, but it's certainly in the realm for anyone willing to invest the time.

If anyone out there does it, feel free to post your findings to http://imfreedom.org/.

I'd be willing to bet that WhatsApp has some competent programmers, and looks very similar to how Apple's built iMessage. I think everyone is entitled to the most security possible, but unfortunately when you're at the scale of WhatsApp, perfect security would make all that ultra-tantalizing data pretty hard to analyze. They're a business, they have a responsibility to their investors to grow the business, and data right now is a _big_ business.

[JupiterMoon]

So you've probably just broken the law by doing so. And you have to do this everytime the app gets updates. And you have to be sure that the encryption is actually getting used on every message. And that the key is strong and not known to Whatsapp. And also that the recipients copy of the app is behaving the same as yours. So I guess the question is, if you had something to hide would you bet your life on it?

Whereas with Textsecure. Well it just works...

[jsprogrammer]

>So you've probably just broken the law by doing so.

By modifying your own device? I don't think so.

[JupiterMoon]

Many countries have laws against reverse engineering programs. Whilst I think these laws are stupid I would prefer to just use the open source program than mess around with the closed source alternative.

[nitrogen]

According to Wikipedia[0], reverse engineering is generally legal in the US:

In the United States even if an artifact or process is protected by trade secrets, reverse-engineering the artifact or process is often lawful as long as it has been legitimately obtained.

[0] https://en.wikipedia.org/wiki/Reverse_engineering#United_Sta...

[JupiterMoon]

Actually have another look at that before you break the law on this yourself.

As far as I can see that article says that reverse engineering is legal in the case that: (1) the EULA doesn't mention it (I've no idea what Whatsapp EULA says - do you?). (2) it is done for the purpose of interoperability. What is being proposed by the GP is in fact not interoperability but security testing.

As I said before I think that the laws on this are stupid. But why worry about this when there is a great FOSS program in the same space?

[aw3c2]

And that is one country out of ~200.

[blfr]

Yes but it has 350M people living in it, half the HN, Silicon Valley, and Moxie with his team. It's not honest to say the US is just another country among 200.

[JupiterMoon]

Assuming that nothing in the thing being reverse engineered is not encrypted or protected in some fashion right?

[mightybyte]

> one could jailbreak their phone, pull the binary into their computer, decompile it, and inspect it for implementation structures that would be coherent with how the two or three most popular encryption algorithms are commonly implemented.

There's a much easier way. Turn off your phone's cellular connection, but turn on wifi and connect it to a wifi network you control. Then just sniff the packets.

[stouset]

Not unless you have discovered a novel technique for distinguishing between good crypto and bad crypto over the wire.

[higherpurpose]

At the very least I would want Whatsapp to:

1) add authentication with other users

2) make a public statement about it (believe it or not, that hasn't happened yet. Perhaps it will come when the iOS versions supports it - or perhaps it never will)

3) commit to the new encryption system in their privacy policy (make it at least somewhat legally binding - which could also be used against abusive law enforcement orders)