Comment by medstrom
2 years ago
Also WhatsApp is closed-source, so you can only take their word for whether the E2E is really E2E -- and it's owned by Facebook.
2 years ago
Also WhatsApp is closed-source, so you can only take their word for whether the E2E is really E2E -- and it's owned by Facebook.
There’s really nothing stopping someone from publishing an instrumented / modded binary to a mobile App Store unless there’s a user-verifiable build chain, even if it is open-source. Even if the backend IS e2ee, the UI can be extended to keylog / etc. The App Store provider can be in on it too.
DNS can be filtered to provide some degree of control and traffic inspection, but there’s always DNS over HTTPS, tunneling, and so on and so forth.
I’d be surprised if Signal was doing it, since getting caught at it would totally destroy their reputation, but I’d honestly be surprised if WhatsApp didn’t have at least a backdoor for it.
For Signal, open source since 2016
https://signal.org/blog/reproducible-android/
Unless you espcially meant by ”App Store”, by Apples App store, it is Apple to blame in that case because it is not possible due to the encryption of app binaries.
I wasn't speaking specifically about Signal nor about a particular storefront. I'm glad Signal has at least a reproducible build on one platform. That doesn't change my main point: "it's open source" is NOT a guarantor of this AT ALL without usable build verification.
1 reply →
Why wouldn’t you trust Zuck’s word? He seems like an honourable