Comment by cosmicgadget

15 hours ago

> if there's a secondary pathway, it's probably for telemetry etc.

Seems like a good channel upon which to piggyback user data. Now all you have to do is obfuscate the serialization.

> It's difficult to hide subtleties in decompiled code.

Stripped, obfuscated code? Really? Are we assuming debug ability here?

> All secrets are out in the open at that point. There are no black boxes in mobile app code.

What about a loader with an encrypted binary that does a device attestation check?

I've lost track of our points of disagreement here. Sure, it's work, but it's all doable.

Obfuscated code is more difficult to unravel in its original form than the decompiled form. Decompiled code is a mess with no guideposts, but that's just a matter of time and patience to fix. It's genuinely tricky to write code that decompiles into deceptive appearances.

Original position is that it'd be difficult to hide side channel leakage of chat messages in the WhatsApp mobile app. I have not worked on the WhatsApp app, but if it's anything like the mobile apps I have analyzed, I think this is the correct position.

If the WhatsApp mobile apps are hairballs of obfuscation and misdirection, I would be a) very surprised, and b) highly suspicious. Since I don't do this work every day any more, I haven't thought much about it. But there are so many people who do this work every day, and WhatsApp is so popular, I'd be genuinely shocked if there were fewer than hundreds of people who have lightly scanned the apps for anything hairbally that would be worth further digging. Maybe I'm wrong and WhatsApp is special though. Happy to be informed if so.