Comment by cookiengineer

10 hours ago

Why did you not mention that the WhatsApp apk, even on non-google play installed devices, loads google tag manager's scripts?

It is reproducibly loaded in each chat, and an MitM firewall can also confirm that. I don't know why the focus of audits like these are always on a specific part of the app or only about the cryptography parts, and not the overall behavior of what is leaked and transferred over the wire, and not about potential side channel or bypass attacks.

Transport encryption is useless if the client copies the plaintext of the messages afterwards to another server, or say an online service for translation, you know.

3 comments

cookiengineer

tptacek 10 hours ago

There's a whole section, early, in the analysis Albrecht posted that surfaces these concerns.

cookiengineer 8 hours ago
Where in the document is that? Can you provide a page number or section title?
- jibe 4 hours ago
  
  ^f