How do we know Whatsapp is E2EE?

I read everywhere that Whatsapp is E2EE.

But Whatsapp is not open source. This means that there is no way to know what’s inside.

If there is no way to know what’s inside, how do we know WhatsApp provides end-to-end encryption?

NB:

  • I’m not here to be taught the disadvantages of WhatsApp. I know them.
  • I’m not here to start a new IM war either, as I know it can fire up easily! 😉
  • I’m here just to get an answer to the question in bold.

Thanks!

2 Likes

You can do MITM and try to decrypt WhatsApp.

1 Like

Only by having the source code can you confirm it is E2EE, which we can’t, because we are not the WhatsApp devs.

Also, even if it is E2EE, if the implementation is borked, it is as good as unencrypted. Who has access to the actual encryption keys? If you don’t have access to the key, or if the admins have access to it, then another person can decrypt and access the messages in it.

Maybe a third-party audit can vouch for it, but the findings will be buried in legal-speak which needs knowledge, attention to detail and reading between the lines in order to uncover bad designs. Also, after the actual audit, nothing stops FB from altering the code to whatever they want.

A good way to test is to file a case against your (or another) account and have the courts subpoena an encrypted message. If you can see the message in court, it is not true/proper E2EE. However, there may also be laws which prevent a case involving just Joe Average from spilling decryption capabilities if it is in the US interest to keep decryption capabilities a secret.

That’s exactly what I’m thinking. As the public doesn’t have access to the code, the public cannot confirm it is E2EE.

I’m not saying Whatsapp is not E2EE.
I’m not saying Whatsapp is E2EE.

The whole point of this post is to understand why everybody says that Whatsapp is E2EE when we don’t have access to the source code.

Thanks

Back in the day, I sent a URL over and counted how many locations retrieved it without recipient interaction.
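The canary-URL test described in the post above, written out as an added example (this is not the poster’s code and not anything from WhatsApp): generate a unique, unguessable URL, send it through the messenger, log every request that hits it, and then count the distinct remote addresses that fetched it before the recipient actually opened the message. The log format, the `canary.log` path, and the sample addresses are all constructed for this example.

```python
"""Canary-URL check for out-of-band link fetching (added example).

The idea: send a unique URL through the messenger and record which remote
addresses fetch it before the recipient has opened the message. Any fetch
that precedes the recipient's own click came from something other than the
recipient's client, e.g. a server-side preview generator or a link scanner.

The log format below is constructed for this example, one line per request:
    <ISO-8601 UTC timestamp> <remote address> <request path>
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer


def new_canary_path() -> str:
    """Return a fresh, unguessable path so each test run is independent."""
    return "/canary/" + secrets.token_urlsafe(16)


@dataclass(frozen=True)
class Fetch:
    when: datetime
    remote: str
    path: str


def parse_log(lines: list[str]) -> list[Fetch]:
    """Parse constructed log lines of the form '<ts> <remote> <path>'."""
    fetches: list[Fetch] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, remote, path = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fetches.append(Fetch(when, remote, path))
    return fetches


def prefetchers(fetches: list[Fetch], path: str, opened_at: datetime) -> set[str]:
    """Distinct remote addresses that fetched `path` strictly before the recipient opened it."""
    return {f.remote for f in fetches if f.path == path and f.when < opened_at}


class CanaryHandler(BaseHTTPRequestHandler):
    """Minimal logging endpoint: appends one log line per GET to `log_file`."""

    log_file = "canary.log"  # assumed location for this example

    def do_GET(self) -> None:
        ts = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
        with open(self.log_file, "a") as fh:
            fh.write(f"{ts} {self.client_address[0]} {self.path}\n")
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args) -> None:
        pass  # keep the default stderr access log quiet


# Constructed sample log: two non-recipient addresses fetch the canary at
# 10:00, then the recipient (192.0.2.44) opens the message at 10:05.
SAMPLE_LOG = [
    "2024-03-01T10:00:02Z 203.0.113.10 /canary/abc123",
    "2024-03-01T10:00:03Z 198.51.100.7 /canary/abc123",
    "2024-03-01T10:00:03Z 198.51.100.7 /favicon.ico",
    "2024-03-01T10:05:00Z 192.0.2.44 /canary/abc123",
]
SAMPLE_OPENED_AT = datetime(2024, 3, 1, 10, 5, tzinfo=timezone.utc)


def sample_result() -> set[str]:
    """Addresses that fetched the sample canary before the recipient opened it."""
    return prefetchers(parse_log(SAMPLE_LOG), "/canary/abc123", SAMPLE_OPENED_AT)


if __name__ == "__main__":
    print("pre-open fetchers in sample:", sorted(sample_result()))
    # To run the live endpoint instead, on a host you control:
    # HTTPServer(("0.0.0.0", 8080), CanaryHandler).serve_forever()
```

Two caveats on reading the result: a fetch from a third address shows that something other than the recipient saw the link, but not by itself that the service can read message bodies, since link-preview metadata may be generated and uploaded by the sending client rather than extracted from the ciphertext; and the test proves nothing about messages that contain no URL, so it is evidence about one data path, not a verdict on E2EE as a whole.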

Well, it’s closed source so you CAN’T verify that.

But maybe it is, because they backed up your chat in plaintext, then later they announced it will be encrypted too.