There's no need for theoretical chat history leaks, there's already a practical one in place. Online WhatsApp backups aren't encrypted with end-to-end encryption. [1][2] WhatsApp keeps being "helpful" and aggressively suggests users turn on online chat backup, without mentioning on the same screen that this means your chat history will be uploaded without end-to-end encryption. The history is encrypted with a key that is sent to WhatsApp servers. This is used to provide a passwordless backup restore function even when you lose your phone. You contact WhatsApp with your mobile number and WhatsApp sends you back a code that is used to derive the key that was used to encrypt the backup which was sent to Apple/Google.<p>All of this makes Zuckerberg's claims that law enforcement can't read the messages because Facebook can't pretty misleading. Law enforcement could get the backup from Apple/Google and the key from WhatsApp and have access to the whole chat history. There are apps already available to help you through this process. [3]<p>--<p>[1] <i>Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in iCloud.</i> <a href="https://faq.whatsapp.com/en/iphone/20888066/" rel="nofollow">https://faq.whatsapp.com/en/iphone/20888066/</a><p>[2] <i>Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.</i> <a href="https://faq.whatsapp.com/en/android/20887921/" rel="nofollow">https://faq.whatsapp.com/en/android/20887921/</a><p>[3] <i>Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android user’s encrypted WhatsApp communication histories</i> <a href="https://blog.elcomsoft.com/2018/01/extract-and-decrypt-whatsapp-backups-from-google/" rel="nofollow">https://blog.elcomsoft.com/2018/01/extract-and-decrypt-whats...</a>
I don't understand this argument. "Facebook control the WhatsApp code, therefore they can do whatever they want, therefore they can read your messages". I mean, yeah, by that metric, Signal could too, and every other encrypted messenger. We never relied on "Facebook can't change the code" for security, so I don't see how this post brings any new information to the table.<p>I don't even know why it goes into backup folder details and things, as if they matter. If Facebook wanted to change the code to read your chats, they wouldn't have to count on the existence of a specially named folder, they could just change the code to send the chats to them directly.
> it would take a good iOS developer just a few days to put in place code in both the Facebook and WhatsApp apps that could discretely copy this database from one app to the other, via their shared container.<p>Weird article. If modifying the WhatsApp app is on the table, there are trivial ways to send decrypted messages elsewhere.
I think the encryption thing was more about Facebook not being able to intercept your messages, read/store them, and remain unnoticed.
Of course they can "still" read your messages as they could rewrite the app in a few subtle ways to achieve that easily, but that's nothing new.<p>I guess that if the app starts looking for the chats within the devices, it would be much easier to spot than it would if the messages were just analyzed as they went through WhatsApp's servers (so that's what the encryption is for).
He is saying data can be access by facebook on your phone since its simply using keychain to store your message and they have access to that keychain. They could theoretically send your entire chat history to facebook. End-to-end encryption does not entail they are not snooping on your phone, just that when the message is sent, it is encrypted.
I've never programmed for an app store -- what's the security measure that ensures the Signal version you install corresponds to some trusted state of the code base?
Facebook treats our Whatsapp message content just like it's feed.<p>Here is what happened few weeks ago : I exchanged whatsapp messages with a well known founder. Lo and behold - news about him and his startup are all over my facebook feed. Some which was published years ago.<p>We live in echo chambers.
End-to-end encryption like these shouldn't be considered private as long as no one else than yourself control the private key.<p>It's not as convenient, but misplacing trust into corporation that has no interest in your privacy is dangerous.
Common sense says that since FB owns WhatsApp no one should trust it. It's no different than if China owned WhatsApp. I mean WeChat. Just common sense.
and os companies can install key loggers on your device/machine. and chipset manufacturers can backdoor the system. and so on.<p>no piece of hardware or software is safe from evil deeds of people building them.
Messages may be sent encrypted, but I bet they are analysed before being encrypted. Without an external independent audit I'm not sure I'd trust Zuck.