Everyone seems thrilled that WhatsApp has announced they have switched to E2E encryption developed by Open Whisper. Is there a way I can verify this is happening?
Most of the comments so far focus on the fact that WhatsApp is a closed-source system. And just to be clear, it would absolutely be better to have source code. Source code gives you a 1000-foot view of the application and lets you spot obvious problems quickly.<p>But source code can also lie to you. To really understand what the application is doing, you need to do what security auditors do irrespective of source code availability. Namely:<p>1. Disassemble the application binary.<p>2. Debug the running application.<p>3. Observe the network traffic.<p>Here's another thing to think about. Suppose the source code were available. How could you trust that the source code provided matches the compiled binary running on your phone? You would need to perform the above steps to verify.
I suppose, <i>if</i> they published the algorithm they claim to use, and <i>if</i> you can stub out the app's random number source (say LD_PRELOAD or the like), and <i>if</i> you can sniff the app's network traffic (again, LD_PRELOAD might be necessary if it's encrypted, assuming they're not using a statically linked SSL library), and <i>if</i> they don't perform one of any number of trivial modifications to the algorithm (such as adding a fixed salt), you might be able to, for a given message, confirm that for that message, they encrypt it identically to how the algorithm they claim to use would encrypt it.<p>But that's a lot of ifs, and doesn't prove there's no backdoor that's currently disabled.
I think a lot of people here have missed the point a little. It's very easy to subvert E2E encryption of this sort, because no Whatsapp user has any way of verifying that they're talking to another Whatsapp user beyond the Whatsapp servers saying so.<p>The actual apps could carefully perform the E2E encryption, but Whatsapp could easily MITM the data if (say) requested to by an outside agency, without the app being any the wiser.<p>It's impractical to verify - you'd have to have the source to Whatsapp's servers, guarantees their SSL keys haven't been compromised, etc etc etc.
If you want to easily do traffic inspection and forensic analysis of stored data for iOS and Android, you can check out the free Community Edition of our mobile app testing lab [1].<p>Disclaimer, co-founder here.<p>[1] <a href="https://www.nowsecure.com/apptesting/community/" rel="nofollow">https://www.nowsecure.com/apptesting/community/</a>
You cannot verify that WhatsApp isn't cheating without a source code analysis. And it's even worse, WhatsApp is a daughter company of Facebook, so WhatsApp is falling under Section 215 US Patriot Act.<p>In short: it's not Facebook's or WhatsApp's fault, but they're forced to cheat if there is the requirement from US officials.<p>While there may be E2E encryption in WhatsApp, there is no way to get it trustworthy.
Several people have already raised the very good point that ultimately, we need the source code to be certain.<p>However, can we really be sure when we have the source? I don't think so. The codebase is likely to be large, especially when you start looking at dependencies such as the crypto libraries they may be using (unless you want to assume they are safe themselves), and it has been shown that humans are actually quite bad at finding vulnerabilities in code that is written to obscure its real purpose.<p>The Underhanded C Contest is a yearly contest that puts this to the test. Participants are given a spec for a small piece of software, and must write a program in C that appears on code review to work correctly, but in fact subverts the requirements in some way. This has been remarkably successful.<p>Sure, having the code is better than not having the code, but I think that gives us less security than many assume it does.
While you can never be certain that WhatsApp uses e2e encryption without a proper source code review, you can at least check it on your side by doing the following.
1. Install Charles webproxy
2. Configure your device to decrypt the https traffic of whatsapp (install the ssl certificate and configure proxy)
2.5 Enable ssl proxy for whatsapp.
3. Monitor whatsapp's traffic using charles web proxy.
4. If you can see random encrypted text somewhere in the request or response, they are using e2e encryption.<p>I'll try it tomorrow and might even write about it here or somewhere, depending on the results.
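Step 4 of the procedure above depends on recognising "random encrypted text" by eye. The following Python is an added example, not part of the original comment and not code from WhatsApp or Charles; it scores a body exported from the proxy by byte entropy, after ruling out base64 wrapping and compression. All names and sample bodies are constructed for illustration. A "high-entropy" result is only consistent with encryption; it cannot show where the keys live, which is the end-to-end part.

```python
import base64, binascii, hashlib, math, zlib
from collections import Counter

MIN_SAMPLE = 512  # below this, byte-entropy estimates are too noisy to trust

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def unwrap_base64(body: bytes) -> bytes:
    """Binary fields are often shown base64-encoded; score the decoded bytes."""
    try:
        return base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return body

def classify(body: bytes) -> str:
    raw = unwrap_base64(body)
    # Compressed data looks just as random as ciphertext, so rule it out first.
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16):  # zlib, then gzip framing
        try:
            zlib.decompress(raw, wbits)
            return "compressed"
        except zlib.error:
            pass
    if len(raw) < MIN_SAMPLE:
        return "too-short"
    return "high-entropy" if shannon_entropy(raw) > 7.0 else "structured"

# Constructed sample bodies (not captured from any real application).
PLAINTEXT = b'{"to":"alice@example.invalid","body":"see you at 6pm"}' * 12
COMPRESSED = zlib.compress(PLAINTEXT)
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
B64_WRAPPED = base64.b64encode(RANDOM_LIKE)

if __name__ == "__main__":
    for name in ("PLAINTEXT", "COMPRESSED", "RANDOM_LIKE", "B64_WRAPPED"):
        print(f"{name:12} {classify(globals()[name])}")
```

Individual chat messages are usually shorter than the 512-byte floor, so concatenate several bodies of the same field before scoring them.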
As to "Use Free Software": the OTR protocol currently stands the test against various agencies and holds strong.
I suggest using software that makes use of it, e.g. ChatSecure.
Also, if you want someone who's not a random person on the internet telling you this: go watch the talk of Jacob Appelbaum and Laura Poitras from the 31C3.<p>The problem with closed source software is and will always be that we can never be certain of its security (at least not without reverse engineering every version and fully understanding it).