Rust at Scale: An Added Layer of Security for WhatsApp(engineering.fb.com)

159 pointsby ubj9 hours ago11 comments

cong-oran hour ago
The 160k → 90k LOC reduction is nice, but the parallel rollout is the more interesting part. Running Rust alongside the C++ version and using differential fuzzing to check equivalence is a lot more realistic than “rewrite and pray.” You get incremental validation with the old system as a fallback. Curious how long they ran both before cutting over.
Binary size is a real concern on the client side. On servers the Rust stdlib overhead usually doesn’t matter, but when you’re shipping to billions of mobile devices, every KB counts. Good to see they invested in build tooling instead of just accepting the bloat.
- galangalalgolan hour ago
  Did they say anywhere what they did? Rebuilding the stdlib as part of your build can shrink it a lot depending on how much of it you use, but that is still nightly only. Maybe they went no_std or created their own?
  - surajrmal19 minutes ago
    They didn't but keep in mind that the app is currently 170MiB. The standard library shouldn't have added more than a few hundred kilobytes. They already likely pay similar costs for c++, but it's more worthwhile as they have a lot more c++ code total.
    Also note that if you statically link to the rust std library, lto will excise the majority of it anyways, no need to rebuild it.
storystarling5 hours ago
The hardest part of a rewrite like this is usually maintaining bug-for-bug compatibility with the legacy parser rather than the actual Rust implementation. Most real-world media files are malformed in some way that the C++ code implicitly handled, so if you write a strict parser you end up breaking valid user data. Differential fuzzing seems like the only practical way to map that behavior without manually reviewing millions of edge cases.
- dwattttt5 hours ago
  It sounds like it's a design goal of this "wamedia" to _not_ maintain bug compatibility with media players.
  - storystarling3 hours ago
    I suspect it is actually about maintaining permissiveness for malformed inputs rather than keeping security bugs. I ran into this building ingestion for a print-on-demand service where users upload technically broken PDFs that legacy viewers handle fine. If the new parser is stricter than the old one you end up rejecting files that used to work, which is a non-starter for the product.
nevi-me6 hours ago
> We believe that this is the largest rollout globally of any library written in Rust.
I suppose this is true because there's more phones using WhatsApp than there are say Windows 11 PCs.
Given that WhatsApp uses libsignal, is it safe to assume that they haven't been using the Rust library directly?
- marisen5 hours ago
  WhatsApp doesn't use libsignal, and Android is already pretty Rusty and deployed more than WhatsApp around the world (not just smartphone. Tons of "embedded" use cases also run on custom Android)
  - pjmlp5 hours ago
    Like our gym devices that have a full tablet to run a basic application to control weights, talk about wasting money.
    g947o4 hours ago
    It doesn't make sense for that device alone, but the vendor probably supplies all the different equipment in the gym. Using a tablet simplifies their supply chain, deployment, debugging/repair, app update process and simply supports more features. There are probably some connectivity features on the device, for example. When you look at all of that together, it's hard to argue it's wasting money.
    It's like complaining about Electron apps. For sure I love small native apps like everyone else. But, if Electron enables a company to ship cross-platform apps and iterate faster, who am I to say no?
    (I happen to have seen some of those tablets in diagnostic mode and poked around a bit. These things are much more complicated than you think.)
    rswail2 hours ago
    Once you price in the cost of integration, plastics, ROHS, CE and other regulatory/certifications, the extra cost of an Android tablet which already has a lot of that starts to make sense.
    If you also add in the extra ease of things like device management across fleets etc, it becomes a no-brainer for the manufacturer.
    pjmlp4 hours ago
    Well, doesn't look like to me, and a plain ESP32 with a touch screen would do the job for displaying a weight bar with plus, minus and reset count buttons.
    usrusr3 hours ago
    And then you get to a cardio unit where you want a completely different set of features and have to start over. Going lean on hardware only makes sense when you push out a very high number of units, when you have to deal with battery constraints or when you just have a lot of intertia, the combination of existing codebase and developer filter skillset.
    pjmlp3 hours ago
    Except all the machines have the same feature set I mentioned.
    Agree that wanting to hire cheap developers is why they did it that way, the current interface is so laggy that I would bet it is Web based, on top of running Android for nothing.
    rswail2 hours ago
    That's not a problem of the platform, but is a problem of the developers.
    The extra cost of an Android capable tablet (maybe $200 especially wholesale) is a minimal hardware cost considering the overall price of the equipment is in the thousands.
    But finding good embedded developers is a very difficult problem to solve, much easier to find Android app developers and then you get the Android eco-system for free like device management, OTA updates etc.
    Put all the sensors and controls on a USB bus and you need one or two actual embedded developers to deal with the drivers and the rest of the developers can build the UI that people see.
    In the case of a gym, the person buying the equipment is the customer, not you.
    They want features that will make you "sticky" to the gym, plus save costs on training you on how to use the equipment.
  - 5 hours ago
    undefined
- pjmlp5 hours ago
  If you watch "Microsoft is Getting Rusty: A Review of Successes and Challenges" it appears the whole effort is more on the Azure side, and besides some timid adoption like GDI regions, there is a lukewarm adoption of Rust on Windows side, still pretty much a C and C++ feud.
  https://www.youtube.com/watch?v=1VgptLwP588
palata4 hours ago
> Two major hurdles were the initial binary size increase due to bringing in the Rust standard library [...].
They don't say what they did about it, do they? Did they just accept it?
- sluongng3 hours ago
  I suspect they just use no_std whenever its applicable
  https://github.com/facebook/buck2/commit/4a1ccdd36e0de0b69ee...
  https://github.com/facebook/buck2/commit/bee72b29bc9b67b59ba...
  Turn out if you have strong control over the compiler and linker instrumentations, there are a lot of ways to optimize binary size
- pornel3 hours ago
  Probably yes. It's ~300KB per binary, and it's a one-time cost.
  It can be avoided entirely by disabling the standard library, but that's inconvenient, and usually done only when writing for embedded devices.
  Usually the problem isn't the size directly, but duplication of Rust dependencies in mixed C++/Rust codebases.
  If you end up with a sandwich of build systems (when you have library dependencies like C++ => Rust => C++ => Rust), each Rust/Cargo build bundles its copy of libstd and crates. Then you need to either ensure that the linker can clean that up, or use something like Bazel instead of Cargo to make it see both Rust and C++ deps as part of a single dependency tree.
  - surajrmalan hour ago
    The size is not fixed. It changes based on how much of the standard library you use. Dynamically linking the standard library is also a valid option in many cases.
    galangalalgolan hour ago
    Can it do lto on stdlib even without the nightly build-std flag?
- jsheard3 hours ago
  Who knows what they did, but there are things which can be done: https://github.com/johnthagen/min-sized-rust
- menaerus4 hours ago
  The whole article a bit watery which is why I read it as a PR rather than technical presentation
I_am_tiberiusan hour ago
> "WhatsApp provides default end-to-end encryption for over 3 billion people".
Wasn't there news lately that they can still read your messages somehow?
- 4gotunameagain39 minutes ago
  Every encryption is end to end if you're not picky about the ends, or metadata.
  Do you trust facebook (excuse me, meta) to not snoop on your messages, and to not share them with the "intelligence" agencies ?
  - Fripplebubby16 minutes ago
    This is not true. The spec is explicit that E2EE means that the message cannot be read by any party other than the sender and the intended receiver. When companies like Meta claim they support E2EE, this is what they claim. There are no tricky semantics or legalese at play here.
happyweaselan hour ago
Let's see how this unwrap()s in production scnr
- galangalalgol13 minutes ago
  Oh come on, that was funny. It also highlights a problem with the way people write rust. If your app panics it has a bug. People throw panics in cases that can absolutely happen, a file isn't there or fails to parse, some set of inputs is mutually inconsistent these are things for error checking. Even if the correct way to handle an error you detect is to stop the app, do that instead of panicking. Panics are for things that should be impossible. Ideally they even get optimized out.
kpcyrd6 hours ago
Very cool! I'm wondering if Signal is doing something similar? libsignal is implemented in Rust, but I don't know about the other parts.
aero-glide24 hours ago
Quite impressive, I did not know so many bugs were due to memory access.
- IshKebab2 hours ago
  To be fair the increased reliability of Rust code over C++ isn't just because of memory errors (out-of-bounds accesses, use-after-free, type confusion, etc). You also get:
  * No undefined behaviour (outside `unsafe`, which is quite easy to avoid). In C++ there are many many sources of UB that aren't really memory errors directly, e.g. signed integer overflow or forgetting to `return` from a function.
  * A much stronger type system.
  Those two things have a really significant impact on reliability.
blub2 hours ago
Just like Google’s Rust-in-Android blogs this reads like a PR piece (and in the case of facebook also recruitment piece) with some technical words sprinkled in for effect. The overall communication quality is that of a random startup’s “look what we did” posts.
The interesting aspects, such as how they protect against supply-chain attacks from the dependency-happy rust toolchain or how they integrated the C++ code with the Rust code on so many platforms - a top challenge as they said - remain a mystery.
Would also be interesting to hear how much AI-driven development they used for this project. My hope’s that AI gets really good at Rust so one doesn’t have to directly interact with the unergonomic syntax.
- surajrmalan hour ago
  The point of articles like this is to help build credibility for rust adoption. Rust is still not very widely adopted industry wide, and a lot of smaller players only use established technologies that bigger firms have shown works well. Rust is not inevitable, and articles like this are necessary for its future industry adoption.
mentalgear3 hours ago
Cool - now we only need to get selling-you-out-for-profit-Zuckerberg out of WhatsApp to make it really trustworthy.
wrtc_dev4 hours ago
[flagged]
- randomint642 hours ago
  That's right, Signal (https://kerkour.com/signal-app-rust), Proton (https://kerkour.com/proton-apps-rust), Matrix, Wire and many more are using a share, cross-platform Rust core and a platform-dependent UI layer.
  But it's not only the security-critical paths, but also most of the business logic (see the 2 posts above).
- wongarsu2 hours ago
  I agree with everything you say. But wow, does that comment sound like AI. Probably Grok?
  Not saying you are AI, you might just be a heavy user who picked up the same patterns
  - jsheard2 hours ago
    If it were an old account I might have given them the benefit of the doubt, but they literally just joined to make this comment. There's so many green accounts popping up which reek of AI now, like I've seen ones where all of their comments are almost exactly the same length.
  - roban hour ago
    It's a brand new account that reads 100% like a ChatGPT response where the author just swapped out the em dashes for hyphens when posting, knowing it's a common "indicator" people look for.
    It's more surprising to me that it seems to have already fooled a bunch of people looking at their replies to you.
  - 2 hours ago
    undefined
  - m00dy2 hours ago
    I like your AI slop detector, is it part of your consciousness ?
  - candiddevmike2 hours ago
    The "is key - ", is a key giveaway.
    EDIT to expand the evidence: It's placing unnecessary emphasis on a one off mention in the article (differential fuzzing) and then writes a bunch of bullshit around what it thinks it means (it's wrong, differential fuzzing isn't running them both in parallel during a transition, it's a testing methodology based on inputs/outputs).
    braiamp2 hours ago
    Which many people use. Heck, go to Stack Overflow about 10 years back. You will see people using it. It's a style.
    seritools2 hours ago
    TIL I'm an AI
    jdxcode2 hours ago
    I think it's a giveaway that it's human! A hyphen is incorrect punctuation.
    wongarsu2 hours ago
    According to British style guides an en-dash would be correct in that usage, and the difference between an en-dash (–) and a hyphen (-) is pretty small. Seems perfectly defensible to me unless you are publishing a book or academic journal
    deweyan hour ago
    AI is trained on human output, so that's not really a good differentiator.