Full version here: https://eprint.iacr.org/2025/794.pdf
We didn't review the entire source code, only the cryptographic core. That said, the main issue we found was that the WhatsApp servers ultimately decide who is and isn't in a particular chat. Dan Goodin wrote about it here: https://arstechnica.com/security/2025/05/whatsapp-provides-n...
0. https://www.propublica.org/article/how-facebook-undermines-p...
My money is on the chats being end to end encrypted and separately uploaded to Facebook.
That's a cute loophole you thought up, but whatsapp's marketing is pretty unequivocal that they can't read your messages.
>With end-to-end encryption on WhatsApp, your personal messages and calls are secured with a lock. Only you and the person you're talking to can read or listen to them, and no one else, not even WhatsApp
That's not to say it's impossible that they are secretly uploading your messages, but the implication that they could be secretly doing so while not running afoul of their own claims because of cute word games, is outright false.
well that's alright then
facebook's marketing and executives have always been completely above board and completely honest
>That's not to say it's impossible that they are secretly uploading your messages, but the implication that they could be secretly doing so while not running afoul of their own claims because of cute word games, is outright false.
And humans aren't great at keeping secrets.
So, if the claim is that there's a bunch of data, but everyone who is using it to great gain is completely and totally mum about it, and no one else has ever thought to question where certain inferences were coming from, and no employee ever questioned any API calls or database usage or traffic graph.
Well, that's just about the best damn kept secret in town and I hope my messages are as safe!
And I'm no fan of Meta...
AFAIK that was a separate app, and it was pretty clear that it was MITMing your connections. It's not any different than say, complaining about how there weren't any whistleblowers for fortinet (who sell enterprise firewalls).
>scanning other installed mobile applications
Source?
I wonder what the eula says.
There's the conspiracy theory about mentioning a product near the phone and then getting ads for it (which I don't believe), but I feel like I've mentioned products on WhatsApp chats with friends and then got an ad for them on Instagram sometime after.
Also claiming "no one else can read it" is a bit brave, what if the user's phone has spyware that takes screenshots of WhatsApp... (Technically of course it's outside of their scope to protect against this, but try explaining that to a judge who sees their claim and the reality)
Well you sure as hell should. Both Google and Apple are making class action settlement payments right now for this very thing.
https://www.bbc.com/news/articles/c4g38jv8zzwo
https://www.nbcchicago.com/news/local/payments-begin-in-95m-...
https://www.404media.co/heres-the-pitch-deck-for-active-list...
>https://www.nbcchicago.com/news/local/payments-begin-in-95m-...
Both are for voice assistants that inadvertently got activated. Extending it to imply that they're intentionally deceiving their users is a stretch.
>https://www.404media.co/heres-the-pitch-deck-for-active-list...
It's a pitch deck. For how skeptical HN is about AI startups or whatever, it seems pretty strange to take this at face value.
The difference between source code in a high-level language, and AArch64 machine language, is surmountable. The effort is made easier if you can focus on calls to the crypto and networking libraries.
Understanding program flow is very different from understanding the composition of data passing though the program.
As GP alludes, you would be looking for a secondary pathway for message transmission. This would be difficult to hide in AArch64 code (from a skilled practitioner), and extra difficult in decompiled Java.
It would be "easy" enough, and an enormous prize, for anyone in the field.
> a secondary pathway for message transmission
That's certainly the only way messages could be uploaded to Facebook!
I've done this work on other mobile apps (not WhatsApp), and the work is not out of the ordinary.
It's difficult to hide subtleties in decompiled code. And anything that looks hairbally gets special attention, if the calling sites or side effects are interesting.
(edit for edit)
> That's certainly the only way messages could be uploaded to Facebook!
Well, there's a primary pathway which should be very obvious. And if there's a secondary pathway, it's probably for telemetry etc. If there are others, or if it isn't telemetry, you dig deeper.
All secrets are out in the open at that point. There are no black boxes in mobile app code.
Seems like a good channel upon which to piggyback user data. Now all you have to do is obfuscate the serialization.
> It's difficult to hide subtleties in decompiled code.
Stripped, obfuscated code? Really? Are we assuming debug ability here?
> All secrets are out in the open at that point. There are no black boxes in mobile app code.
What about a loader with an encrypted binary that does a device attestation check?
I'd wager most of these comments are from nontechnical people, or technical people that are very far removed from security.
WhatsApp is constantly RE'd because it'd be incredibly valuable to discover gaps in its security posture, the community would find any exfil here.
Mobile applications are outside my domain so I am surprised platform security (SEL, attestation, etc.) has been so easily defeated.
I am not familiar with the state of app RE. But between code obfuscators and the difficulty of distinguishing between 'normal' phone home data and user chats when doing static analysis... I'd say it's not out of the question.
If governments of various countries have compelled Meta to provide a backdoor and also required non-disclosure (e.g. a TCN secretly issued to Meta under Australia's Assistance and Access Act), this is how I imagined they would do it. It technically doesn't break encryption as the receiving device receives the encrypted message.
This is what I've suspected for a long time. I bet that's it. They can already read both ends, no need to b0rk the encryption. It's just them doing their job to protect you from fourth parties, not from themselves.
Any large scale provider with headquarters in the USA will be subject to backdoors and information sharing with the government when they want to read or know what you are doing.
Happy to bet $100 that this lawsuit goes nowhere.
Not just the USA. This is basically universal.
This type of generalized defeatism does more harm than not.
Nation state governments do have the ability to coerce companies within their territory by default.
If you think this feature is unique to the USA, you are buying too much into a separate narrative. All countries can and will use the force of law to control companies within their borders when they see fit. The USA actually has more freedom and protections in this area than many countries, even though it’s far from perfect.
> This type of generalized defeatism does more harm than not.
Pointing out the realities of the world and how governments work isn’t defeatism.
Believing that the USA is uniquely bad and closing your eyes to how other countries work is more harmful than helpful.
The OP assumption that it's just the way it is and everyone should accept their communication being compromised is the issue.
But for your data you want to absolutely keep secret? It's probably the only to guarantee someone else somewhere cannot see it, default to assume if it's remote, someone will eventually be able to access it. If not today, it'll be stored and decrypted later.
Then why are politicians wasting time and attracting ire attempting pushing it through? Same goes for UK demanding backdoors. If they already have it, why start a big public fight over it?
Wonder what large scale provider outside USA won’t do that?
Thats just wrong. Signal for example is headquartered in the US and does not even have this capability (besides metadata)
Personally, I would never trust anyone big enough that it(in this case Meta) need and want to be deeply entangled in politics.
> There’s a lawsuit against WhatsApp making the rounds today, claiming that Meta has access to plaintext. I see nothing in there that’s compelling; the whole thing sounds like a fishing expedition.
https://bsky.app/profile/matthewdgreen.bsky.social/post/3mdg...
1. as others have said, they could be collecting the encrypted messages and then tried to decrypt them using quantum computing, the Chinese have been reportedly trying to do this for many years now.
2. with metadata and all the information from other sources, they could infer what the conversation is about without the need to decrypt it: if I visit a page (Facebook cookies, they know), then I share a message to my friend John, and then John visits the same page (again, cookies), then they can be pretty certain that the contain of the message was me sharing the link.
I no longer work at Meta, but in my mind a more likely scenario than (1) is: a senior engineer proposes a 'Decryption at Scale' framework solely to secure their E6 promo, and writes a 40-page Google Doc to farm 'direction' points for PSC. Five PMs repost this on Workplace to celebrate the "alignment" so they can also include it in their PSCs.
The TL and PMs immediately abandon the project after ratings are locked because they already farmed the credit for it. The actual implementation gets assigned to an E4 bootcamp grad who is told by a non-technical EM to pivot 3 months in because it doesn't look like 'measurable impact' in a perf packet. The E4 gets fired to fill the layoff quota and everyone else sails off into the sunset.
can analyze receivers data or receivers contact trees data which is easier to access.
The number of free or paid data sources is daunting.
But you never know.
The reality is that most users do not seem to care. For many, WhatsApp is simply “free SMS,” tied to a phone number, so it feels familiar and easy to understand, and the broader implications are ignored.
The government is pretty harsh when they find out you lied under oath. Corporate officers do not lie to the government frequently.
I don't have any proof that Meta stores WhatsApp messages but I feel it in my bones that at the very least tried to do so. And if ever that comes to light, precisely nobody will be surprised.
The amount of ambient cynicism on the internet basically makes this a meaningless statement. You could plausibly make the same claim for tons of other conspiracy theories, eg. JFK was assassinated by the CIA/FBI, Bush did 9/11, covid was intentionally engineered by the chinese/US government, etc.
The evidence is pretty clear that Facebook wants to do everything they legally can to track and monitor people, and they're perfectly okay crossing the line and going to court to find the boundaries.
Using a company like that for encrypted messaging seems like an unnecessary risk. Maybe they're not decrypting it, but they're undoubtedly tracking everything else about the conversation because that's what they do.
And I’m not even getting into the obvious negative social/political repercussions that have come directly from Facebook and their total lack of accountability/care. They make the world worse. Aside from the inconvenience for hobbyist communities and other groups, all of which should leave Facebook anyway, we would lose nothing of value if Facebook was shut down today. The world would get slightly better.
No, the best (and also most likely) outcome is you using a VPN and nothing happens, like 99.9% of pirates out there.
>Literally nothing happened.
Isn't there a lawsuit in the works?
The true wealthy live by an entirely different set of rules than the rest of us, especially when they are willing to prostrate themselves to the US President.
This has always been true to some degree, but is both more true than ever (there used to be some limits based on accepted decorum) plus they just dont even try to hide it anymore.
Quick, someone set up a Kalshi or Polymarket or whatever claiming that WhatsApp isn't E2EE.
I'll gladly bet against the total volume of people that believe it isn't E2EE -- it'll be an easy 2x for you or me.
Compromise of the client side application or OS shouldn't break the security model.
This should be possible with current API's, since each message could if needed simply be a single frame DRM'ed video if no better approach exists (or until a better approach is built).
I don't really see how it's possible to mitigate client compromise. You can decrypt stuff on a secure enclave but at some point the client has to pull it out and render it.
Easy: pass laws requiring chat providers to implement interoperability standards so that users can bring their own trusted clients. You're still at risk if your recipient is using a compromised client, but that's a problem that you have the power to solve, and it's much easier to convince someone to switch a secure client if they don't have to worry about losing their contacts.
In Europe that's called the Digital Markets Act.
Methinks you put far too much faith in the government, at least from my understanding of the history of cybersecurity :)
Think of the way DRM'ed video is played. If the media player application is compromised, the video data is still secure. Thats because the GPU does both the decryption and rendering, and will not let the application read it back.
You could put the entire app within TrustZone, but then you're not trusting the app vendor any less than you were before.
You don't build defense-in-depth by assuming something can't be compromised.
This was 2025. I'm excited for what 2026 will bring. Things are moving fast indeed.
If you are sophisticated enough to understand, and want, these things (and I believe that you are) …
… then why would you want to use WhatsApp in the first place?
In the universe where they are the same entity (walled-gardens) there is only the middleman.
In such cases you either trust them or you don’t, anything more is not required because they can compromise their own endpoints in a way you can not detect.
For WhatsApp they claim it is like Signal, with the caveat that if you have backups enabled it works like Messenger. Although interestingly if you have backups enabled the key may be stored with Apple/Google rather than Meta, it might be the case that with backup enabled your phone vendor can read your WhatsApp messages but Facebook cannot.
- WhatsApp encryption is broken
- EU's and UK's Chat Control spooks demand Meta to insert backdoor because they cannot break the encryption
The Guardian has its own editorial flavour on tech news, so expect them to use any excuse to bash the subject.
Those are not law, so no the EU doesnt demand that
Ideally, WhatsApp would fully support third-party open-source clients that can ensure that the mathematics are used as intended.
https://support.apple.com/en-us/122234
In fact on this page they still claim iMessage is end-to-end encrypted.
TUESDAY, NOVEMBER 25, 2025 Blind Item #7 The celebrity CEO says his new chat system is so secure that even he can't read the messages. He is lying. He reads them all the time.
...assuming you have icloud backups enabled, which is... totally expected? What's next, complaining about bitlocker being backdoored because microsoft can read your onedrive files?
What does that even mean? Suppose icloud backups doesn't exist, but you could still take screenshots and save them to icloud drive. Is that also "Apple has always been able to read encrypted iMessage messages"? Same goes for "other people having icloud backups enabled". People can also snitch on you, or get their phones seized. I feel like people like you and the article author are just redefining the threat model of E2EE apps just so they can smugly go "well ackshually..."
It's not hard to understand why Apple uploading every message to themselves to read by default is different from somebody intentionally taking a screenshot of their own phone.
Is icloud backups opt in or opt out? If it's opt in then would your objection still hold?
...that telegram is backdoored by the russians? The implication you're trying to make seems to be that russians must be choosing telegram because it's secure, but are ignoring the possibility that they're choosing telegram because they have access to it. After all, you think they want the possibility of their military scheming against them?
Exactly who has the ability to decrypt the backup is not totally clear.
It may be a different situation for non-Android users, Android users who are not signed in with a Google account, Android users who are not using Google Play Services, etc.
I remember that you had to extract at least two keys from the android device to be able to read "on-device" chat storage in the days of yore, so the tech is there.
If you don't have the keys' copies in the Google Drive side, we can say that they are at least "superficially" encrypted.
> Our colleagues’ defence of NSO on appeal has nothing to do with the facts disclosed to us and which form the basis of the lawsuit we brought for worldwide WhatsApp users.
According to Meta's own voluntarily published official statements, they do not.
* FAQ on encryption: https://faq.whatsapp.com/820124435853543
* FAQ for law enforcement: https://faq.whatsapp.com/444002211197967
These representations are legally binding. If Meta were intentionally lying on these, it would invite billions of dollars of liability. They use similar terminology as Signal and the best private VPN companies: we can't read and don't retain message content, so law enforcement can't ask for it. They do keep some "meta" information and will provide it with a valid subpoenoa.
The latter link even clarifies Meta's interpretation of their responsibilities under "National Security Letters", which the US Government has tried to use to circumvent 4th amendment protections in the past:
> We interpret the national security letter provision as applied to WhatsApp to require the production of only two categories of information: name and length of service.
I guess we'll see if this lawsuit goes anywhere or discovery reveals anything surprising.
The tricky part would be doing it and not getting caught though.
> the idea that WhatsApp can selectively and retroactively access the content of [end-to-end encrypted] individual chats is a mathematical impossibility
> Steven Murdoch, professor of security engineering at UCL, said the lawsuit was “a bit strange”. “It seems to be going mostly on whistleblowers, and we don’t know much about them or their credibility,” he said. “I would be very surprised if what they are claiming is actually true.”
No one apart from the firm filing the lawsuit is actually supporting this claim. A lot of people in this thread seem very confident that it's true, and I'm not sure what precisely makes them so confident.
It is not a mathematical impossibility in any way.
For example they might be able to read the backups, the keys might be somehow (accidentaly or not) leaked...
And then the part about Telegram not having end2end encryption? What's this all about?
Nowadays all of the messaging pipeline on my phone is closed source and proprietary, and thus unverifiable at all.
The iPhone operating system is closed, the runtime is closed, the whatsapp client is closed, the protocol is closed… hard to believe any claim.
And i know that somebody’s gonna bring up the alleged e2e encryption… a client in control of somebody else might just leak the encryption keys from one end of the chat.
Closed systems that do not support third party clients that connect through open protocols should ALWAYS be assumed to be insecure.
So you're posting this from an open core CPU running on an open FPGA that you fabricated yourself, right? Or is this just a game of one-upmanship where people come with increasingly high standards for what counts as "secure" to signal how devoted to security they are?
> a client in control of somebody else might just leak the encryption keys from one end of the chat.
has nothing to do with closed/open source. preventing this requires remote attestation. i don't know of any messaging app out there that really does this, closed or open source.
also, ironically remote attestation is the antithesis of open source.
“everything I ever do can be used against me in court”
…then you are not up-to-date with the latest state of society
Privacy is the most relevant when you are in a position where that information is the difference between your life or your death
The average person going through their average day breaks dozens of laws because the world is a Kafkaesque surveillance capitalist society.
The amount of information that exists about there average consumer is so unbelievably godly such that any litigator could make an argument against nearly any human on the planet that they are in violation of something if there is enough pressure
If you think you’re safe in this society because you “don’t do anything wrong“ then you’re compromised and don’t even realize it
WhatsApp has been reverse engineered extensively, they worked with Moxie's team to implement the same protocol as Signal, and you can freely inspect the client binaries yourself!
If you're confident this is the case, you should provide a comment with actual technical substance backing your claims.
Zuck thinks we're "dumb fucks". That's his internet legacy. Copying products, buying them up, wiping out competition
The PIN interface is also an HSM on the backend. The HSM performs the rate limiting. So they'd need a backdoor'd HSM.
However, most users can't be bothered to choose such a PIN. In this case they choose a 4 or 6 digit pin.
To mitigate the risk of brute force, the PIN is rate limited by an HSM. The HSM, if it works correctly, should delete the encryption key if too many attempts are used.
Now sure, Meta could insert itself between the client and HSM and MITM to extract the PIN.
But this isn't a Meta specific gap, it's the problem with any E2EE system that doesn't require users to memorize a master password.
I helped design E2EE systems for a big tech company and the unsatisfying answer is that there is no such thing as "user friendly" E2EE. The company can always modify the client, or insert themselves in the key discovery process, etc. There are solutions to this (decentralized app stores and open source protocols, public key servers) but none usable by the average person.
Every time you sign in to the web interface or resign into the app you enter it. I don’t remember an option for an alphanumeric pin or to offload it to a third party.
The Messenger PIN is rate limited by an HSM, you merely enter it through the web interface.
Of course, the HSM could be backdoored or the client could exfil the secret but the latter would be easy to discover.
Harder to do any better here without making the user memorize a master password, which tends to fail miserably in real life.
Sure, Meta can obviously read encrypted messages in certain scenarios:
- you report a chat (you're just uploading the plaintext)
- you turn on their AI bot (inference runs on their GPUs)
Otherwise they cannot read anything. The app uses the same encryption protocol as Signal and it's been extensively reverse engineered. Hell, they worked with Moxie's team to get this done (https://signal.org/blog/whatsapp-complete/).
The burden of proof is on anyone that claims Meta bypassing encryption is "obviously the case."
I am really tired of HN devolving into angry uninformed hot takes and quips.
I need to either enter my password or let the app access my iCloud Keychain to let it derive the backup encryption key.
It's also well known that they worked with the Moxie's team to implement the same E2EE protocol as Signal. So messages are E2EE as well.