As of December 1, 2015, WhatsApp has a score of 2 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It has received points for having communications encrypted in transit and having completed an independent security audit. It is missing points because communications are not encrypted with a key the provider doesn't have access to, users can't verify contacts' identities, past messages are not secure if the encryption keys are stolen, the code is not open to independent review, and the security design is not properly documented.
The EFF score card is an embarrassment which is essentially equivalent to one of those "comparison table of our competitors" on a SaaS website. That's a good analogy for it, because it uses the same questionable metrics and even more questionable ranking system that one of those tables would use. The score card gives Signal the same ranking as Cryptocat - that's an instant negative result for its usefulness.
EFF scorecard isn't meant to measure "how secure" an app is; it's supposed to measure how secure and free the application could potentially be.
Having keys held by the creator is a sure way to undermine any security model; having externally auditable code is a measure to ensure people can independently verify if code is secure or not (or if it's taking a carbon copy for its creators), etc.
As of December 1, 2015, WhatsApp has a score of 2 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It has received points for having communications encrypted in transit and having completed an independent security audit. It is missing points because communications are not encrypted with a key the provider doesn't have access to, users can't verify contacts' identities, past messages are not secure if the encryption keys are stolen, the code is not open to independent review, and the security design is not properly documented.
https://en.wikipedia.org/wiki/WhatsApp