
WhatsApp allegedly uses an implementation of the OpenWhisper encryption system that Signal created (and still uses). However, as there is no source code available, unlike Signal, there's no way to verify if WhatsApp "really" is using it (or using it correctly).



It's certainly better to have source, but this seems like a matter of degree? You don't really know what's in Signal unless you compile it yourself, and/or they have reproducible builds and you verify checksums. Instead you're trusting that the source matches the binary, and probably also that someone else who knows more about crypto is reviewing the source carefully.

In the modern world we basically outsource everything, including trust and verification. An open, social process of verification can be better, though.


But it's _so_ much better than GPG and the WoT where you have to ... verify..... everything........... yourself...........


Is there a way to verify that the Signal app in the app store was compiled from the published Signal sources?


Yes, this is generally called "reproducible builds". Signal has reproducible builds for Android, here is how to build it and compare against the one on your phone:

https://github.com/signalapp/Signal-Android/blob/master/Repr...


This is true, but that also doesn't answer the question. It still leads to a possibility. The hack could also sidestep OW in some other way and only be WA specific, but still begs the question. Security is a constant cat and mouse game, so if someone says: "well, that only affects WhatsApp, it won't affect us -- even though we use the same underlying structure," that sounds kinda naive.


Couldn't you determine by looking at the code in the APK, at least for Android?


It might be a bit difficult (but not impossible) to do that... the APK you download is not the APK that the developer uploads to the Play store. Usually, developers upload a "bundle," and then Google optimizes it by stripping out irrelevant media, i18n, etc., to deliver a smaller optimized APK to the end user.

So you can't just generate an MD5 of your APK and match it against the store description like the good old days when you could make sure your Linux ISO was legit, but there's probably some way to make it work?

EDIT: It might be possible to circumvent Google's bundling/optimizing by just uploading a regular old APK, but IIRC that was becoming more difficult these days. Unfortunately I'm not an Android dev expert.
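An added example, not part of any comment in this thread and not Signal's own comparison script: it illustrates both the build-and-compare step mentioned for reproducible builds and why a single whole-file hash of an APK does not match, by hashing each ZIP entry and skipping v1 signing metadata. The function names and the tiny sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing files; these differ between a local build and a store-signed APK.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signing_entry(name):
    return name.startswith("META-INF/") and (
        name == "META-INF/MANIFEST.MF" or name.upper().endswith(SIGNING_SUFFIXES))

def entry_digests(apk_bytes):
    """Map each non-signing ZIP entry to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not is_signing_entry(i.filename)}

def compare_apks(built, installed):
    """Report entries that exist on one side only or whose content differs."""
    a, b = entry_digests(built), entry_digests(installed)
    return {
        "only_in_built": sorted(a.keys() - b.keys()),
        "only_in_installed": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_apk(entries, level):
    """Constructed sample: build a small ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=level) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed inputs: same code, different signer and compression level.
CODE = {"classes.dex": b"dex\n035\0" + b"A" * 64, "AndroidManifest.xml": b"<manifest/>"}
LOCAL = make_apk({**CODE, "META-INF/CERT.RSA": b"local-key"}, 1)
STORE = make_apk({**CODE, "META-INF/CERT.RSA": b"store-key"}, 9)
TAMPERED = make_apk({**CODE, "classes.dex": b"dex\n035\0" + b"B" * 64,
                     "META-INF/CERT.RSA": b"store-key"}, 9)

if __name__ == "__main__":
    print("whole-file bytes equal:", LOCAL == STORE)
    print("local vs store:", compare_apks(LOCAL, STORE))
    print("local vs tampered:", compare_apks(LOCAL, TAMPERED))
```

Entries that a store adds or strips when repackaging a bundle would appear in the `only_in_*` lists, so a clean result here only covers the entries both archives share.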


Yes, "no way to verify" is a bit strong. Not as easy to verify is true (but: if you review the source, you'd also have to build the app yourself).



