The article is an interesting read, but the argument that WhatsApp is untrustworthy because it is closed-source, while technically accurate regarding its transparency, is a flawed explanation for three main reasons:
1. Verification via Traffic Analysis
You don't need to see the source code to verify that encryption is working. Security researchers use black-box testing to intercept data packets leaving the device. If the encryption were fake or backdoored, the data would show identifiable patterns or plain text. To date, independent network analysis confirms that WhatsApp consistently uses the Signal Protocol to scramble message content.
2. The Scale of Scrutiny
The claim that reverse engineering is "not done in practice" is misleading. Because WhatsApp is used by billions, it is one of the most scrutinized pieces of software in history. Bug hunters, state actors, and cybersecurity firms constantly probe the binary code for vulnerabilities. While harder than reading open-source code, this constant adversarial auditing acts as a massive, unofficial security check.
3. Protocol vs. Implementation
WhatsApp uses the open-source Signal Protocol for its encryption. While the app's interface is private, the cryptographic engine is based on a peer-reviewed standard. If Meta modified the protocol to introduce a backdoor, it would likely alter the cryptographic handshake in a way that would be detectable to experts monitoring the metadata.
TL;DR: While open-source is better for transparency, WhatsApp's security is validated through network observation and external pressure, rather than just "taking Meta’s word for it."
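As an added illustration of the black-box check described under point 1 (example code, not from the comment's author or from WhatsApp): a Python heuristic that scores captured payloads for readable text, a biased byte distribution and repeated blocks, the three signs of fake or broken encryption the comment mentions. The payloads below are constructed, not real captures, and the thresholds are rough assumptions.

```python
"""Does a captured payload look encrypted?  Properly encrypted data is close to
uniformly random; fake or broken encryption shows up as printable text, low
entropy or repeated blocks.  A key-leaking backdoor would still pass this check,
so it verifies the ciphertext, not the key handling."""
import hashlib
import math
import string
from collections import Counter

PRINTABLE = set(string.printable.encode())
BLOCK = 16  # block size assumed for the repeated-block check

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for ideal uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; random data sits near 100/256 = 0.39."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def duplicate_blocks(data: bytes, size: int = BLOCK) -> int:
    """Repeated full blocks, the classic fingerprint of a deterministic (ECB-like) cipher."""
    blocks = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return len(blocks) - len(set(blocks))

def classify(data: bytes) -> dict:
    """'encrypted-looking' needs high entropy, few printable bytes and no repeated blocks."""
    ent, pr, dup = shannon_entropy(data), printable_ratio(data), duplicate_blocks(data)
    if pr > 0.9 or ent < 6.0:
        verdict = "plaintext-like"
    elif dup > 0:
        verdict = "patterned ciphertext"
    elif ent > 7.5:
        verdict = "encrypted-looking"
    else:
        verdict = "inconclusive"
    return {"entropy": round(ent, 2), "printable": round(pr, 2),
            "dup_blocks": dup, "verdict": verdict}

# Constructed sample payloads (not real traffic).
PLAINTEXT = b"Meeting moved to 5pm, bring the signed contract. " * 8
RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
PATTERNED = RANDOMISH[:16] * 16 + RANDOMISH[256:512]  # one block repeated 16 times

if __name__ == "__main__":
    for name, payload in [("plaintext", PLAINTEXT), ("patterned", PATTERNED), ("random", RANDOMISH)]:
        print(name, classify(payload))
```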
It definitively became so when Meta (then still Facebook) acquired WhatsApp in 2014, even if they were to open source it.