Hacker News new | past | comments | ask | show | jobs | submit login

This main flagrant or off-topic, but something that nags at me when thinking about truly secure messaging apps from the App Store:

Even with perfect e2e encryption protocol added, what's preventing WhatsApp developers (FB) from adding in a feature of the app:

if local.user is "TargetUser007" { takeDeviceSnap(); sendDeviceSnapshotToFBOverSameEncryption(); }

Wouldn't this not be ever verifiable unless you ARE that specific user and it's too late?




Yes. Richard Stallman calls these “Universal Back Doors”: https://www.gnu.org/proprietary/proprietary-back-doors.en.ht...


You'd also have to make sure they were the only user that received that binary.

Otherwise you'd have to hope that no one reverse engineered the binary and noticed the oddly specific comparison there.


You might be able to disguise it as debugging/development code that was mistakenly left in there. And instead of a hardcoded list of targets it could pull down the values in a more creative way. But at the end of the day that probably wouldn't stop a talented reverse engineer from figuring out what was going on.


Are reverse engineering techniques currently greater than known ability to obfuscate compiled iOS code?


And it'd have to work for other platforms, too. Android is Java right? Which is even easier to RE.


Android apps can also contain native code. Indeed, WhatsApp includes such libraries, to help with Curve25519 encryption, video encoding, voice over IP, and other functionality.


But it should be straightforward enough to see if text messages or UI elements (suppress key change notification) are being change depending on the output of those libraries.


Yes


I'm sure some security researcher somewhere has run the app through a debugger/disassembler to verify exactly this.


Has it happened before in a similar case?


who's doing that research?


Somebody, there's always somebody else.

Right?


Same as if the app was open source, no?


The millions of eyeballs who would otherwise be meticulously studying the source code.


I think you mean the dozens of eyeballs.


The guy who found this "vulnerability", for example?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: