So much jelly in this comment. They obviously made good product decisions to get to this point. A few blips along the way will happen, when you are focusing on much more important things.
Your entire SMS history is available to any app with permissions. Most people don't even know that, or are not bothered by it. This is literally feature parity with default SMS. WhatsApp is about messaging that is simple and functional. Security is not even a main selling point.
If you want security, there are apps for that. Good luck getting your friends to use it.
Hrm. I'm torn both ways. I think a world with whatsapp is less oppressive than a world without whatsapp, even if people can spy on it, tap into it, etc- because it allows people to communicate where they previously might not have been able to. A world with secure whatsapp would, of course, be even better than a world with insecure whatsapp.
> I think a world with whatsapp is less oppressive than a world without whatsapp, even if people can spy on it, tap into it, etc- because it allows people to communicate where they previously might not have been able to.
That's a fair stance. I don't have strong feelings vis-à-vis WhatsApp, so this is more of a general statement:
I think the illusion of secure communication is more dangerous than insecure communication. People who think they can't be spied on will expose themselves in ways they otherwise wouldn't.
It is not a few blips. They have consistently shown themselves to be unable to implement any kind of effective cryptography. Take this case as an example. They seem to have tried to prevent this kind of attack by encrypting the data on the SD card with a static key. How hard would it have been to generate a random key and save the key on the internal storage?
Another example is the transport, i.e. client-to-server encryption. Even their new protocol looks like it has been hacked up by someone who learned his/her cryptography from 5 hours of Wikipedia reading: https://blog.thijsalkema.de/blog/2013/10/08/piercing-through... . You would think that for a market value of 19x10^9 dollars you could afford to hire a single cryptographer or IT security specialist. Especially after you have been criticized for your bad security for years.
> If you want security, there are apps for that. Good luck getting your friends to use it.
We are not even talking about difficult usability decisions here, where strong end-to-end encryption has to be visible in the user interface to allow fingerprint checking. This is about the most fundamental security measures, like: if you connect to your server, use TLS (and check the certificate), or if you encrypt something, don't use the same key everywhere.
weixiyen seems to be ignorant of, or omitted, the fact that there's a difference between "read text messages" and "read the SD card" permissions. If some Flappy Bird clone wants to read/write the SD card, maybe users don't care, but they might decide it has no legitimate reason to read their messages.
If one wanted to criticize Android for having such broad SD card permissions, there may be an argument there, but given the current state of things, it's trivial for apps to securely encrypt files they put on the SD card (they store the key in internal storage, which is much better-protected.)
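The approach mentioned in the comment above (a random per-install key kept in internal storage, only ciphertext on the SD card), as an added example that is not part of the thread or of WhatsApp's code. The choice of AES-GCM, the class name, the file names and the two directories (temporary stand-ins for app-private and shared storage) are assumptions.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

// Hypothetical helper: internalDir stands for app-private storage, the SD card path for shared storage.
public final class SdCardBackup {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Load this install's key, or create a random 256-bit one on first use (never a constant in the app).
    static SecretKey loadOrCreateKey(Path internalDir) throws IOException, GeneralSecurityException {
        Path keyFile = internalDir.resolve("backup.key"); // constructed file name
        if (Files.exists(keyFile)) return new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        SecretKey key = kg.generateKey();
        Files.write(keyFile, key.getEncoded());
        return key;
    }

    // Write IV || ciphertext+tag to shared storage; GCM needs a fresh IV for every file.
    static void writeEncrypted(SecretKey key, Path sdFile, byte[] plain) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        Files.write(sdFile, ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }

    // Decrypt and authenticate; throws AEADBadTagException if the file was altered or the key differs.
    static byte[] readEncrypted(SecretKey key, Path sdFile) throws IOException, GeneralSecurityException {
        byte[] blob = Files.readAllBytes(sdFile);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        Path internal = Files.createTempDirectory("internal"); // stand-in for internal storage
        Path sdFile = Files.createTempDirectory("sdcard").resolve("msgstore.enc"); // constructed name
        writeEncrypted(loadOrCreateKey(internal), sdFile, "constructed sample".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(readEncrypted(loadOrCreateKey(internal), sdFile), StandardCharsets.UTF_8));
    }
}
```

An app that can only read the shared directory sees the IV and ciphertext but not `backup.key`, and a key copied from another install fails the GCM tag check.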
> They obviously made good product decisions to get to this point.
Which is the problem with this kind of "market". It's basically theft, yes, stolen merch does sell well. Join the game, this is how the rules are played, take a page from the CIA's book. Have fun!