Comment by quesera

Comment by quesera 16 hours ago

I'm curious why you think it's handwavy.

I've done this work on other mobile apps (not WhatsApp), and the work is not out of the ordinary.

It's difficult to hide subtleties in decompiled code. And anything that looks hairbally gets special attention, if the calling sites or side effects are interesting.

(edit for edit)

> That's certainly the only way messages could be uploaded to Facebook!

Well, there's a primary pathway which should be very obvious. And if there's a secondary pathway, it's probably for telemetry etc. If there are others, or if it isn't telemetry, you dig deeper.

All secrets are out in the open at that point. There are no black boxes in mobile app code.

cosmicgadget 16 hours ago

> if there's a secondary pathway, it's probably for telemetry etc.

Seems like a good channel upon which to piggyback user data. Now all you have to do is obfuscate the serialization.

> It's difficult to hide subtleties in decompiled code.

Stripped, obfuscated code? Really? Are we assuming debug ability here?

> All secrets are out in the open at that point. There are no black boxes in mobile app code.

What about a loader with an encrypted binary that does a device attestation check?

  • quesera 15 hours ago

    I've lost track of our points of disagreement here. Sure, it's work, but it's all doable.

    Obfuscated code is more difficult to unravel in its original form than the decompiled form. Decompiled code is a mess with no guideposts, but that's just a matter of time and patience to fix. It's genuinely tricky to write code that decompiles into deceptive appearances.

    Original position is that it'd be difficult to hide side channel leakage of chat messages in the WhatsApp mobile app. I have not worked on the WhatsApp app, but if it's anything like the mobile apps I have analyzed, I think this is the correct position.

    If the WhatsApp mobile apps are hairballs of obfuscation and misdirection, I would be a) very surprised, and b) highly suspicious. Since I don't do this work every day any more, I haven't thought much about it. But there are so many people who do this work every day, and WhatsApp is so popular, I'd be genuinely shocked if there were fewer than hundreds of people who have lightly scanned the apps for anything hairbally that would be worth further digging. Maybe I'm wrong and WhatsApp is special though. Happy to be informed if so.