(no title)

https://cybersecuritynews.com/track-android-users-covertly/

An audit of 'they can't read it cryptographically' but the app can read it, and the app sends data in all directions. Push notifications can be used to read messages.

It is reproducibly loaded in each chat, and an MitM firewall can also confirm that. I don't know why the focus of audits like these are always on a specific part of the app or only about the cryptography parts, and not the overall behavior of what is leaked and transferred over the wire, and not about potential side channel or bypass attacks.

Transport encryption is useless if the client copies the plaintext of the messages afterwards to another server, or say an online service for translation, you know.

Now, of course, this assumes the client hasn't been simultaneously compromised to hide that. But it's defense in depth at the very least.

It is worth noting that this may be eroding as we speak: https://www.livemint.com/technology/tech-news/whatsapp-could... (Jan 24 2026) reports that Whatsapp is developing a way for one member to share historical messages en masse with a new group member. While this is manually triggered by the sender at the moment, it presents an enticing attack surface on technical, social-engineering, and political fronts to erode retroactive security much more rapidly going forward.

(And it goes without saying that if you think you're exempt from needing to worry about this because you're not involved in certain types of activity, the speed at which policies are evolving around the world, and the ability to rapidly process historical communications data at scale, should give you pause. "Ex post facto" is not a meaningful principle in the modern AI-enabled state.)

Why not

"Our work is based primarily on the WhatsApp web client, archived on 3rd May 2023, and version 6 of the WhatsApp security whitepaper [46]."

Did not even look at the continously changing mobile app, only looked at part of the minified Javascript in the web client

Not sure what this accomplishes. Are the encryption protocols used sound, is the implementation correct. Maybe, but the app is closed source and constantly changing

But users who care want to know about what connections the software makes, what is sent over those connections, to whom it is sent and why. There is no implicit trust as to Meta, only questions. The source code is hidden from public scrutiny

For example, the app tries to connect to {c,e8,e10,g}.whatsapp.net over TCP on port 80

The app has also tried to connect over UDP using port 3478/STUN

These connections can be blocked and the user will still be able to send and receive texts and make and receive calls

Meta forces users to install new mobile app, i.e., untrusted, unaudited code, multiple times per year. This install grows in size by over 100%

For example, there were at least four different apps (subsequent versions) forced on users in 2023, five in 2024 and four in 2025

In 2023 the first was 54.06MB. In 2026, it is now 126MB

thank you for your work.

I’ve been looking for this everywhere the past few days but I couldn’t find any official information relating the use of https://signal.org/docs/specifications/pqxdh/ in the signal protocol version that WhatsApp is currently using.

Do you have any information if the protocol version they currently use provides post-quantum forward secrecy and SPQR or are the current e2ee chats vulnerable to harvest now, decrypt later attacks?

Thanks for your time.

Then it's not fully investigated. That should put any assessments to rest.