How safe is end-to-end encryption if both parties are on the same platform?


If parties A & B both use WhatsApp with the idea being that the app shouldn’t be able to determine the details of the conversation, how does E2EE prevent this?

My understanding is that it really doesn’t matter if E2EE is supported by the app in such cases. Since the app has access to both parties’ devices, it doesn’t have to read/intercept messages in transit if it can just access on device conversation thread for both, or all parties involved. Am I wrong?

In: 5

3 Answers

Anonymous 0 Comments

> Since the app has access to both parties’ devices…

It isn’t the **app** itself which there is concern about accessing messages. The app isn’t Skynet or some despot sitting in dramatic shadow wringing its hands. The worry is that the app would be sending messages to the WhatsApp server that they can access, and if they can do that then by definition the conversations are not End to End Encrypted!

Anonymous 0 Comments

That’s a very good point. You do have to trust the local app. It could totally take your messages and send them to the app company if it wanted to.

Luckily independent security researchers watch for stuff like that in lots of apps these days. Watch all the traffic coming from the app and see if it’s doing something shady. It would be catastrophic to any supposedly E2EE service to get caught doing that so they have an incentive not to

However ultimately you can’t trust that a closed source app isn’t going to find a way to do it (store messages and opportunistically send via Bluetooth to a clandestine collection hotspot stationed in your city?). You work with open source stuff and you can be much more sure your data isn’t being messed with

Anonymous 0 Comments

Neither a 3rd party, nor the service provider can snoop on your messages *in transit* and must obtaining/compromise one of the phones used to send the message.

E2EE was brought in because governments and law enforcement can force service providers to share content/information with them, and because people believed the contents of their messages were used for analytics (which they probably were!). With a warrant, a normal email provider could be forced to share your emails with law enforcement. However with E2EE the service provider doesn’t hold the encryption keys, so they can’t be compelled by law enforcement to share the message contents. They **can** be compelled to share who and when you were communicating with – but not the actual messages themselves.