Rust at Scale: An Added Layer of Security for WhatsApp

Posted by ubj 17 hours ago

Comments

Comment by londons_explore 6 hours ago

> over 3 billion people to message securely each and every day.

Whatsapp is a chat application with 3 billion daily active users.

For those of you in the US (where Whatsapp is seldom used), this is a fact worth remembering.

If you want to build products for the rest of the world, you need to know how those users think and breathe - and for 3 billion of them, Whatsapp is how they talk.

Comment by jraph 6 hours ago

What one should do about this? I mean, beside working on lowering that number.

(Asking as a European who quite stubbornly refuses to install it - there are dozens of us. Dozens!)

Edit: please don't participate in making WhatsApp even more inescapable as it is today.

Comment by harikb 5 hours ago

As a developer, I tried building an app that needs to use Whatsapp for communication. Unfortunately my phone number got blocked by the second test message. No Spam. Not marketing, just a test message to my own number. Along with it, they blocked my entire business, my LLC, and anything tied to it.

I have been trying to get hold of anyone or anything at Whatsapp. I've spent 6 months trying to navigate the bureaucracy. Facebook support claims they can't touch WhatsApp; WhatsApp support ignores the Facebook side. If you're building on WA, have a backup plan.

If any Whatsapp employee reading this can look into my WBA Account 1117362643780814

Comment by rvnx 5 hours ago

Telegram API is easier to handle as far as I know if that can somehow help (in case you want live ChatGPT or notifications for yourself in a mobile chat)

Comment by duskwuff 3 hours ago

Telegram's bot API is a lot easier to get started with for sure. It's got some rough edges once you start trying to do anything more complex, though, and the underlying MTProto API is nothing short of bizarre.

I'd urge caution before using them as a component of your business, though. Their business strategy is pretty chaotic and has relied heavily on weird cryptocurrency-adjacent plays (e.g. TON / Fragment / gifts). They've made a couple of attempts to introduce business features, but I'm not sure they've had any substantial uptake.

Comment by harikb 5 hours ago

I will look into it. But my user base is either WhatsApp or plain SMS text messaging.

Comment by yandie 4 hours ago

Yeah telegram is so easy to develop with - I was blown away. I was able to spin up a bot that checks for GE appointments with minimal effort.

Comment by mfashby 3 hours ago

Force interoperability one way or another. WhatsApp is a closed system, if I want to use an alternative I'm stuck with adversarial interoperability, so stuff like Beeper (which is great, but...) which might get my account banned. Or waiting for some legislation to force WhatsApp to open it's API and let me interact with my contacts there without being locked into their apps

Comment by darrenf 2 hours ago

There is legislation in the EU, and BirdyChat announced compatibility.

https://www.birdy.chat/blog/first-to-interoperate-with-whats...

Comment by jraph 1 hour ago

BirdyChat, the existence of which we all first became aware at the same time as that legislation and which nobody can use yet, only join a waitlist... :-)

Comment by embedding-shape 6 hours ago

I guess if you want to lower that number, you'd need to build something better, in some way. Answered as another European who've had Whatsapp forever, as some stubborn people refuse to move away from it, and also bunch of businesses use it.

Comment by 01HNNWZ0MV43FF 5 hours ago

Network effect is killer. "better" would include having more than 3 billion people already on it.

Maybe the EU or China will crack down on it. A single company shouldn't decide who gets to talk to half the world. If that company is American they will not tolerate it for long.

Personally DeltaChat is my new favorite Thing but it falls afoul of Zooko's Triangle - A WhatsApp number or POTS number is short because it's centrally controlled and you have to pay for each one. DeltaChat has public keys, so I have 20 of them, and nobody can control who gets one, but they're incredibly long... the QR codes are nightmares.

Comment by embedding-shape 5 hours ago

> Network effect is killer. "better" would include having more than 3 billion people already on it.

At one point people moved from something else to Whatsapp, and that happened before Whatsapp had 3 billion people on it. If it's good, early adopters will adopt it and want others to adopt it too, then it snowballs from there.

It has happened before, and as long as new regulation doesn't solidify Whatsapp/FB in their position, it can happen again :)

Comment by riffraff 4 hours ago

WhatsApp happened at a time when, in Europe, you paid for SMS.

WhatsApp allowed people to send SMS without paying, or rather, paying just once to buy the app, so it was instantly valuable if you just convinced your spouse or parents or a single friend to install it.

To overcome it now, you need a lot more effort (or rely on enshittification, which I'm sure will happen).

Comment by embedding-shape 4 hours ago

No, before Whatsapp, people were mostly using Facebook messages, at least where I lived at the time.

And no one was paying per SMS at the time we were using SMS for communication, almost everyone I know were on monthly plans that gave you N text messages and N minutes of calls for static sum each month.

The first people I saw who started using whatsapp, was people who were communicating across the border, because even if you had a monthly plan, those didn't include international messages. Eventually we all converged on whatsapp because that's what outside family and relatives used anyways.

Comment by vlovich123 3 hours ago

WhatsApp launched in January of 2009 compared with Facebook Chat which launched in 2008. WhatsApp saw drastically wider adoption among the general populace and paying for “N text messages per month” is precisely what people refer to as paying per message - WhatsApp had unlimited messaging.

Comment by embedding-shape 3 hours ago

Is "Facebook Chat" not the same as "Facebook Messenger", the separate chat client? Because I seem to remember a lot of people using the chat built-in into Facebook (not Messenger) a lot earlier than the standalone app/client, maybe I misrecall.

> paying for “N text messages per month” is precisely what people refer to as paying per message

Maybe I said it wrong, "N text messages per month" for me means "Pay us 10 EUR per month, send up to 5000 messages" for example. Doesn't matter how many you send, you pay the same.

While "pay per message" is "Every text message you send, costs 0.01 EUR". Maybe I'm using the wrong words, but that's how I understand it.

Most of the people who were "texters" (in my circles) were on plans offering the first way of paying, while hardly anyone was doing it the second.

Another important part, was that most telecom's had free SMS and calls if you were with the same company (and still do, AFAIK), so constant bickering about what plan people are on and why they don't change so it's free and yadda yadda.

Many people were already mostly texting for free at this point.

Comment by stavros 3 hours ago

The EU has already forced WhatsApp to be interoperable. Of course, Meta complied maliciously, making it a setting that you have to enable, but at least it's a start.

Comment by embedding-shape 2 hours ago

I guess the bean counters figured it'd be cheaper compared to ultimately paying the fine they get for maliciously following the rules. Hope the fine ends up large enough to make them wrong :)

Comment by londons_explore 6 hours ago

Make your customer support on whatsapp. "Drop us a message to change your order". Allow ordering/enquiries over whatsapp.

Send 2 factor verification pins over whatsapp - it is more reliable than SMS and generally there is a better 1:1 mapping between whatsapp accounts and real humans than phone numbers, so it is a good anti-spam or good way to distribute "first month free" type deals whilst keeping abuse low.

Obviously make sure all URL's have info cards properly rendered in Whatsapp for good share-ability.

Comment by jraph 5 hours ago

And now your customers are required to agree to Meta's term of services and to run some black box software, and you are screwed if Meta decides your business or your customers need to be kicked out.

Comment by sieabahlpark 5 hours ago

[dead]

Comment by tremon 3 hours ago

Advocate protocols over platforms. Have your government take an active interest in opening up closed communication systems and mandating third-party client access.

Comment by galangalalgol 6 hours ago

Can you describe your reasons? I haven't developed an opinion as no one here uses it.

Comment by jraph 5 hours ago

I refuse to use proprietary software as much as I can, especially when it has a strong network effect where it encourages others to join.

Meta is also a despicable company, they don't need my help to succeed.

(edit: and I haven't abandoned the idea to switch back to a Linux mobile OS at some point, and WhatsApp would be a pain)

Comment by zikani_03 3 hours ago

Where I come from (Malawi, Africa), WhatsApp is so widespread that most people prefer it over email - to the extent that people don't really check their e-mails unless it's required for work or they are applying for something. For most people, WhatsApp is the de-facto communication channel.

I help moderate a community of developers and we hit the whatsapp group limit of 1024 members and sometimes have to wait for someone to leave (intentionally or accidentally) before we can add new members. We've tried to move people onto "better" platforms like Discord or Slack but we always end up coming back to WhatsApp which is subsidized via MNOs (mobile network operators) social media data/internet bundles and for the fact that most people are just stuck on whatsapp.

Comment by signal11 2 hours ago

In markets where Whatsapp is entrenched, it’s already begun to enshittify.

They have ads and spam already (sorry, no-consent messages from businesses). This isn’t even new. [0]

There’s a clear pattern, say “we’ve rolled out strict policies”[1] and then… nothing changes on the ground, and TechCrunch writes another “they’ve fixed it” article a year later.[2]

Also their Communities feature has pretty crap UX.

Yes WhatsApp’s pervasive. But if pervasive was the end of the story, we’d all be using ICQ and AOL. The last thing any country needs is to hand over more of their lives to Facebook [sic].

[0] https://techcrunch.com/2022/10/10/in-india-businesses-are-in...

[1] https://techcrunch.com/2024/11/20/whatsapp-will-finally-let-...

[2] https://techcrunch.com/2025/10/17/whatsapp-will-curb-the-num...

Comment by axegon_ 1 hour ago

Honestly? That claim seems a bit(read A LOT) exaggerated. I haven't had whatsapp in a decade and none of my friends(scattered all over Europe) or family uses it. Viber used to be a big deal and to an extent still is in some areas of Europe. Personally I think I've talked almost everyone into migrating to Signal.

Comment by moomoo11 5 hours ago

Sure, but like with most things, maybe like 200 million max of them in NA/EU would actually bring in real money.

Comment by Capricorn2481 4 hours ago

Doesn't this description describe Facebook itself? Should we make apps more like that as well? Because they could not be more polar opposite each other.

Comment by erithax 7 hours ago

> We believe that this is the largest rollout globally of any library written in Rust.

I think that crown currently goes to https://github.com/googlefonts/fontations which is included in Chromium, not sure if it's on all platforms yet. Moreover, the translative dependencies of Fontations (click through https://crates.io/crates/fontations/0.3.0/dependencies) should have an even (slightly) larger install-base.

EDIT: from the quote you can also gather that they don't use https://github.com/signalapp/libsignal

Comment by dcsommer 5 hours ago

Just for reference, Wamedia ships on the major Meta apps and on iOS, Android, Desktop, and Web platforms.

Comment by mdriley 6 hours ago

Just a few more Rust libraries we've shipped in Chromium:

- https://github.com/image-rs/image-png

- https://github.com/webmproject/CrabbyAvif

- https://github.com/RCasatta/qr_code

- https://github.com/unicode-org/icu4x

Comment by cong-or 9 hours ago

The 160k → 90k LOC reduction is nice, but the parallel rollout is the more interesting part. Running Rust alongside the C++ version and using differential fuzzing to check equivalence is a lot more realistic than “rewrite and pray.” You get incremental validation with the old system as a fallback. Curious how long they ran both before cutting over.

Binary size is a real concern on the client side. On servers the Rust stdlib overhead usually doesn’t matter, but when you’re shipping to billions of mobile devices, every KB counts. Good to see they invested in build tooling instead of just accepting the bloat.

Comment by galangalalgol 8 hours ago

Did they say anywhere what they did? Rebuilding the stdlib as part of your build can shrink it a lot depending on how much of it you use, but that is still nightly only. Maybe they went no_std or created their own?

Comment by surajrmal 8 hours ago

They didn't but keep in mind that the app is currently 170MiB. The standard library shouldn't have added more than a few hundred kilobytes. They already likely pay similar costs for c++, but it's more worthwhile as they have a lot more c++ code total.

Also note that if you statically link to the rust std library, lto will excise the majority of it anyways, no need to rebuild it.

Comment by galangalalgol 6 hours ago

The default hello world stripped with one codegen unit and panic=abort was 342kB both nightly and stable. Adding lto dropped it 42kB in stable and 40kB in nightly. Adding build-std and only building core did not reduce it any further in size.

Comment by metaltyphoon 2 hours ago

I assume OP is taking about using -Zbuild-std on nightly. This will drop it much more.

Comment by storystarling 12 hours ago

The hardest part of a rewrite like this is usually maintaining bug-for-bug compatibility with the legacy parser rather than the actual Rust implementation. Most real-world media files are malformed in some way that the C++ code implicitly handled, so if you write a strict parser you end up breaking valid user data. Differential fuzzing seems like the only practical way to map that behavior without manually reviewing millions of edge cases.

Comment by dwattttt 12 hours ago

It sounds like it's a design goal of this "wamedia" to _not_ maintain bug compatibility with media players.

Comment by storystarling 10 hours ago

I suspect it is actually about maintaining permissiveness for malformed inputs rather than keeping security bugs. I ran into this building ingestion for a print-on-demand service where users upload technically broken PDFs that legacy viewers handle fine. If the new parser is stricter than the old one you end up rejecting files that used to work, which is a non-starter for the product.

Comment by rubymamis 6 hours ago

AI reply?

Comment by storystarling 5 hours ago

Not AI. Anyway, the real issue is permissiveness vs strict parsing—real-world files are messy.

Comment by nevi-me 13 hours ago

> We believe that this is the largest rollout globally of any library written in Rust.

I suppose this is true because there's more phones using WhatsApp than there are say Windows 11 PCs.

Given that WhatsApp uses libsignal, is it safe to assume that they haven't been using the Rust library directly?

Comment by marisen 12 hours ago

WhatsApp doesn't use libsignal, and Android is already pretty Rusty and deployed more than WhatsApp around the world (not just smartphone. Tons of "embedded" use cases also run on custom Android)

Comment by fabrice_d 3 hours ago

WhatsApp was using libsignal (the C version) when I worked on the KaiOS integration in 2017/2018.

Comment by charcircuit 6 hours ago

>deployed more than WhatsApp

If you count old Android versions before Rust was added.

Comment by 12 hours ago

Comment by pjmlp 12 hours ago

Like our gym devices that have a full tablet to run a basic application to control weights, talk about wasting money.

Comment by g947o 12 hours ago

It doesn't make sense for that device alone, but the vendor probably supplies all the different equipment in the gym. Using a tablet simplifies their supply chain, deployment, debugging/repair, app update process and simply supports more features. There are probably some connectivity features on the device, for example. When you look at all of that together, it's hard to argue it's wasting money.

It's like complaining about Electron apps. For sure I love small native apps like everyone else. But, if Electron enables a company to ship cross-platform apps and iterate faster, who am I to say no?

(I happen to have seen some of those tablets in diagnostic mode and poked around a bit. These things are much more complicated than you think.)

Comment by rswail 10 hours ago

Once you price in the cost of integration, plastics, ROHS, CE and other regulatory/certifications, the extra cost of an Android tablet which already has a lot of that starts to make sense.

If you also add in the extra ease of things like device management across fleets etc, it becomes a no-brainer for the manufacturer.

Comment by jerf 7 hours ago

The major problem with sticking an Android tablet on to exercise equipment is the difference in life spans. Android tablets are generally going to last you 4-5 years. Weight equipment should be able to last decades. There is some simple & cheap hardware that can last decades, but it is legitimately harder to program.

Even worse was an article some months back about Android tablets hooked to heating & cooling systems expected to last 20 years. There's no way those things are making it at scale.

Comment by g947o 6 hours ago

> Weight equipment should be able to last decades.

"should" or "actually can"? Do you have references to show that's the actual lifespan of the equipment, mechanically?

Comment by jerf 2 hours ago

Weight training equipment lasts decades all the time. It's just big piles of metal, it's not hard to get right.

What actually prompted the engineering-CYA "should" is if the Android tablet is controlling some sort of robotic system for selecting weight sizes, that that system might have an expected life span on par with a tablet, being a physical thing moving around some pins or something in a potentially hostile user environment. That'll break long before anything else would.

Comment by 1 hour ago

Comment by g947o 59 minutes ago

So you don't have a reference.

I'm just going to ignore this.

Comment by pjmlp 11 hours ago

Well, doesn't look like to me, and a plain ESP32 with a touch screen would do the job for displaying a weight bar with plus, minus and reset count buttons.

Comment by usrusr 10 hours ago

And then you get to a cardio unit where you want a completely different set of features and have to start over. Going lean on hardware only makes sense when you push out a very high number of units, when you have to deal with battery constraints or when you just have a lot of intertia, the combination of existing codebase and developer filter skillset.

Comment by miki123211 2 hours ago

And then you start selling in a country which demands accessibility for your equipment. Good luck getting a 20+ language human-sounding TTS system on your ESP32.

Comment by pjmlp 10 hours ago

Except all the machines have the same feature set I mentioned.

Agree that wanting to hire cheap developers is why they did it that way, the current interface is so laggy that I would bet it is Web based, on top of running Android for nothing.

Comment by rswail 9 hours ago

That's not a problem of the platform, but is a problem of the developers.

The extra cost of an Android capable tablet (maybe $200 especially wholesale) is a minimal hardware cost considering the overall price of the equipment is in the thousands.

But finding good embedded developers is a very difficult problem to solve, much easier to find Android app developers and then you get the Android eco-system for free like device management, OTA updates etc.

Put all the sensors and controls on a USB bus and you need one or two actual embedded developers to deal with the drivers and the rest of the developers can build the UI that people see.

In the case of a gym, the person buying the equipment is the customer, not you.

They want features that will make you "sticky" to the gym, plus save costs on training you on how to use the equipment.

Comment by usrusr 6 hours ago

Cardio units have neither a "weight bar" nor a repetition counter, but they have a whole universe of possible features in the realm of scripted sequences, reactions to HRM signals and even just "making time pass" features. With unbounded gimmickyness, the sky is the limit.

Personally, I'm a bit of an aficionado of close to the metal sports electronics. When I stare at gym screens I immediately notice updates that are supposed to come in once a second to get randomly delayed by what must be hundreds of millis. But I can totally see why they went that route. It's a market where feature quantity is big as a success metric and using a maintenance-friendly platform is even bigger. Wether Android actually checks that box might be debatable, but a bad embedded implementation could easily be worse, no doubt about that.

In the old days, those screens would have randomly dropped into some Windows desktop failing to operate in some kiosk mode fantasy.

Comment by pjmlp 12 hours ago

If you watch "Microsoft is Getting Rusty: A Review of Successes and Challenges" it appears the whole effort is more on the Azure side, and besides some timid adoption like GDI regions, there is a lukewarm adoption of Rust on Windows side, still pretty much a C and C++ feud.

https://www.youtube.com/watch?v=1VgptLwP588

Comment by palata 11 hours ago

> Two major hurdles were the initial binary size increase due to bringing in the Rust standard library [...].

They don't say what they did about it, do they? Did they just accept it?

Comment by sluongng 10 hours ago

I suspect they just use no_std whenever its applicable

https://github.com/facebook/buck2/commit/4a1ccdd36e0de0b69ee...

https://github.com/facebook/buck2/commit/bee72b29bc9b67b59ba...

Turn out if you have strong control over the compiler and linker instrumentations, there are a lot of ways to optimize binary size

Comment by dcsommer 5 hours ago

We invested a lot into build system optimizations to bring this number down over time, although we did accept on the order of 200 KiB size overhead initially for the stdlib. We initially launched using a Gradle + CMake + Cargo with static linking of the stdlib and some basic linker optimizations. Transitioning WhatsApp Android to Buck2 has helped tremendously to bring the size down, for instance by improving LTO and getting the latest clang toolchain optimizations. Buck2 also hugely improved build times.

Comment by palata 40 minutes ago

Thanks!

Comment by pornel 10 hours ago

Probably yes. It's ~300KB per binary, and it's a one-time cost.

It can be avoided entirely by disabling the standard library, but that's inconvenient, and usually done only when writing for embedded devices.

Usually the problem isn't the size directly, but duplication of Rust dependencies in mixed C++/Rust codebases.

If you end up with a sandwich of build systems (when you have library dependencies like C++ => Rust => C++ => Rust), each Rust/Cargo build bundles its copy of libstd and crates. Then you need to either ensure that the linker can clean that up, or use something like Bazel instead of Cargo to make it see both Rust and C++ deps as part of a single dependency tree.

Comment by surajrmal 9 hours ago

The size is not fixed. It changes based on how much of the standard library you use. Dynamically linking the standard library is also a valid option in many cases.

Comment by galangalalgol 6 hours ago

Posted elsewhere but The default hello world stripped with one codegen unit and panic=abort was 342kB both nightly and stable. Adding lto dropped it 42kB in stable and 40kB in nightly. Adding build-std and only building core did not reduce it any further in size.

Comment by galangalalgol 8 hours ago

Can it do lto on stdlib even without the nightly build-std flag?

Comment by jsheard 10 hours ago

Who knows what they did, but there are things which can be done: https://github.com/johnthagen/min-sized-rust

Comment by menaerus 11 hours ago

The whole article a bit watery which is why I read it as a PR rather than technical presentation

Comment by kpcyrd 14 hours ago

Very cool! I'm wondering if Signal is doing something similar? libsignal is implemented in Rust, but I don't know about the other parts.

Comment by I_am_tiberius 8 hours ago

> "WhatsApp provides default end-to-end encryption for over 3 billion people".

Wasn't there news lately that they can still read your messages somehow?

Comment by wongarsu 7 hours ago

WhatsApp could exfiltrate messages at the ends. But I assume the trick lies in the word "default". Didn't Skype also default to end-to-end encryption, unless there was a server flag that disabled it for that specific user (I might be fuzzy on the details)

Comment by londons_explore 6 hours ago

I don't trust un-auditable client applications...

If you want to assure me your e2e is secure, there must be at least two clients implemented by different people, with at least one of them opensource.

Whatsapp used to have this, but lately they have cracked down on third party clients.

Comment by rvnx 5 hours ago

Even if they have, this doesn't prevent from turning on a feature flag, or push an experimental build to some users.

Comment by londons_explore 3 hours ago

If there is a 2nd opensource client written by someone else, you would hope they would raise the alarm when asked to implement "feature flag 437 means send all the crypto keys to the server".

Comment by mschuster91 2 hours ago

> Whatsapp used to have this, but lately they have cracked down on third party clients.

Blame spammers on that. The amount of scammers and spammers on Whatsapp is unreal.

Comment by 4gotunameagain 8 hours ago

Every encryption is end to end if you're not picky about the ends, or metadata.

Do you trust facebook (excuse me, meta) to not snoop on your messages, and to not share them with the "intelligence" agencies ?

Comment by Fripplebubby 7 hours ago

This is not true. The IETF draft is explicit that E2EE means that the message cannot be read by any party other than the sender and the intended receiver. When companies like Meta claim they support E2EE, this is what they claim. There are no tricky semantics or legalese at play here.

Comment by monocasa 7 hours ago

To be fair zoom did claim E2EE, with one of the ends being their servers.

Comment by jolmg 2 hours ago

Do companies that claim E2EE support face consequences if they don't abide by IETF's definition? Not like IETF governs them.

Comment by rvnx 5 hours ago

> When companies like Meta claim they support E2EE, this is what they claim.

Well, that statement can only resolve to true.

These requests of data collection are perfectly legal. FBI DITU gives an order: give me all chats from *@banana.com and they receive banana.com.

From there, two choices from the perspective of a tech provider:

a) You accept. You get paid.

    You can always claim you had been coerced / are a victim, and that everything has been done by the law.

b) You refuse. It's a crime.

    You take the risk to lose over 250K per day (!) in fines, some other court scandals that will come to you, some shady private stuff (what if we learn about your secret jacuzzi ?), harassement of the team, be publicly shamed that you supported terrorists who caused actual death of Americans, etc.

    In addition, nobody will know that you are the privacy hero and you are not even sure that the data is not exfiltrated another way.

To this day, Apple, Facebook, Google still deny participating in illegal requests. They claim these were lawful requests, that have been carefully looked one-by-one.

Yes, we looked carefully and decided we won't enjoy losing 100M USD and go to jail.

The trick is that the identifier / wildcard can be very vague and wide. Or there can be multiple of them, each of them are narrow, but put one of top of the other they are super wide.

Comment by antonvs 6 hours ago

It's not entirely accurate to say "any party other than the sender and the intended receiver," since the messaging app running on the user's device can read the messages. Something like "any third party (other than the app vendor)" would be more accurate. Without actually analyze app behavior, it comes down to trusting that the vendor doesn't do anything nefarious.

Comment by londons_explore 6 hours ago

One could imagine a design where even the app vendor is untrusted... You would send an encrypted chunk direct to the GPU, which would then decrypt and render the message text in some secure environment onto the screen.

Neither the OS nor the application would know the contents of your message beyond "it's 500x700 pixels".

Similar things are done for DRM video, and widevine level 1 or 2 haven't seen many breaches despite running on a wide array of hardware open to physical attack.

Comment by antonvs 4 hours ago

Oh it's definitely possible. The (dis)incentives tend to be strongly against such secure systems, though.

Comment by londons_explore 28 minutes ago

In the messaging game, there is every incentive to be seen as the secure-est one.

If you can have an e2e chat between two iphones locked in a big glass box with a sign that says "Anyone who can hack into this conversation gets $100M", that's a really good marketing campaign.

If you can make the app use secure enclaves or whatever to take the ~100k people who write the source code of the libraries, app and OS out of the attack surface, that $100M becomes much safer.

Comment by Fripplebubby 6 hours ago

I think the draft covers this well: https://www.ietf.org/archive/id/draft-knodel-e2ee-definition...

Comment by antonvs 3 hours ago

Technical drafts will tend to get this right, where the communication often breaks down is how it's communicated to users.

Comment by rvnx 6 hours ago

As far as I remember, Google does the final signing of the APK, which is eventually the signature verified by the OS to verify if an update is valid or not.

So Google can, if ordered or willing to help, create a new release track (e.g. experimental-do-not-deleted) and add specific e-mails to that track with the "improved" version.

Nobody would be able to see that in real world, and you know what, if WhatsApp themselves are ordered, they can also create their own "test" track, it's just less covert but it would technically be working.

In all cases, Google and Apple have to respect US laws, and the laws of earning money too.

If you do not cooperative with intelligence / police services of your country, only bad things can happen.

Comment by mr_mitm 4 hours ago

Yes, the app could be compromised, or the OS, or the compiler of the app, or of the OS, or the OS of the compiler, or the CPU any of these things run on, etc. etc. None of that is relevant to the definition of E2EE.

Comment by antonvs 3 hours ago

It's relevant to how E2EE is described to users. Representing that it's not possible for anyone other than the sender or recipient to read messages is misleading and just incorrect in general.

A particularly relevant point is when it comes to government interception. E.g. it would be perfectly possible for an messaging app to have a "wiretap mode" that the vendor enables for users that are the subject of a relevant warrant.

Comment by miki123211 2 hours ago

> Do you trust facebook (excuse me, meta) to not snoop on your messages

No, but I trust some nosy German guy at TU Whatever to spend hours poking at the assembly, find that hidden flag and proudly present it at 40C3.

With enough eyeballs, all source is open (and AI will give us far more eyeballs than we have any idea what to do with).

Sure, you can have different builds distributed to different people, but the NSA can also just do that with Signal, Signal being open source makes it that much easier. FDroid mitigates this somewhat, but it's not like the NSA can't get a fake TLS certificate for their domain and MITM your communications.

Comment by aloukissas 3 hours ago

I love how Meta will do anything but prevent phishing and prepaid credit card scams in Whatsapp/Messenger

Comment by aero-glide2 11 hours ago

Quite impressive, I did not know so many bugs were due to memory access.

Comment by IshKebab 9 hours ago

To be fair the increased reliability of Rust code over C++ isn't just because of memory errors (out-of-bounds accesses, use-after-free, type confusion, etc). You also get:

* No undefined behaviour (outside `unsafe`, which is quite easy to avoid). In C++ there are many many sources of UB that aren't really memory errors directly, e.g. signed integer overflow or forgetting to `return` from a function.

* A much stronger type system.

Those two things have a really significant impact on reliability.

Comment by tialaramex 7 hours ago

Rust's "A language empowering everyone..." tagline also helps justify the heavy lifting needed to prevent you shooting yourself in the foot, because we're all able to imagine a hypothetical less experienced programmer who might make a mistake even as we swear that we'd never make it ourselves.

Comment by blub 9 hours ago

Just like Google’s Rust-in-Android blogs this reads like a PR piece (and in the case of facebook also recruitment piece) with some technical words sprinkled in for effect. The overall communication quality is that of a random startup’s “look what we did” posts.

The interesting aspects, such as how they protect against supply-chain attacks from the dependency-happy rust toolchain or how they integrated the C++ code with the Rust code on so many platforms - a top challenge as they said - remain a mystery.

Would also be interesting to hear how much AI-driven development they used for this project. My hope’s that AI gets really good at Rust so one doesn’t have to directly interact with the unergonomic syntax.

Comment by surajrmal 9 hours ago

The point of articles like this is to help build credibility for rust adoption. Rust is still not very widely adopted industry wide, and a lot of smaller players only use established technologies that bigger firms have shown works well. Rust is not inevitable, and articles like this are necessary for its future industry adoption.

Comment by blub 6 hours ago

I had already said it’s a PR piece, you’re merely rephrasing that and making it sound like a good thing.

This and the Google blogs offer zero technical insights and I haven’t learned anything from any of them.

Comment by antonvs 6 hours ago

> The interesting aspects, such as how they protect against supply-chain attacks

There are standard techniques to help manage this that apply across languages, there's no reason to reinvent that wheel.

> My hope’s that AI gets really good at Rust so one doesn’t have to directly interact with the unergonomic syntax.

"Unergonomic syntax" is the battle cry of many people resisting learning a new language. AIs have progressed far enough that they can help you in that learning process, though.

Comment by blub 6 hours ago

The dependency management and complexity/poor ergonomics are the two major technical problems with Rust. Normally the first one’s ignored while the second is downplayed, so it would have been interesting to see what (if anything) Facebook have done about them.

Not only can AIs help, but they can write most if not all the code and spare the human from learning all the intricacies of individual programming languages. Problem is, reports are contradictory on compatibility with Rust. We know they work great with simpler/friendlier languages like Go or Python.

Comment by mentalgear 10 hours ago

Cool - now we only need to get selling-you-out-for-profit-Zuckerberg out of WhatsApp to make it really trustworthy.

Comment by wrtc_dev 11 hours ago

[flagged]

Comment by randomint64 9 hours ago

That's right, Signal (https://kerkour.com/signal-app-rust), Proton (https://kerkour.com/proton-apps-rust), Matrix, Wire and many more are using a share, cross-platform Rust core and a platform-dependent UI layer.

But it's not only the security-critical paths, but also most of the business logic (see the 2 posts above).

Comment by wongarsu 10 hours ago

I agree with everything you say. But wow, does that comment sound like AI. Probably Grok?

Not saying you are AI, you might just be a heavy user who picked up the same patterns

Comment by jsheard 9 hours ago

If it were an old account I might have given them the benefit of the doubt, but they literally just joined to make this comment. There's so many green accounts popping up which reek of AI now, like I've seen ones where all of their comments are almost exactly the same length.

Comment by rob 8 hours ago

It's a brand new account that reads 100% like a ChatGPT response where the author just swapped out the em dashes for hyphens when posting, knowing it's a common "indicator" people look for.

It's more surprising to me that it seems to have already fooled a bunch of people looking at their replies to you.

Comment by 9 hours ago

Comment by m00dy 10 hours ago

I like your AI slop detector, is it part of your consciousness ?

Comment by candiddevmike 9 hours ago

The "is key - ", is a key giveaway.

EDIT to expand the evidence: It's placing unnecessary emphasis on a one off mention in the article (differential fuzzing) and then writes a bunch of bullshit around what it thinks it means (it's wrong, differential fuzzing isn't running them both in parallel during a transition, it's a testing methodology based on inputs/outputs).

Comment by braiamp 9 hours ago

Which many people use. Heck, go to Stack Overflow about 10 years back. You will see people using it. It's a style.

Comment by seritools 9 hours ago

TIL I'm an AI

Comment by jdxcode 9 hours ago

I think it's a giveaway that it's human! A hyphen is incorrect punctuation.

Comment by wongarsu 9 hours ago

According to British style guides an en-dash would be correct in that usage, and the difference between an en-dash (–) and a hyphen (-) is pretty small. Seems perfectly defensible to me unless you are publishing a book or academic journal

Comment by dewey 8 hours ago

AI is trained on human output, so that's not really a good differentiator.

Comment by happyweasel 8 hours ago

Let's see how this unwrap()s in production scnr

Comment by galangalalgol 7 hours ago

Oh come on, that was funny. It also highlights a problem with the way people write rust. If your app panics it has a bug. People throw panics in cases that can absolutely happen, a file isn't there or fails to parse, some set of inputs is mutually inconsistent these are things for error checking. Even if the correct way to handle an error you detect is to stop the app, do that instead of panicking. Panics are for things that should be impossible. Ideally they even get optimized out.

Comment by justinlords 6 hours ago

The differential fuzzing approach is clever — way safer than a big-bang rewrite. Running both versions in parallel to catch edge cases before switching over is how you actually ship rewrites without breaking production. The 160k to 90k LOC drop is impressive, but the real engineering win is the validation strategy.

On binary size, static linking with LTO should handle most of the bloat without needing custom stdlib builds.

Comment by chinathrow 6 hours ago

We really need an AI filter here on HN.

Comment by stingraycharles 5 hours ago

A comment like this works as well, let the community do its thing.

Comment by rvnx 5 hours ago

There are a couple of bots here.

Quoting a user:

    keeping it simple: a flat $15,000 to get you on the front page of Hacker News.
    [...] contact e-mail below

Expensive, but now with LLMs it's super cheap to do.

Spend a week to do a bot, get 10'000 USD of ARR for your B2B tech SaaS, and applause from your investors.

And a week is probably exaggerated, 2 days max

Comment by stingraycharles 2 hours ago

Do you have any actual evidence that these types of services are being offered for that type of price point, though?

The reason I'm asking is that I actually believe the price point is much lower. It's probably much easier to get on the front page of HN of you time the submission + upvotes well enough.