End-to-end (E2E) code needs to be open source and venders that don't agree to an audit should be considered insecure; holds true for What's App, which declined to allow their E2E code to be audited.

Also, message metadata is still being leaked by all of these E2E implementations and needs to be fixed.

That's just an utterly ridiculous proposition.

By that logic the entire application would need to be open source, because nobody would start out by targeting the crypto if they wanted to spy on someone.

Ideally it would be possible to use third party clients to connect, and so anyone could use a fully open source solution if they wanted.

That's fair!

But you need far more than just the crypto code to create a client, I think open source protocol specs would already achieve this.

And my main complaint was with the claim that open sourcing their crypto code would somehow make a meaningful difference to the security of these applications to the extent where you could consider all applications that haven't done so "insecure".

I don't think I get your complaint

Without open-sourcing the crypto, they could be just doing rot16($message) for all we know. Open-source is a requirement for being considered secure. It doesn't mean they aren't secure if they aren't open-source, but that you shouldn't consider it so, because you don't know if it is or not.

> I don't think I get your complaint

> Without open-sourcing the crypto, they could be just doing rot16($message) for all we know.

There are two things you can do:

1. Watch the outbound traffic and attempt known-plaintext attacks

2. Reverse engineer the app

Neither is particularly difficult. Most Android apps are trivial to break apart using Lobotomy. A large swath of software security folks specialize in binary auditing.

Has anyone done that and produced a fully open source app to connect to whatsapp?

https://github.com/tgalal/yowsup for example