That said, WhatsApp using the E2E Signal protocol is immaterial if they exfilter the locally stored private keys out to their servers, which is what the redaction of that line in the whitepaper we both linked (you directly, me via that Twitter link highlighting the diff) alludes to:

> At no time does the WhatsApp server has access to any of the client's private key.

Unless one checks every update of the client's code and the matching published reproducible binary output one can't be sure that keys (or any other data for that matter, since it has full access to anything decrypted) are not exfiltrated.

Now, that line deletion could be a subtle canary because law enforcement/state actor, or that could be Meta being nefarious following the cofounders departure, or anything in between. Either way I find it a worrisome signal that this specific line has been removed.

Indeed, it is. I did not mention it because it's Apple ecosystem only, leaving a lot of people out. It appears to do many things very right, some lacking, and a few "wrong".

AIUI, with Messages backups in iCloud disabled, each device has its own key. Each message sent gets E2E encrypted with the key to each destination device and sent once for each device. So if the recipient has three devices, that's three encryptions and three messages sent. (That's how I recall someone describing it back in the day, I'm not sure today and I can't find the source of that anymore)

> Another terrible “feature” is that to have a complete history of your chats, you need to back up to iCloud.

The above means that a newly added device doesn't get access to the message history. This actually implements perfect forward secrecy! An attacker who manages to convince someone in some way to add a new device would a) be name to decrypt any old message intercepted and b) only be able to see new messages.

In that setup the only thing really lacking is being able to jointly check a contact (sender or recipient) key via a secondary channel and maybe TOFU it and displaying a warning when a contact key is added, changed, or revoked. You do get a warning for new devices added to your account but it could also apply to already added devices who unexpectedly get a new key.

Enabling backups in iCloud breaks perfect forward secrecy somewhat since the goal is being able to obtain the whole history, so an attacker managing to enroll a new device would presumably get the history. That said I also hear that this iCloud backup isn't zero-trust encrypted (technically it could be, think borg backup) but I'm really not sure about that.

> And uploading photos will quickly blow through your iCloud storage.

Not just that, it seems to do an absolutely terrible job at clearing the local cache, eating space like crazy and with no easy option to clear it: the settings app storage section is hopeless in that regard, Telegram's way of handling that manually plus the automated ones are muuuch more clear.

> For example, if you travel internationally with a different SIM card, iMessage doesn’t allow your main phone number to be used for iMessage any more.

I did not witness that when swapping SIM cards with new numbers: Messages popped up a dialog or something asking "keep using +XXXXXX" || "use +YYYYYY". I seem to recall I could even have both numbers for some time (IIRC there was a 2 week - or was it one month? - delay before a number is forcefully dropped out if you don't pop the SIM with that number back in). It was annoying the hell out of me as it was a short-lived number that was temporarily assigned while my real number was transferred between operators. My mistake though for tapping the wrong answer, but admittedly something there could use some improvement.

That was with local numbers though, the international story might be different? I would not expect that though as it would be truly an awful experience for international travelers that swap SIMs on non-multiSIM (eSIM+tray) iPhones.

And finally there's trust... it's completely closed and very hard to audit, but then again Apple owns the OS and hardware, so one could audit the app all they want, they have a much more potent vector for exfiltration.