Just because of a PM I got, I want to share, independently of the rest of the dev talk here, some thoughts on security for the WhatsApp client that is to be developed. Every one of us who has taken a somewhat closer look at WhatsApp should have noticed some security leaks, I think. Maybe even more than the ones you find scattered on the web. We should maybe spend some thought on how we could try to prevent everybody from using these security issues to fake other people's accounts, log into existing accounts and so on. We shouldn't be so naive as to think that WhatsApp would be more secure when we don't make these public; what I mean is just preventing tons of script kiddies from playing around, feeling cool that they can hack WhatsApp. As said: everybody really willing to find the security issues will find them. I also think that if we don't totally crash the "security" system WhatsApp has, we may be more tolerated by WhatsApp regarding the unofficial client.

Security is always a very difficult topic to talk about, especially how to proceed with found issues. For my part there are two main reasons why I would try to keep them "secret" in our case: we are actually using some of them to make the unofficial client work, and the said prevention of script kiddies and with that maybe the friendliness of WhatsApp. Issues that we don't need to make the client work and that are also minor issues we could maybe report to WhatsApp independently of our client work, without a link to the threads here etc. (but as the history of found issues shows, they don't seem to really care about them).

The difficulty I now see is that if we wrote in public what exactly these issues are, so that the ones working on the client(s) can consider them in their clients, we would in some ways make it needless. But writing them to just a few persons always excludes the other developers.
How the individual finder of the security issues handles it is his decision, I would say, but at least I wouldn't write a "How to hack WhatsApp".

For my part, the issue that I think everybody is aware of, and a minor one we should consider, is the registration of new accounts. With the known way we can fake accounts with numbers we don't own. The idea of letting the user choose whether an automatically generated password or an own password should be used during registration (make an md5 of the password and it shouldn't stand out during registration) is an option I would support. But everything else that connects the account to a specific phone should be left by default as the WhatsApp client also does it. This way should be okay for everybody wanting a WhatsApp client for the N900/N9, I think (and it would be the easiest to use for a non-developer). There aren't more options you have to change. Maybe an option of hiding or sending the MCC/MNC would be open to discussion, but I would just use 0's as default.

I hope that every developer currently working on WhatsApp agrees with my position, at least the main ideas. If not, it would be nice to have a small discussion about security here regarding how far we can offer options in the client without risking abuse by some people feeling cool because they can do things they shouldn't do...