Sorry to necropost, but I recently stumbled upon this interesting article from 6 months ago that I have not seen discussed on many privacy-related communities.
I quote from the article:
"According to the internal assessment, the stakes are high: 'Inspection and analysis of network traffic is completely invisible to us, yet it reveals the connections between our users: who is in a group together, who is messaging who, and (hardest to hide) who is calling who.'";
"The analysis notes that a government can easily tell when a person is using WhatsApp, in part because the data must pass through Meta’s readily identifiable corporate servers. A government agency can then unmask specific WhatsApp users by tracing their IP address";
"The internal warning notes that these attacks require all members of a WhatsApp group or both sides of a conversation to be on the same network and within the same country or 'treaty jurisdiction'";
"The assessment reveals WhatsApp has been aware of this threat since last year, and notes the same surveillance techniques work against other competing apps."
As quoted, this is not a vulnerability per se in ShitApp, but rather a threat model not considered by almost all messaging apps, since these metadata correlation attacks are always possible if the adversary controls a decent part of the network. That said, the only way this can be avoided is using cryptographic techniques like Signal's sealed sender and metadata minimisation techniques... which ShitApp is of course not using, since it's the champion of metadata generation and collection.
To quote from this other article:
"end-to-end encryption only protects against reading messages during their transit. End-to-end encryption is therefore a minimum requirement for a private messaging service [...] For them [Facebook/Meta], the value of a messaging service lies is in knowing the dynamics of the social network: who talks to whom? When? Where are the individuals when they send those messages? How frequently do they talk? Like no other, Meta knows the value of metadata; they changed their name for a reason. Meta knows all too well how to exploit and valorise this data, and mention this in their privacy policy"
So, for anyone still wondering, WhatsApp is not bad in terms of security; but that is hardly the whole picture, or even the appropriate question. Remember what former National Security Agency chief Michael Hayden said in 2014: “we kill people based on metadata”.
Sadly, more than 2 billion normies in the world use WhatsApp; and normies do not (want to) understand or cannot understand why apps like this are bad for their privacy and, in turn, for all of our daily lives, let alone be convinced to use more private and secure messaging apps like Signal, SimpleX and Threema that do apply metadata minimisation and encryption techniques.
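To make concrete what the quoted assessment means by "inspection and analysis of network traffic" revealing who messages whom, here is an added toy model (my own illustration, not code from the article, from WhatsApp, or from anyone in this thread). It constructs a packet log as seen by an observer sitting between three clients and a relay server (addresses and timings are made up), scores how often an uplink from one client is followed within a short window by a same-sized downlink to another, and shows that this trivially links the two chatting parties. It then shows the observed log under constant-rate, fixed-size cover traffic, which is the textbook countermeasure to this class of timing correlation and is assumed here purely for illustration; no claim is made about what any particular app deploys.

```python
"""Toy model of metadata (timing/size) correlation at a network tap.

Added example, not from the original post or any messaging project.
All addresses, timings and sizes are constructed for illustration.
"""
from collections import Counter
from itertools import combinations

SERVER = "203.0.113.10"   # constructed relay address (documentation range)
ALICE, BOB, CAROL = "10.0.0.1", "10.0.0.2", "10.0.0.3"   # constructed clients
CLIENTS = [ALICE, BOB, CAROL]


def build_chat_log(alice=ALICE, bob=BOB, carol=CAROL, server=SERVER):
    """Constructed packet log: Alice and Bob exchange 20 messages through the
    relay; Carol only polls the server now and then. Each entry is
    (t_seconds, src, dst, size_bytes), i.e. only what an observer on the
    wire sees even when every payload is end-to-end encrypted."""
    events = []
    t = 0.0
    for i in range(20):
        sender, receiver = (alice, bob) if i % 2 == 0 else (bob, alice)
        t += 3.7 + (i % 3)                      # irregular human cadence
        size = 180 + 20 * (i % 5)               # message-dependent size
        events.append((t, sender, server, size))            # uplink
        events.append((t + 0.05, server, receiver, size))   # relay forwards
    for k in range(5):                          # unrelated background traffic
        t_c = 11.0 + 17.0 * k
        events.append((t_c, carol, server, 120))
        events.append((t_c + 0.05, server, carol, 64))
    return sorted(events)


def correlate(events, server=SERVER, window=0.5):
    """For every uplink src->server, count downlinks server->dst of the same
    size that follow within `window` seconds. Returns Counter keyed by the
    unordered client pair; a high count means the pair is probably talking."""
    downlinks = [(t, dst, size) for t, src, dst, size in events if src == server]
    scores = Counter()
    for t, src, dst, size in events:
        if dst != server:
            continue
        for t2, dst2, size2 in downlinks:
            if dst2 != src and t < t2 <= t + window and size2 == size:
                scores[frozenset((src, dst2))] += 1
    return scores


def linkable_pair(scores, clients, ratio=2.0):
    """Return the pair whose score dominates every other pair by `ratio`,
    or None when no pair stands out (correlation failed)."""
    pairs = [frozenset(p) for p in combinations(clients, 2)]
    counts = {p: scores.get(p, 0) for p in pairs}
    top = max(pairs, key=lambda p: counts[p])
    others = [counts[p] for p in pairs if p != top]
    if counts[top] > 0 and all(counts[top] >= ratio * c for c in others):
        return top
    return None


def cover_traffic_log(clients=CLIENTS, duration=90.0, period=1.0,
                      size=512, server=SERVER):
    """Constructed observation of the same clients under constant-rate cover
    traffic (assumed mitigation): every client sends one fixed-size cell per
    period and the relay returns one fixed-size cell to every client each
    period, whether or not a real message is pending. Real messages ride
    inside these cells, so the tap sees only the fixed schedule."""
    events = []
    for k in range(int(duration / period)):
        t = k * period
        for c in clients:
            events.append((t, c, server, size))
        for c in clients:
            events.append((t + 0.05, server, c, size))
    return sorted(events)


if __name__ == "__main__":
    chat = correlate(build_chat_log())
    print("plain relay  :", dict(chat), "->", linkable_pair(chat, CLIENTS))
    covered = correlate(cover_traffic_log())
    print("cover traffic:", dict(covered), "->", linkable_pair(covered, CLIENTS))
```

Running it shows the plain relay log yielding a single dominant pair (Alice and Bob, 20 matches, nobody else), while under cover traffic every pair scores identically and `linkable_pair` returns `None`. The point is the one the post makes: end-to-end encryption does nothing against this observer, because the model never looks at a payload; only shaping the metadata itself (fixed sizes, fixed timing, or mixing) removes the signal.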