WhatsApp has adopted and rolled out a new layer of security for users – built with Rust – as part of its effort to harden defenses against malware threats. WhatsApp’s experience creating and distri…
Overview
WhatsApp has deployed a Rust-based media consistency library called 'Kaleidoscope' to billions of devices globally, replacing 160,000 lines of C++ with 90,000 lines of Rust to harden defenses against malware hidden in media files. This represents what WhatsApp believes is the largest rollout of a Rust library globally, spanning Android, iOS, Mac, Web, Wearables, and more, with improved performance and memory usage over the original C++ implementation.
What You'll Learn
Why WhatsApp chose Rust over C++ for media processing security at scale
How to approach a parallel rewrite from C++ to Rust using differential fuzzing for compatibility
How media file consistency checks protect against parser differential exploits and malware
Why memory-safe languages are critical for processing untrusted inputs in security-sensitive code
How WhatsApp's defense-in-depth strategy combines multiple security layers including CFI, hardened allocators, and Rust adoption
Prerequisites & Requirements
- Understanding of memory safety concepts and common vulnerabilities in C/C++ (buffer overflows, use-after-free)
- Basic familiarity with Rust programming language and its ownership model
- Understanding of media file formats (MP4, PDF) and how parsers process them (optional)
- Experience with cross-platform library development and deployment (optional)
Key Questions Answered
Why did WhatsApp choose Rust for its media processing security library?
How did WhatsApp migrate from C++ to Rust without breaking compatibility?
What is WhatsApp's Kaleidoscope media security system?
What was the Stagefright vulnerability and how did it influence WhatsApp's security strategy?
What challenges did WhatsApp face deploying Rust at scale across billions of devices?
How does WhatsApp's defense-in-depth approach to security work beyond Rust adoption?
How does Rust compare to C++ for WhatsApp's media processing in terms of code size and performance?
Key Actionable Insights
1. When processing untrusted inputs (media files, user uploads, network data), prioritize using memory-safe languages like Rust for the parsing layer. WhatsApp found that the majority of their high-severity vulnerabilities came from memory safety issues in C/C++ code that handled untrusted data. This is especially critical for code that runs automatically without user interaction, such as media download handlers, file format validators, and content parsers.
2. Use differential fuzzing and parallel development when migrating critical libraries from C/C++ to Rust, rather than attempting incremental rewrites. WhatsApp developed the Rust version alongside the C++ version, using differential fuzzing and extensive tests to ensure behavioral compatibility. This approach allows you to validate correctness before cutting over and avoids the risk of introducing subtle behavioral differences that an incremental rewrite might miss.
3. Implement layered media file validation that goes beyond format compliance, including checks for file type masquerading (spoofed extensions/MIME types), embedded malicious content within structurally valid files, and risk indicators specific to high-risk formats like PDFs. WhatsApp's Kaleidoscope system demonstrates that format checks alone won't stop every attack, but this defense-in-depth approach mitigates many threats from malicious clients and attachments.
4. Don't rely solely on OS-level security patches to protect your users. Build application-level defenses that can be deployed independently and more rapidly than OS updates. WhatsApp learned this lesson from the 2015 Stagefright vulnerability, where users took months to update their operating systems. Application-level media validation gave WhatsApp the ability to protect users from OS vulnerabilities much faster than waiting for OS patches to propagate through device ecosystems.
5. When adopting Rust for cross-platform deployment, plan for the initial binary size increase from the Rust standard library and invest in build system support for all target platforms early. WhatsApp treated this as a long-term bet that paid off across Android, iOS, Mac, Web, and Wearables. The upfront investment in build infrastructure enables broader adoption of Rust across the organization over time, as WhatsApp is now accelerating Rust adoption to other teams and products.
6. Adopt a three-pronged strategy for reducing memory safety risk in existing codebases: minimize attack surface, invest in hardening remaining C/C++ code (CFI, hardened allocators, safer APIs), and default to memory-safe languages for all new code. This parallel approach addresses both the legacy codebase and future development, ensuring that security improvements don't wait for a complete rewrite while progressively reducing overall risk.
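The differential fuzzing described in insight 2, as an added example that is not code from WhatsApp or the original page: a deterministic mutation loop feeds the same input to two versions of a box walker and returns the first input on which they disagree. The walkers, `SEED`, and the size-0 difference between them are constructed for illustration; in a real migration the two sides would be the separate legacy and rewritten libraries.

```rust
// Added example: both walkers and SEED are constructed stand-ins, not WhatsApp code.
type Boxes = Result<Vec<([u8; 4], usize)>, &'static str>;
/// Constructed seed input: two header-only boxes, "ftyp" and "mdat".
pub const SEED: [u8; 16] = *b"\0\0\0\x08ftyp\0\0\0\x08mdat";

/// Walk top-level MP4-style boxes: 4-byte big-endian size, then 4-byte type.
/// `zero_to_eof` is the single behaviour in which the two versions differ.
fn walk(data: &[u8], zero_to_eof: bool) -> Boxes {
    let (mut pos, mut out) = (0usize, Vec::new());
    while pos < data.len() {
        let hdr = data.get(pos..pos + 8).ok_or("truncated header")?;
        let mut size = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as usize;
        if size == 0 && zero_to_eof {
            size = data.len() - pos; // size 0 means "box runs to end of file"
        }
        if size < 8 || size > data.len() - pos {
            return Err("bad box size");
        }
        out.push(([hdr[4], hdr[5], hdr[6], hdr[7]], size));
        pos += size;
    }
    Ok(out)
}
/// Stand-in for the legacy implementation: accepts size 0.
pub fn walk_legacy(data: &[u8]) -> Boxes { walk(data, true) }
/// Stand-in for the rewrite: rejects size 0, a compatibility break to be found.
pub fn walk_rewrite(data: &[u8]) -> Boxes { walk(data, false) }
/// xorshift64 step: a small deterministic PRNG so every run is reproducible.
fn next(s: &mut u64) -> u64 {
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
    *s
}
/// Mutate one byte of a non-empty `seed` per iteration; return the first disagreeing input.
pub fn differential(seed: &[u8], iters: u32, mut rng: u64) -> Option<Vec<u8>> {
    const INTERESTING: [u8; 4] = [0x00, 0x01, 0x7F, 0xFF];
    for _ in 0..iters {
        let mut input = seed.to_vec();
        let at = (next(&mut rng) % seed.len() as u64) as usize;
        input[at] = INTERESTING[(next(&mut rng) % 4) as usize];
        if walk_legacy(&input) != walk_rewrite(&input) {
            return Some(input);
        }
    }
    None
}

fn main() {
    println!("{:?}", differential(&SEED, 5000, 0x9E37_79B9_7F4A_7C15));
}
```

Any input the loop returns is a reproducible compatibility finding: the team either ports the legacy behaviour or records the change as intentional.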
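The layered validation in insight 3, sketched as an added example (not Kaleidoscope's code or anything from the original page): it compares the declared extension against the content's magic bytes and then scans PDFs for risk indicators. The type names, the `PDF_RISK` token list and the sample bytes are assumptions chosen for illustration.

```rust
// Added example: type names, PDF_RISK and the sample bytes are assumptions, not Kaleidoscope's.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Kind { Pdf, Jpeg, Png, Mp4, Unknown }

/// Identify the format from leading magic bytes, ignoring the file name.
pub fn sniff(data: &[u8]) -> Kind {
    if data.starts_with(b"%PDF-") { Kind::Pdf }
    else if data.starts_with(&[0xFF, 0xD8, 0xFF]) { Kind::Jpeg }
    else if data.starts_with(b"\x89PNG\r\n\x1a\n") { Kind::Png }
    else if data.get(4..8) == Some(&b"ftyp"[..]) { Kind::Mp4 }
    else { Kind::Unknown }
}

/// Map the extension the sender declared to the format it promises.
pub fn declared(name: &str) -> Kind {
    let ext = name.rsplit_once('.').map(|(_, e)| e.to_ascii_lowercase());
    match ext.as_deref() {
        Some("pdf") => Kind::Pdf,
        Some("jpg") | Some("jpeg") => Kind::Jpeg,
        Some("png") => Kind::Png,
        Some("mp4") => Kind::Mp4,
        _ => Kind::Unknown,
    }
}

/// Assumed PDF name tokens treated as risk indicators (active or embedded content).
const PDF_RISK: [&str; 4] = ["/JavaScript", "/OpenAction", "/Launch", "/EmbeddedFile"];
/// Return findings for one attachment; an empty list means nothing was flagged.
pub fn check(name: &str, data: &[u8]) -> Vec<String> {
    let (want, got) = (declared(name), sniff(data));
    let mut findings = Vec::new();
    if want != got {
        findings.push(format!("type mismatch: declared {:?}, content {:?}", want, got));
    }
    if got == Kind::Pdf {
        for tok in PDF_RISK.iter() {
            if data.windows(tok.len()).any(|w| w == tok.as_bytes()) {
                findings.push(format!("pdf risk indicator {}", tok));
            }
        }
    }
    findings
}

fn main() {
    // Constructed sample: PDF content sent under an image file name.
    let body = b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R >> endobj\n";
    for f in check("holiday.jpg", body) { println!("{}", f); }
}
```

A raw byte scan like this does not see names stored inside compressed PDF object streams, so it complements a structural parse rather than replacing one.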