Rust at Scale: An Added Layer of Security for WhatsApp

WhatsApp has adopted and rolled out a new layer of security for users – built with Rust – as part of its effort to harden defenses against malware threats. WhatsApp’s experience creating and distri…

Overview

WhatsApp has deployed a Rust-based media consistency library called 'Kaleidoscope' to billions of devices globally, replacing 160,000 lines of C++ with 90,000 lines of Rust to harden defenses against malware hidden in media files. This represents what WhatsApp believes is the largest rollout of a Rust library globally, spanning Android, iOS, Mac, Web, Wearables, and more, with improved performance and memory usage over the original C++ implementation.

What You'll Learn

1. Why WhatsApp chose Rust over C++ for media processing security at scale
2. How to approach a parallel rewrite from C++ to Rust using differential fuzzing for compatibility
3. How media file consistency checks protect against parser differential exploits and malware
4. Why memory-safe languages are critical for processing untrusted inputs in security-sensitive code
5. How WhatsApp's defense-in-depth strategy combines multiple security layers including CFI, hardened allocators, and Rust adoption

Prerequisites & Requirements

  • Understanding of memory safety concepts and common vulnerabilities in C/C++ (buffer overflows, use-after-free)
  • Basic familiarity with Rust programming language and its ownership model
  • Understanding of media file formats (MP4, PDF) and how parsers process them (optional)
  • Experience with cross-platform library development and deployment (optional)

Key Questions Answered

Why did WhatsApp choose Rust for its media processing security library?
WhatsApp chose Rust because media checks run automatically on download and process untrusted inputs, making the code a prime candidate for a memory-safe language. The majority of high-severity vulnerabilities WhatsApp published were due to memory safety issues in C and C++. Rust eliminated this class of bugs while delivering better performance and lower runtime memory usage than the original C++ implementation.
How did WhatsApp migrate from C++ to Rust without breaking compatibility?
Rather than an incremental rewrite, WhatsApp developed the Rust version of wamedia in parallel with the original C++ version. They used differential fuzzing along with extensive integration and unit tests to ensure compatibility between the two implementations. This approach replaced 160,000 lines of C++ (excluding tests) with 90,000 lines of Rust (including tests) while maintaining identical behavior.
What is WhatsApp's Kaleidoscope media security system?
Kaleidoscope is WhatsApp's ensemble of media file security checks. It verifies non-conformant structures within file types to protect downstream libraries from parser differential exploits, checks high-risk file types like PDFs for embedded files and scripting elements, detects file type masquerading through spoofed extensions or MIME types, and flags known dangerous file types such as executables for special UX handling.
What was the Stagefright vulnerability and how did it influence WhatsApp's security strategy?
Stagefright was a 2015 Android vulnerability in OS-level media file processing libraries. Because WhatsApp and other applications couldn't patch the underlying OS vulnerability and users took months to update, WhatsApp modified its existing cross-platform C++ library (wamedia) to detect non-standard MP4 files that might trigger OS bugs. This experience motivated the long-term shift toward memory-safe languages like Rust.
What challenges did WhatsApp face deploying Rust at scale across billions of devices?
Two major hurdles were the initial binary size increase from including the Rust standard library and the build system support required for WhatsApp's diverse platforms. WhatsApp made a long-term investment to build that support, ultimately deploying to Android, iOS, Mac, Web, Wearables, and more. The library is distributed monthly to billions of phones, laptops, desktops, watches, and browsers.
How does WhatsApp's defense-in-depth approach to security work beyond Rust adoption?
WhatsApp employs multiple parallel security strategies: minimizing unnecessary attack surface, investing in security assurance for remaining C/C++ code through CFI, hardened memory allocators, safer buffer handling APIs, and specialized developer training. They also conduct internal and external audits, fuzzing, static analysis, supply chain management, automated attack surface analysis, and maintain a Bug Bounty program with the WhatsApp Research Proxy.
How does Rust compare to C++ for WhatsApp's media processing in terms of code size and performance?
WhatsApp replaced 160,000 lines of C++ (excluding tests) with 90,000 lines of Rust (including tests), representing a significant reduction in code volume. The Rust version showed performance advantages and lower runtime memory usage compared to the C++ implementation, while simultaneously eliminating the memory safety vulnerabilities that were the majority of high-severity issues in their C/C++ codebase.
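
One possible structural consistency check for the non-standard MP4 files mentioned in the Stagefright answer above, as an added example that is not code from WhatsApp or from the original article: a strict walk over the top-level boxes of an MP4 buffer in safe Rust, rejecting any box whose declared size is inconsistent with the bytes actually present. The error names and the sample bytes are constructed for illustration.

```rust
// Added example, not WhatsApp's code: strict walk over top-level MP4 boxes.
#[derive(Debug, PartialEq)]
pub enum BoxError {
    TruncatedHeader(usize), // a box header does not fit at this offset
    SizeTooSmall(usize),    // declared size is smaller than the header itself
    SizeExceedsFile(usize), // declared size runs past the end of the buffer
}

/// Big-endian integer from up to eight bytes.
fn be(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0, |acc, &b| (acc << 8) | u64::from(b))
}

/// Returns the four-character type of every top-level box, or the first
/// structural inconsistency together with the offset of the offending box.
pub fn check_top_level_boxes(data: &[u8]) -> Result<Vec<String>, BoxError> {
    let mut kinds = Vec::new();
    let mut offset = 0usize;
    while offset < data.len() {
        let rest = &data[offset..];
        if rest.len() < 8 {
            return Err(BoxError::TruncatedHeader(offset));
        }
        let (header_len, size) = match be(&rest[..4]) {
            0 => (8, rest.len() as u64), // size 0: box runs to the end of the file
            1 if rest.len() < 16 => return Err(BoxError::TruncatedHeader(offset)),
            1 => (16, be(&rest[8..16])), // size 1: 64-bit largesize follows the type
            n => (8, n),
        };
        if size < header_len {
            return Err(BoxError::SizeTooSmall(offset));
        }
        if size > rest.len() as u64 {
            return Err(BoxError::SizeExceedsFile(offset));
        }
        kinds.push(String::from_utf8_lossy(&rest[4..8]).into_owned());
        offset += size as usize; // cannot overflow: size <= rest.len()
    }
    Ok(kinds)
}

fn main() {
    // Constructed sample: a 16-byte "ftyp" box, then an "mdat" box that claims
    // 0x1000 bytes although only its 8-byte header is present.
    let mut file: Vec<u8> = vec![0, 0, 0, 16];
    file.extend_from_slice(b"ftypisom\0\0\0\0");
    file.extend_from_slice(b"\0\0\x10\0mdat");
    println!("{:?}", check_top_level_boxes(&file));
}
```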

Key Statistics & Figures

  • WhatsApp end-to-end encryption users: Over 3 billion (people using WhatsApp for secure daily messaging)
  • C++ lines of code replaced: 160,000 lines (lines of C++ code, excluding tests)
  • Rust lines of code in replacement: 90,000 lines (lines of Rust code, including tests)
  • Deployment platforms: 6+ (Android, iOS, Mac, Web, Wearables, and more platforms supported)
  • Products using the Rust library: 3 (WhatsApp, Messenger, and Instagram all use the Rust media libraries)

Technologies & Tools

  • Programming Language: Rust. Memory-safe language used to rewrite the wamedia library for secure media processing
  • Programming Language: C++. Original language of the wamedia cross-platform media library, being replaced by Rust
  • Security: CFI (Control Flow Integrity). Protection added to remaining C/C++ code to mitigate exploitation
  • Platform: Android. One of the primary deployment platforms for the Rust media library
  • Platform: iOS. Deployment platform for the Rust media library

Key Actionable Insights

1. When processing untrusted inputs (media files, user uploads, network data), prioritize using memory-safe languages like Rust for the parsing layer. WhatsApp found that the majority of their high-severity vulnerabilities came from memory safety issues in C/C++ code that handled untrusted data.
This is especially critical for code that runs automatically without user interaction, such as media download handlers, file format validators, and content parsers.
2. Use differential fuzzing and parallel development when migrating critical libraries from C/C++ to Rust, rather than attempting incremental rewrites. WhatsApp developed the Rust version alongside the C++ version, using differential fuzzing and extensive tests to ensure behavioral compatibility.
This approach allows you to validate correctness before cutting over and avoids the risk of introducing subtle behavioral differences that an incremental rewrite might miss.
3. Implement layered media file validation that goes beyond format compliance, including checks for file type masquerading (spoofed extensions/MIME types), embedded malicious content within structurally valid files, and risk indicators specific to high-risk formats like PDFs.
WhatsApp's Kaleidoscope system demonstrates that format checks alone won't stop every attack, but this defense-in-depth approach mitigates many threats from malicious clients and attachments.
4. Don't rely solely on OS-level security patches to protect your users. Build application-level defenses that can be deployed independently and more rapidly than OS updates. WhatsApp learned this lesson from the 2015 Stagefright vulnerability, where users took months to update their operating systems.
Application-level media validation gave WhatsApp the ability to protect users from OS vulnerabilities much faster than waiting for OS patches to propagate through device ecosystems.
5. When adopting Rust for cross-platform deployment, plan for the initial binary size increase from the Rust standard library and invest in build system support for all target platforms early. WhatsApp treated this as a long-term bet that paid off across Android, iOS, Mac, Web, and Wearables.
The upfront investment in build infrastructure enables broader adoption of Rust across the organization over time, as WhatsApp is now accelerating Rust adoption to other teams and products.
6. Adopt a three-pronged strategy for reducing memory safety risk in existing codebases: minimize attack surface, invest in hardening remaining C/C++ code (CFI, hardened allocators, safer APIs), and default to memory-safe languages for all new code.
This parallel approach addresses both the legacy codebase and future development, ensuring that security improvements don't wait for a complete rewrite while progressively reducing overall risk.
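
The differential check from insight 2, as an added example that is not WhatsApp's harness or code from the original article: two implementations with the same contract are run over mutated inputs and the first disagreement is reported. Both `payload_len` functions are hypothetical stand-ins, and exhaustive truncation and single-byte substitution stands in for the inputs a fuzzer would generate.

```rust
// Added example, not WhatsApp's harness. Both implementations are hypothetical
// stand-ins: a reference ("old") routine and its rewrite ("new").
#[derive(Debug, PartialEq)]
pub struct Divergence {
    pub input: Vec<u8>,
    pub reference: Option<u32>,
    pub rewrite: Option<u32>,
}

fn size_field(header: &[u8]) -> Option<u32> {
    if header.len() < 8 { return None; }
    let size = u32::from_be_bytes([header[0], header[1], header[2], header[3]]);
    if size <= 1 { None } else { Some(size) } // 0 and 1 are special forms, out of scope
}

/// Reference behaviour: unsigned subtraction that wraps for sizes 2..=7.
pub fn reference_payload_len(header: &[u8]) -> Option<u32> {
    size_field(header).map(|size| size.wrapping_sub(8))
}

/// Rewrite: rejects a size smaller than the 8-byte header.
pub fn rewrite_payload_len(header: &[u8]) -> Option<u32> {
    size_field(header).and_then(|size| size.checked_sub(8))
}

type Impl = fn(&[u8]) -> Option<u32>;

/// Runs both implementations over every truncation and every single-byte
/// substitution of `seed` and returns the first input on which they differ.
pub fn first_divergence(seed: &[u8], reference: Impl, rewrite: Impl) -> Option<Divergence> {
    let truncations = (0..seed.len()).map(|n| seed[..n].to_vec());
    let substitutions = (0..seed.len()).flat_map(|pos| {
        (0..=255u8).map(move |value| {
            let mut mutated = seed.to_vec();
            mutated[pos] = value;
            mutated
        })
    });
    truncations.chain(substitutions).find_map(|input| {
        let (a, b) = (reference(&input), rewrite(&input));
        if a == b { None } else { Some(Divergence { input, reference: a, rewrite: b }) }
    })
}

fn main() {
    // Constructed seed: header of an 8-byte "free" box.
    println!("{:?}", first_divergence(b"\0\0\0\x08free", reference_payload_len, rewrite_payload_len));
}
```

Each reported divergence is then triaged: either the rewrite is brought in line with the reference, or the difference is recorded as an intended fix.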

Common Pitfalls

1. Relying solely on OS-level patches to protect application users from media file vulnerabilities. When the Stagefright vulnerability hit Android in 2015, WhatsApp and other apps couldn't patch the underlying OS library, and users took months to update their devices, leaving them exposed.
Building application-level media validation provides an independent defense layer that can be deployed much faster than waiting for OS update propagation across billions of devices.
2. Attempting an incremental rewrite when migrating security-critical code from C++ to Rust. Incremental rewrites risk introducing subtle behavioral differences and make it harder to validate complete compatibility between old and new implementations.
WhatsApp chose parallel development with differential fuzzing to ensure the Rust version was fully compatible before deployment, which proved more reliable for safety-critical code.
3. Underestimating the binary size and build system challenges of adopting Rust for cross-platform client-side deployment. The Rust standard library adds to binary size, and supporting diverse platforms requires significant build infrastructure investment.
WhatsApp treated this as a long-term strategic investment rather than a quick win, which ultimately enabled broader Rust adoption across the organization.
4. Only checking media file format compliance without looking for deeper risk indicators. Structurally conformant files can still contain malicious content, such as embedded files and scripting elements within valid PDFs, or file type masquerading through spoofed extensions or MIME types.
WhatsApp's Kaleidoscope system applies multiple layers of checks beyond format compliance, recognizing that sophisticated attackers can hide malware within standards-conformant files.
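
The layered checks from insight 3 and pitfall 4, as an added example that is not Kaleidoscope's code: it sniffs the content type from magic bytes, compares it with the type the extension claims, flags executables, and scans PDFs for names associated with scripting and embedded files. The type names, the list of risk names and the policy are assumptions chosen for illustration.

```rust
// Added example, not Kaleidoscope's code; the policy choices are assumptions.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Kind { Pdf, Jpeg, Mp4, Executable, Unknown }
#[derive(Debug, PartialEq)]
pub enum Finding {
    Masquerade { declared: Kind, actual: Kind }, // name and content disagree
    DangerousType,                               // executable by name or content
    PdfRiskName(&'static str),                   // scripting or embedding marker
}

// Heuristic: names may be hex-escaped or compressed, so a clean scan proves nothing.
const PDF_RISK_NAMES: [&str; 4] = ["/JavaScript", "/JS", "/EmbeddedFile", "/Launch"];

// Type according to the leading magic bytes (MP4: "ftyp" box type at offset 4).
pub fn sniff(data: &[u8]) -> Kind {
    if data.starts_with(b"%PDF-") { Kind::Pdf }
    else if data.starts_with(&[0xFF, 0xD8, 0xFF]) { Kind::Jpeg }
    else if data.len() >= 8 && &data[4..8] == b"ftyp" { Kind::Mp4 }
    else if data.starts_with(b"MZ") || data.starts_with(b"\x7fELF") { Kind::Executable }
    else { Kind::Unknown }
}

pub fn declared_kind(file_name: &str) -> Kind {
    match file_name.rsplit('.').next().unwrap_or("").to_ascii_lowercase().as_str() {
        "pdf" => Kind::Pdf,
        "jpg" | "jpeg" => Kind::Jpeg,
        "mp4" => Kind::Mp4,
        "exe" | "dll" | "so" => Kind::Executable,
        _ => Kind::Unknown,
    }
}

pub fn inspect(file_name: &str, data: &[u8]) -> Vec<Finding> {
    let (declared, actual) = (declared_kind(file_name), sniff(data));
    let mut findings = Vec::new();
    if declared != Kind::Unknown && declared != actual {
        findings.push(Finding::Masquerade { declared, actual });
    }
    if declared == Kind::Executable || actual == Kind::Executable {
        findings.push(Finding::DangerousType);
    }
    if actual == Kind::Pdf {
        let hits = PDF_RISK_NAMES.iter().filter(|n| data.windows(n.len()).any(|w| w == n.as_bytes()));
        findings.extend(hits.map(|&n| Finding::PdfRiskName(n)));
    }
    findings
}

fn main() { println!("{:?}", inspect("holiday.jpg", b"MZ\x90\x00")); } // constructed sample
```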

Related Concepts

Memory Safety
Rust Programming Language
C++ To Rust Migration
Defense-in-depth Security
Media File Parsing Vulnerabilities
Differential Fuzzing
Control Flow Integrity (CFI)
End-to-end Encryption
Cross-platform Library Development
Supply Chain Security
Static Analysis
Bug Bounty Programs
Parser Differential Exploits
File Type Masquerading
Attack Surface Reduction