
From my experience, it's because security is a half-baked priority #50 usually at startups. A sum total of a week was probably spent by some back-end engineer 2 years ago on message security since it's not a selling point.

They probably record every single message too since storage without transmission is cheap and avoids a class of bugs with deletion. The stored histories could become a business advantage later to mine chat histories for marketing and advertising data like Facebook, Twitter, Google and everyone else. They say they charge now to avoid a marketing-driven approach, but cable TV made similar promises in its starting days too.

Also they run on such platforms as BlackBerry, Nokia S40 devices, Windows Phone and Symbian where plopping in some C crypto library probably wasn't practical. From what I know, most crypto libraries are written in some C family language or you have BouncyCastle for Java. Everything else is relatively obscure or broken. So something they could roll by themselves might have been what they had to choose from.

For many companies, security is something you do the motions for like you would with government paperwork and compliance, not necessarily because it's important to you. Unfortunately the average person only cares about door lock security, not real crypto secured products.




WhatsApp is over 4 years old with over 300 million (claimed) active users. I would expect them to have addressed security by this point. Especially after their previous blunders, I'd imagine hiring a security expert or having a third party audit their code would be at the top of their list. Apparently not.

I think these news and concerns often don't make their way to a bulk of their users, who probably aren't very tech savvy. If they don't see any user defection as a result of these issues being uncovered, then I'm not surprised about their lax stance on security.


I think companies start addressing things like security more seriously when they start becoming 'comfortable' companies, which means securely profitable. Security is higher on the Pavlov pyramid of software company needs than 'is a viable business'. I doubt WhatsApp is securely profitable, or flip-a-switch profitable like amazon.com.

When you are not viable as a business, new features, or begrudgingly addressing the huge amount of technical debt you generated in your early days so you can deliver new features faster, is what you focus on. WhatsApp will only address security when it threatens the viability of their business, which by that time will probably be too late.


LOL. You would cringe at the amount of duct-taped infrastructure that plagues most large enterprises. Their viewpoint often is, "We have a firewall and antivirus, so we should be good, right?"
