
There is not any evidence of encryption on WhatsApp, source code is closed so you can never be safe.


Even if it's open source, we should say that unless the binary can be reproduced exactly by end user, you can never trust what you are using is actually what you think it is.


Is that possible, in general? If someone published an open source app to Play, could I compare the Play downloaded app to a local build, and set config appropriately, and get a match?


> Is that possible, in general?

(Deterministic|reproducible) (compilation|builds) are a fairly recent endeavor; though they're not yet common they are technically feasible. The two efforts I'm aware of are Debian[1] and Chromium[2], though I'm not sure what state they're currently in. From their site, Chromium appears to include Android builds.

There may be Android-specific concerns w.r.t. the JVM's JIT, but if you can't trust the onboard runtime, you've already lost IMO.

--

[1] https://wiki.debian.org/ReproducibleBuilds

[2] https://www.chromium.org/developers/testing/isolated-testing...


F-droid[3] is supposedly working on reproducible builds for Android too.

[3] https://f-droid.org/wiki/page/Deterministic,_Reproducible_Bu...
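The verification step asked about above (comparing a store-downloaded APK against a local build) and the F-Droid effort mentioned in this post both come down to the same check, shown here as an added example that is not code from Debian, Chromium or F-Droid. An APK is a zip archive, and the store copy carries the developer's signature while a local build does not (or carries a debug one), so a whole-file hash will never match; the example instead hashes each entry's content and ignores the signature files under `META-INF/`. Assumptions: v1 signing artifacts live under `META-INF/` (v2/v3 signatures sit in a signing block outside the zip entries, which entry-by-entry comparison sidesteps), and the APKs here are constructed stand-ins built in memory, not real builds.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Assumption: v1 signing artifacts (MANIFEST.MF, CERT.SF, CERT.RSA) live under META-INF/.
SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every file entry in the zip to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def compare_builds(local_apk: bytes, store_apk: bytes) -> dict:
    """Compare two APKs entry by entry, ignoring signature files.

    Returns which non-signature entries differ, so a mismatch points at the
    exact file (e.g. classes.dex) rather than just "hashes differ".
    """
    local, store = entry_digests(local_apk), entry_digests(store_apk)
    all_names = set(local) | set(store)
    signature_entries = {n for n in all_names if n.startswith(SIGNATURE_PREFIX)}
    # An entry present in only one archive shows up as a difference too (get() -> None).
    differing = sorted(n for n in all_names - signature_entries
                       if local.get(n) != store.get(n))
    whole_file_match = (hashlib.sha256(local_apk).digest()
                        == hashlib.sha256(store_apk).digest())
    return {
        "reproducible": not differing,
        "differing": differing,
        "ignored_signature_entries": sorted(signature_entries),
        "whole_file_match": whole_file_match,
    }


def build_sample_apk(classes_dex: bytes, signature: Optional[bytes]) -> bytes:
    """Constructed stand-in for an APK: a zip with a dex, a manifest and optional signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example'/>")
        zf.writestr("classes.dex", classes_dex)
        zf.writestr("res/values/strings.xml", b"<resources/>")
        if signature is not None:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", signature)
    return buf.getvalue()


def demo() -> tuple:
    """Local unsigned build vs (a) the same code signed, (b) modified code signed."""
    dex = b"dex\n035\x00" + bytes(range(64))            # constructed dex-like payload
    local = build_sample_apk(dex, signature=None)
    store_same = build_sample_apk(dex, signature=b"constructed developer signature")
    store_tampered = build_sample_apk(dex + b"extra", signature=b"constructed developer signature")
    return compare_builds(local, store_same), compare_builds(local, store_tampered)


if __name__ == "__main__":
    same, tampered = demo()
    print("same code, signed :", same)
    print("modified, signed  :", tampered)
```

Running it shows the first comparison reporting `reproducible: True` even though `whole_file_match` is `False` (only the signature entries differ), while the second names `classes.dex` as the entry that does not match. For a real APK the remaining work is getting the local build itself deterministic (fixed toolchain, timestamps and build path), which is what the Debian, Chromium and F-Droid efforts are about.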




People have sniffed the wire for the WhatsApp client (on Android, towards another Android) and seen that it is encrypted.

But your point stands - there's no UI to indicate if it was secure or not and the code isn't open so you can't know for sure.


I'm ignorant. How can you prove that it's encrypted in any meaningful fashion vs, say rot13?


We can disprove the existence of strong encryption with a wireshark, but cannot prove it.

Entropy of a rot13 message would be much lower than that of a properly encrypted channel. High entropy is not proof of "meaningful encryption", mind you, since a compressed rot13 or plaintext message would have high entropy too.
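The entropy argument in this comment, as an added example that is not part of the original thread: rot13 only permutes the byte histogram, so its Shannon entropy is exactly that of the plaintext, while compressing the same plaintext pushes the per-byte entropy close to the 8 bits of random data. That is the point of the caveat above, that a high entropy reading can rule out rot13-style "encryption" but cannot distinguish real encryption from compressed plaintext. The sample text is constructed from a small vocabulary; the estimator is the plain byte-histogram Shannon entropy, not a full randomness test.

```python
import codecs
import math
import os
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimate bits of entropy per byte from the byte-value histogram (max 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def make_plaintext(words: int = 5000, seed: int = 1234) -> str:
    """Constructed English-like sample: words drawn at random from a tiny vocabulary."""
    vocab = ["the", "quick", "brown", "fox", "jumps", "over", "lazy", "dog",
             "message", "channel", "client", "server", "packet", "secure",
             "key", "cipher", "text", "wire", "entropy", "proof"]
    rng = random.Random(seed)   # seeded so the plaintext is deterministic
    return " ".join(rng.choice(vocab) for _ in range(words))


def entropy_report(plaintext: str) -> dict:
    """Entropy per byte of the same message under four treatments."""
    plain = plaintext.encode()
    rotated = codecs.encode(plaintext, "rot_13").encode()   # histogram permuted, not changed
    compressed = zlib.compress(plain, 9)                    # redundancy squeezed out
    random_bytes = os.urandom(len(plain))                   # stand-in for a good ciphertext
    return {
        "plaintext": shannon_entropy(plain),
        "rot13": shannon_entropy(rotated),
        "compressed_plaintext": shannon_entropy(compressed),
        "random_bytes": shannon_entropy(random_bytes),
    }


if __name__ == "__main__":
    for name, bits in entropy_report(make_plaintext()).items():
        print(f"{name:>22}: {bits:.2f} bits/byte")
```

On the constructed sample the plaintext and rot13 lines come out identical and well under 5 bits/byte, while the compressed and random lines both sit near 8, so a Wireshark capture that reads as "high entropy" is consistent with strong encryption, with compression, or with both.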


Encryption on the transport != end-to-end encryption if you consider the users as the ends. The encryption might very well just be from your device to WhatsApp.


Or it might be like with Skype - where according to some report (I don't have a link right now, sadly) the encryption is used mostly for obfuscating the protocol and to make building alternative clients harder, but it is given so small an entropy pool that it's useless for security.



I think that OP refers to Whatsapp?



