alt Hacker NewsAs far as I remember, Google does the final signing of the APK, which is eventually the signature verified by the OS to verify if an update is valid or not.
So Google can, if ordered or willing to help, create a new release track (e.g. experimental-do-not-deleted) and add specific e-mails to that track with the "improved" version.
Nobody would be able to see that in real world, and you know what, if WhatsApp themselves are ordered, they can also create their own "test" track, it's just less covert but it would technically be working.
In all cases, Google and Apple have to respect US laws, and the laws of earning money too.
If you do not cooperative with intelligence / police services of your country, only bad things can happen.
Yes, the app could be compromised, or the OS, or the compiler of the app, or of the OS, or the OS of the compiler, or the CPU any of these things run on, etc. etc. None of that is relevant to the definition of E2EE.