WhatsApp encrypting iCloud backups of chat logs, but may be vulnerable

Facebook-owned WhatsApp quietly began encrypting iCloud backups of chat logs in late 2016, a report revealed this week — though that protection may now be compromised.

"When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted," a spokesperson confirmed to Forbes. In theory that should prevent hackers, police, or spy agencies from being able to read transcripts, even with a subpoena or security letter delivered to Apple.

The encryption was only noticed publicly, however, when a security firm, Oxygen Forensics, recently claimed it was able to crack the enhanced backups. The technique requires access to a SIM card with the same phone number WhatsApp uses to send verification codes, since this is the basis for the encryption key WhatsApp uses.

Like Apple's iMessage network, WhatsApp has become a frequent target of governments concerned that end-to-end encryption is interfering with investigations and allowing terrorists and others to operate outside of their reach. The service has come under particularly heavy fire in Brazil, where lower courts have repeatedly leveled sanctions only to have them overturned.

Some in the U.S. and U.K. governments have called for rules that would force companies like Apple and WhatsApp to be able to decrypt data on demand. That would involve deliberately weakening the encryption used, creating a backdoor, or both, which companies like Apple have argued would put customers at risk while simply directing malicious parties towards alternate secrecy methods.



3 Comments

coolfactor 2341 comments · 20 Years

They are probably doing something as amateur as this:
(using PHP code as an example)

$encryption_key = md5($phone_number);

avon b7 8046 comments · 20 Years

macxpress said:
This is why you just use Messages....

And in doing so, restrict your chat options to Apple devices. Not something that happens much in the real world.

People who want security in these apps don't use WhatsApp. They use Telegram. For the rest, WhatsApp is perfectly fine and lots of people simply delete messages (empty chats) anyway.