WhatsApp has finally fixed its biggest privacy loophole
Instant messaging app WhatsApp is making chat backups end-to-end encrypted, so users will no longer have to rely on the security mechanisms of the cloud storage or local device storage where those backups are kept. Encryption for chat backups is now rolling out for Android phone users, covering both local storage and Google Drive backups, and for Apple iPhone users using iCloud cloud storage.
Facebook-owned WhatsApp is now letting users encrypt chat backups before they are stored in Google Drive or Apple iCloud. While these services have their own encryption and security protocols in place, WhatsApp has long left users at the mercy of a third-party storage platform’s security measures instead of providing its own protection. This does not change how users back up chats or how the backups are saved in Google Drive or iCloud.
Password or encryption keys?
Users can choose one of two methods to secure an end-to-end encrypted chat backup: they can either create a password, or have WhatsApp generate a unique 64-digit encryption key. Whichever they choose, they will need it whenever they want to restore the chat backup on the same or any other phone. WhatsApp, Google, and Apple will have no access to this password or key.
Protection against forced access
This is not to say that Apple or Google would allow someone access to the WhatsApp chat backups stored on their cloud storage, or would attempt to access them themselves. Yet this added layer of protection gives chat backups the same protection that chats otherwise have. This could be handy in grey-area situations, such as local laws requiring these platforms to hand over user data stored in the cloud. Until now, WhatsApp chats would in that case have been available on a platter as plain text.
How the password is protected
If a password is created, the key for backups is stored in a Backup Key Vault built on a component called a hardware security module (HSM), secure hardware used to store encryption keys safely. “When the account owner uses a personal password to protect their end-to-end encrypted backup, the HSM-based Backup Key Vault will store and safeguard it,” Facebook’s software engineers Slavik Krassovsky and Gabriel Cadden said in a statement describing how the encryption will work. “The HSM-based Backup Key Vault will be responsible for enforcing password verification attempts.”
Tougher but more secure
If users choose the encryption key, and feel they can remember it and enter it correctly when restoring the chat backup on a new phone, for instance, it may be slightly safer than a password, whose associated key is stored in the Backup Key Vault. The 64-digit key does not go into the HSM-based vault at all, which removes a possible point of failure from the security chain.
WhatsApp is adding the update for Android phones and the Apple iPhone, but not everyone will see the feature yet. The company has said it will make encrypted backups available in stages to ensure a smooth rollout. Users who do see it can go to Settings > Chats > Chat Backup > End-to-end Encrypted Backup to create a password- or encryption-key-protected backup. Users can turn this off at any time. Indications are that encrypted backups will not be enabled by default for all users, at least not for now. If users enable it, everything they back up will be encrypted, including messages, videos, photos, and GIFs.
What happens if an attacker tries to access an encrypted backup by brute force? The key or password will automatically be made permanently inaccessible after a number of failed attempts to unlock it.
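The three properties described above (the vault stores the backup key and verifies the password itself, the 64-digit key never touches the vault, and too many failed attempts make the key permanently inaccessible) can be modelled in a few dozen lines. The following is an added illustrative example, not WhatsApp’s or Facebook’s code: the class and function names, the attempt limit of 5, the use of scrypt as the password verifier and the SHA-256 hashing of the 64-digit key into key bytes are all assumptions made for the example, since the article does not give those details.

```python
# Constructed model of an HSM-style Backup Key Vault (illustrative, not WhatsApp's code).
import hashlib
import hmac
import secrets
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 5  # assumption: the article does not state WhatsApp's actual limit


class VaultPermanentlyLocked(Exception):
    """Raised once the stored key has been made permanently inaccessible."""


class BackupKeyVault:
    """Model of the vault side of the password option.

    The vault keeps the backup key and a salted scrypt verifier of the password
    (never the password itself) and counts consecutive failed attempts. After
    MAX_FAILED_ATTEMPTS failures it destroys the key, so even the correct
    password can no longer recover it.
    """

    def __init__(self, password: str, backup_key: bytes) -> None:
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(password, self._salt)
        self._backup_key: Optional[bytes] = backup_key
        self._failed = 0

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF: each verification costs real work (assumed parameters).
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    @property
    def locked(self) -> bool:
        return self._backup_key is None

    def release_key(self, password: str) -> bytes:
        """Return the backup key for the correct password; enforce the attempt limit."""
        if self._backup_key is None:
            raise VaultPermanentlyLocked("key was destroyed after too many failures")
        candidate = self._derive(password, self._salt)
        if hmac.compare_digest(candidate, self._verifier):  # constant-time comparison
            self._failed = 0
            return self._backup_key
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:
            self._backup_key = None  # permanently inaccessible from here on
            raise VaultPermanentlyLocked("attempt limit reached; key destroyed")
        raise PermissionError(f"wrong password ({self._failed}/{MAX_FAILED_ATTEMPTS})")


def generate_64_digit_key() -> str:
    """Client-side alternative to the password: a random 64-digit key.

    Nothing is sent to any vault; only the user holds this string.
    """
    return "".join(secrets.choice("0123456789") for _ in range(64))


def is_valid_64_digit_key(typed: str) -> bool:
    """True if the typed string is exactly 64 digits (spaces/dashes used for grouping are ignored)."""
    digits = typed.replace(" ", "").replace("-", "")
    return len(digits) == 64 and digits.isdigit()


def key_from_digits(typed: str) -> bytes:
    """Turn a typed 64-digit key into 32 key bytes, rejecting mistyped input.

    Constructed choice for this example: SHA-256 of the digit string.
    """
    if not is_valid_64_digit_key(typed):
        raise ValueError("a 64-digit key is required")
    digits = typed.replace(" ", "").replace("-", "")
    return hashlib.sha256(digits.encode("ascii")).digest()


def record_attempts(vault: BackupKeyVault, attempts: List[str]) -> List[str]:
    """Submit a list of password attempts and record the vault's response to each."""
    outcomes = []
    for attempt in attempts:
        try:
            vault.release_key(attempt)
            outcomes.append("released")
        except PermissionError:
            outcomes.append("rejected")
        except VaultPermanentlyLocked:
            outcomes.append("locked")
    return outcomes


if __name__ == "__main__":
    vault = BackupKeyVault("correct horse battery staple", secrets.token_bytes(32))
    print(record_attempts(vault, ["guess1", "guess2", "correct horse battery staple"]))
    key = generate_64_digit_key()
    print(is_valid_64_digit_key(key), len(key_from_digits(key)))
```

The point to notice is where state lives: in the password path the vault holds both the key and the failure counter, so the limit is enforced by the hardware component rather than by the client, and destroying the key is what makes it “permanently inaccessible”; in the 64-digit key path there is no vault state at all, which is why the article can call it one point of failure fewer, at the price that a mistyped or forgotten key cannot be recovered by anyone.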
WhatsApp has over two billion active users globally, making it by far the most popular instant messaging app in the world. In second place is Facebook’s Messenger. The company says WhatsApp users send over 100 billion messages daily.