
MacRumors

macrumors bot
Original poster


WhatsApp is working on a way to secure users' chat backups in iCloud using password-protected encryption, according to a new report from forthcoming-feature specialist WABetaInfo.


The Facebook-owned chat platform began early work on the security feature back in March 2020. Currently, WhatsApp on iPhone lets users back up their chat history to iCloud, but messages and media that users back up are not protected by WhatsApp's end-to-end encryption while in iCloud.

Apple holds the encryption keys to iCloud, and does provide backed-up data to authorities when lawfully requested, as outlined in its semiannual Transparency Reports. The new WhatsApp feature, should it see the light of day, would resolve that security hole by allowing users to encrypt and password-protect their chat history before uploading it to Apple's cloud-based platform.

In screenshots posted by WABetaInfo, WhatsApp describes the password-protection like so:
"To prevent unauthorized access to your iCloud Drive backup, you can set a password that will be used to encrypt future backups. This password will be required when you restore from the backup."
The user is then asked to confirm their phone number and select a password of at least eight characters in length. Another screenshot forewarns users that "WhatsApp will not be able to help recover forgotten passwords."


It's unclear when the security feature will go live, but after the recent exodus from WhatsApp prompted by the service's poorly explained privacy policy update, sooner would be better than later.

Rival encrypted messaging services Telegram and Signal have both experienced a surge in signups following the controversy, which led WhatsApp to delay the privacy policy update until May while it attempts to deal with the fallout and clarify to users that the changes won't affect the privacy of their conversations.

Article Link: WhatsApp Still Working on Password-Protected Encrypted iCloud Backups
 
Good. And it would be great if this puts pressure on Apple to develop a similar feature for iMessage chats. It has been reported that Apple has consciously chosen to not (end-to-end) encrypt chats backed up to iCloud to allow the government to access people's private conversations, a serious hole in Apple's public commitment to privacy.
 
I think the solution Apple have chosen to use is probably quite a good measure as it satisfies both sides. In that if people wish to keep the conversation totally private they can opt not to back up their messages to iCloud, and equally if the government wish to access these messages through necessary legal processes then they can do so, if the backups exist. This prevents a situation whereby if they are totally encrypted, Governments may end up taking further action to prevent encryption or insist on a back door which would totally undermine the purpose of encryption.
 
It would be nice to know which third-party chat apps encrypt your chats even in backup scenarios.
I believe WhatsApp local backups are encrypted and WhatsApp messages are end-to-end encrypted. The issue is the cloud backups. They are currently unencrypted. On the Android side, WhatsApp/Facebook made a deal with Google for WhatsApp backups to not count against Google Drive quota.

What I don't get is, why is it so hard for WhatsApp to have their backup interchangeable between iOS and Android.
 
I think the solution Apple have chosen to use is probably quite a good measure as it satisfies both sides. In that if people wish to keep the conversation totally private they can opt not to back up their messages to iCloud, and equally if the government wish to access these messages through necessary legal processes then they can do so, if the backups exist. This prevents a situation whereby if they are totally encrypted, Governments may end up taking further action to prevent encryption or insist on a back door which would totally undermine the purpose of encryption.
Losing privacy by backing up encrypted data isn’t a good measure.
 
I guess it's too late now. Move to Signal.

Remember WhatsApp is owned by FACEBOOK!
A lot of phone plans, in South America in particular, include free or big chunks of WhatsApp usage. I get that that’s a niche problem, but switching to Signal would make it more expensive for people to keep in touch.
 
I think all steps towards stronger encryption on any legal platform are a good thing, but if you are concerned with privacy should you really be trusting a Facebook product to begin with?
 
I think all steps towards stronger encryption on any legal platform are a good thing, but if you are concerned with privacy should you really be trusting a Facebook product to begin with?
Are there reports of WhatsApp’s end-to-end encryption’s being breached?
 
There are more reasons to not trust Facebook than just breach reports. No system will keep hackers out completely forever.
What does Facebook do with end-to-end encrypted messages that WhatsApp can’t even read? Maybe my friends should be looking for an alternative even if it costs more money.
 
If messages are end to end encrypted, how does Facebook plan to read them to sell us targeted ads?
 
Have you seen anything which suggests Facebook can read them?

That is the furore with WhatsApp’s new user agreement. They want your acceptance to start monetizing WhatsApp content and provide this information to Facebook to display targeted ads. If you don’t accept your account will be deleted. They tried to clarify that it will be chats with business only but that also seems to be encrypted.
 
That is the furore with WhatsApp’s new user agreement. They want your acceptance to start monetizing WhatsApp content and provide this information to Facebook to display targeted ads. If you don’t accept your account will be deleted. They tried to clarify that it will be chats with business only but that also seems to be encrypted.
That’s not what it says, though. Nothing says they can read your messages.
 
Losing privacy by backing up encrypted data isn’t a good measure.
It’s better than legislated backdoors which would render there to be effectively no encryption. This way there is a choice given.
It’s specifically iCloud backups. You can still back up locally with the encryption and then if you wish back up to the cloud.
 
It’s better than legislated backdoors which would render there to be effectively no encryption. This way there is a choice given.
It’s specifically iCloud backups. You can still back up locally with the encryption and then if you wish back up to the cloud.
Still a false dichotomy.

Backing up locally with encryption then backing that up to the cloud is backing up to the cloud with encryption, just with an extra step. All your proposal does is expose the less tech-savvy to exposure. And, by your logic, if everyone did that then we’d be right back at legislated back doors.
 
What does Facebook do with end-to-end encrypted messages that WhatsApp can’t even read? Maybe my friends should be looking for an alternative even if it costs more money.
E2EE usually isn't bulletproof because a centralized server is still trusted to some extent. For one, WhatsApp could give you the wrong identity for a user from the start. That possibility is unavoidable if you're simply connecting to users by username or phone number or something, but the MitM attacks would be a difficult secret for the company to keep. Signal has the same flaw, but it's maybe easier to detect if you've been compromised.

Personally I wouldn't be worried in either case unless I were sending very sensitive messages and thinking I'm on a watchlist.
 
E2EE usually isn't bulletproof because a centralized server is still trusted to some extent. For one, WhatsApp could give you the wrong identity for a user from the start. Signal has the same flaw, but I think they have more features designed to mitigate that risk.
That’s not a flaw limited to WhatsApp, though, is it?
 
I guess it's too late now. Move to Signal.

Remember WhatsApp is owned by FACEBOOK!

Yep, too late for Signal also. Should have been around a decade ago. The majority of the world does use WhatsApp (just 2 billion or so) and I guess the majority does not give a flying monkey who WhatsApp is owned by, despite hate (typically from the West) and they just can’t be bothered to switch when everyone they know uses WhatsApp. That’s a fact check.
 