
MacRumors

macrumors bot
Original poster
Apr 12, 2001
57,391
20,220


WhatsApp has announced it will give its two billion users the option to upload their chat backups to Apple's iCloud using password-protected encryption.


Currently, WhatsApp on iPhone lets users back up their chat history to iCloud, but messages and media that users back up aren't protected by WhatsApp's end-to-end encryption while in Apple's cloud servers.

Given that Apple holds the encryption keys for iCloud, a subpoena of Apple or an unauthorized iCloud hack could potentially allow access to WhatsApp messages backed up there. Apple was reportedly pressured to not add encryption to iCloud Backups after the FBI complained.

The upcoming WhatsApp feature will resolve that security vulnerability by allowing users to encrypt and password-protect their chat history before uploading it to Apple's cloud-based platform. WhatsApp began early work on the security feature back in March 2020.

The rollout will make backups secure in remote iCloud servers by making them unreadable without an encryption key. Encrypted backups will be optional, and users will be asked to save a 64-bit encryption key or create a password that is associated with the key.

According to a whitepaper published by the Facebook-owned platform, when a WhatsApp user creates a password linked to their account's encryption key, WhatsApp stores the key in a physical hardware security module (HSM) that acts like a safety deposit box and can only be unlocked using the correct password. WhatsApp only knows that a key exists in an HSM, not the key itself or the associated password to unlock it.

When the password is used to unlock the HSM, the encryption key is released, which then decrypts the account's backup on Apple's servers. If the wrong password is entered repeatedly, however, the data in the HSM becomes permanently inaccessible. WhatsApp will only know that a key exists in an HSM, not the key itself or the associated password to unlock it.

"WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems," said Facebook CEO Mark Zuckerberg in a post announcing the feature.

The encrypted chat backups feature will be rolled out in the coming weeks on Android (for WhatsApp users backing up to Google Drive) and iOS, and will be available in every market where WhatsApp is operational, which could put the company at odds with some governments.

Comparatively, Apple is not making its upcoming iCloud+ Private Relay encrypted browsing feature available to users living under certain authoritarian regimes, including China, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the Philippines. According to Apple, "regulatory reasons" are preventing the Private Relay feature from launching in those countries.

Article Link: WhatsApp to Let Users Encrypt Chat Backups Uploaded to iCloud
 

ecatomb

macrumors 6502
May 19, 2021
307
1,400
France
WhatsApp is what iMessage should have been.
So true?

Without joking, I can only agree... If iMessage was available on Android a long time ago, iMessage could be at the same place as WhatsApp: encryption, used by nearly everyone...

Maybe Signal will replace WhatsApp?
 

sdz

macrumors 65816
May 28, 2014
1,079
1,384
Europe/Germany
So true?

Without joking, I can only agree... If iMessage was available on Android a long time ago, iMessage could be at the same place as WhatsApp: encryption, used by nearly everyone...

Maybe Signal will replace WhatsApp?
Big deal. Messages are forwarded after you’ve been warned. They cannot control it from the outside. It stays e2e encrypted. Actually a very good design. Much better than the rotten Apple solution (we will store your key in the Backup file just because hehehehe)
 

andrewxgx

macrumors regular
Apr 20, 2018
140
728
can anyone explain the use of HSM here? that makes 3 things needed for decryption: backup, password, and HSM as opposed to simple on-device key generation which would require just backup and password.
seems like adding an unnecessary step here. what if the HSM dies? what if it's compromised or has a backdoor?
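The trade-off raised in this question, and the lock-out behaviour the article describes, modelled as an added example (not part of the thread and not WhatsApp's code). `KeyVault`, `MAX_ATTEMPTS = 10`, PBKDF2, the HMAC tag standing in for the backup's integrity check, and handing the password straight to the vault are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

MAX_ATTEMPTS = 10  # assumed limit; the article only says "repeatedly"

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class KeyVault:
    """Toy model of the HSM vault: a random key, released only for the right password."""
    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._verifier = kdf(password, self._salt)
        self._key = secrets.token_bytes(32)  # random, not derived from the password
        self._failures = 0

    def unlock(self, password: str):
        if self._key is None:
            return None  # key already destroyed
        if hmac.compare_digest(kdf(password, self._salt), self._verifier):
            self._failures = 0
            return self._key
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._key = None  # permanently inaccessible, as the article describes
        return None

def tries_offline(guesses, salt: bytes, tag: bytes):
    """Password-derived key: the backup's own integrity tag confirms a guess,
    so whoever holds the backup file can test candidates with no limit."""
    for n, pw in enumerate(guesses, 1):
        if hmac.compare_digest(hmac.new(kdf(pw, salt), b"backup", "sha256").digest(), tag):
            return n
    return None

def tries_via_vault(guesses, vault: KeyVault):
    """Vault-held key: every candidate spends one of MAX_ATTEMPTS."""
    for n, pw in enumerate(guesses, 1):
        if vault.unlock(pw) is not None:
            return n
    return None

# Constructed sample: the real password is the 51st entry on a guess list.
PASSWORD = "correct horse"
GUESSES = [f"guess{i}" for i in range(50)] + [PASSWORD]
SALT = secrets.token_bytes(16)
TAG = hmac.new(kdf(PASSWORD, SALT), b"backup", "sha256").digest()

if __name__ == "__main__":
    print(tries_offline(GUESSES, SALT, TAG), tries_via_vault(GUESSES, KeyVault(PASSWORD)))
```

With a password-derived key the backup's strength is only the password's strength, because the guess list is exhausted offline; with the vault the same list destroys the key after ten misses, which is also the availability cost the question points at.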
 

EmotionalSnow

macrumors 6502
Nov 1, 2019
267
868
Linz, Austria
can anyone explain the use of HSM here? that makes 3 things needed for decryption: backup, password, and HSM as opposed to simple on-device key generation which would require just backup and password.
seems like adding an unnecessary step here. what if the HSM dies? what if it's compromised or has a backdoor?
If somebody figures out how to compromise an HSM then we have much larger problems than WhatsApp chats.
 

kyjaotkb

macrumors 6502a
Nov 20, 2009
825
596
London, UK
It’s your turn, iMessage/iCloud…
Indeed… but even in many countries where it’s already ‘safe’ to use iMessage, most people have long stopped using iMessage. Am in London and I literally don’t know anyone who uses iMessage, everyone’s on Whatsapp (with a few outliers on Signal or Facebook messenger). I think it’s still used in the US because it integrates well with SMS, which most people don’t use much either in Europe.
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,710
2,898
It’s your turn, iMessage/iCloud…
Agreed, however am quite sure Apple chose not to E2E encrypt iCloud specifically because of all the heat they were getting from the U.S. government (and who knows how many other governments). Supposedly the original plan was to E2E encrypt it.

Guessing the same reason for not deploying iMessage to Android early on. While it's nice Facebook did this (probably just to poke Apple) - the main piece of information that baddies want (who you talked to and when) is logged, data mined and ready for any government that asks with Whatsapp ('cause it's Facebook).

Anyone who really cares can skip iCloud backups and use Apple's local encrypted backup - good to see Apple preserving this option.
 

ian87w

macrumors 604
Feb 22, 2020
6,868
9,646
Indonesia
Funny thing is, Whatsapp local backup (I believe, at least on Android) has been encrypted. I also think in the past, the backup to Google Drive was encrypted, but then Whatsapp made a deal with Google so the backup won't take up user's GDrive quota, but then it was unencrypted. So I'm guessing from this, Whatsapp backup will count against user's storage quota?

And I'm also guessing it's a starting point to have interchangeable backup between platforms? Whatsapp announced the feature to transfer chat history between platforms some time ago, but never officially released it.
 

willchris

macrumors member
Aug 24, 2021
37
17
Indeed… but even in many countries where it’s already ‘safe’ to use iMessage, most people have long stopped using iMessage. Am in London and I literally don’t know anyone who uses iMessage, everyone’s on Whatsapp (with a few outliers on Signal or Facebook messenger). I think it’s still used in the US because it integrates well with SMS, which most people don’t use much either in Europe.
Yeah. I don't know a single person who uses sms anymore. Even grandparents learned how to use Viber which is the most popular messaging app in my country.
 

nouvejetzt

macrumors member
Nov 11, 2020
86
197
Apple attacks Facebook's lack of privacy, Facebook attacks Apple's lack of privacy. The tech paradox.
 

PowerMacBook

macrumors regular
Jun 23, 2008
131
245
Yeah, good luck finding normal people willing to go that far. I have zero active contacts in Signal.
that's the whole point: people use Windows because people use Windows. People use Whatsapp because people use Whatsapp.
Why not take it from another point of view: IF you really like to stay in contact with me, well, then the only option will be Signal.
Don't want to download it, because you don't know it or the like? Well, in that case you are not a person I really find that interesting anyway. Bye.

Just have a look at your connections in Whatsapp (in case you are still using it): how many of these connections are really important to you?
 