WhatsApp users can now encrypt their in-app messages and contacts that are uploaded to Apple’s servers as data backups.
The new feature applies when a user of the secure messaging app chooses to back up their data to iCloud Drive. After entering a verification code that the Facebook-owned company texts to their phone number, the user receives an encryption key, and that key is used to encrypt the backup before it is uploaded to Apple.
This option adds a layer of protection on top of what iCloud Drive already provides. Apple already encrypts users' information with a minimum of 128-bit Advanced Encryption Standard (AES) in transit over the web, stores it in encrypted form on its servers, and uses secure tokens for authentication. The important difference is who holds the key: Apple's encryption is performed with keys Apple controls, so anyone who can authenticate to the Apple ID (or Apple itself) obtains the plaintext, whereas the WhatsApp key is issued separately through phone-number verification and is not stored with the backup.
WhatsApp deployed the new feature in late 2016 but waited until 5 May to disclose it. Its confirmation of the enhancement, which follows its announcement of other notable features such as end-to-end encryption and two-step verification (2SV), was not entirely self-motivated. In part, it was a response to claims by Oxygen Forensics, a vendor of mobile and cloud forensic extraction tools, that it has added a feature that works around WhatsApp's enhanced iCloud security.
Thomas Fox-Brewster, a staff writer at Forbes, describes how (and when) Oxygen Forensics’ feature might work:
“Forensic tools can download that data [of WhatsApp that’s first encrypted and then backed up to iCloud Drive] but in order to decrypt it on any device other than the original iPhone, the key is now needed, and that can be obtained only by passing the verification process again. So what Oxygen does is download data backed up by WhatsApp, and they then require a SIM-card with the same number as the user so they can receive the verification code. They can then generate the key and decrypt downloaded data. This is a rather clunky way around the added protection added by WhatsApp, as Oxygen still needs the Apple ID and password (or some other access to the iCloud) and the user’s SIM card or phone.”
Given those limitations, Fox-Brewster notes the workaround is useful only when investigators need to retrieve iCloud data from an account whose phone has had WhatsApp deleted: with the app still installed, the messages can simply be read on the original iPhone, and it is only once the app and its key are gone that the iCloud backup becomes the remaining copy worth decrypting.
It's unclear whether WhatsApp has built a similar encrypted-backups feature for Android users of its messaging service. Fox-Brewster reached out to WhatsApp but had not received comment at the time of writing.