WhatsApp is the messaging app popular for a multitude of reasons. From its ubiquitous presence, its straight-forward features, easy to use, flexible and others.
But what makes it really appealing among privacy-concerned users, is its end-to-end encryption. With it, no one can read users' messages. Even WhatsApp cannot read them. Even if it has to, like when told by the government, WhatsApp cannot do much, because the key to the encryption is only present on the sender and the recipient.
While WhatsApp has been doing this since 2016, the app has not offered end-to-end encryption for backups.
When users create backup of their messages to Apple's iCloud or Google Drive, messages are sent in the way they are meant to appear.
Because of this, users' chat could be read by a third party. Issues like may have made law-enforcement agencies to have gained user data access.
Of course, this is an issue to those privacy-concerned users, who wish not to have anyone to read their messages.
This is where WhatsApp has upped its privacy, by introducing end-to-end encryption to backups.
WhatsApp has been testing this feature quietly since earlier this 2021. This time, the company is making that feature official, saying that all users can encrypt backups of their chat history.
“We’re adding another layer of privacy and security,” Facebook CEO Mark Zuckerberg said. “WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge.”
The encryption happens before the backups hit users' cloud storage service.
Once end-to-end encryption is enabled, WhatsApp makes use of a front-end service called ChatD, which handles client connections and client-server authentication.
The feature implements a protocol that sends backup keys to and from WhatsApp’s servers, and the client and key vault exchange encrypted messages. Backups are then generated as a continuous stream of data that is encrypted symmetrically.
Once encrypted, the backups can be stored anywhere off-site, and in this case, include on Apple's iCloud and Google Drive.
“Neither WhatsApp nor the backup service provider will be able to access” the backup, WhatsApp said in a blog post. What this means, no one, including WhatsApp or any third-parties, can read users' messages.
After backing up their messages, users can choose between two options: manually storing the 64-digit key, or setting a password, which can be used to access the key.
This privacy feature should make backups a lot more secure. However, there is some factors that users have to know.
For example, opting in means that there will be no way to recover a chat backup if the key is lost.
The HSM-based Backup Key Vault is responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a minimal number of unsuccessful attempts to access it. The security measures should provide protection against brute-force attempts to retrieve the key. WhatsApp will know only that a key exists in the HSM, but will not know the key itself.
The next issue is that, even though WhatsApp announced support for multiple devices, users can only use encrypted backups on their primary device.
It’s also worth pointing out that end-to-end encryption doesn’t guarantee messages won't be used in a way users might not like. Like for example, WhatsApp allows users to report abusive messages, meaning that the company has something to process that data, even when things are encrypted.
But still, encryption is better than no encryption at all.
And it should also be noted that WhatsApp’s announcement means that the app is going a step further than Apple, which encrypts iMessages's messages, but still holds the keys to encrypted backups.
The move arrives as Facebook faces scrutiny over its privacy polices for the messaging service.