WhatsApp last year closed an important security loophole by adding encryption to users’ chat backups stored in iCloud. Before the change, hackers could theoretically gain access to WhatsApp chat archives in iCloud and use third-party forensic tools to read the underlying messages in plain form.
Rather than rely on iCloud Drive to protect customer data, the Facebook-owned company has added a unique encryption key created by the WhatsApp app.
A spokesperson confirmed iCloud backups are now being encrypted, telling Forbes: “When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted.”
Although Apple holds the encryption keys for iCloud, it’s up to app makers to use encryption when sending user data to iCloud. According to TechCrunch, a Russian company called Oxygen Forensics, which supplies mobile and cloud hacking tools, was able to generate encryption keys for WhatsApp’s iCloud backups.
The workaround requires that an attacker have access to a SIM card with the same mobile number that the app uses to send a verification code to generate the encryption key for the iCloud backup. Of course, Oxygen still needs a user’s Apple ID and password to gain access to their iCloud user space in the first place.
“Then, using the associated SIM, Oxygen said it can generate the encryption key for decrypting the data by passing the verification process again,” explains TechCrunch. Forbes suggests the method could be used by police in possession of a device where the WhatsApp account has been deleted but iCloud backups have not been wiped.
In other words, after realizing that forensic tools could be used to pull WhatsApp data out of iCloud backups in readable form, WhatsApp beefed up security by quietly rolling out encryption for iCloud backups last year.
You can back up your entire WhatsApp chat archive to iCloud by tapping the Settings tab in the lower-right corner of the app. Now tap Chats, then Chat Backup, and finally hit Back Up Now.
By the way, WhatsApp should update the wording of the Chat Backup screen because it states, somewhat confusingly, that “media and messages you back up are not protected by WhatsApp end-to-end encryption while in iCloud.”