WhatsApp has encrypted its iPhone backups - here's why that matters


WhatsApp has quietly added encryption for messages backed up on Apple's iCloud in a move that bolsters its security against hackers and spies. 

Last year the messaging app added end-to-end encryption, which prevents messages being intercepted, but until recently chats were stored in a readable form when iPhone users backed them up on Apple's own servers.

While iCloud accounts are encrypted, someone with Apple's decryption key would have been able to access the entirety of a user's communication history, meaning they theoretically could have handed messages to law enforcement if instructed to do so. Hackers with access to iCloud accounts could have done the same.

The extra layer of security means messages are now stored on Apple's cloud backup in a way that is not legible to anyone without WhatsApp's decryption key.

"When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted," said WhatsApp.  It is not clear if WhatsApp has introduced similar security for Android users. The app has been contacted for comment.

The move is likely to irritate governments that have pushed for WhatsApp to break its encryption for security services. Home Secretary Amber Rudd criticised social media companies including WhatsApp for giving criminals a place to hide in the wake of the Westminster attack, and secret plans leaked last week revealed the Government is looking at cracking down on encryption.

The Facebook-owned messaging platform has not revealed how the iCloud backup encryption works. It is possible that unlocking the backup requires the associated SIM card and iCloud passwords.

But security experts said WhatsApp itself could have the ability to decrypt the files. 

"Right now, user data cannot be accessed by iCloud, but still by WhatsApp. Users have to decide for themselves if this solution satisfies them," said Elmar Eperiesi-Beck, chief executive at security firm Eperi GmbH.

"WhatsApp currently seems to both generate and back up the key data. This means they have key access and subsequently can access user data. Only the user should be able to generate the access key."

Eperiesi-Beck urged WhatsApp to make its software open so that users can understand how it works and experts can test how secure it is. 

The update emerged after Forbes reported that Oxygen Forensics, a company that specialises in hacking tools, had introduced a new product to bypass the iCloud encryption. As WhatsApp sends users the unlock key in a text message, Oxygen Forensics' hack requires the SIM card associated with the account.
