WhatsApp has quietly beefed up the security of an iCloud backup feature for users of its messaging service, potentially closing a loophole that could enable otherwise end-to-end encrypted messages to become accessible in a readable form, such as via a subpoena of Apple, which holds the encryption keys for iCloud, or by a hacker otherwise gaining access to a WhatsApp user's iCloud account.
According to a Forbes report, the Facebook-owned giant added encryption to WhatsApp iCloud backups in late 2016, though it says the fact only emerged last week after a third-party company which supplies mobile and cloud hacking tools claimed to be able to circumvent the security measure.
The company in question, Oxygen Forensics, told Forbes its workaround only works for a specific scenario whereby it has access to a SIM card with the same mobile number that WhatsApp uses to send a verification code to generate the encryption key for the iCloud backup.
A WhatsApp spokesperson confirmed iCloud backups are now being encrypted, telling Forbes: "When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted."
Forensic tools are apparently used to download the encrypted WhatsApp data backed up to iCloud. Then, using the associated SIM, Oxygen Forensics said it can generate the encryption key for decrypting the data by passing the verification process again.
Forbes suggests the method could be used, for example, by police in possession of a device where the WhatsApp account has been deleted but iCloud backups have not been wiped.
We've reached out to WhatsApp with questions and will update this story with any response.
Political pressure on encryption appears to be hotting up again. Giving evidence to a Senate oversight committee earlier this month, FBI director James Comey revealed the agency had been unable to access the contents of more than 3,000 mobile devices in the first half of the fiscal year, despite having legal authority to access the data.
The FBI was involved in a high-profile battle with Apple last year when it went to court to try to force the company to weaken its security system to help investigators gain access to a locked iPhone. Apple resisted and in the end the FBI paid a third-party company to hack into the device. But the bureau appears eager to push for legislation to outlaw end-to-end encryption (i.e. where service providers don't hold the encryption keys themselves).
During last week's hearing Comey complained that a case-by-case approach to breaking into strongly encrypted devices and services does not scale, and backed fresh calls by Senator Dianne Feinstein for legislation to require companies to decrypt data when served a warrant, setting the scene for another round of crypto wars in the US.
WhatsApp has been at the forefront of making end-to-end encryption more accessible for mainstream app users, completing a rollout of the tech across its platform and all flavors of its apps in April 2016. It's also resisted legal attempts to strong-arm it into handing over user data, such as in Brazil, where its service has been blocked multiple times as a penalty for its failure to provide decrypted data to police. The company has maintained it cannot hand over information it does not hold.
Adding encryption to iCloud backups would appear to be a reinforcement of WhatsApp's stance that user privacy is a necessity for data security, albeit one with a fair few caveats about how it has implemented the security layer here. Not enabling WhatsApp iCloud backups is a more complete fix for avoiding the cloud storage loophole, though one that might be inconvenient from the user's point of view.