WhatsApp announces safety feature for Android & iOS users

Sept 10: Finally, WhatsApp has introduced end-to-end encryption even for chat back-ups. Earlier, the lack of encryption for backups could provide a loophole to malicious actors.

“We’re adding another layer of privacy and security to WhatsApp: an end-to-end encryption option for the backups people choose to store in Google Drive or iCloud. WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” wrote Mark Zuckerberg. He further stated, “For those curious about how we made this work, we’ve published a white paper and engineering blog with all the technical details for the security community to check out.”

How does it Work?

At present, backups of the WhatsApp data (chat messages, photos, etc.) in Apple iCloud or Google Drive. Prior to the introduction of end-to-end encrypted backups, backups stored on Apple iCloud and Google Drive were not protected by WhatsApp’s end-to-end encryption.

Now, the instant messaging platform will offer the ability to secure backups with end-to-end encryption before they are uploaded to these cloud services. With the introduction of end-to-end encrypted backups, WhatsApp has created an HSM (Hardware Security Module) based Backup Key Vault to securely store per-user encryption keys for user backups in tamper-resistant storage, thus ensuring stronger security of users’ message history.

With end-to-end encrypted backups enabled, before storing backups in the cloud, the client encrypts the chat messages and all the messaging data (i.e. text, photos, videos, etc) that is being backed up using a random key that’s generated on the user’s device.

Where will the key be stored?

The key to encrypt the backup is secured with a user-provided password. The password is unknown to WhatsApp, the user’s mobile device cloud partners, or any third party. The key is stored in the HSM Backup Key Vault to allow the user to recover the key in the event the device is lost or stolen.

The HSM Backup Key Vault is responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a certain number of unsuccessful attempts to access it.