Many of us use messaging apps like WhatsApp daily. We are trusting them to keep our personal conversations private. WhatsApp uses a method called end-to-end encryption (E2EE), which means only the people involved in a chat can see the messages. Not even WhatsApp itself can read the messages exchanged between you and your contacts.
But what happens when you back up your chat history? Until recently, this was a security loophole, as backups were not as secure as the chats themselves. To fix this issue, WhatsApp introduced a new way to protect backups using encryption, ensuring your chats stay private even when stored in the cloud. What does this mean, and how does the system work in simple terms?
The Backup Problem
Before 2021, there was a weak link when you backed up your WhatsApp chats to cloud services like Google Drive or Apple’s iCloud. Although your chats were encrypted while being sent between phones, once they were backed up, the key to decrypt (or unlock) WhatsApp stored those chats. If a government request is made or if WhatsApp’s system is hacked, your backed-up messages can be accessed.
For instance, in some countries, government agencies can force companies to hand over stored information. In the case of WhatsApp, they could have been required to provide the backup decryption key, allowing authorities to read the contents of your messages. This was a significant privacy risk, exposing users' chat histories to potential scrutiny.
Whatsapp’s New Backup Protocol
In 2021, WhatsApp introduced a new protocol to secure backups using encryption. This new feature ensures that only you, the user, can access your backup with your password. Even WhatsApp doesn’t know the key that unlocks your chats, making it impossible for them or anyone else to access your backups without your permission.
This new system is called the WhatsApp Backup Protocol (WBP). It builds on a sophisticated technology called OPAQUE (a password-based key exchange system), allowing users to retrieve their backups using a password while keeping the encryption key out of WhatsApp’s hands.
How It Works: A Simple Breakdown
To better understand how this new system protects your chats, let’s break it down into two key stages: Backup Setup and Backup Recovery.
Backup Setup (Initialization)
When you first turn on encrypted backups, your WhatsApp client (the app on your phone) creates a special backup key. This key is used to encrypt your chat history, making it unreadable to anyone except you. The next step is where the magic happens:
Your phone generates a password that you will use to unlock the backup in the future.
WhatsApp has a piece of hardware called a Hardware Security Module (HSM). This is a secure, tamper-proof system that performs specific tasks like storing the key safely.
The password and key are exchanged in a highly secure way. The key is encrypted and sent to the HSM, where it’s stored, but importantly, WhatsApp never sees the actual key or your password. The HSM acts as a vault that can only be opened with your password.
Essentially, only your device and the HSM work together to store and protect your chat backup. WhatsApp itself remains completely in the dark about your password and backup key.
2. Backup Recovery
Now, imagine you lose your phone or decide to switch to a new device. You’ll need to recover your chat history on the new device. Here’s how this works:
When you enter your password on the new phone, your device and the HSM will again communicate to retrieve the backup key.
The HSM verifies the password. If it’s correct, it will release the encrypted backup key to your phone, allowing it to unlock your chat history.
The crucial point here is that the entire process happens securely, without WhatsApp knowing or controlling your password or key.
The new system gives you the ability to securely recover your backups, even if your phone is lost or stolen, while preventing WhatsApp or any other entity from accessing your data.
The Password Guessing Issue
The new protocol offers much stronger security, but researchers who analyzed it found a potential weakness. Normally, the system only allows ten incorrect password attempts before locking you out permanently to protect your backup from attackers trying to guess your password. However, the research discovered that under certain conditions, a compromised server could trick the system into resetting the guess counter, allowing more than ten password attempts.
This would mean an attacker could potentially get more opportunities to guess your password than originally intended, which weakens the security slightly. While this is not a major issue for most users, it highlights the importance of continuous improvements to keep such systems secure from all threats.
Why Is This Important for You?
The introduction of the WBP by WhatsApp is an important step toward ensuring your data is safe from unauthorized access. In a world where privacy concerns are growing, knowing that your chat history is not accessible to anyone—including WhatsApp—is reassuring.
Your Data, Your Control: With the new encrypted backup system, only you can access your backups with your password. WhatsApp cannot see your chats or provide access to anyone else.
Better Protection: Before, your backed-up chats were vulnerable to legal requests or cyber-attacks on WhatsApp’s servers. Now, even if WhatsApp’s servers were hacked, your data would remain safe.
Caution with Passwords: The only way for someone to access your backup is by guessing your password. Using a strong, unique password is vital to ensuring your chat history remains secure.
The Future of Encrypted Backups
It’s important to remember that no system is entirely foolproof. The discovered issue with potential password guessing highlights that even the best encryption systems need ongoing analysis and improvement to keep up with evolving security challenges.
As more users become aware of privacy risks, encrypted backups like those offered by WhatsApp will likely become a standard feature in other apps. This shift is good news for those who value their privacy and want to ensure their data remains under their control.
If you're using WhatsApp, it’s a good idea to enable encrypted backups and choose a strong password to maximize the protection of your chat history. As always, stay informed about updates to your favorite apps' security features to ensure your data is as secure as possible.