Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Facebook Announces Encrypted WhatsApp Backups

Facebook has announced plans to further improve WhatsApp privacy and security by allowing users to encrypt their message history backups in the cloud.

Facebook has announced plans to further improve WhatsApp privacy and security by allowing users to encrypt their message history backups in the cloud.

While a user can easily turn on WhatsApp on any new device, given that accounts are phone number-based, conversation history isn’t available unless a backup was created on the previous device. Users can set time intervals for the creation of local backups and can also choose to store those in the cloud, for fast access.

While conversations in WhatsApp have been end-to-end encrypted for years (with only the sender and recipient being able to view them), backups have been stored in the cloud unencrypted, albeit secured by the cloud services providers.

By adding an end-to-end encryption option for backups stored in the cloud, Facebook essentially ensures that no one but the account owner can access these backups and their backup encryption key.

Facebook says it came up with a new system for storing encryption keys to make the end-to-end encrypted backups feature possible: a unique, randomly generated encryption key is used to encrypt the backup and the user can opt to secure that key manually or with a password.

“When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys,” Facebook explains.

The account owner can access the backup either using the encryption key or their personal password to retrieve their encryption key and decrypt the backup. Once the user provides the password, the Backup Key Vault sends the encryption key to the WhatsApp client, which can then decrypt the backup.

If the user chooses to secure the key on their own, they would need to manually enter the encryption key themselves to access the backup’s content.

The HSM-based Backup Key Vault will enforce password verification attempts and will render the key permanently inaccessible after a specific number of unsuccessful access attempts, to ensure that attackers can’t brute-force their way to the key.

Both iOS and Android users will get the option of end-to-end encrypted backups in the coming weeks.

“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” Mark Zuckerberg, CEO of Facebook, commented.

Related: Ireland Fines WhatsApp 225M Euros for Breaching EU Privacy Laws

Related: Consumer Group Lodges EU Complaint Against WhatsApp

Related: WhatsApp Delays Enforcing New Privacy Terms

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.