WhatsApp Security Improvement: Encrypted Backups
WhatsApp, a Facebook-owned company, is a mobile application that allows users to send text messages, voice calls, and share documents with other WhatsApp users. You may wonder why the app ...

Or login with email
Join our subscribers list to get the latest news, updates and special offers directly in your inbox
WhatsApp, a Facebook-owned company, is a mobile application that allows users to send text messages, voice calls, and share documents with other WhatsApp users. You may wonder why the app sounds familiar, it’s likely due to the Jeff Bezos attack in 2018 where his phone was hacked and the attacker stole GBs worth of personal data. This led to incriminating photos being released publicly of Bezos with his mistress, a very public divorce, and a roast at the Oscars by Chris Rock, all because of a cyber-attack involving WhatsApp. WhatsApp has been working to improve its security-related reputation ever since the 2018 Bezos attack.
On September 10th, 2021, WhatsApp announced it will roll out support for end-to-end encrypted chat backups on the cloud for Android and iOS users, paving the way for storing information such as chat messages and photos in Apple iCloud or Google Drive in a cryptographically secure manner. When implemented properly, end-to-end encryption can prevent WhatsApp employees from snooping on its users. Normally, this wouldn’t be an issue, but when a subpoena is issued to What’s App they must comply if they’re able. End-to-end encryption prevents even WhatsApp employees from being able to capture and turn over these chat message histories to the authorities.
Back in 2016, WhatsApp enabled End-to-End Encryption (E2EE) for personal messages, calls, video chats, and media between senders and recipients. The problem with this E2EE solution relates to users’ backup data in the cloud. When transferring conversations or data from user devices the same E2EE security protections were not possible, making backups readable by WhatsApp staff, government agencies with a subpoena, the cloud providers themselves, and even hackers inside cloud provider networks.
The optional feature will go live in September of 2021, but will only work on the primary devices tied to a users’ account; not companion devices such as desktops or laptops that simply mirror the content of WhatsApp on the phones. WhatsApp made a statement in a whitepaper:
“With the introduction of end-to-end encrypted backups, WhatsApp has created an HSM (Hardware Security Module) based Backup Key Vault to securely store per-user encryption keys for user backups in tamper-resistant storage, thus ensuring stronger security of users’ message history.”
With end-to-end encrypted backups enabled, before storing backups in the cloud, the application encrypts the chat messages and all messaging data (texts, photos, videos, etc.) using a random key generated on the user’s device. The device-generated key encrypting the backup is secured with a user-provided password, which is stored in the vault to allow easy recovery in the event the device gets stolen.
Alternatively, users have the option of providing a 64-digit encryption key instead of a password, but in this scenario, the encryption key will have to be stored manually given that it will no longer be sent to the HSM Backup Key Vault. When an account owner needs access to their backup, it can be done so with the help of the password or the 64-digit key, which, subsequently, is employed to retrieve the encryption key from the backup key vault and decrypt their backups.
The vault is geographically scattered across five data centers and is responsible for enforcing password verification as well as rendering the key inaccessible after a set number of unsuccessful login attempts; reducing the likelihood of brute force attacks.
If you’re a WhatsApp user, you should avoid using WhatsApp until this new feature is rolled out. Once the feature is released, CyberHoot recommends enabling this optional feature to reduce the likelihood of a data privacy breach.
While you’re waiting for the new What’s App E2EE security feature to be released, it’s vital you implement the following CyberHoot recommendations:
hackeridiot Feb 12, 2022 0 18
hackeridiot Nov 11, 2021 0 15
hackeridiot Feb 4, 2022 0 10
hackeridiot Apr 19, 2022 0 8
hackeridiot Jan 27, 2022 0 227
hackeridiot Nov 11, 2021 0 353
hackeridiot Oct 31, 2021 0 115
hackeridiot Aug 5, 2022 0 0
The Internal Revenue Service (IRS) has modified the crypto question asked on Form...
hackeridiot Aug 5, 2022 0 0
Top cryptocurrency exchange, LBank, gave its various communities across the world...
hackeridiot Aug 2, 2022 0 1
Passive-Recursive DNS daemon. Quickstart nameserver 127.0.0.1 | sudo tee /etc/resolv.conf...
hackeridiot Aug 5, 2022 0 0
Latest episode - listen now! (Or read if that's what you prefer.)
hackeridiot Nov 11, 2021 0 353
A pop-up now greets you on the vast majority of websites you visit. The “cookie...
hackeridiot Aug 2, 2022 0 0
The above was archived from NASA’s site. The editor was Rob Garner. It is archived...
hackeridiot Aug 5, 2022 0 4
Background Before the modern era, cryptography was concerned solely with message...
hackeridiot Mar 23, 2022 0 36
The darknet markets are subject to availability and one of the many factors that...
hackeridiot Mar 24, 2022 0 3
A member of a “global darkweb organized crime group” has been sentenced to nine...
Donate to us on BuyMeACoffee also we have built an app for this site with the real-time post receiving and notification to go and download it.