WhatsApp’s end-to-end encryption closes a longstanding security loophole

In brief: WhatsApp’s introduction of end-to-end encryption (E2EE) will provide users with the ability to secure their backed up message history stored in the cloud. This capability resolves a previously known security gap that potentially made user data available to unintended third parties when storing cloud backups.

Over two billion WhatsApp users are set to receive a major security enhancement as the app will now allow users to encrypt cloud-based backups via end-to-end encryption (E2EE).

WhatsApp users have enjoyed knowing that their communications within the app were encrypted, ensuring messages were viewable only by senders and their indicated recipients. This protection ceased, however, any time a messaging session was backed up to a cloud-based backup location such as Apple’s iCloud or Android’s Google Drive. This lack of encryption on the backed-up messages created a security loophole exploitable by parties ranging from law enforcement agencies to unintended malicious third parties.

The new E2EE functionality will ensure that these backups are no longer viewable by anyone, including WhatsApp or the hosting provider, that does not possess the required key. Once received, only the intended recipient can decrypt a transmitted message by using the private key, also known as the decryption key.

The newly available encryption functionality is a big step forward in ensuring the confidentiality, integrity, and availability of WhatsApp backup data transmitted and stored in the cloud.

While the new functionality does provide enhanced security for WhatsApp users and their data, it does not provide complete and total anonymity. Metadata information such as dates, times, senders, and receivers are still retrievable from the message. While this may not provide the content of the message to an unintended third party, it can provide some indication of the subject matter and urgency of the message. The encryption also does nothing to combat other security vulnerabilities such as compromised receiver endpoints and unencrypted intermediary servers encountered in transit.

WhatsApp will deploy the new E2EE solution to users over the next several weeks. Once deployed, the backup key vault service will be replicated and distributed across multiple data centers to ensure service availability and support for end users.