Apple’s iPhone has broken Facebook’s business model this year, stripping billions in ad revenue from the social media giant. Now it seems the iPhone can also break WhatsApp’s huge new security update, unless millions of you change your settings.
“No other messaging service provides this level of security for your messages,” WhatsApp proudly told me in September, as Mark Zuckerberg proclaimed WhatsApp the first global platform “to offer end-to-end encrypted messaging and backups.” Unfortunately, a fairly well-hidden setting on your iPhone might stop this working, putting all those private WhatsApp messages where Apple can read them.
WhatsApp’s messages have been secured by end-to-end encryption for years. The issue that Facebook fixed was the security wrapper around the messaging platform’s cloud backups, hosted courtesy of Google Cloud for Android and Apple iCloud for iOS.
Until now, WhatsApp’s cloud backups have been outside its encryption, meaning that Apple or Google can access your chats and media. Law enforcement requests on Apple for iCloud data could return WhatsApp backups along with everything else. But by adding encryption, WhatsApp stops anyone but you from accessing your backups.
I have warned about the dangers of unencrypted backups multiple times. “We figured you’d be excited about this one,” WhatsApp’s spokesperson said when they called to tell me that encrypted backups were ready and set for deployment. And now it’s here. The only problem is that the way Apple sets up its iPhone could spoil the party.
The issue is the iCloud backup itself—the general iPhone backup that you can use to restore your settings, home screen, app installs and data that’s only on your phone. Your iCloud backup isn’t end-to-end encrypted; Apple holds the key to all that data.
Zuckerberg has attacked iMessage in the past for security weaknesses relating to this iCloud backup. “iMessage stores non-end-to-end encrypted backups of your messages by default unless you disable iCloud,” he has warned. “Apple and governments have the ability to access most people’s messages. So, when it comes to what matters most—protecting people’s messages, I think that WhatsApp is clearly superior.”
What iCloud actually stores in its backup is a copy of iMessage’s end-to-end encryption keys—not the messages. Zuckerberg got his facts muddled. The net effect is the same, though. Apple can retrieve the key and access messages. This renders iMessage’s rock solid encryption fairly pointless unless you disable that backup setting.
Ironically, that same issue has now hit WhatsApp. If you have an iPhone and don’t change your iCloud backup options when you enable WhatsApp’s encrypted backups, the platform warns, “an unencrypted version of your [WhatsApp] chat history is also backed up to iCloud.” Which also renders WhatsApp’s encryption fairly pointless.
WhatsApp’s encrypted backup solution is technically clever, storing encryption keys on third-party servers protected by user-generated passwords, all outside WhatsApp’s (and Apple’s and Google’s) reach. But all of that is rendered useless if you don’t delve into your iPhone settings. “We recommend disabling iCloud backup when you set up end-to-end encrypted backup in WhatsApp,” the platform says.
Unlike with iMessage, you don’t need to disable iCloud backup completely, which is much better. But you do need to enter your iCloud settings, where the app-by-app toggles can be found, and disable WhatsApp in that list. Until you do that, iMessage and WhatsApp will have exactly the same iCloud compromise.
The iMessage/iCloud backup risk has never generated the headlines it warranted. But now every iPhone user enabling WhatsApp’s backup encryption will see the warning. What they need to realize is that they’re running this same risk with iMessage, without any toggle option. Hopefully this will force Apple’s hand to finally address the issue.
If you’re an iMessage user, you can make it fully secure by disabling the general iCloud backup. iCloud’s general backup is less critical than it was in the past, given that so many of our apps and services sync continually to the cloud. If you want to secure your WhatsApp backup, so long as you have turned encrypted backups on, you can just toggle off WhatsApp within iCloud as you can see in the graphic below.
The idea of a general iCloud backup needs to be rethought. WhatsApp users shouldn’t need to search for that setting, and iMessage needs a more secure setup. Apple’s security loopholes have been headline news this year, with Pegasus, client-side scanning and various zero-days escaping patching. This issue is much easier to fix.
As I reported last week, Apple isn’t always as much a bastion of your privacy as it makes out. Its refusal to RCS-enable iMessage, which would offer secure stock messaging between iOS and Android for the first time, is a good example of this. This—ironically again—is helping WhatsApp maintain its market lead.
WhatsApp is the big winner when it comes to iMessage versus Google Messages. It’s ridiculous that there’s no stock messenger option that works securely across Android and iOS, and that users need to opt for an “over the top” service like WhatsApp or rely on SMS, a platform with pitiful security. Apple has chosen not to onboard the industry standard RCS, essentially SMS V2, because it would loosen the stickiness of iMessage. This is not in the interests of users, and it means that WhatsApp remains the better option.
As for this iCloud backup issue, although it appears to be an iCloud issue that WhatsApp cannot fix, in reality it could find a way to run backups without relying on iCloud and so prevent there being any risk. Signal has done exactly that, assuring that “an iTunes or iCloud backup does not contain any of your Signal message history.”
Meanwhile, make sure you enable WhatsApp’s encrypted backup option when it reaches your phone, don’t lose your password, and go into those iCloud settings and toggle off WhatsApp. With all that done, Zuckerberg is right: WhatsApp leads the way for hyper-scale messaging platforms. His issue, though, is that WhatsApp’s privacy-preserving approach is moving ever further away from his other Facebook/Meta platforms. The case for its independence from Facebook has never been stronger.