Facebook is tightening WhatsApp’s security by extending end-to-end encryption (E2EE) to cloud backups via an update to the app on iOS and Android. This was already allowed this on local WhatsApp backups, but the company will extend these security tools to online backups made to iCloud and Google Drive.
“Starting today, we are making available an extra, optional layer of security to protect backups stored on Google Drive or iCloud with end-to-end encryption. No other global messaging service at this scale provides this level of security for their users’ messages, media, voice messages, video calls, and chat backup,” the WhatsApp team shared this week.
It’s an optional feature, and users will be able to enable it in WhatsApp’s settings when it’s available. While WhatsApp’s link to Facebook means that it carries the company’s stigma around privacy and security, the service had always been surprisingly secure. Person-to-person chats are secured by the same end-to-end encryption protocol as Signal, while the only loophole was with online chats. With this rollout, the company would be closing that and increasing its privacy profile.
Facebook Engineering Blog
“To enable E2EE backups, we developed an entirely new system for encryption key storage that works with both iOS and Android. With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password,” the WhatsApp team explained in September. “When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys. When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based backup key vault and decrypt their backup.”
Facebook’s other messaging services, Messenger and Instagram Direct, do not yet offer end-to-end encryption by default. Instead, the company offers a discrete private mode on Messenger for people who want their calls and chats secured. With Facebook planning to merge all three services eventually, it seems more likely than not that the company plans for end-to-end encryption to be the default at some point in the future.