WhatsApp and its Encryption Chat Backup on the Cloud: Secure Messaging Applications

My experience and that of the participants during the digital security training raises questions on how secure messaging applications are, majorly on day four where we discussed secure communications, understanding examples of chat applications and the safety functionalities such as that of WhatsApp, Telegram, Instagram, and others and identified which ones were safe and not safe. The subject was majorly on WhatsApp Messenger because it’s widely used around the globe. Also, the structure of the internet called metadata explains how we are secretly interconnected when accessing and sharing information. The prominence of social media platforms can be due to two main reasons; Facebook does not require the verification of users on signup (such as providing a phone number), making it easier for one to hide their identity while using the platform and there are no evident community standards on closed platforms such as Telegram with sole authority resting on the administrator of these large groups while WhatsApp uses phone numbers which then accesses the contact list

While participants suffered from offensive Online Gender-Based Violence threats on WhatsApp, they were often doxed when added to groups known as WhatsApp groups without their consent simply because someone has your number. 

From my point of view, I would say WhatsApp is a communication media platform that is worrying and out of regulation and yet we can’t do much about it. We can say the Facebook community standard is weak but the good thing is that it has a regulatory system and this community involves WhatsApp, Instagram, and Facebook.

WhatsApp’s announcement on Friday, September 10th, 2021 rolled out provision for end-to-end encryption of chat backups that we usually store on the cloud. This is done by both Android and iOS users, and it’s a way of storing information such as photos, videos, and chat messages so that in case you lose your phone, your information can be retrieved which can now be done in a secure manner for the application users.

As of 2021, approximately over 2 billion people use WhatsApp and is the most popular global mobile messenger app worldwide outranking Facebook Messenger at 1.3 billion and We Chat at 1.2 billion users. Compared to other chat applications, Facebook first owned a messaging platform that had end-to-end encryption (E2EE) for personal messages, calls, video chats, and media between senders and recipients as far back as April 2016.  In case of loss or damage of a device, information was to be backed up on the cloud to enable the transfer of the backed-up information to a new device. However, the process wasn’t subjected to the same security protections, making the backups readable by the cloud providers.

How the E2EE backups Work

The cryptographic keys used to encrypt and decrypt the messages are stored on the endpoints. This approach uses public-key encryption. When generating encryption keys and passwords, one has to first enable the E2EE backups. WhatsApp developed an entirely new system for encryption key storage that works with both iOS and Android mobile devices. With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password. When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM),  specialized and secure hardware that can be used to securely store encryption keys. When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup. Therefore, the HSM will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it. 

When Storing Encryption Keys in the Backup Key Vault

The client and HSM-based Backup Key Vault will exchange encrypted messages, the contents of which will not be accessible to ChatD itself.

The HSM-based Backup Key Vault will sit behind ChatD and provide highly available and secure storage for the encryption keys to the backups. The backups themselves will be generated as a continuous stream of data that is encrypted using symmetric encryption with the generated key. With E2EE backups enabled, upon being encrypted, a backup can then be stored off the device (e.g., to iCloud or Google Drive). 

Figure 1: Whatsapp Settings menu

“With end-to-end encrypted backups enabled, before storing backups in the cloud, the client encrypts the chat messages and all the messaging data (i.e. text, photos, videos, etc.) that is being backed up using a random key that is generated on the user’s device,” it added.

To that end, the device-generated key to encrypt the backup is secured with a user-furnished password, which is stored in the vault to permit easy recovery in the event the device gets stolen. Alternatively, users have the option of providing a 64-digit encryption key instead of a password but in this scenario, the encryption key will have to be stored manually given that it will no longer be sent to the HSM Backup Key Vault.

Figure 2: 64-digit encryption key

Unencrypted cloud backups have been a major security loophole and law enforcement agencies have been able to access WhatsApp chats to gather incriminating evidence pertaining to criminal investigations. 

Facebook’s chief executive Mark Zuckerberg in a post said, “WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems”.

Written by 

Nyapendi Esther


This article is part of a series of posts by trainers of trainees during the online safety and digital security capacity-building workshop conducted by Women of Uganda Network (WOUGNET) under the project, Enhancing Women’s Rights Online through Inclusive and effective response to Online Gender-based violence in Uganda. The project is funded by the Digital Human Rights Lab which is implemented by better place lab and Future Challenges under a grant agreement with the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) Programme Strengthening Governance and Civil Society in Uganda, funded by the German Federal Ministry of Economic Cooperation and Development (BMZ) under its Digital Africa Initiative.


Related Posts

Sign Up to Stay Informed!

WOUGNET is the largest grassroots feminist organization in the nation. By signing up for our email lists, you’ll receive the latest information about our advocacy outreach and important issues.

Register For Event

Fill out the form below to register yourself for this event.