WhatsApp sneakily made some security changes to iCloud backups without your knowledge, ladies and gents. Not that strengthening security is a bad thing, but still!
The messaging giant added an encryption to iCloud backups to prevent a data privacy breaches loophole. This could occur via an Apple subpoena considering they have the encryption keys for iCloud, or if a savvy hacker breaks into your iCloud account. Both scenarios are equally disturbing and frankly, we're relieved that WhatsApp is beefing up its security.
This encryption feature was actually added in 2016 but this only came to light last week, according to Forbes. The additional security feature emerged after a Russian hacking supply company Oxygen Forensics claimed they were able to get around WhatsApp's encryption.
The company, which provides cloud hacking tools, told Forbes that this could only be achieved in a very specific scenario. Namely, it has access to a SIM card and WhatsApp uses the same number to send a verification code to get the encryption key for the iCloud backup.
The revelation prompted the Facebook-owned entity to confirm on Friday that the encryption had been added last year. Not that they went into much detail about it. A WhatsApp spokesperson told Forbes:
When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted.
The encrypted WhatsApp data can be backed up to iCloud via forensic tools. They can decrypt the code by using the associated SIM and then bypass the verification process again. Basically, the encrypted data can be downloaded with forensic tools, but you need the key now to decrypt it on any device. So, Oxygen Forensics isn't demonstrating that WhatsApp's security measures are weak so much as they are illustrating a longwinded way around the messanging app's security boost.
Forbes explained that this method could be used by the police to access a Whatsapp account when it's been deleted from an account because its backups are still lurking in the cloud.
Circumventing cyber security has become a contentious topic of late. During a senate oversight committee this month, FBI Director James Comey revealed that — despite their legal authority — they couldn't access the data of 3,000 devices in the first half of this year.
We all remember when the government agency challenged Apple's security measures in an explosive court battle last year. This came about after a domestic terrorism incident in San Bernardino, when the FBI wanted to access a locked iPhone of terrorist Syed Rizwan Farookso. Apple was having none of it, so the FBI toddled off and enlisted the help of a third-party hacker to get what they needed.
The agency is still after legislation against end-to-end encryption where service providers don't hold onto the encryption keys. Like Senator Dianne Feinstein, Comey told the committee that companies should decrypt data when they are served with a warrant. But how will this affect the everyday user who isn't an enemy of the state?
Well, WhatsApp evidently aren't taking any chances and have made their security measures accessible for all of us by rolling out end-to-end encryption across its various platforms and apps last April. We're also relieved that they have resisted handing over user data in areas likes Brazil, where it was blocked as a result of its techy rebellion.
But there is another solution in lieu of encrypting iCloud backups: not enabling WhatsApp iCloud backups would also be a viable loophole, albeit an inconvenient one for the user.
Morale of the story is that we are all screwed privacy-wise anyway with the advent of the internet. So, think twice before WhatsApping your pal that bitchy observation: it may come back to bite you. Happy messaging!