About a year ago, we talked about a flaw discovered in some instant messaging apps, namely, Whatsapp and iMessage that could potentially be exploited by malicious individuals (or organizations) by accessing unencrypted backups of your conversations and having access to all of your contact history, including even deleted messages.
Well, now, at least on one side, this flaw is (probably) fixed. I say this because Facebook has made a good improvement in the backup of WhatsApp conversations to iCloud: now, all content sent to Apple servers encrypted at the source, before uploading, can only be accessed with a unique key generated by the messenger itself .
Previously, WhatsApp backups were sent without any kind of protection to iCloud, the idea being that Apple's own security structure would protect users' data. However, as we well know, iCloud does not have end-to-end encryption in its operation; that is, an individual with a court order or a particularly dedicated malefactor with some effort and access to key information could obtain all of his conversation history from one of the most popular messengers in the world. Now, no more.
The most interesting thing to note, however, is how this whole story was discovered. The WhatsApp team had already silently enabled encryption for iCloud backups in December last year, and no one had noticed until now. How did this information come to light, then? Simple: a company that provides tools for hacking mobile devices and cloud systems has found a way to circumvent this protection!
Oxygen Forensics, a company that has already served the FBI, said Forbes that the method used to circumvent backup encryption in iCloud only works in a specific scenario, in which the attacker has access to a SIM card with the same number as the relevant WhatsApp account is registered. With it, it is possible to generate the key to decrypt previously downloaded data with forensic tools.
Obviously, this is a very specific scenario most people should not technically worry about, but still WhatsApp has come to the public to confirm that it started to adopt the practice at the end of last year. Good to know, right?