WhatsApp backups are not encrypted
WhatsApp backups created by the built-in backup option of the messaging client on Android are not encrypted when they are transferred to Google Drive.
WhatsApp users on Android can enable the application's automatic backup functionality to store backups on the device itself or upload backups to Google's Google Drive web storage service.
Backups are useful as they can be used to restore data on the device they were created on initially but also on new devices of the user so that media and messages become available on the new device as well.
While remote backups are quite useful when it comes to switching to a new device or installing WhatsApp anew on a reset device, WhatsApp users need to be aware that remote backups are not transferred using end-to-end encryption when they are stored on Google Drive. Backups are, however, encrypted so that anyone with access to the backup files still needs to find a way to decrypt them.
WhatsApp highlights this in the application itself and on a FAQ page on the official company website.
Important: Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.
WhatsApp users on Android can verify the backup settings in the following way:
- Open WhatsApp on the Android device.
- Select Menu > Settings.
- Open Chats > Chat Backup.
The page lists date and time of the last local backup and Google Drive backup if applicable. You can check the Google Drive settings to change WhatsApp's remote backup options.
A tap on Back up to Google Drive displays options to set the feature to never or to "only when I tap "Back up".
You can't delete existing backups from within the WhatsApp application, however. You need to delete the backup on Google Drive.
- Visit https://drive.google.com/ on your Android device or, better, on a desktop computer.
- Sign-in to your Google Account if you have not already.
- If you use the mobile version, select Menu > Desktop Version to switch to the desktop version as you can't manage the data on the mobile version.
- Select Menu > Settings.
- Switch to Manage Apps to list all applications connected to Google Drive.
- Select Options next to WhatsApp Manager and there "Delete hidden app data".
- Google Drive displays a prompt to verify that you want to delete the data. Select "Delete" to continue with the deletion.
You can use the local backup to restore WhatsApp data on a new device but need to copy the backup to the new device to do so.
Now You: Do you store WhatsApp data or other data on remote servers?
This is incorrect and misleading. Please fix this.
Whatsapp DOES encrypt their backups. It just does NOT use “end-to-end” encryption for the backups, as stated.
Whatsapp knows the encryption key and uses it to decrypt the backup when restoring to your phone/number. The user does not have to use a password in this case.
What happens with the messages inside the app (not the automatically created backup files) when you do a backup of app + data (again I don’t mean the automatically created backup files) I don’t know. These are maybe not encrypted as is often the case with all apps app data.
Nonetheless there have been and likely are still ways to very easily decrypt the encryption on backups (with keys stored on phone or generated), so always be sure to be careful who gets your data.
Read this and weep:
https://blog.salvationdata.com/2018/02/08/whatsapp-forensics-decryption-of-encrypted-databases-and-extraction-of-deleted-messages-on-non-rooted-android-devices/
I do-not! use Google at all! Google is the Borg! If you really want, you can circumvent any google service and disrupt any attempt by them to spy on you.
I’m not that surprised… TBH, isn’t that obvious, that this is the way to get encrypted data out of WhatsApp?
I don’t use Whatsapp due to the app being acquired by Facebook and instead use LINE which is a Japanese chat app. LINE uses the term “Letter Sealing” for encryption which is enabled by default in the Settings menu for Chats.
I checked on their site re: backing up chats to Google Drive, but it doesn’t mention anywhere that encrypted files will be decrypted (I assume that’s what happens with Whatsapp chat files) so I assume they remain encrypted. http://help.line.me/line/android/categoryId/20000058/3/pc?lang=en
I don’t quite understand how a Whatsapp chat backed up to Google Drive would be accessible to a third party who isn’t the intended recipient and therefore doesn’t possess the unlock keys: https://faq.whatsapp.com/en/android/28030015/?category=5245250
Does this mean that all encrypted files regardless of where they come from are automatically decrypted simply by being uploaded to Google Drive?
@TelV
I was about to write the same thing………… Line App, from Japan works flawlessly. There is a desktop app, which perfectly syncs with your phone/tablet.
I’d never ever use WhatsApp……………for all the obvious reasons, and Line App as far as I can tell, is a closed-circuit encrypted chat, no ads, no bothering…. and it just works.
Trouble is, who uses it and knows about it? It has a big market in Asia, but most people get drawn towards WhatsApp for some reason….following the sheep, perhaps.
@Sophie,
Yes, I’ve been using LINE for about five years now and have always found it to be reliable and efficient. They do have ads, but only in countries where there’s an abundance of users. Their giant sized smileys are often highly amusing especially when they’re animated. I usually turn the small ones which try to replace words such as “baby” with a baby carriage for example off though.
One of the amusing things with the ads that are available is that the advertisers often create their own giant smileys which are nearly always animated and which you get for free if you accept the accompanying ads. It’s a good marketing method to encourage users to accept ads instead of blocking them and I see them all the time when I chat with friends who live in Thailand. What’s more, you can retain the advertiser’s smiley even if you block the ad afterwards.
Sadly though, I live in the Netherlands and LINE doesn’t appear to have any advertisers in this part of the world. Oh, I think this is the first time in my life I’ve actually complained about not being able to watch ads :D
@TeIV
Interesting that you mention friends that live in Thailand, because it was a Thai that introduced it to me, around Feb 2018. I was travelling there at the time, and was delighted to return home and find the Desktop and Mobile versions really working well.
I’m from the UK, and have never seen a Line “ad” as such. Perhaps that’s why no ads? You are suggesting I think, that our market is not big enough using that App?
And you must be the first person I’ve ever head of that regretted not seeing the ads!! I had to read your sentence more than once to see that’s really what you meant!
I encourage all to try Line App, if they are using other things like WhatsApp. It really is great. Good face calls too! :)
@Sophie,
I think the UK market is more than big enough for LINE, but it doesn’t seem to have caught on yet probably due to a lack of publicity. There’s an interesting article over the company’s background on this site: https://www.fastcompany.com/3041578/how-japans-line-app-became-a-culture-changing-revenue-generat
Once it does become popular then expect ads to appear. Oh, and yes, I’d be quite happy to watch them (!) if it means I get free (animated) stickers. It doesn’t seem possible to save the ones which appear in chats I have with friends in Thailand and I guess that’s probably because the same ads don’t appear in the Netherlands where I live, but they’re very funny and I often replay them.
I saw a new batch of freebies today which I promptly downloaded. They’re not animated, but still comical.
And yes peeps! Download LINE: it’s well worth a try: https://line.me/en-US/
I assume that the texts backed to Google Drive are plain text. Whatsapp or similiar messaging services have unique encryption key for every installation. If you wipe your phone, your key will be different. To make the backup works, it needs to be saved in plain text and restored later on the new installation. Whatsapp don’t know your previous key so that’s the only way to back it up.
Line also can’t restore your messages if you wipe your device and reinstall. Just try it.
@Anonymous: “Whatsapp don’t know your previous key so that’s the only way to back it up.”
But it’s not. Whatsapp could allow you to export/import your key for backup purposes. That way, backups can remain encrypted.
“Line also can’t restore your messages if you wipe your device and reinstall.”
That’s an excellent thing that speaks well of Line.
@Anonymous,
It looks like you’re right. Backups only maintain their encryption when backed through iCloud: https://techcrunch.com/2017/05/08/whatsapp-quietly-added-encryption-to-icloud-backups/
From the ZDNet report it looks like backups made to Google Drive aren’t encrypted when the latter service is free: https://www.zdnet.com/article/whatsapp-warns-free-google-drive-backups-are-not-encrypted/
Encryption, no encryption.. what difference does it make in this situation? Daddy facebook knows everything and everyone you talk with and about through its service.
You are aware that WhatsApp uses end-to-end encryption? In this case, Facebook doesn’t know the content of your conversation.
So does Apple with their iMessage service. Yet they are always able to give the history when asked by state authorities. Just because it uses end-to-end encryption doesn’t mean the implementation is done in a way it can’t be circumvented by them.
@Yuliya
If end-to-end encryption is done in a way that the service provider can get access to the encrypted data, then the encryption is simply broken and people should stop using that service.
Of course it’s not encrypted. How could Google stop terrorism if it was ? It’s useless for them to build war drones if they don’t know who to assassinate with them.
What has Google to do with encrypting WhatsApp ? Its Facebook/WhatsApp responsibility to encrypt the backups before uploading to Google Drive.
If backups are not encrypted, how is guaranteed that no one has been able to read them? Does it mean that massive data could be stolen by anyone? So amazing disgraceful security, LOL.