Potential User Privacy Violation: WhatsApp Messages Backed Up to Google Drive Left Unencrypted

WhatsApp has emerged to be the largest instant messaging platform on mobile devices. With about 1.5 billion daily users on the WhatsApp messaging app, the privacy of user data is an essential part of keeping the platform enticing for its users, which is reason for the app offering end-to-end encryption so that only participants in conversations can read messages. Unfortunately, the encryption features of WhatsApp appear to be void on backups that are uploaded to Google Drive leaving countless messages unencrypted, which may be a user privacy violation.

Mobile devices, those running Android, have an option to perform a backup and save the backup to Google Drive. Such convenience is attractive to some users, but with-it security researchers have found that messages that have been archived on WhatsApp and then included in a backup to be saved on Google Drive possess a potentially dangerous issue of the messages being left unencrypted. In such cases, messages may be accessible to anyone who has access to a specific Google Drive account where the backup data is stored.

Unencrypted messages could be accessed by law enforcement

While Google Drive contents are encrypted themselves and can only be accessed by those with the proper login credentials to the associated Google account, the keys to the encrypted files may be obtained by entities such as law enforcement in a case that a warrant is obtained. In such a case, the WhatsApp archived messages could then be accessed without any apparent roadblocks. Even though the scenario explained is potentially a rare instance, the data is obtainable even though it should not be if you go by the guidelines and promises of WhatsApp. Ultimately, with Google holding the encryption keys to files on Google Drive, law enforcement, if needed, could obtain WhatsApp archived messages.

The underlying issue with the WhatsApp backup and archived messages being left unencrypted on Google Drive, is the idea that the apps initial end-to-end encryption isn't fortified in the way it is intended. On Android devices that backup data to Google Drive in hopes to have their WhatsApp conversations and messages protected only goes so far.

Due to the discovery of the potential violation of user privacy, WhatsApp updated their statement on their website about encryption now stating: "Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive."

The iPhone has similar functionality that allows users to store backups to the iCloud. However, it is not known if archived WhatsApp backups stored on the iCloud are left unencrypted like the ones stored on Google Drive from Android devices.

For now, Android users who wish to avoid their WhatsApp archive messages from being backed up on Google Drive and left unencrypted can disable the WhatsApp backups to Google Drive by going to their Settings screen, then the Chats option, and to the Chats backup feature to deselect Google Drive backups.