How WhatsApp’s New Encrypted Backups Beat Apple iMessage

This article is more than 2 years old.

WhatsApp has suddenly launched a major new strike at iMessage, as the battle between Facebook and Apple continues. This latest update from WhatsApp is a serious problem for iMessage, because it attacks the biggest weakness in Apple’s platform. If you’re an iMessage user, WhatsApp has just given you a reason to switch.

“No other messaging service at our scale provides this level of security for your messages from sending and transit, to receiving and storing in the cloud,” WhatsApp told me, ahead of the news confirming it would finally enable encrypted cloud backups on both iOS and Android “in the coming weeks.”

I’ve commented multiple times before on WhatsApp’s awkward lack of encrypted backups, which seriously weakened its security. “We figured you’d be excited about this one,” the company’s spokesperson told me. And they’re right.

This was a big enough announcement to be confirmed by Facebook CEO Mark Zuckerberg himself. The extension of WhatsApp’s end-to-end encryption to iCloud and Google backups means that neither Apple nor Google (nor Facebook itself) will be able to access your cloud content, even when approached by law enforcement.

“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups,” Zuckerberg posted on Facebook, “and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems.”

WhatsApp has always warned users that “media and messages you back-up are not protected by WhatsApp end-to-end encryption in the cloud.” WhatsApp has never had access to these backups—they’re controlled and secured by the relevant cloud platform, specifically iCloud or Google Cloud. Well, not any longer.

This level of security is possible on iMessage, but only if you change the default settings on your iPhone and other Apple devices. To fully encrypt iMessage backups, you need to disable general iCloud backups, otherwise Apple stores a copy of your encryption key, which it can access if needed or asked.

“iMessage users may wrongly believe that their communication is private,” ESET’s Jake Moore has warned, “but with access granted from just with a backup created, it somehow defeats its success in protection.”

As Apple says, “Apple retains the [iCloud] encryption keys in its U.S. data centers. iCloud content, as it exists in the customer’s account, may be provided in response to a search warrant issued upon a showing of probable cause, or customer consent.”

To ensure that Apple cannot read your messages while your content is still backed up and fully encrypted, you need to ensure that Messages in iCloud is enabled and that iCloud Backup is disabled. That way “a new key is generated on your device to protect future messages and isn't stored by Apple.”

It’s this iMessage weakness that Zuckerberg was referring to back in January, when he said that “iMessage stores non-end-to-end encrypted backups of your messages by default unless you disable iCloud. So, Apple and governments have the ability to access most people's messages. So, when it comes to what matters most—protecting people's messages, I think that WhatsApp is clearly superior.”

In reality, that wasn’t the case until now—WhatsApp had its own equivalent issues, without Apple’s option to fix the situation. But that has changed. You just need to enable the opt-in feature when it hits your device—and don’t forget the encryption password, WhatsApp cannot recover it. That’s the point of end-to-end encryption.

iMessage security only works within Apple’s ecosystem, which is why this update is so significant. iMessage is no longer the most secure hyper-scale messaging platform for Apple users. A fully encrypted, backed-up, multi-device, secure messenger that works across iOS and Android is about to be made available for the very first time.

The technical challenge for WhatsApp is that it doesn’t own the cloud service, and so it needs a way for you to retrieve and restore a backup after losing a device. This is done by the selection of a password that protects an encryption key that’s stored on third-party servers. If you lose your device, you use your password to retrieve your key.

The third party cannot access the encryption key without your password—WhatsApp has no access to any of this. After a number of failed access attempts, the encryption key is destroyed. If you want to make this even more secure, you can create your own 64-digit encryption key and keep it yourself, with nothing stored outside your control.

Either way, if you lose your password or your key, you lose your backup. You also need to deselect options to back up WhatsApp using Apple or Google backup processes.
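A simplified model of the password-protected key store described above, written as an added example for this article and not WhatsApp's actual protocol or code. The `KeyVault` class, the attempt limit of 5, the PBKDF2 parameters and the XOR-plus-HMAC wrapping are all assumptions chosen to keep the sketch standard-library only; for brevity the password check runs inside the store, which is assumed to enforce the counter honestly.

```python
import hashlib, hmac, os, secrets

MAX_ATTEMPTS = 5  # assumed; the article only says "a number of failed access attempts"

def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: first 32 mask the backup key, last 32 authenticate the record.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

class KeyVault:
    """Hypothetical third-party store: persists a wrapped key, never the password."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, password: str, backup_key: bytes) -> None:
        if len(backup_key) != 32:
            raise ValueError("backup key must be 32 bytes")
        salt = os.urandom(16)
        k = _derive(password, salt)
        wrapped = bytes(a ^ b for a, b in zip(backup_key, k[:32]))
        tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
        self.records[user] = {"salt": salt, "wrapped": wrapped, "tag": tag, "fails": 0}

    def retrieve(self, user: str, password: str) -> bytes:
        rec = self.records.get(user)
        if rec is None:
            raise KeyError("no key stored: never registered, or destroyed")
        k = _derive(password, rec["salt"])
        expected = hmac.new(k[32:], rec["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):
            rec["fails"] += 1
            if rec["fails"] >= MAX_ATTEMPTS:
                del self.records[user]  # key destroyed: the backup is now unrecoverable
            raise PermissionError("wrong password")
        rec["fails"] = 0  # a successful retrieval resets the counter
        return bytes(a ^ b for a, b in zip(rec["wrapped"], k[:32]))

def self_managed_key() -> str:
    # The article's other option: a 64-digit key the user keeps, nothing stored remotely.
    # Hexadecimal digits are an assumption here (64 hex digits = 256 bits).
    return secrets.token_hex(32)

if __name__ == "__main__":
    vault, key = KeyVault(), os.urandom(32)  # constructed sample data
    vault.register("alice", "correct horse", key)
    print(vault.retrieve("alice", "correct horse") == key)
```

Once the record is deleted, even the correct password no longer recovers the key, which is the behaviour behind "if you lose your password or your key, you lose your backup."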

The battle between iMessage and WhatsApp has come to exemplify the war between Apple and Facebook, adding spice to this latest news. “We see Apple as one of our biggest competitors,” Zuckerberg said. “iMessage is a key linchpin of their ecosystem, which is why iMessage is the most used messaging service in the U.S.”

The timing for WhatsApp could not be better. The platform has always had two major weaknesses on which Apple has provided the better alternative: multi-device access and encrypted backups, notwithstanding the need to adjust your iCloud settings.

WhatsApp already has multi-device access in public beta, and now this encryption news squares the circle for the world’s most popular messenger. WhatsApp also has the advantage over iMessage that it runs cross-platform without reverting to SMS. Unless and until Apple adopts RCS, this will remain the platform’s ultimate winning advantage over both iMessage and the newly encrypted Google Messages.

There is another feature that WhatsApp has introduced this year at Apple’s expense—disappearing messages and media. As I’ve commented before, this is a great defense against casual messages or photos and videos resurfacing years later to cause harm.

WhatsApp now has both ephemeral messages and a “view-once” media option, both of which are excellent additions. In contrast, iMessage can only offer a storage clean-out option to reduce clutter on your device, but this will not delete content on other users’ devices, which is the entire point of ephemeral messaging.

I am a big fan of the transparency and technical detail WhatsApp is providing here, which also contrasts with Apple’s more “black-box” approach; very few users, for example, realize their encrypted iMessages can likely be accessed in iCloud.

Security experts have always pointed to the lack of encrypted backups as a WhatsApp weakness, and so this is a game-changer. WhatsApp remains my recommended go-to for most users, over Google Messages, iMessage, Telegram, Facebook Messenger and (especially) SMS, although I also recommend that users run Signal in parallel, which is even more secure—opt for that where your contacts have it on their devices.
