Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Communications Data Storage Google

WhatsApp Warns Free Google Drive Backups Are Not End-To-End Encrypted (zdnet.com) 38

On November 12th, WhatsApp users on Android will be able to back up their messages to Google Drive for free and it won't count towards Google Drive storage quotas. But, as WhatsApp warns, those messages will no longer be protected by end-to-end encryption. ZDNet reports: While Apple iOS users may elect to use iCloud backup storage options, Android users store theirs through Google Drive -- but alongside the changes, WhatsApp has reminded users that once communication, chat, and media is transferred away from the app, end-to-end encryption is no longer in place.

Some users may think that backup services will have the same level of protection as the app. However, this is not the case and the reminder is important for those interested in protecting their privacy. In WhatsApp support documents, this separation is now explicitly mentioned. "Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive," WhatsApp says.

This discussion has been archived. No new comments can be posted.

WhatsApp Warns Free Google Drive Backups Are Not End-To-End Encrypted

Comments Filter:
  • by RhettLivingston ( 544140 ) on Wednesday August 29, 2018 @08:42PM (#57221720) Journal

    I often back up encrypted files to Google Drive. Why would WhatsApp bother to decrypt, backup, restore, reencrypt?

    Perhaps this is an export/import capability, not a backup, and they've named it wrong? They are two completely different things. Backup is intended for restoration to the same system and can use the system's encryption. Export is just that, exporting from the system for the purpose of allowing other apps to utilize the data.

    • Because WhatsApp doesn't hold the key. The private key is only stored on your phone. You can't restore a backup if you've lost your key.
      Storing the messages encrypted would render the backup useless if you lost your phone or factory reset it..

      • Ahhh. That is not a reasonable backup. No user should be required to compromise security to use their own backup.

        At the least they should provide a means of choosing to backup with encryption in place and a separate means to back up the private key. I would want to put the key in my key vault which is also backed up.

    • by AmiMoJo ( 196126 )

      WhatsApp only does end-to-end encryption of the messages being transferred. Once a message reaches your phone it is decrypted and stored in plaintext. There are some OS level protections to stop other apps reading them, but not at the file level.

      It appears they are just copying the file to Google Drive. They should add an extra layer of encryption, but they aren't really interested in that. They prioritise ease of use, which means easily restoring your messages years later when you will have long since forg

  • Or maybe one's!

  • Michael Cohen flipped in part because his WhatsApp communications were stored in the cloud unencrypted. I'm surprised the article didn't mention it.

    • by dohzer ( 867770 )

      If you don't want your messages in the open, you should destroy them soon after sending/receiving.

  • by itsme1234 ( 199680 ) on Thursday August 30, 2018 @12:13AM (#57222550)

    Just to be clear, the ONLY part that is new is "won't count towards Google Drive storage quotas".

    Nothing changes, you could (since probably before Whatsapp was really popular) store the un-encrypted backups on GDrive and it's off by default and you are warned that they aren't encrypted. Local backups aren't encrypted too by the way, unless you have some kind of device encryption.

    The end-to-end encryption is only on-the-fly. You start saving shit you need to trust the place you save it to. It's just like ssh, there is encryption for the connection and there is even an ephemeral symmetrical key agreed upon on the spot but you need to take care what to do with the stuff once you start logging or redirecting to files, etc.

    Most people don't care anyway. Many of the services aren't end-to-end encrypted (Email, SMS, Yahoo Messanger - rest in peace-, Google Talk or whatever they call it nowadays, Facebook Messenger unless you're using secret conversation or something and so on).

    Sure, they could encrypt the backups but the user would have to manage (think store safely) the keys. Do you really expect most users to be able to get the key they set/saved years ago when the old phone breaks (or is lost) and they need to restore the backup to a new phone? Especially if is a key with enough entropy (think a complicated passphrase) that they aren't supposed to be using anywhere else?

  • It sounds like Google Drive's network protocol is plaintext. The article actually means WhatsApp doesn't encrypt their backup files.
  • Why aren't the backup's themselves encrypted? If there's end-to-end encryption (so encryption with about every whatsapp chat), you might expect a backup of your chats to also be encrypted.
    • by FunOne ( 45947 )

      They are. So is the message store on your phone. The problem is the key to encrypt the message store is generated during registration, and given during any re-registration. If you control the phone or phone number, and the backup, you can get the key and decrypt the message store easily.

      Media is not encrypted at rest on your phone or backup by WhatsApp.

      WhatsApp should add a salt or pin or something to the backup encryption to make it safer at rest. That would be straightforward and "solve" this "issue."

      • If WhatsApp wanted true end to end security, they would have done a number of things:

        1: They would have stored messages encrypted on the device. Signal and TextSecure do this, where you can have all messages they store be stored with encryption independent from the OS. For maximum security, the app could print out a recovery key on setup for the user to write down and save somewhere, then use a composite key derived from a PIN/password and a key stored in the KeyChain or Android's KeyStore. That way, th

  • Buy your own storage devices, keep your own data, put backups in a safe deposit box if you feel the need, but do not use 'The Cloud' to store anything. Reject 'non-ownership' philosophies; stop 'renting' everything and own things instead.

Whoever dies with the most toys wins.

Working...