Security experts have uncovered that WhatsApp’s chat histories may be stored without encryption on Apple devices, sparking concerns about data protection within the Apple ecosystem. The issue was brought to light by researchers from Mysk, who investigated how WhatsApp handles message storage locally.
Unencrypted Chat Storage on Apple Devices
The research indicates that while WhatsApp employs end-to-end encryption (E2EE) for message transmission, the same level of security does not apply to local data storage. On both iOS and macOS, WhatsApp stores its chat data in a SQLite database named ‘Axolotl.sqlite,’ which is not encrypted and is accessible to other apps from the same developer.
This unencrypted data resides in a shared app group container, which means other Meta-owned applications such as Facebook and Instagram could potentially read it without any notification to the user. This setup relies on Apple’s app group mechanism, which intentionally permits data sharing between apps published by the same developer within the sandboxing model.
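To make the storage-level distinction concrete, the following is an added Python example (it is not Mysk’s analysis tooling and has nothing to do with WhatsApp’s own code). It checks whether a SQLite file on disk is plaintext or looks encrypted at rest: an unencrypted SQLite database always begins with the 16-byte header "SQLite format 3\0", whereas a page-level encryption scheme such as SQLCipher leaves no such header and the first page reads as high-entropy ciphertext. It also shows that a plaintext database can be opened and enumerated by any process with file access and no key, which is exactly the cross-app exposure described above. The file names and the sample table are constructed for the demonstration; no real application database is touched.

```python
"""Check whether a SQLite database file is stored in plaintext or appears
encrypted at rest. Added illustration; not Mysk's or WhatsApp's code.

A plaintext SQLite file always begins with the 16-byte magic string
"SQLite format 3\x00". A database encrypted at page level (SQLCipher-style)
has no such header; its first page is ciphertext and looks like random bytes.
So a header check plus an entropy estimate is a cheap, read-only way to
confirm whether "encryption at rest" is actually in effect for a file.
"""
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for structured plaintext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_sqlite_file(path: str, sample_size: int = 4096) -> str:
    """Return 'plaintext-sqlite', 'probably-encrypted' or 'unknown' for a file on disk."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    # No SQLite header: a high-entropy first page suggests ciphertext;
    # low entropy suggests some other unencrypted format.
    if len(head) >= 512 and shannon_entropy(head) > 7.5:
        return "probably-encrypted"
    return "unknown"


def tables_readable_without_key(path: str) -> list:
    """List table names that any process with file access can read with no key.

    Returns an empty list when SQLite refuses the file (e.g. ciphertext).
    """
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
        return [r[0] for r in rows]
    except sqlite3.DatabaseError:
        return []
    finally:
        conn.close()


def build_samples(workdir: str) -> dict:
    """Create a constructed plaintext SQLite DB and a constructed ciphertext-like file."""
    plain = os.path.join(workdir, "constructed_plain.sqlite")
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (body) VALUES (?)", [("hello",), ("sample message",)]
    )
    conn.commit()
    conn.close()

    enc = os.path.join(workdir, "constructed_encrypted.sqlite")
    with open(enc, "wb") as fh:
        # Stand-in for an encrypted first page: random bytes, no SQLite header.
        fh.write(os.urandom(4096))
    return {"plain": plain, "encrypted": enc}


def demo() -> dict:
    """Build the two constructed files and report how each one looks at rest."""
    workdir = tempfile.mkdtemp(prefix="sqlite_at_rest_")
    paths = build_samples(workdir)
    return {
        name: {
            "status": classify_sqlite_file(p),
            "tables": tables_readable_without_key(p),
        }
        for name, p in paths.items()
    }


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: {info['status']}, readable tables without key: {info['tables']}")
```

Running the script reports the plaintext sample as `plaintext-sqlite` with its `messages` table readable without any key, and the ciphertext-like sample as `probably-encrypted` with no readable tables. The same two functions can be pointed at any database a defender is entitled to inspect to verify whether a vendor's "encrypted at rest" claim holds for a specific file.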
Implications of Data Accessibility
The primary concern is that the chat database is stored in plaintext, making it vulnerable to unauthorized access. This situation poses several risks, including cross-app data access, potential misuse by malicious apps, and the possibility of forensic data extraction from compromised devices.
Although there is no evidence suggesting Meta is exploiting this access, the architectural design raises valid concerns about data isolation and user privacy. The risk is more pronounced on macOS, where file system access is less restricted than on iOS, especially when additional security controls are not in place.
Recommendations for Enhanced Security
Users and organizations can mitigate these risks by implementing strong passcodes, avoiding unnecessary app installations, utilizing mobile device management solutions, and keeping software updated. For high-security needs, considering alternative messaging apps with stricter local encryption might be prudent.
This discovery highlights a broader industry challenge: ensuring data is secure not just in transit but also when stored locally on devices. As encryption becomes a central focus for messaging platforms, attention must also shift to endpoint security where decrypted data is stored.
The findings are expected to prompt further scrutiny into how applications manage local data storage and whether enhanced encryption-at-rest should become a standard practice for services prioritizing user privacy.
