WhatsApp's data storage practices on Apple platforms have come under scrutiny after security researchers discovered that chat histories are stored without encryption. Researchers at Mysk found that message databases exist in plaintext format within app group containers on both macOS and iOS devices, raising significant privacy concerns for the messaging platform's users.
The vulnerability stems from how WhatsApp implements local data storage on Apple operating systems. While the app uses end-to-end encryption to protect messages during transmission between users, the researchers found that once messages arrive on a device, they are stored in an unencrypted format. These plaintext databases reside in shared app group containers, which are designed to allow data sharing between applications from the same developer.
The technical issue centers on the accessibility of these app group containers. Because the containers are shared storage, other applications from the same developer can potentially access them, meaning that chat histories could be read by apps beyond WhatsApp itself. This storage method contrasts with the security expectations many users have based on WhatsApp's marketing of end-to-end encryption, which protects data in transit but does not extend to data at rest on the device.
The exposure affects users across Apple's desktop and mobile platforms, potentially compromising years of private conversations, shared media, and sensitive information. While there is no evidence of active exploitation, the architectural weakness creates an opportunity for malicious applications or attackers with device access to harvest chat data without needing to break WhatsApp's transmission encryption.
Users should understand that end-to-end encryption protects messages only while they travel between devices, not after they arrive. Those with sensitive communications may want to enable additional device-level security measures such as full disk encryption, strong passcodes, and careful vetting of installed applications. Organizations relying on WhatsApp for business communications should reassess whether the platform meets their data protection requirements given this storage implementation.
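For teams doing that reassessment, the following audit sketch is an added example, not code from the Mysk research or from WhatsApp. It walks a directory supplied by the auditor (the article gives no container paths, so none are assumed) and flags files that carry the unencrypted SQLite header and open without a key. The file and table names in `demo()` are constructed sample data.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of any unencrypted SQLite file

def table_names(path):
    """Open the file read-only with no key and list its tables."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()

def audit(root):
    """Map each file under root to ('plaintext-sqlite', tables) or ('opaque', [])."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                header = fh.read(16)
            rel = os.path.relpath(full, root)
            if header == SQLITE_MAGIC:
                findings[rel] = ("plaintext-sqlite", table_names(full))
            else:
                findings[rel] = ("opaque", [])
    return findings

def demo():
    """Build a constructed container directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        con = sqlite3.connect(os.path.join(root, "chat.sqlite"))
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO messages (body) VALUES ('constructed sample row')")
        con.commit()
        con.close()
        # Stand-in for an encrypted store: bytes that do not begin with the magic.
        with open(os.path.join(root, "sealed.sqlite"), "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        return audit(root)

if __name__ == "__main__":
    for rel, (status, tables) in sorted(demo().items()):
        print(f"{rel}: {status} {tables}")
```

An `opaque` result only means the file lacks the plaintext SQLite header; it is not proof that the file is encrypted.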
Source: https://gbhackers.com/whatsapp-chat-histories-exposed/


