Security researchers have raised significant concerns regarding the storage practices of WhatsApp, particularly how it manages user chat data on both macOS and iOS platforms. The findings indicate that WhatsApp maintains message databases in an unencrypted format within a shared app group container that is accessible to other applications from the same developer.
The research team at Mysk has revealed startling details about WhatsApp’s data management system. They discovered that the application stores chat histories in plaintext within a shared app group container on Apple devices. This shared architecture, specific to Apple platforms, allows data to be exchanged between applications that have been signed by the same developer. In this instance, various Meta-owned applications, including Facebook and Instagram, reportedly utilize a common container referred to as “group.com.facebook.family,” raising serious privacy implications.
This shared data storage structure opens the door to various privacy risks. Firstly, the fact that chat databases are stored without any form of encryption means that they are vulnerable to unauthorized access. Furthermore, other Meta applications that reside on the same device could theoretically access WhatsApp data without obtaining explicit consent from the user. Compounding this issue is the absence of any notification mechanism to inform users about such access, which poses a significant threat to user privacy. It is important to note that this situation is prevalent in both macOS and iOS environments.
Researchers also validated their findings by demonstrating that users could extract WhatsApp chat data from iPhone backups, where it appears in the same unencrypted structure, confirming the absence of encryption at rest. This lack of security in data storage is not just a technical oversight; it raises serious doubts about the overall integrity of user data protection on these platforms.
Further aggravating the situation is the discovery of a recently disclosed vulnerability in macOS, identified as CVE-2026-28910. This flaw, which affects the Archive Utility tool, enables nearly unrestricted access to the file system and can circumvent Apple’s App Sandbox protections. By exploiting this vulnerability, malicious actors could potentially:
1. Access protected app containers.
2. Extract sensitive data from applications like WhatsApp, Messages, and Safari.
3. Circumvent the Transparency, Consent, and Control (TCC) mechanisms that have been put in place to safeguard user data.
The seriousness of this vulnerability was highlighted by a proof-of-concept demonstration that showed how attackers could take advantage of both this flaw and WhatsApp’s storage behavior to gain unauthorized access to chat histories.
Despite the alarming nature of these findings, not all experts agree on the severity of the situation. WABetaInfo advised that while WhatsApp’s databases may not be encrypted when stored locally, they remain confined within a sandboxed environment that Apple has designed to deter unauthorized access. From this viewpoint, gaining access to the shared container necessitates either elevated system-level privileges or successful exploitation of other operating system vulnerabilities. Therefore, the onus of preventing cross-app data access largely falls on Apple’s operating system protections.
Conversely, researchers at Mysk have argued that the existence of shared app group entitlements between Meta applications significantly reduces the isolation boundaries. This deficiency permits internal data sharing without any awareness or consent from the end user. The researchers highlight a broader concern regarding the protection of data-at-rest within mobile ecosystems:
1. While end-to-end encryption provides a secure pathway for data in transit, it does not ensure the protection of data kept on devices.
2. Shared containers can broaden the attack surface, especially when coupled with operating system flaws.
3. The extraction of backups continues to serve as a viable method for accessing sensitive data, provided those backups are not encrypted.
To mitigate these risks, users and organizations have several precautions they can adopt:
1. Enable encrypted backups via iTunes or Finder for iOS devices.
2. Regularly update macOS and iOS to address known vulnerabilities.
3. Limit the number of applications installed from the same developer ecosystem.
4. Implement device-level encryption and utilize strong passcodes.
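
One way to verify the first precaution on a Mac, as an added example that is not part of the original report: each Finder/iTunes backup folder carries a Manifest.plist whose IsEncrypted flag records whether the backup is encrypted. The default backup path and the function names are assumptions of this example.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed default location of Finder/iTunes backups on macOS.
DEFAULT_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def audit_backups(root=DEFAULT_ROOT):
    """Return one record per backup folder under root (hypothetical helper)."""
    root = Path(root)
    try:
        folders = sorted(p for p in root.iterdir() if p.is_dir())
    except OSError:  # missing directory, or no permission to list it
        return []
    results = []
    for folder in folders:
        entry = {"backup": folder.name, "device": None,
                 "encrypted": None, "error": None}
        try:
            with (folder / "Manifest.plist").open("rb") as fh:
                manifest = plistlib.load(fh)  # handles binary and XML plists
        except FileNotFoundError:
            entry["error"] = "no Manifest.plist"
        except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
            entry["error"] = "unreadable Manifest.plist"
        else:
            flag = manifest.get("IsEncrypted") if isinstance(manifest, dict) else None
            if isinstance(flag, bool):
                entry["encrypted"] = flag
                lockdown = manifest.get("Lockdown")
                if isinstance(lockdown, dict):
                    entry["device"] = lockdown.get("DeviceName")
            else:
                entry["error"] = "IsEncrypted flag missing"
        results.append(entry)
    return results


def unencrypted(results):
    """Names of backups whose manifest says they are stored unencrypted."""
    return [r["backup"] for r in results if r["encrypted"] is False]


if __name__ == "__main__":
    for r in audit_backups():
        state = {True: "encrypted", False: "NOT ENCRYPTED"}.get(r["encrypted"], r["error"])
        print(f'{r["backup"]}  {r["device"] or "-"}  {state}')
```

On recent macOS versions the terminal may need Full Disk Access to list the backup folder; without it the function returns an empty list.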
While there have been no widespread reports of active exploitation stemming from these vulnerabilities, the research conducted emphasizes the critical importance of safeguarding sensitive data in both transit and at rest. This is particularly vital in tightly integrated app ecosystems such as those developed by Meta, where data privacy concerns are amplified by shared access mechanisms. As the digital landscape evolves, end-users must remain vigilant to the threats that accompany such vulnerabilities.

