WhatsApp may soon roll out encrypted chat backups - We Live Security
Posted: 09 Mar 2021 12:00 AM PST

While chats are end-to-end encrypted, their backups are not – this may change soon

WhatsApp is said to be working to add encryption for chat backups that will allow users to easily secure their conversations when storing them in the cloud. While the company does currently offer end-to-end encryption for messages, calls and other forms of communication, thus making their content visible only to the sender and the recipient, the same protection doesn't extend to the backups, stored on third-party platforms such as iCloud and Google Drive.

However, that may change soon according to WhatsApp tipster WABetaInfo, which shared four screenshots of the long-anticipated feature. Two screenshots showcase the iOS version while the rest display what the Android version may look like.

"To prevent unauthorized access to your iCloud backup, you can set a password that will be used to encrypt future backups. This password will be required when you restore from the backup," reads one screenshot of the setup process, which requires the user to confirm their choice by entering their phone number.

Meanwhile, a screenshot of the Android context window shows a warning by WhatsApp that forgotten passwords cannot be recovered. In translation, once you set up the password to encrypt your backups and store it in iCloud or Google Drive, you'd better remember the password – or use a password manager to do the work for you.

RELATED READING: Hey there! Are you using WhatsApp? Your account may be hackable

There is no information on whether the feature will be available anytime soon since WhatsApp has remained silent on the subject and refused to confirm or deny if or when the feature will be released. However, the boost for privacy and security would not come as much of a surprise.

The Facebook-owned messaging platform has already released several new features on the heels of the confusing communication of its Privacy Policy and Terms of Service update, which saw users leaving WhatsApp en masse. Just days ago, the chat app extended its audio and video call features to the desktop version of its app.
When cryptographers looked at iOS and Android security, they weren’t happy - Computerworld

Posted: 29 Jan 2021 12:00 AM PST

For years, the US government begged Apple executives to create a backdoor for law enforcement. Apple publicly resisted, arguing that any such move for law enforcement would quickly become a backdoor for cyberthieves and cyberterrorists. Good security protects us all, the argument went.

More recently, though, the feds have stopped asking for a workaround to get through Apple security. Why? It turns out that they were able to break through on their own. iOS security, along with Android security, is simply not as strong as Apple and Google suggested.

A cryptography team at Johns Hopkins University just published a frighteningly detailed report on both of the major mobile operating systems. Bottom line: Both have excellent security, but they do not extend it far enough. Anyone who really wants to get in can do so — with the right tools.

For CIOs and CISOs, that reality means all of those ultra-sensitive discussions happening on employee phones (whether company-owned or BYOD) could be easy pickings for any corporate spy or data thief.

Time to drill into the particulars. Let's start with Apple's iOS and the Hopkins researchers' take.

"Apple advertises the broad use of encryption to protect user data stored on-device. However, we observed that a surprising amount of sensitive data maintained by built-in applications is protected using a weak 'available after first unlock' (AFU) protection class, which does not evict decryption keys from memory when the phone is locked. The impact is that the vast majority of sensitive user data from Apple's built-in applications can be accessed from a phone that is captured and logically exploited while it is in a powered-on but locked state. We found circumstantial evidence in both the DHS procedures and investigative documents that law enforcement now routinely exploits the availability of decryption keys to capture large amounts of sensitive data from locked phones."

Well, that's the phone itself. What about Apple's iCloud service? Anything there? Oh yes, there is.

"We examine the current state of data protection for iCloud, and determine, unsurprisingly, that activation of these features transmits an abundance of user data to Apple's servers, in a form that can be accessed remotely by criminals who gain unauthorized access to a user's cloud account, as well as authorized law enforcement agencies with subpoena power. More surprisingly, we identify several counter-intuitive features of iCloud that increase the vulnerability of this system. As one example, Apple's 'Messages in iCloud' feature advertises the use of an Apple-inaccessible end-to-end encrypted container for synchronizing messages across devices. However, activation of iCloud Backup in tandem causes the decryption key for this container to be uploaded to Apple's servers in a form that Apple — and potential attackers, or law enforcement — can access. Similarly, we observe that Apple's iCloud Backup design results in the transmission of device-specific file encryption keys to Apple. Since these keys are the same keys used to encrypt data on the device, this transmission may pose a risk in the event that a device is subsequently physically compromised."

What about Apple's famed Secure Enclave processor (SEP)?

"iOS devices place strict limits on passcode guessing attacks through the assistance of a dedicated processor known as SEP. We examined the public investigative record to review evidence that strongly indicates that, as of 2018, passcode guessing attacks were feasible on SEP-enabled iPhones using a tool called GrayKey. To our knowledge, this most likely indicates that a software bypass of the SEP was available in-the-wild during this timeframe."

How about Android security? For starters, its encryption protections appear to be even worse than Apple's.

"Like Apple iOS, Google Android provides encryption for files and data stored on disk. However, Android's encryption mechanisms provide fewer gradations of protection. In particular, Android provides no equivalent of Apple's Complete Protection (CP) encryption class, which evicts decryption keys from memory shortly after the phone is locked. As a consequence, Android decryption keys remain in memory at all times after 'first unlock,' and user data is potentially vulnerable to forensic capture."

For CIOs and CISOs, this means that you have to trust either Google or Apple or, much more likely, both. And you must also assume that thieves and law enforcement can also access your data when they want, as long as they can access the physical phone. For a well-compensated corporate espionage agent or even a cyberthief with an eye on a specific executive, this is a potentially massive problem.