WhatsApp is the fastest growing instant messenger app. With over 2 billion monthly users, WhatsApp keeps the crown of the most popular instant messaging tool in the Western hemisphere. The recent introduction of end-to-end encrypted backups and the change of Google’s authentication protocol broke things temporarily for EXWA users, but now everything is back to normal. Learn how Elcomsoft Explorer for WhatsApp can download and decrypt encrypted WhatsApp communication histories from Google Drive and Apple iCloud!
WhatsApp is secure. The iOS and Android apps make use of the Open Whisper Signal communication protocol to secure communications with end-to-end encryption. Recently, WhatsApp started rolling out end-to-end encryption of its cloud backups to offer an optional extra protection layer.
WhatsApp is extremely popular, easily being the number one instant messenger in the Western hemisphere. This, combined with its end-to-end encryption, make WhatsApp a popular tool among the criminals. Terrorists, scammers, extortionists and child molesters don’t hesitate using WhatsApp to lure their victims, plan and coordinate illegal activities. While end-to-end encryption is great for protecting personal privacy and civil liberties of ordinary users, stopping criminal activities was the primary driving force behind our decision to release Elcomsoft Explorer for WhatsApp.
WhatsApp advertises end-to-end encryption all around. Both messages in transit and the backup copies of users’ conversations are securely encrypted in such a way that only the original user and their recipient can access the messages. As to the backups, only the owner of the backup can decrypt the data, and only after successful authentication. The general idea behind end-to-end encrypted backups is described in End-to-End Encrypted Backups on WhatsApp – WhatsApp Blog, while the company shared some technical details in How WhatsApp is enabling end-to-end encrypted backups (fb.com).
The thing is still very new, being rolled out slowly in stages to the entire 2 billion users crowd. The new end-to-end encrypted backups are stored as .crypt14 files, implementing a new encryption algorithm. To access the data, you’ll need a unique cryptographic key that can be only obtained from the WhatsApp server after successful authentication. Without access to that cryptographic key, there is no way to decrypt the backup or access the conversation history – unless you are able to hack the device and do the low-level extraction thing.
There is one more thing that makes the extraction of the new (crypt14) backups difficult. Not only are the backups encrypted by WhatsApp with a unique encryption key, but downloading such backups from the corresponding cloud service (Google Drive or Apple iCloud depending on the platform) requires authenticating into the corresponding cloud service.
That’s a lot of authentication, and that’s a lot of things that can go wrong should Google, Apple, or WhatsApp make a change into their proprietary authentication or communication protocols, encryption, or the data format. This is exactly what happened some months ago: Google broke Google Drive authentication, while WhatsApp introduced end-to-end encrypted backups and also made a few changes to the format of internal tables. That was enough to break Elcomsoft Explorer for WhatsApp for the time being.
Interestingly, media attachments (images and videos) are still stored without any encryption at all, let alone end-to-end encryption. To access those, you’ll just need to authenticate into the corresponding cloud service (Google or Apple).
Elcomsoft Explorer for WhatsApp was updated to automatically download and decrypt end-to-end encrypted backups from the user’s iCloud and Google accounts. The cryptographic key is generated automatically based on the authentication code received as a text message and delivered to the user’s trusted phone number.
WhatsApp developers are working hard to deliver new features and increased security. End-to-end encryption was there since the beginning thanks to the choice of the Open Whisper Signal communication protocol. End-to-end encrypted backups are becoming a thing right now, literally at this very moment. There are several other things in WhatsApp that are not yet supported in our tool.
User key/password: this optional feature allows the user to encrypt their backups with a custom key or password. We are aware of the feature and are currently working on it.
In iOS, stand-alone WhatsApp backups are saved in iCloud Drive. While we do support the extraction of these backups from non-2FA accounts, we are currently struggling with iCloud Drive accounts protected with two-factor authentication. There is a fix in the pipeline; stay tuned for news.
Group calls. Elcomsoft Explorer for WhatsApp does not support them for the time being.
Google accounts with Google Prompt. Google Prompt is the default two-factor authentication method for many Google accounts. This method is also the easiest to use, as the only action the user needs to make is tapping “Yes” on the corresponding prompt. In certain cases, using Elcomsoft Explorer for WhatsApp to access the user’s Google Account requires two confirmations of the Google Prompt instead of one.
No FIDO keys 2FA for Google accounts. At this time, we do not support two-factor authentication with FIDO keys. A fix is in the pipeline, but no ETA.
WhatsApp is a moving target, and we do our best to deliver the most comprehensive WhatsApp extraction and decryption tool on the market. Stay tuned!
Elcomsoft Explorer for WhatsApp is a tool to download, decrypt and display WhatsApp communication histories. The tool automatically acquires WhatsApp databases from one or multiple sources, processes information and displays contacts, messages, call history and pictures sent and received. The built-in viewer offers convenient searching and filtering, and allows viewing multiple WhatsApp databases extracted from various sources.
Elcomsoft Explorer for WhatsApp official web page & downloads »