The finding, raised by researchers Talal Haj Bakry and Tommy Mysk, has drawn attention to a gap between WhatsApp’s widely advertised end-to-end encryption for messages in transit and the way those messages can be stored locally after they reach a user’s device. The issue does not mean chats are exposed to anyone on the internet, nor does it suggest that WhatsApp’s transport encryption has been broken. It points instead to the risks created when sensitive data is kept in plaintext on a device where other authorised software, backups, forensic tools or malware with sufficient access may be able to inspect local files.
WhatsApp, owned by Meta Platforms, uses end-to-end encryption by default for personal messages and calls, meaning content is encrypted between sender and recipient and cannot be read by intermediaries during delivery. Security experts, however, have long cautioned that encryption in transit does not automatically protect data once it is decrypted on a handset or computer for normal use. Local databases, notifications, media files and backups often become the weaker points in messaging security.
The concern centres on Apple’s app group mechanism, a legitimate system that allows multiple apps or extensions from the same developer team to share files and settings inside a common container. On iOS and macOS, this model is used to support features such as widgets, extensions, linked companion apps and shared media handling. Researchers said WhatsApp’s chat database can reside in such a container without an additional layer of encryption, creating a broader attack surface than users may expect from a messaging service marketed around privacy.
The practical risk depends heavily on device conditions. A normal app from an unrelated developer cannot simply open another developer’s app group container. Apple’s sandboxing model limits cross-app access, and the shared container is intended for apps with matching entitlements. The concern is sharper where another app from the same developer ecosystem has access, where a desktop system account is compromised, where a malicious tool gains local file access, or where device backups are extracted and examined. On macOS, the risk can be more visible because users and processes often have broader file-system interaction than on locked-down mobile devices.
The disclosure lands against a wider backdrop of scrutiny over messaging-platform security on Apple devices. WhatsApp patched a zero-click vulnerability in 2025 affecting iOS and Mac versions after a campaign targeting a small number of high-risk users. That earlier flaw involved linked-device synchronisation and was assessed to have been chained with an Apple operating-system vulnerability. Although the newly flagged storage issue is different in nature and is not described as a remote exploit, it reinforces a common concern in digital security: encrypted messaging is only as strong as the endpoint that stores, displays and backs up the conversation.
For journalists, lawyers, activists, corporate executives and political figures, the distinction matters. A WhatsApp message may be protected while crossing the network, but the same message must be readable on the recipient’s device. Once stored in a local database, it can become evidence in forensic investigations, a target for spyware, or a source of leakage if a computer is compromised. Attachments, contact details, group metadata and timestamps may also carry sensitive information even when message content is not being transmitted.
WhatsApp has continued to expand privacy features, including encrypted backups, passkeys and controls for locked chats. Yet backup protection often requires users to enable or configure options, and local storage protections may vary by platform and implementation. Security specialists argue that messaging apps should encrypt sensitive local databases using keys protected by the operating system’s secure storage features, with access tied tightly to the user session and the application process that needs the data.
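One way a defender or auditor can check the property the article describes, whether a chat database in a shared container is readable without any key, is to look for the cleartext SQLite header and enumerate what it exposes. The script below is an added example, not code from the article, the researchers or WhatsApp; the container layout, database name and file names it builds are constructed stand-ins, and an auditor would point `audit_container` at the real Group Containers path instead.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of every unencrypted SQLite file


def is_plaintext_sqlite(path):
    """True if the file starts with the cleartext SQLite header; a store
    written as ciphertext (e.g. SQLCipher) does not."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def audit_container(root):
    """Walk a container and report each database readable without a key,
    with its tables and any WAL/SHM/journal sidecar (those hold recent
    pages in the clear even if the main file is later re-encrypted)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_plaintext_sqlite(path):
                continue
            conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
            try:
                rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
                tables = sorted(r[0] for r in rows)
            except sqlite3.DatabaseError:
                tables = None  # header present but pages unreadable
            finally:
                conn.close()
            sidecars = [s for s in ("-wal", "-shm", "-journal") if os.path.exists(path + s)]
            findings.append({"path": os.path.relpath(path, root),
                             "tables": tables, "sidecars": sidecars})
    return findings


def build_sample_container():
    """Constructed stand-in for an app-group container; all names are invented."""
    root = tempfile.mkdtemp(prefix="group.example.shared-")
    conn = sqlite3.connect(os.path.join(root, "chats.sqlite"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO message(body) VALUES ('constructed sample')")
    conn.commit()
    conn.close()
    with open(os.path.join(root, "media.enc"), "wb") as fh:
        fh.write(bytes(range(255, 191, -1)))  # opaque bytes standing in for ciphertext
    return root
```

Running `audit_container(build_sample_container())` reports the plaintext `chats.sqlite` with its `message` table and skips the opaque file, which is the outcome a properly encrypted local store should produce for every database in the container.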
The issue also highlights a challenge for large app ecosystems. Meta operates multiple apps across social networking, messaging and business communication, and shared platform functions can encourage developers to use common storage patterns. Convenience and interoperability can reduce friction for users, but they can also create privacy risks if highly sensitive data is placed in containers that are easier to reach than a dedicated encrypted store.