WhatsApp Chats Found Unencrypted on Apple Devices

New research has exposed a significant privacy gap in WhatsApp’s data handling on Apple devices. iOS security researchers at Mysk have revealed that WhatsApp stores its message database in plaintext on both macOS and iOS, meaning your chat history sits unencrypted on your device long after those end-to-end encrypted messages arrive.

How the Vulnerability Works

WhatsApp is widely trusted for its end-to-end encryption (E2EE), which secures messages while they travel between users. However, once messages are decrypted and land on your device, they are stored in a SQLite database file called “Axolotl.sqlite” — and this file is not encrypted at rest.

What makes this particularly concerning is where this database lives. It is stored inside a shared app group container labeled “group.net.whatsapp.WhatsApp.shared”. Apple’s sandboxing model permits apps from the same developer to access shared containers — meaning other Meta-owned applications such as Facebook and Instagram could, in theory, read your WhatsApp chat history in plaintext without ever requesting explicit user permission.
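A defender’s first question after a report like this is “is that database really plaintext at rest?” The check below is an added example (not code from Mysk, WhatsApp or Apple): a plaintext SQLite 3 file always starts with the 16-byte magic `SQLite format 3\0`, while a database encrypted at rest (for example with SQLCipher, which encrypts the header page too) does not. It audits every `.sqlite`/`.db` file under a directory and generalizes to any app container; the demo container, file names and contents are constructed here (only the name “Axolotl.sqlite” is taken from the article).

```python
import os
import sqlite3
import tempfile

# Every unencrypted SQLite 3 database begins with this fixed 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_plaintext_sqlite(path: str) -> bool:
    """True if the file is a readable, unencrypted SQLite database (magic header present)."""
    with open(path, "rb") as f:
        header = f.read(len(SQLITE_MAGIC))
    return header == SQLITE_MAGIC


def audit_container(container_dir: str) -> dict[str, bool]:
    """Map each *.sqlite / *.db file under container_dir to whether it is stored in plaintext.

    Point this at an app group container directory to audit it; only the first 16 bytes of
    each file are read, no record content is touched.
    """
    results: dict[str, bool] = {}
    for root, _dirs, files in os.walk(container_dir):
        for name in files:
            if name.endswith((".sqlite", ".db")):
                path = os.path.join(root, name)
                results[os.path.relpath(path, container_dir)] = is_plaintext_sqlite(path)
    return results


def build_demo_container() -> str:
    """Constructed sample container: one plaintext SQLite DB and one opaque blob standing in
    for a database encrypted at rest. Contains no real WhatsApp data."""
    d = tempfile.mkdtemp(prefix="demo_group_container_")
    plain = os.path.join(d, "Axolotl.sqlite")  # file name as reported in the article
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO message (body) VALUES ('constructed sample text')")
    con.commit()
    con.close()
    # An encrypted database exposes no recognisable header; fixed non-magic bytes stand in for it.
    with open(os.path.join(d, "Encrypted.sqlite"), "wb") as f:
        f.write(b"\xc3\x19\x7e\x02" * 1024)
    return d


if __name__ == "__main__":
    for rel_path, plaintext in sorted(audit_container(build_demo_container()).items()):
        print(f"{rel_path}: {'PLAINTEXT (readable at rest)' if plaintext else 'not a plaintext SQLite file'}")
```

Run against a real container directory, any file flagged `PLAINTEXT` is readable by anything that can open the container, regardless of the app’s transit encryption.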

Why This Matters for Privacy

This finding draws a sharp distinction between two very different security guarantees:

– End-to-end encryption protects messages while they are in transit between devices.
– Once messages are decrypted on your device, they may be stored in a fully readable format.
– Local storage security depends entirely on how the application implements data protection — not on E2EE.

Apple’s Data Protection framework can encrypt files based on device state, such as when a device is locked. However, this does not prevent other authorized apps within the same developer container from accessing application-level databases. The architectural design means that any Meta app installed on the same iPhone could silently access your WhatsApp message history.

There is currently no public evidence that Meta is actively exploiting this access. However, the structural capability raises valid and serious concerns about user data isolation within the Meta ecosystem.

The Broader Security Risk

The exposure of unencrypted chat databases creates multiple attack surfaces and privacy risks:

– Cross-app data access within the same developer ecosystem without user notification.
– Increased exposure from malicious apps that exploit shared container permissions.
– Forensic extraction of full chat histories from compromised or jailbroken devices.
– Insider threat scenarios involving misuse of legitimate app privileges.
– On macOS, where file system access is more flexible, the risk is potentially more pronounced if endpoint security controls are weak.

What You Can Do

Users and organizations concerned about this issue should consider the following precautions:

– Protect devices with strong passcodes and biometric authentication.
– Limit the number of Meta apps installed on devices that handle sensitive communications.
– Deploy mobile device management (MDM) solutions to restrict app permissions in enterprise environments.
– Keep iOS, macOS, and WhatsApp updated to benefit from the latest security improvements.
– For high-security use cases, evaluate alternative messaging platforms that implement stricter local storage encryption.

The Bigger Picture

This disclosure highlights a challenge that extends well beyond WhatsApp. As messaging platforms invest heavily in transit-layer encryption, the security community is increasingly turning its attention to endpoint security — where decrypted data inevitably lives. Strong encryption in transit means very little if that same data is stored in plaintext once it arrives.

The findings are expected to prompt broader scrutiny of how major applications handle local data storage, and whether encryption-at-rest should become a non-negotiable standard for privacy-focused services across the industry.
