
Private WhatsApp messages on Apple iOS and macOS are stored in plaintext within a shared app container, fully readable by other Meta-owned apps like Facebook, with no permission prompt and no user notification whatsoever, according to the researchers.
The disclosure, made by researchers at Mysk on May 23, 2026, exposes a critical gap between WhatsApp’s well-marketed end-to-end encryption and the actual security of messages once they are decrypted and stored locally on a device.
While WhatsApp’s encryption protects messages in transit between servers, the on-device storage offers no such protection.
Unencrypted WhatsApp Chats Found
Apple’s App Group container system allows multiple applications from the same developer to share a common file storage directory, a feature designed for legitimate use cases like syncing data between a main app and its widgets or extensions.
The shared container path on macOS is located at ~/Library/Group Containers/, and on iOS at /private/var/mobile/Containers/Shared/AppGroup/.
WhatsApp places its core SQLite chat databases, including Axolotl.sqlite, ContactsV2.sqlite, and LocalKeyValue.sqlite directly into the group.net.whatsapp.WhatsApp.shared container in plaintext.
Critically, the shared container receives no additional encryption beyond iOS’s standard filesystem protection class NSFileProtectionCompleteUntilFirstUserAuthentication, meaning data is accessible at any point after the first device unlock, which in practice means virtually always.
Any application signed with the same Apple Team ID and registered in the same app group has full read and write access to these files without triggering any system permission dialog.
Because WhatsApp and other Meta applications, including Facebook, Instagram, and Messenger, share the same Apple Developer Team ID, they are structurally positioned to access the same group container.
This means a co-installed Meta app could silently read WhatsApp message history, contact records, and the cryptographic session state stored in the Axolotl.sqlite database, all in plaintext, with no alert to the user.
Affected Files
| File | Sensitive Data at Risk |
|---|---|
| Axolotl.sqlite | Signal Protocol session keys and encryption state |
| ContactsV2.sqlite | Full contact database in plaintext |
| LocalKeyValue.sqlite | App configuration and local key-value data |
| Message/ folder | Full chat message history |
| connection.dlock / connection_setup.dlock | App state and session lock data |
WhatsApp’s FAQ states clearly that “end-to-end encryption keeps your personal messages and calls between you and the person you’re communicating with” and that “no one outside of the chat, not even WhatsApp,” can read them.
However, this guarantee applies exclusively to messages in transit, not at rest on the device.
WhatsApp also claims that “access to WhatsApp personal data is restricted so other Meta apps cannot use it.” Still, this policy statement does not address the structural filesystem-level access enabled by the group container architecture.
Security best practices for iOS development explicitly recommend that developers never store sensitive data in plaintext in shared containers, and that they instead use the Keychain for secrets and apply AES-GCM encryption to any data written to the group container.
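The plaintext-storage claim can be checked on one's own device by testing whether files in a group container start with the standard SQLite header and open without a key. The script below is an added example, not code from Mysk or from the original article; the temporary directory, the `sample_contact` table and `sealed.bin` are constructed stand-ins for a real container.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Every unencrypted SQLite file starts with these 16 bytes; a database
# encrypted at the file level (e.g. SQLCipher defaults) does not.
SQLITE_MAGIC = b"SQLite format 3\x00"

def table_count(path):
    """Open read-only with no key; return the table count, or None on failure."""
    try:
        con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            return con.execute(
                "SELECT count(*) FROM sqlite_master WHERE type='table'"
            ).fetchone()[0]
        finally:
            con.close()
    except sqlite3.Error:
        return None

def audit_container(root):
    """Return {relative path: verdict} for every regular file under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        with open(path, "rb") as fh:
            header = fh.read(len(SQLITE_MAGIC))
        plaintext = header == SQLITE_MAGIC and table_count(path) is not None
        report[str(path.relative_to(root))] = (
            "plaintext-sqlite" if plaintext else "not-plaintext-sqlite")
    return report

def build_sample(root):
    """Constructed stand-in for a container: one plaintext DB, one opaque file."""
    root = Path(root)
    con = sqlite3.connect(root / "ContactsV2.sqlite")
    con.execute("CREATE TABLE sample_contact (id INTEGER, name TEXT)")
    con.commit()
    con.close()
    (root / "sealed.bin").write_bytes(os.urandom(4096))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, verdict in audit_container(tmp).items():
            print(f"{verdict:22} {name}")
```

To audit a real container, pass its directory under `~/Library/Group Containers/` to `audit_container` instead of the constructed sample.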
Mitigation
- Remove co-installed Meta apps (Facebook, Instagram, Messenger) from any iOS or macOS device where WhatsApp privacy is a concern.
- Enable end-to-end encrypted backups in WhatsApp via Settings > Chats > Chat Backup > End-to-end encrypted backup to protect cloud-synced data.
- Use Signal as a privacy-respecting alternative; it does not share a developer ecosystem with advertising-dependent platforms.
- Apple should enforce encryption requirements for sensitive data stored in shared group containers, or require explicit user consent when cross-app data access occurs within the same developer Team ID.
Meta has not issued a public statement addressing this specific on-device storage vulnerability. WhatsApp’s optional end-to-end encrypted backup feature, still off by default, protects only cloud backups, not the local SQLite databases exposed in this disclosure.
The post Unencrypted WhatsApp Chats Found on Apple macOS and iOS Devices appeared first on Cyber Security News.
