WhatsApp encrypts messages between users by default. Billions rely on that promise daily. Yet for years a quiet vulnerability persisted. Chat backups stored in Google Drive or iCloud often lacked the same protection. Anyone with access to those accounts could read years of conversations. Media. Documents. Location data. All exposed.
That gap didn’t go unnoticed. Privacy advocates sounded alarms. Security researchers pointed to the contradiction. And Meta responded. First with an optional fix in 2021. Then with refinements that continue today. The latest shifts make encryption easier to adopt. But adoption remains far from universal. The stakes keep rising.
Encryption That Stops Short
By default WhatsApp backs up chat history to the user’s chosen cloud provider. On Android that means Google Drive. On iOS it points to iCloud. These backups let people restore conversations after switching phones or losing a device. Convenience first. Security came later.
Without extra steps the backed-up data sits readable by the cloud companies. Google and Apple can access it. Law enforcement can request it. A 2025 analysis from the Electronic Frontier Foundation put it plainly. Unencrypted backups “may make those conversations available to read by whoever runs the cloud storage platform.” The same piece noted that encrypted backups remain an option but not the default. For users with sensitive exchanges the advice was direct. Turn on encryption or skip backups altogether. Tell your contacts to do the same.
Meta first rolled out end-to-end encrypted backups in late 2021. Users could lock their cloud copies with a password or a 64-digit key generated on device. Neither WhatsApp nor the cloud provider could read the contents. The company detailed the technical approach in an engineering blog post that September. “Neither WhatsApp nor the backup service provider will be able to access their backup or their backup encryption key,” it stated.
But the setup carried friction. Forget the password and recovery became impossible. The long key proved cumbersome to store safely. Many users never bothered. Cybersecurity experts continued urging activation. Recent social media reminders from 2026 echo the same message. One post noted that without this layer “a copy of your chat history may be stored in the cloud without the same end-to-end encryption as your messages.”
Fast forward to 2025. WhatsApp introduced passkeys. The change arrived in stages. A TechCrunch report from October 30 that year captured the shift. “With passkeys, you don’t need to look for the password or the key.” Users could now secure backups using device biometrics or screen lock. Fingerprint. Face ID. The code already protecting the phone. If the device was lost the previous phone’s credentials could unlock the backup during restore. The article highlighted WhatsApp’s scale. The service had crossed 3 billion active users months earlier.
Even more changes landed in 2026. Meta announced upgrades to the underlying infrastructure for both WhatsApp and Messenger. A May 1 report in SQ Magazine outlined the additions. The company deployed hardware security modules in a distributed key vault. Keys generated locally on user devices reached 256 bits. Protocols like OPAQUE protected password entry. Over-the-air delivery of keys removed the need for app updates. And Meta published cryptographic proofs of secure deployment. The goal stayed consistent. Only the user holds the ability to decrypt.
Google entered the picture on the management side. A recent Android Authority piece described a Play services update version 26.23 dated June 15 2026. The update surfaces WhatsApp backup controls directly in device settings rather than buried inside the app. Users gain quicker access to frequency options data types and network preferences. The story called it “a convenient place to manage your WhatsApp chat and media backups.” Yet the article made no mention of encryption status. The convenience boost could encourage more backups. Without parallel emphasis on encryption that creates new risk.
And here’s the tension. Billions of users generate massive volumes of sensitive data. Political activists. Journalists. Business leaders. Everyday people discussing health finances and relationships. One forgotten backup can expose all of it. Recent X discussions from June 2026 show users still discovering the setting for the first time. Threads urge immediate activation. Some share horror stories of lost passwords locking them out permanently.
Meta’s approach reflects broader industry patterns. Signal offers encrypted backups too but with its own trade-offs. Apple and Google have moved toward default encryption in select areas yet full chat backup protection varies. The EFF piece compared them directly. Better defaults would help. For now WhatsApp places the burden on users. That choice protects the company from holding keys. It also leaves millions exposed.
Passkeys lower the barrier. The 2026 infrastructure upgrades add defense in depth. Transparency reports on key vaults build trust. Still the feature requires manual activation. Most users stick with defaults. They prioritize easy restore over theoretical threats. Until a high-profile breach ties directly to an unencrypted WhatsApp backup that calculus may not change.
So what should security-conscious organizations and power users do? Enable encrypted backups today. Use passkeys where available. Store recovery information safely offline. Consider limiting backup frequency or excluding especially sensitive chats. And coordinate with frequent contacts. One person’s unencrypted backup can compromise a group conversation.
The technology exists. The recent updates from Meta and Google show momentum toward better usability. Yet the gap between promise and practice remains. End-to-end encryption for messages set a high bar. Backups must clear it too. Anything less leaves the door open. And in a world of sophisticated adversaries and eager data requests that door needs to stay shut.


WebProNews is an iEntry Publication