WhatsApp Chat Histories Unencrypted on macOS & iOS Devices
Security researchers reveal that WhatsApp chat histories may be stored unencrypted on both macOS and iOS devices, raising fresh concerns over local data protection and cross-application access within the Apple ecosystem.
The issue, highlighted by iOS security researchers at Mysk, centers on how WhatsApp stores its message database locally after messages are decrypted on the device.
While WhatsApp uses strong end-to-end encryption (E2EE) to secure messages in transit, this protection does not extend to how data is stored locally once the user accesses it.
WhatsApp Chats Stored Unencrypted
According to the researchers, WhatsApp stores chat data in a SQLite database file commonly named “Axolotl.sqlite.”
This file is reportedly stored in a shared app group container labeled:
- group.net.whatsapp.WhatsApp.shared
Because this container is accessible to applications that belong to the same developer's app group, other Meta-owned apps such as Facebook and Instagram could theoretically access the stored data without requiring explicit user consent.
This behavior does not violate Apple’s sandboxing model, as shared containers are designed to allow data exchange between apps from the same developer.
However, the key concern is that the database is stored in plaintext, meaning it is not encrypted at rest.
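One way to check the "plaintext at rest" property on a database file you are auditing, as an added example (not code from Mysk, WhatsApp or this site): it tests for the SQLite header magic, measures first-page entropy, and confirms the schema is readable without a key. The function names, the `messages` table and both sample files are constructed for illustration.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext, much lower for plaintext pages."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_db_file(path: str) -> dict:
    """Report whether a file at rest is a readable, unencrypted SQLite database."""
    with open(path, "rb") as f:
        head = f.read(4096)
    report = {"plaintext_sqlite": False, "tables": [],
              "entropy": round(shannon_entropy(head), 2)}
    if head[:16] != SQLITE_MAGIC:
        return report  # not SQLite, or encrypted including the header
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # read-only: never modify the file
    try:
        with closing(sqlite3.connect(uri, uri=True)) as con:
            rows = con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
            report["tables"] = [r[0] for r in rows]
        report["plaintext_sqlite"] = True
    except sqlite3.DatabaseError:
        pass  # magic present but pages are unreadable without a key
    return report

def build_constructed_samples(directory: str) -> tuple:
    """Constructed inputs: a plaintext DB and random bytes standing in for ciphertext."""
    plain = os.path.join(directory, "plain.sqlite")
    with closing(sqlite3.connect(plain)) as con:
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO messages (body) VALUES ('constructed sample row')")
        con.commit()
    opaque = os.path.join(directory, "opaque.bin")
    Path(opaque).write_bytes(os.urandom(4096))
    return plain, opaque

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for sample in build_constructed_samples(d):
            print(os.path.basename(sample), classify_db_file(sample))
```

A file that reports `plaintext_sqlite: True` is readable by any process that can open it, regardless of how the messages were protected in transit.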
The findings highlight an important distinction:
- End-to-end encryption protects messages during transmission between users.
- Once messages are decrypted on a device, they may be stored in a readable format.
- Local storage security depends on app implementation, not E2EE.
This means that while attackers cannot intercept messages in transit, any compromise of the device or access by authorized apps within the same container could expose sensitive chat histories.
The exposure of unencrypted chat databases introduces several security and privacy risks:
- Cross-app data access within the same developer ecosystem.
- Increased risk from malicious apps exploiting shared container permissions.
- Forensic extraction of chat histories from compromised or jailbroken devices.
- Insider threats or misuse of legitimate app privileges.
Although there is no public evidence that Meta is actively exploiting this access, the architectural design raises valid concerns about user data isolation.
On macOS, where file system access is more flexible, the risk may be more pronounced if endpoint security controls are weak.
Apple's Data Protection framework can encrypt files based on device state (e.g., when the device is locked), but this does not guarantee that application-level databases are always encrypted in a way that prevents access by other authorized apps.
Mitigation and Recommendations
Users and organizations concerned about this issue can take several precautions:
- Ensure devices are protected with strong passcodes and biometric locks.
- Avoid installing unnecessary apps from the same developer ecosystem.
- Use mobile device management (MDM) solutions to restrict app permissions in enterprise environments.
- Regularly update iOS, macOS, and WhatsApp to benefit from security improvements.
- Consider alternative messaging apps with stricter local storage encryption models if required for high-security use cases.
This finding underscores a broader industry challenge: securing data not just in transit, but also at rest on user devices.
As messaging platforms increasingly emphasize encryption, attention is shifting toward endpoint security, where decrypted data inevitably resides.
The disclosure is likely to prompt further scrutiny of how major applications handle local data storage and whether stronger encryption-at-rest mechanisms should become standard practice for privacy-focused services.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.




