WhatsApp Stores Chats Unencrypted on iOS and macOS
WhatsApp stores your chats unencrypted on macOS and iOS. Any Meta app can read them without permission. Breaking down the flaw discovered by Mysk.

You thought your WhatsApp conversations were safe thanks to end-to-end encryption? You're right in transit. But new research published by the Mysk team just revealed a far more uncomfortable reality: once messages land on your iPhone or your Mac, they're stored in plaintext, with no local encryption at all.
And the worst part? Any other Meta app installed on the same device (Facebook, Instagram, Threads) can technically read your entire conversation history without asking your permission. Here's a breakdown of a design flaw that changes the privacy conversation across the Apple ecosystem.
The Myth of End-to-End Encryption
WhatsApp has spent years hammering home that end-to-end encryption (E2EE) guarantees that no one, not even Meta, can read your messages. That's technically true, but incomplete.
End-to-end encryption protects your messages only while they're in transit between your device and your recipient's. Once a message arrives and is decrypted to be displayed on screen, it has to be stored somewhere for you to read it later. And that's exactly where the privacy promise breaks down.
The distinction matters:
→ Encryption in transit: your messages are unreadable while traveling across the internet
→ Encryption at rest: your messages are unreadable while stored on your device
WhatsApp brilliantly checks the first box. On the second, radio silence.
Axolotl.sqlite: The Database That Gives Everything Away
iOS security researchers at Mysk put their finger on the central element of this flaw. WhatsApp stores your entire chat history in a SQLite file called Axolotl.sqlite. The name isn't random: it's a reference to the Axolotl protocol, the ancestor of the Signal protocol that WhatsApp's encryption is built on.
The irony is striking: a file named after a reference encryption protocol... stores your messages in plaintext.
This file lives in a specific shared container on iOS and macOS:
group.net.whatsapp.WhatsApp.shared
That container is technically called an "app group container" in Apple's terminology. It's a legitimate mechanism in the iOS/macOS ecosystem that lets multiple apps from the same developer share data with each other. The problem isn't that this mechanism exists; it's what WhatsApp puts inside it.
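A quick at-rest encryption audit, written for this article as an added example (not code from Mysk or WhatsApp): an unencrypted SQLite file always begins with the literal header "SQLite format 3\0", while a database encrypted at rest (SQLCipher, the model Signal uses) shows no such header, so a defender can check a shared container for plaintext databases without opening a single message. The macOS container path and the table name are assumptions; the sample files in demo() are constructed, and the same check applies to the macOS scenario discussed further down.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Unencrypted SQLite files start with this 16-byte header; a database encrypted
# at rest (SQLCipher, as Signal uses) has no recognisable header in the clear.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Assumed macOS path of the app group container (hypothetical, adjust as needed).
DEFAULT_CONTAINER = os.path.expanduser(
    "~/Library/Group Containers/group.net.whatsapp.WhatsApp.shared")

def is_plaintext_sqlite(path):
    """True if the file is a readable, unencrypted SQLite database."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

def list_tables(path):
    """Table names a plaintext database exposes to any app in the group."""
    conn = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        conn.close()

def audit_container(container=DEFAULT_CONTAINER):
    """Map each .sqlite file under the container to whether it is plaintext."""
    findings = {}
    for root, _dirs, files in os.walk(container):
        for name in files:
            if name.endswith(".sqlite"):
                full = os.path.join(root, name)
                findings[full] = is_plaintext_sqlite(full)
    return findings

def demo():
    """Constructed sample: one plaintext DB next to one encrypted-looking blob."""
    tmp = tempfile.mkdtemp()
    plain = os.path.join(tmp, "Axolotl.sqlite")
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE messages (body TEXT)")  # constructed table name
    conn.commit()
    conn.close()
    with open(os.path.join(tmp, "encrypted.sqlite"), "wb") as f:
        f.write(os.urandom(4096))  # random bytes stand in for SQLCipher pages
    return audit_container(tmp), list_tables(plain)
```

Any file the audit maps to True is readable by every app in the group, and by any unprivileged process on a Mac with weak endpoint controls.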
Why Every Meta App Can Read Your Conversations
Here's the point that should worry every Meta ecosystem user: all of a developer's apps register under the same identity with Apple. That means Facebook, Instagram, Threads, and WhatsApp share the same group permissions on your iPhone or Mac.
In technical theory:
Facebook installed on your iPhone can access WhatsApp's shared container
Instagram can read your entire WhatsApp SQLite database
No notification is sent to the user when this happens
No additional permission is requested
And technically, none of this violates Apple's rules. The iOS sandboxing model explicitly authorizes this kind of sharing between apps from the same developer. That's literally what "shared app groups" are designed for.
Mysk released a video demonstration proving that a Meta app can read the WhatsApp file in plaintext without any user interaction. No exploitation, no hack: just normal use of an API that Apple documents publicly.

The Real Security Implications
At this point you might be thinking: "OK, but Meta isn't going to spy on its own users via Facebook; that would be a scandal." That's probably true. But the risk isn't limited to deliberate malicious behavior from Meta.
1. Compromise via a single Meta app
If Facebook, Instagram, or Threads ever gets compromised (through a vulnerability, a supply chain attack on a dependency, or a leaked developer credential), attackers no longer need to target WhatsApp directly. They access WhatsApp conversations through any of the other Meta apps.
2. Simplified forensic extraction
For law enforcement, investigators, or malicious actors with physical access to an unlocked (or jailbroken) device, the work becomes trivial. No need for sophisticated decryption techniques: just copy the Axolotl.sqlite file and open it with any free SQLite client. Years of private conversations in two commands.
3. Insider threats
Any Meta engineer with access to code that runs inside a Meta app from the same group (legitimately or through an undetected backdoor) technically has the capability to read the WhatsApp messages of hundreds of millions of users.
4. Heightened risk on macOS
On macOS, the filesystem is significantly more accessible than on iOS. If endpoint controls are weak, which is the default on personal Macs, malware or even an unprivileged script can access Axolotl.sqlite without restriction. For professionals using WhatsApp Desktop on a work Mac, this is a real attack surface.
Apple Data Protection's False Safety Net
Apple offers a framework called Data Protection that encrypts files based on device state. When your iPhone is locked, certain files become inaccessible until the next unlock. It's an excellent protection... against physical theft.
But Data Protection does absolutely nothing against access from an authorized app running on the same device. When you use your phone normally (unlocked, with Facebook open in the background), all of Data Protection's safeguards are effectively neutralized for this threat scenario.
The safety net exists. It just doesn't cover the right threat model.
How to Protect Yourself Concretely
Mitigations exist, but they require a change of habits. Here's what actually works, ordered by effectiveness:
Uninstall other Meta apps
Radical, but the only technical mitigation that actually works against cross-app reading. If Facebook, Instagram, and Threads aren't installed on your device, they can't read anything. For many sensitive users (journalists, lawyers, activists, executives), it's an acceptable trade-off.
Harden the device itself
A strong passcode (6 digits minimum, ideally alphanumeric), Face ID or Touch ID enabled, and notification previews disabled on the lock screen. These measures protect against physical access, not against the cross-app risk.
For enterprises: strict MDM
Mobile Device Management solutions let you restrict which apps can be installed on work devices and monitor abnormal behavior. For any organization handling sensitive data via WhatsApp Business, this is now a prerequisite, not a nice-to-have.
Keep iOS, macOS, and WhatsApp updated
Standard but essential. Meta will probably end up fixing this behavior under media pressure. When the patch ships, you'll want it immediately.
Migrate to a messenger with a stricter local storage model
If you handle truly sensitive conversations, Signal remains the reference for local encryption. Signal's database on iOS and macOS is encrypted at rest with a key stored in the OS Keychain, which prevents cross-app access even when developer groups are shared. Threema and Session offer comparable models.
The Bigger Problem Beyond WhatsApp
This disclosure goes far beyond WhatsApp itself. It illustrates a structural flaw in how the industry communicates about encryption.
For years, "end-to-end encryption" has been the ultimate marketing label: a guarantee of absolute privacy. But as this case demonstrates, encryption in transit is worthless if the data is stored in plaintext at the destination. It's like armoring a cash transport truck only to dump the cash in the street on arrival.
The future of digital privacy is now being fought on two fronts simultaneously:
→ Encryption in transit: the battle of the 2010s, largely won
→ Encryption at rest with strict isolation: the battle of the 2020s, barely started
And for offensive security, this affair opens up concrete perspectives. Bug bounty hunters and mobile pentesters should now systematically include analysis of shared app group containers in their methodology. How many other "secure" apps use the same pattern without measuring its implications? The question deserves more research.
Bottom Line
WhatsApp encrypts your messages in transit but stores them in plaintext on your iPhone and your Mac. Any other Meta app can technically read them. Apple authorizes this behavior by design. And the situation won't change until Meta implements real encryption at rest with per-app isolation.
Until then, the real question to ask is no longer "Is WhatsApp secure?" but "What threat model does WhatsApp actually cover?" And for many sensitive users, the answer probably doesn't match the marketing image.
Written by
Chris
Tech builder · Agentic AI & offensive security
A tech-obsessed builder, I'm building Sentinelle — an autonomous offensive-security AI agent. I write here about agentic AI, AI-assisted pentesting, and what I learn shipping offensive tooling.