WhatsApp Storage Claim Raises macOS, iOS Privacy Questions

News Room

End-to-end encryption can protect a message in transit, but it cannot protect every place that message lands.

Researchers at Mysk have alleged that WhatsApp stores some decrypted chat data in readable local database files on macOS and iOS, raising questions about how much protection users have after messages reach an Apple device.

The allegation points to a broader issue for messaging apps: encryption can protect delivery, but local databases, device backups, shared app containers, and operating system controls still matter once a message is opened.

For organizations that allow WhatsApp on managed devices, the issue is less about whether end-to-end encryption works and more about what happens on the endpoint after encryption has done its job.

Researchers allege readable local databases

Security researchers at Mysk alleged that WhatsApp stores some chat databases in an app group container that could be accessible to apps from the same developer, depending on permissions and platform protections.

“WhatsApp stores chat databases unencrypted in an app group container accessible to apps from the same developer,” the researchers said, according to Cyber Security News.

Some WhatsApp data files, including Axolotl.sqlite, ContactsV2.sqlite, and LocalKeyValue.sqlite, were found in a shared WhatsApp container on Apple devices.

App group containers are designed to allow related apps or extensions from the same developer to share data. The concern raised by researchers is that the protection of readable local chat data may depend more heavily on Apple’s sandboxing, device security, and backup protections.

If accurate, that would make endpoint protections, device access controls, and backup security especially important.

Experts dispute the broader claim

WABetaInfo pushed back on the broader interpretation of the finding, saying on X that the claim was “misleading.” The outlet said WhatsApp’s database may not be encrypted on the device, but it is stored in a secure container that only WhatsApp can access under normal system permissions.

WABetaInfo also disputed the claim that other Meta apps, such as Facebook and Instagram, can access the WhatsApp database. According to its post, the shared container supports data migration between WhatsApp and WhatsApp Business, not cross-app access by other Meta apps.

The issue could still matter if an attacker has elevated access or exploits an operating system flaw. Experts cited a recently disclosed macOS Archive Utility flaw, CVE-2026-28910, as one scenario that could allow broader filesystem access.

That makes the issue more limited than a simple cross-app data exposure claim. The remaining concern is whether readable local data could become exposed if a device is compromised, a backup is insecure, or an operating system flaw bypasses normal protections.

What IT teams can do now

Security teams should treat this as an endpoint and mobile device management issue, not just a messaging app issue.

Organizations that allow WhatsApp on managed devices can reduce risk by requiring strong passcodes, biometric locks, the latest iOS and macOS versions, and encrypted iPhone backups via Finder or iTunes. Teams handling regulated or highly sensitive conversations should also review whether WhatsApp’s reported local storage model fits their risk profile.
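
One way to check the encrypted-backup requirement on a managed Mac, as an added example that is not part of the original article: the script reads each local Finder backup's `Manifest.plist` and reports whether its `IsEncrypted` flag is set. The default backup path, the `Lockdown`/`DeviceName` lookup, and all function names are assumptions of this example, and the sample folders it writes are constructed test data.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Default Finder backup folder on macOS (assumption); pass another root if needed.
DEFAULT_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def audit_backups(root=DEFAULT_ROOT):
    """Return one record per backup folder with its encryption state."""
    records = []
    root = Path(root)
    if not root.is_dir():
        return records
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        record = {"backup": folder.name, "device": None, "encrypted": None}
        try:
            with (folder / "Manifest.plist").open("rb") as fh:
                manifest = plistlib.load(fh)
            # IsEncrypted is the flag recorded when local backup encryption is on.
            record["encrypted"] = bool(manifest.get("IsEncrypted", False))
            record["device"] = manifest.get("Lockdown", {}).get("DeviceName")
        except (OSError, ValueError, ExpatError, AttributeError):
            pass  # missing or corrupt manifest: state stays unknown (None)
        records.append(record)
    return records


def non_compliant(records):
    """Backups that are unencrypted or whose state could not be read."""
    return [r["backup"] for r in records if r["encrypted"] is not True]


def build_sample(root):
    """Write three constructed backup folders (not real device data)."""
    root = Path(root)
    for name, flag in (("constructed-enc", True), ("constructed-plain", False)):
        (root / name).mkdir(parents=True)
        body = {"IsEncrypted": flag, "Lockdown": {"DeviceName": "Test iPhone"}}
        with (root / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump(body, fh)
    (root / "constructed-broken").mkdir(parents=True)
    (root / "constructed-broken" / "Manifest.plist").write_bytes(b"not a plist")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("needs attention:", non_compliant(audit_backups(tmp)))
```

A backup whose manifest cannot be read is reported alongside unencrypted ones, so an unknown state is reviewed instead of being treated as compliant.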

Until more details emerge, the practical takeaway is clear: end-to-end encryption protects transmission, but it does not automatically guarantee encrypted local storage.
