WhatsApp Chat Histories Stored Unencrypted on macOS and iOS: What You Need to Know

[Image: WhatsApp local storage diagram showing unencrypted SQLite databases in a shared iOS/macOS app container.]

End-to-end encryption protects messages in transit. Local storage is a different story.


Introduction

WhatsApp says your messages are end-to-end encrypted. That is true for transmission. But what happens after they reach your phone?

New research from iOS security researchers at Mysk has revealed that WhatsApp chat histories may be stored unencrypted on both macOS and iOS devices. The findings raise fresh concerns about local data protection and cross-application access within the Apple ecosystem.

This article explains the issue, its implications, and what you can do to protect yourself.


What Researchers Found

The Discovery

WhatsApp stores chat data in a SQLite database file commonly named “Axolotl.sqlite.”

Where It Is Stored

The file is stored in a shared app group container labeled: group.net.whatsapp.WhatsApp.shared

Who Can Access It

Because this container is accessible to applications that share the same developer group permissions, other Meta-owned apps such as Facebook and Instagram could theoretically access the stored data without requiring explicit user consent.

The Key Concern

The database is stored in plaintext. It is not encrypted at rest.
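What "plaintext at rest" means at the file level, as an added example that is not taken from the Mysk research or from WhatsApp's code: a plaintext SQLite file begins with a fixed 16-byte header string and opens without any key, while a file encrypted at rest exposes neither. The function names and both sample files are constructed for illustration.

```python
import os
import sqlite3
import struct
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file

def inspect_db_file(path):
    """Report whether a file is a plaintext SQLite database readable without a key."""
    with open(path, "rb") as fh:
        header = fh.read(100)  # the SQLite file header is 100 bytes long
    if len(header) < 100 or header[:16] != SQLITE_MAGIC:
        # An encrypted database (or a non-SQLite file) does not expose the magic string.
        return {"plaintext_sqlite": False, "page_size": None, "tables": []}
    (raw,) = struct.unpack(">H", header[16:18])
    page_size = 65536 if raw == 1 else raw  # the value 1 encodes 64 KiB pages
    # Open read-only so the audit never modifies the file under inspection.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
    finally:
        conn.close()
    return {"plaintext_sqlite": True, "page_size": page_size,
            "tables": [r[0] for r in rows]}

def build_samples(directory):
    """Constructed sample files: one plaintext database, one opaque blob."""
    plain = os.path.join(directory, "sample_plain.sqlite")
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES ('constructed test row')")
    conn.commit()
    conn.close()
    opaque = os.path.join(directory, "sample_opaque.sqlite")
    with open(opaque, "wb") as fh:
        fh.write(os.urandom(4096))  # constructed stand-in for a file encrypted at rest
    return plain, opaque

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for sample in build_samples(tmp):
            print(os.path.basename(sample), inspect_db_file(sample))
```

The same header check is a quick way for an app developer or auditor to confirm that a database intended to be encrypted at rest is not being written in the clear.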


Does This Violate Apple’s Rules?

This behavior does not violate Apple’s sandboxing model. Shared containers are designed to allow data exchange between apps from the same developer.

However, the security concern is separate from the policy question. The database is stored in plaintext, meaning any app with access to the container can read your chat history.


The Important Distinction

Aspect | Status
End-to-end encryption (in transit) | Yes – messages protected during transmission
Local storage encryption (at rest) | No – database stored in plaintext
Cross-app access protection | Limited – shared container accessible to other Meta apps

End-to-end encryption protects messages during transmission between users. Once messages are decrypted on a device, they may be stored in a readable format. Local storage security depends on app implementation, not E2EE.


Security and Privacy Risks

The exposure of unencrypted chat databases introduces several risks:

1. Cross-App Data Access
Other Meta-owned apps (Facebook, Instagram) with access to the same shared container could theoretically read chat histories.

2. Malicious App Exploitation
If any app within the same developer ecosystem is compromised, attackers could access the container.

3. Forensic Extraction
Chat histories could be extracted from compromised or jailbroken devices.

4. Insider Threats
Legitimate app privileges could be misused by employees or malicious actors.

Important Note: There is no public evidence that Meta is actively exploiting this access. However, the architectural design raises valid concerns about user data isolation.


Platform Differences

iOS: The issue affects iOS devices running WhatsApp. Apple’s Data Protection framework can encrypt files based on device state (e.g., when the device is locked). However, this does not guarantee that application-level databases are always encrypted in a way that prevents access by other authorized apps.

macOS: The risk may be more pronounced on macOS, where file system access is more flexible and endpoint security controls may be weaker.


Mitigations: What You Can Do

For Individual Users:

  1. Use strong passcodes and biometric locks on your devices
  2. Keep iOS, macOS, and WhatsApp updated to benefit from security improvements
  3. Be cautious about jailbreaking your device
  4. Limit installation of unnecessary apps from the same developer ecosystem

For Organizations:

  1. Use Mobile Device Management (MDM) solutions to restrict app permissions
  2. Implement endpoint security controls on macOS devices
  3. Consider alternative messaging apps for high-security use cases
  4. Educate employees about local storage risks

Alternative Messaging Apps with Stronger Local Storage:

  • Signal (encrypted local database)
  • Threema (encrypted local storage)
  • Wire (enterprise-focused with local encryption)
  • Session (decentralized with local encryption)

The Broader Industry Challenge

This finding underscores a broader industry challenge: securing data not just in transit, but also at rest on user devices.

As messaging platforms increasingly emphasize encryption, attention is shifting toward endpoint security, where decrypted data inevitably resides.

Key questions for the industry:

  • Should messaging apps encrypt local databases by default?
  • Should shared containers be used for sensitive data?
  • How can users verify local storage security?
  • What standards should apply to data at rest?

Conclusion

WhatsApp uses strong end-to-end encryption to secure messages in transit. This protection does not extend to how data is stored locally once the user accesses it.

Researchers at Mysk have discovered that WhatsApp chat histories may be stored unencrypted on macOS and iOS devices. The database is stored in plaintext in a shared container accessible to other Meta-owned apps.

While there is no evidence of active exploitation, the design raises legitimate privacy concerns. Device compromise, forensic extraction, or access by other apps in the same container could expose sensitive chat histories.

Users concerned about local storage security should take precautions: use strong device passcodes, keep software updated, and consider alternative apps for high-security needs.

The disclosure is likely to prompt further scrutiny of how major applications handle local data storage and whether stronger encryption-at-rest mechanisms should become standard practice for privacy-focused services.

Q: If WhatsApp has end-to-end encryption, how can my chats be unencrypted?

Ans: End-to-end encryption only protects your messages while they are traveling across the internet (in transit). Once they reach your iPhone or Mac and are decrypted for you to read, WhatsApp stores them in plaintext in local databases, meaning they are fully unencrypted at rest.

Q: Can Facebook and Instagram read my WhatsApp messages?

Ans: Architecturally, yes. Because WhatsApp stores its decrypted chat databases in a shared Apple app group container (group.net.whatsapp.WhatsApp.shared), other apps from the same developer (Meta) have the technical permission to read those files without triggering an alert or permission dialog.

Q: How can I protect my WhatsApp chat history on my iPhone?

Ans: To reduce the risks to locally stored WhatsApp data, use a strong device passcode and biometrics so that Apple’s Data Protection framework can protect files on the device. Avoid jailbreaking your device, and consider auditing or limiting the co-installation of other Meta applications if you use WhatsApp for highly sensitive communications.

Q: What is the name of the unencrypted SQLite database file where WhatsApp stores chat histories?

Ans: Axolotl.sqlite.

Q: Which security research team disclosed these plaintext storage findings on May 23, 2026?

Ans: Talal Haj Bakry and Tommy Mysk (Mysk).

Q: Why can other Meta-owned apps potentially access this database on Apple devices?

Ans: Because the file is stored in a shared app group container (group.net.whatsapp.WhatsApp.shared) accessible to apps holding the same developer permissions.

Q: Does End-to-End Encryption (E2EE) protect the database once it is stored locally on the device?

Ans: No, E2EE only protects messages in transit; it does not protect data at rest on the local device.

Adv. Shoeb Hakim
Data Privacy & Mobile Security Advisor



Disclaimer: This article is for informational purposes only and does not constitute legal advice.

