End-to-end encryption (E2EE) is usually touted as the best method to secure our messages and information. Signal, WhatsApp, and other apps feature E2EE as a means to guarantee nobody—not hackers, not the app developers, nor even governments—can access your messages. What if there exists a loophole that quietly bypasses this robust security?
That loophole is backups.
In this blog, we’ll explore how backups can break end-to-end encryption, why it’s a serious concern, and what users and companies can do to protect themselves.
Prefer watching instead of reading? Here’s a quick video guide
https://youtu.be/-O4HqJQryac?embedable=true
What is End-to-End Encryption (E2EE)?
Let us begin with the fundamentals. End-to-end encryption implies that both the sender and receiver of a message are only able to see its contents. The message gets encrypted on your device and decrypts only when it reaches the recipient's device. No middleman, even the service provider, is not allowed to see the content of the message.
# Example for End-to-End Encryption
from cryptography.fernet import Fernet
# Generate keys for sender and receiver
sender_key = Fernet.generate_key()
cipher = Fernet(sender_key)
# Encrypt message
message = b"Hello, this is a secret message."
encrypted = cipher.encrypt(message)
# Decrypt on receiver's side
decrypted = cipher.decrypt(encrypted)
print("Encrypted:", encrypted)
print("Decrypted:", decrypted.decode())
This is powerful stuff. But there's a catch.
How Do Backups Work?
Backups are duplicates of your information—chats, photos, settings—that are saved outside of your phone or computer, usually in the cloud (such as Google Drive or iCloud). They come in handy when you lose your device or upgrade to a new one. You can recover everything like nothing ever occurred.
# Simulate storing a backup to Openexploit cloud (not encrypted)
backup_data = {
"chat": "Hi, this is your chat history!",
"timestamp": "2025-05-09"
}
# Saved to file (representing openexploit cloud)
with open("openexploit_cloud_backup.json", "w") as f:
import json
json.dump(backup_data, f)
print("Backup saved without encryption.")
But the catch is this: most backups are encrypted differently from the original information.
The Fatal Flaw: Backups Break E2E
When you turn on backups, particularly cloud backups, several messaging apps keep your data decrypted or with lower-level encryption. That is to say, your E2EE is no longer covering you.
# Suppose the same chat is encrypted on-device but saved unencrypted in backup
cipher = Fernet(sender_key)
secure_message = cipher.encrypt(b"Hi, only the recipient should see this")
# Unsafe backup (unencrypted)
with open("leaky_backup.txt", "w") as f:
f.write("Hi, only the recipient should see this")
print("Original encrypted securely, but leaked in backup!")
Example: WhatsApp
WhatsApp encrypts messages using end-to-end encryption. But if you turn on Google Drive or iCloud backups, those messages are backed up outside the secure E2EE system. For years, those backups weren't even encrypted. Even today, you have to opt in to encrypted backups—and most people don't.
Who Can Access These Backups?
- Cloud Service Providers: If backups are encrypted, then Apple or Google technically cannot read them. Without encryption, they can.
- Hackers: If a hacker gets into your cloud account (perhaps through phishing or weak passwords), they can download and read your backup.
- Law Enforcement: Even though the service provider is unable to read your messages in real-time, law enforcement agents might subpoena your backup and read the contents legally.
- Insiders: Workers within cloud providers or messaging services might abuse access to peek at stored user information (this has occurred previously).
A Real-World Case
One of the most dramatic examples is the case of TeleMessage, a firm that altered Signal for government compliance by archiving messages. The original Signal application employs robust end-to-end encryption. But TeleMessage's variant stored messages for archiving purposes. This exposed messages to leaks.
# Signal-like encrypted message
secure_data = Fernet.generate_key()
cipher = Fernet(secure_data)
secure_msg = cipher.encrypt(b"This should never be archived plainly.")
# But custom version logs it unencrypted
with open("archived_data.log", "w") as f:
f.write("This should never be archived plainly.")
print("Signal was secure, custom archive leaked it.")
Later, attackers infiltrated the archive, accessing messages that were initially meant to be E2EE-encrypted. This case illustrates how tweaking secure apps to include features such as archiving or backups can compromise their fundamental security guarantees.
Why This Matters More Than Ever
With the rise in surveillance, hacking, and government scrutiny, many users rely on E2EE for privacy—activists, journalists, political figures, and everyday users alike. But if they don't know how backups work, they might be spilling their secrets without realizing it.
This is particularly risky because people have trust in E2EE apps without even knowing that backups are a different system with its own rules.
How Can You Protect Yourself?
Here are some steps users can take to protect their data:
- Disable Cloud Backups: Turn off automatic cloud backups in apps like WhatsApp unless you’re certain they’re encrypted.
- On WhatsApp: Go to Settings → Chats → Chat Backup → set "Back up to Google Drive" or "iCloud" to Never.
- Use Apps with Encrypted Backup Options: Some apps, like Signal, don't even allow unencrypted backups. They keep encrypted backups on the device (locally), and only you hold the passphrase to open it.
- Encrypt Your Cloud Account: Use secure passwords and turn on two-factor authentication (2FA) for your cloud storage. This provides an additional layer of security even if your backups are kept there.
- Encrypt Before Uploading: Manually encrypt files using third-party utilities before uploading them to the cloud. This way, even if an intruder gains access to your cloud account, they can't read the files.
- Check App Settings Regularly: App settings evolve over time. An update may turn on backups or modify security settings. Get into the habit of reviewing your app's backup and privacy settings periodically.
What Should Developers and Companies Do?
- Educate users clearly about the risks of backups.
- Provide encrypted backup options by default.
- Avoid storing encryption keys on servers.
- Conduct regular audits and publish results for transparency.
- Treat backups as first-class security concerns, not an afterthought.
Security is only as good as the weakest link, and backups are too often that weak link.
Final Thoughts
End-to-end encryption is a critical tool in defending our digital privacy. But it's not magic. It only works if the data remains within the encrypted bubble. The moment it leaves—such as into a backup—it may be vulnerable.
Keep in mind: A backup is just as secure as its weakest security layer.