Today WhatsApp is rolling out an important security fix for their iOS app. Let’s discover together what we’re talking about below!
|Topic about?||Security fix|
|Availability?||WhatsApp is rolling out the security fix for 2.21.80 builds.|
|I’ve the same version but I don’t see this news, why?||This isn’t something you can see with your eyes.|
|Previous article?||WhatsApp is asking to accept Terms of Service again|
This story is from a long time ago. One year ago, a WhatsApp user discovered that WhatsApp was storing the Two-Step Verification code in a file into the private directory of WhatsApp. Unfortunately the original tweet seems unavailable right now, but this is what I’ve quoted:
Note that the 2FA code isn't enough to get access your WhatsApp account. It needs another code received via SMS.
There is nothing to worry about now, but having that code in an encrypted text should be better. https://t.co/eDU1XKehPS
— WABetaInfo (@WABetaInfo) March 22, 2020
Being saved into the sandbox of the app, other apps cannot view it, for this reason WhatsApp saved it there. iOS updates from Apple always bring several fixes, that address security flaws, but it can happen that a flaw is unknown and it’s exploited using some techniques (called 0-days). These techniques, for example installing malicious apps from third parties or exploiting some arbitrary code execution from Safari, might access without any authorization to private files.
WABetaInfo is able today to confirm that WhatsApp, in order to make the Two-Step Verification code more private, is now rolling out a security fix, moving the Two-Step Verification PIN from the sandbox of the app to the iOS Keychain, an iOS private and safe database used from apps to store their sensible data.
WhatsApp was considering to release this security fix a long time ago, but we don’t know why they didn’t do. Fortunately, we can confirm that it’s available today for all users having the WhatsApp for iOS 2.21.80 version installed.
2.21.80 is a beta build available for beta testers on TestFlight, but it has been sent to the App Store and it should be available within the next few hours for production. We really recommend to install the new update when it is available, so your WhatsApp account will be eligible to receive this security fix.
If you have a previous beta version from TestFlight, please install this version to be sure that the latest security fix takes effect.
Note that WhatsApp for Android doesn’t need a similar fix.
Let us know on Twitter if you like this article and read our next announcements on our Telegram Channel!
WABetaInfo has a Discord Server about WhatsApp, where you can chat, give advice, ask for help to other participants and read my announcements!