WhatsApp Chat Histories Stored Unencrypted on macOS and iOS, Researchers Find
Mysk researchers discovered WhatsApp stores chat histories unencrypted in a shared app group container on iOS and macOS, exposing plaintext messages to other Meta apps like Facebook and Instagram.

Security researchers at Mysk have uncovered that WhatsApp stores chat histories in plaintext on both macOS and iOS devices, raising significant concerns about local data protection and cross-app access within Meta's app ecosystem. The finding, disclosed on May 24, 2026, reveals that WhatsApp's message database is kept in a shared app group container accessible to other Meta-owned applications without explicit user consent.
The issue centers on how WhatsApp handles local storage after messages are decrypted on the device. While WhatsApp employs end-to-end encryption (E2EE) to protect messages in transit, this protection does not extend to data stored locally once the user accesses it. According to the researchers, WhatsApp stores chat data in a SQLite database file named "Axolotl.sqlite" within the container path `group.net.whatsapp.WhatsApp.shared`.
Because this container is shared among apps from the same developer, other Meta-owned apps such as Facebook and Instagram can theoretically read the plaintext chat database without requiring additional permissions. This behavior does not violate Apple's sandboxing model, as shared containers are designed to allow data exchange between apps from the same developer. However, the key concern is that the database is stored unencrypted at rest, meaning any app with access to the container can read the contents.
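A defender-side check for the condition described above, as an added example (not code from Mysk, WhatsApp or Meta): it walks a directory and classifies each file as a plaintext SQLite database, by the 16-byte magic header every unencrypted SQLite file starts with, or as likely encrypted, by byte entropy. The sample container, its file names and the 7.0 bits-per-byte threshold are constructed assumptions.

```python
import math
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext or random data."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_at_rest(path: str) -> str:
    """Return 'plaintext-sqlite', 'likely-encrypted' or 'unknown' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if len(head) >= 1024 and shannon_entropy(head) > 7.0:  # assumed threshold
        return "likely-encrypted"
    return "unknown"

def audit_container(root: str) -> dict:
    """Walk a container directory and classify every file by relative path."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_at_rest(full)
    return results

def build_sample_container() -> str:
    """Constructed sample: one plaintext SQLite DB and one random-bytes file."""
    root = tempfile.mkdtemp(prefix="group.example.shared.")
    con = sqlite3.connect(os.path.join(root, "messages.sqlite"))
    con.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO msg (body) VALUES ('constructed sample message')")
    con.commit()
    con.close()
    with open(os.path.join(root, "sealed.db"), "wb") as fh:
        fh.write(os.urandom(4096))  # stand-in for an encrypted database file
    return root

if __name__ == "__main__":
    for rel, verdict in sorted(audit_container(build_sample_container()).items()):
        print(f"{verdict:18} {rel}")
```

A "plaintext-sqlite" verdict means the application has not encrypted the database itself; it says nothing about Apple's file-level Data Protection, which is transparent to any process that is allowed to open the file.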
The exposure of unencrypted chat databases introduces several security and privacy risks. These include cross-app data access within the same developer ecosystem, increased risk from malicious apps exploiting shared container permissions, forensic extraction of chat histories from compromised or jailbroken devices, and potential insider threats or misuse of legitimate app privileges. Although there is no public evidence that Meta is actively exploiting this access, the architectural design raises valid concerns about user data isolation.
The issue affects both iOS devices and macOS systems running WhatsApp, with heightened risk on macOS due to more flexible file system access. Apple's Data Protection framework can encrypt files based on device state, such as when the device is locked, but this does not guarantee that application-level databases are always encrypted in a way that prevents access by other authorized apps. Users and organizations can mitigate the risk by protecting devices with strong passcodes and biometric locks, not installing unnecessary apps from the same developer ecosystem, using mobile device management (MDM) solutions to restrict app permissions, and regularly updating iOS, macOS, and WhatsApp.
This finding underscores a broader industry challenge: securing data not just in transit, but also at rest on user devices. As messaging platforms increasingly emphasize encryption, attention is shifting toward endpoint security, where decrypted data inevitably resides. The disclosure is likely to prompt further scrutiny of how major applications handle local data storage and whether stronger encryption-at-rest mechanisms should become standard practice for privacy-focused services.