WhatsApp is one of the most popular messaging apps in the world, with over 2 billion users. It uses end-to-end encryption to protect messages, media, and calls between users. This encryption is implemented using the Signal Protocol and ensures that messages can only be read by the sender and recipient.
On Android devices, WhatsApp stores encrypted local message databases in msgstore.db files. These files contain all messages, media, and other data associated with a user’s account. Older versions of WhatsApp used an unencrypted database, but since 2016 all msgstore.db files are encrypted using a crypt12 algorithm.
Overview of WhatsApp’s Encryption
Here is a quick overview of how WhatsApp’s end-to-end encryption works:
- Each user has a unique public/private key pair generated on their device.
- Keys are exchanged between users when contacting for the first time.
- Messages are encrypted with the recipient’s public key before being transmitted.
- Messages can only be decrypted by the recipient’s private key.
- WhatsApp and third parties cannot decrypt messages.
This ensures only the communicating users can access messages. WhatsApp does not have the keys to decrypt messages. The msgstore.db database on each device contains the encrypted messages associated with that user’s account.
History of msgstore.db Encryption
In WhatsApp’s early versions, msgstore.db was not encrypted and contained messages in plaintext. This posed a significant privacy and security risk if the database was extracted from a device.
Starting in early 2016, WhatsApp began encrypting msgstore.db using a crypt12 algorithm before storing messages. Crypt12 provides a 128-bit AES encryption key to encrypt each message before storing in the database.
Some key events in the history of WhatsApp msgstore.db encryption include:
- April 2016 – Encryption enabled for all new installs and registers.
- July 2016 – Encryption enabled for all re-installs after app update.
- August 2016 – Encryption fully rolled out to all existing installs.
This ensured full end-to-end encryption coverage for all WhatsApp users. The crypt12 encrypted msgstore.db continues to be used in all versions of WhatsApp ever since.
Where is msgstore.db Located?
The encrypted msgstore.db database file is located in the following directories on each platform:
Platform | Msgstore.db Location |
---|---|
iPhone | /User/Library/Databases/ChatStorage.sqlite |
Android | /data/data/com.whatsapp/databases/msgstore.db |
Windows Phone | /Data/SharedData/ChatStorage.sqlite |
On Android and Windows Phone, the msgstore.db file is located in the app’s private data directory. On iOS, it is in the ChatStorage.sqlite file under the user Library database directory.
msgstore.db Database Schema
The encrypted msgstore.db database has multiple tables to store different types of data. Here are some key tables:
- messages – Contains details of all chat messages including timestamp, from, to, type, status, etc.
- chat_list – Lists all the user’s chats and their contacts.
- contacts – Stores contact details of users.
- media – Stores metadata of media files like images, videos, audio sent in chats.
- stickers – Contains data on any stickers sent in chats.
There are several other tables like messages_fts, identity_changes, gifs, etc. for search indexing, key changes and other data.
Encryption Keys for msgstore.db
The crypt12 encryption algorithm uses a 128-bit AES encryption key to encrypt the msgstore.db file. This key is randomly generated on the user’s device when they first install WhatsApp.
The encryption key is derived from the user’s password. So if the user has set a password, it is used to generate the key. If no password is set, it is derived from the phone’s hardware identifiers.
Changing the user’s password or performing a re-install regenerates a new random encryption key. The old key is required to decrypt any existing msgstore.db backups.
Is Encrypted msgstore.db Secure?
The crypt12 encrypted msgstore.db provides strong security and prevents extraction of messages and data, even if physical access to the device is obtained. Some key aspects around its security:
- Secure 128-bit AES encryption prevents brute force attacks.
- Randomly generated keys enhance security and prevent backdoors.
- Keys are derived from user passwords or device hardware IDs.
- Encryption happens on user devices only.
- WhatsApp servers don’t have access to device encryption keys.
Crypt12 encryption has stood up well to all known attacks attempted by researchers and forensics experts. No technique has been found to decrypt the contents without the original encryption key.
Limitations of msgstore.db Encryption
While the crypt12 encrypted msgstore.db provides robust security, some limitations include:
- Encryption is limited only to data at rest on the device. Messages are also encrypted in transit.
- Backups of msgstore.db remain encrypted only if user sets a password.
- Encryption keys can be extracted if the OS is compromised through exploits.
- Does not prevent metadata analysis of usage patterns and contacts.
Users should be aware that strong device security is still important along with WhatsApp encryption. Other endpoint security measures like screen lock, remote wipe, malware scanning etc. are recommended.
How to Extract and Decrypt msgstore.db
It is extremely difficult to decrypt the encrypted msgstore.db file without the original encryption key used on the device. But here are the general steps involved:
- Gain physical access to the device and create a full backup.
- Extract the msgstore.db database file from the backup.
- Obtain the encryption key using exploits, hardware crackers, or consent.
- Use the encryption key and decryption tools to decrypt msgstore.db.
- The decrypted database can then be queried and analyzed.
This requires high technical expertise, substantial resources and time. Law enforcement agencies may use such techniques for legal investigations. But for ordinary users, msgstore.db decryption is not possible without the encryption key.
Tools to Analyze msgstore.db
There are several open source and commercial tools that can analyze WhatsApp msgstore.db databases. However, they require the database to be in an decrypted state to work. Some examples include:
Tool | Description |
---|---|
WhatsApp Viewer | Windows app to view chat messages, media, contacts from decrypted msgstore.db. |
SQLite Database Browser | Cross-platform SQLite DB viewer. Can browse decrypted msgstore.db |
Undark | Command line Python script to parse decrypted msgstore.db files. |
These tools simply view, search and analyze the DB once decrypted. The actual decryption still requires the encryption key.
Frequently Asked Questions
Is msgstore.db encrypted by default?
Yes, since 2016 all WhatsApp msgstore.db databases are encrypted using crypt12 encryption by default for all users.
Can WhatsApp decrypt msgstore.db?
No, WhatsApp does not have access to the encryption keys used on user devices. Only users have the keys to decrypt their own msgstore.db.
Does re-installing WhatsApp change encryption key?
Yes, re-installing WhatsApp on the same device generates a new random encryption key for msgstore.db.
Can I tell if someone has decrypted my msgstore.db?
Not directly. But if your chat history and media has been accessed by others then your msgstore.db was likely decrypted.
Is msgstore.db encrypted on SD card backups?
Msgstore.db will remain encrypted in SD card backups only if the user has set a backup password. Without a password, backups are unencrypted.
Can I decrypt msgstore.db without encryption key?
No, the crypt12 encryption used is extremely secure. Decryption without the original key is considered practically impossible by current standards.
Conclusion
The crypt12 encrypted msgstore.db database provides robust security for WhatsApp users’ messages, media, and data. Decryption is realistically only possible with the encryption key generated on the user’s device. While not infallible, it does prevent casual inspection of message data, even with physical access to devices. Users should continue to take precautions like setting backup passwords, device encryption, malware prevention and strong passwords.