WhatsApp has launched a new privacy-focused feature called Identity Proof Linked Storage (IPLS), designed to securely manage and store contact lists.

This encrypted storage system addresses two common issues WhatsApp users have faced for years: the risk of losing contacts if their phone is lost and the inability to sync contacts across multiple devices.

With IPLS, contact lists are now linked to the user’s account instead of their device, allowing seamless management during device changes or replacements. Additionally, the system supports the creation of separate contact lists for different accounts on the same device, ensuring each list is securely managed and isolated.

Encrypted and Secure Contact Storage

IPLS uses a combination of encryption, key transparency, and Hardware Security Modules (HSMs) to maintain security. When a new contact is added, the information is encrypted using a symmetric key generated on the user’s device, and this data is stored securely in WhatsApp’s HSM-based Key Vault.

During a device change, users authenticate using a cryptographic keypair linked to their account, establishing a secure connection with the Key Vault to retrieve their contact information. WhatsApp ensures that all contact data is encrypted end-to-end, preventing unauthorized access during transmission or by Meta employees.

Independent Auditing and Enhanced Security

To further ensure the integrity of the system, WhatsApp has partnered with Cloudflare to independently audit its cryptographic operations. Cloudflare guarantees updates to the Auditable Key Directory (AKD), and WhatsApp publishes proofs of consistency for these updates, allowing users and researchers to verify the integrity of the AKD via a publicly accessible Amazon S3 instance.

Prior to its launch, NCC Group conducted a security audit of IPLS. A critical flaw, which could have allowed the impersonation of Marvell HSMs and decryption of users’ secret keys, was identified and resolved in September 2024, along with other lower-severity issues. As a result, the final release of IPLS is free from these vulnerabilities.