WhatsApp now encrypts contact databases for privacy-preserving synching


WhatsApp has designed IPLS, a new identity-proof linked storage system. The feature aims to improve the privacy and security of contact management. This encrypted storage system addresses two problems that users have faced for years: losing contacts when changing devices, and being unable to sync contacts across multiple devices. Contact lists are attached to the user's account rather than to a specific device, so managing contacts is much easier when changing or upgrading devices.

One of the central features of IPLS is that it allows multiple contact lists, belonging to different accounts, to be held on the same device. Each list stays secured and segregated, and the data remains private between accounts.


IPLS relies heavily on advanced encryption, key transparency, and hardware security modules (HSMs). For instance, when a contact is added, the contact information is encrypted using a unique key generated on the user's device. All such keys are stored in WhatsApp's HSM-based Key Vault. When a user logs in for the first time from a new device, the device creates a secure session with the Key Vault, and the user can then access all of their encrypted contacts using the account's cryptographic key pair.

With IPLS, all contact data is end-to-end encrypted. It is encrypted directly on the user's device and stays protected as it transits WhatsApp's servers, so no unauthorized access can occur while it is being sent. Even Meta, WhatsApp's parent company, cannot access the encrypted data, which means extreme privacy for users.

WhatsApp has also collaborated with Cloudflare so that its cryptographic procedures are audited by an outside party. Cloudflare acts as a trusted auditor of updates to the Auditable Key Directory (AKD) and verifies that the changes are tamper-proof. WhatsApp publishes the audit reports on a publicly accessible Amazon S3 instance, enabling users and researchers to verify the integrity of the AKD on their own.
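The idea behind auditing directory updates, as an added example (not WhatsApp's or Cloudflare's code): each published epoch commits to the directory state and to the previous epoch, and an auditor who pinned an earlier epoch can detect both in-place edits and a rewritten history. This is a simplified hash-chain model, not the real AKD proof format; the record fields, function names and sample keys are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first epoch

def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def publish(log: list, directory: dict) -> dict:
    """Directory operator: append an epoch committing to the directory state."""
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"epoch": len(log) + 1, "root": digest(directory), "prev": prev}
    rec["hash"] = digest([rec["epoch"], rec["root"], rec["prev"]])
    log.append(rec)
    return rec

def audit(log: list, pinned=None) -> list:
    """Auditor: return findings; an empty list means the log is consistent."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log, start=1):
        if rec["epoch"] != i:
            findings.append(f"epoch {i}: wrong sequence number")
        if rec["prev"] != prev:
            findings.append(f"epoch {i}: does not extend previous epoch")
        if rec["hash"] != digest([rec["epoch"], rec["root"], rec["prev"]]):
            findings.append(f"epoch {i}: hash does not match contents")
        prev = rec["hash"]
    if pinned is not None:  # epoch the auditor recorded during an earlier audit
        idx = pinned["epoch"] - 1
        if idx >= len(log) or log[idx]["hash"] != pinned["hash"]:
            findings.append(f"epoch {pinned['epoch']}: history rewritten since last audit")
    return findings

def demo():
    """Constructed sample data: one honest log and two tampered copies."""
    log = []
    publish(log, {"alice": "pk_a1"})
    pinned = dict(publish(log, {"alice": "pk_a1", "bob": "pk_b1"}))
    publish(log, {"alice": "pk_a2", "bob": "pk_b1"})
    edited = [dict(r) for r in log]          # root swapped in place
    edited[1]["root"] = digest({"alice": "pk_evil", "bob": "pk_b1"})
    rebuilt = []                             # whole chain regenerated
    for d in ({"alice": "pk_a1"}, {"alice": "pk_evil", "bob": "pk_b1"}):
        publish(rebuilt, d)
    return audit(log, pinned), audit(edited, pinned), audit(rebuilt, pinned)
```

The rebuilt log is internally consistent, so only the auditor's pinned epoch exposes it; that is why an independent party holding earlier state matters.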

Before deploying IPLS, WhatsApp enlisted NCC Group to test its security. NCC Group's security review identified a critical flaw involving Marvell's HSMs that could potentially lead to impersonation attacks and reveal users' keys and sensitive contact information. WhatsApp addressed this flaw, which was counted alongside 12 less critical issues, in September 2024. The fixes give the new version of IPLS stronger security for its users.


Overall, IPLS is a welcome upgrade for WhatsApp users. It gives them improved privacy and a better means of managing contacts. Contacts update quickly without loss, and they stay secure because they are always encrypted.