Mysk: WhatsApp Stores Chats Unencrypted, Meta Apps Can Read Them

Mysk researchers found WhatsApp stores chat history unencrypted in a file accessible to Facebook and Instagram on iOS and macOS without user permission.

    WhatsApp encrypts messages in transit — but iOS and macOS security researchers at Mysk disclosed on May 24, 2026 that after those messages arrive on a device, the decrypted chat history sits in an unprotected SQLite database file that Facebook and Instagram can read without triggering a single user permission prompt.

    How WhatsApp’s Axolotl.sqlite Database Exposes Messages After Delivery

    Mysk’s analysis of WhatsApp’s file structure on iOS and macOS found that the application writes its full chat history to a SQLite database named “Axolotl.sqlite,” stored inside a shared app group container identified as “group.net.whatsapp.WhatsApp.shared.” The file carries no encryption at rest. Once end-to-end encrypted messages are decrypted upon delivery and written to local storage, their content is accessible as plaintext to any application that has permission to read that container. The database structure does not apply additional cryptographic protection beyond what the device’s standard file system offers.
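One way to check the at-rest state described above, as an added example that is not Mysk's tooling or code from the original article: the script tells a plaintext SQLite file from an opaque one by its 16-byte header and byte entropy. The two sample files are constructed in a temporary directory, and the 7.5 bits-per-byte threshold is an assumed heuristic.

```python
import math
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a plaintext SQLite file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); ciphertext sits close to 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def classify_db_file(path: str) -> dict:
    """Classify a file as plaintext SQLite, likely encrypted, or unknown."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    result = {"path": path, "entropy": round(shannon_entropy(head), 2), "verdict": "unknown"}
    if head[:16] == SQLITE_MAGIC:
        # Header bytes 16-17 hold the page size (big-endian); 1 means 65536.
        size = int.from_bytes(head[16:18], "big")
        result["page_size"] = 65536 if size == 1 else size
        # Open read-only so the audit never modifies the file under test.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
            result["tables"] = sorted(r[0] for r in rows)
        finally:
            con.close()
        result["verdict"] = "plaintext-sqlite"
    elif result["entropy"] > 7.5:  # assumed heuristic threshold
        result["verdict"] = "likely-encrypted"
    return result


def demo() -> tuple:
    """Classify two constructed files: a plain database and random bytes."""
    tmp = tempfile.mkdtemp()
    plain, opaque = os.path.join(tmp, "plain.sqlite"), os.path.join(tmp, "opaque.bin")
    con = sqlite3.connect(plain)
    con.executescript("CREATE TABLE messages (body TEXT);"
                      "INSERT INTO messages VALUES ('constructed sample text');")
    con.close()
    with open(opaque, "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for an encrypted database file
    return classify_db_file(plain), classify_db_file(opaque)
```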

    How Apple’s App Group Model Gives Facebook and Instagram Access to Axolotl.sqlite

    Apple’s developer app group mechanism is a standard platform feature that allows multiple applications from the same organization to share a common data container — files, preferences, cached data — without requiring the operating system to broker each individual read. Because WhatsApp, Facebook, and Instagram are all Meta-owned applications registered under the same developer identity, all three have access to the shared container where Axolotl.sqlite resides. No user-facing permission dialog appears when a Meta application accesses this container, and the operating system generates no visible alert. A device running WhatsApp alongside either the Facebook or Instagram application gives Meta’s two primary advertising platforms passive read access to the complete local WhatsApp chat history — without any user interaction, without any software flaw, and without any exploit.
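To see which apps share a container, compare their App Groups entitlements. The following added example (not from the article or from Mysk) parses entitlements plists, such as those `codesign -d --entitlements` prints on macOS, and lists the apps that declare the same group; every bundle ID, team ID and group name in it is hypothetical.

```python
import plistlib
from collections import defaultdict

APP_GROUPS_KEY = "com.apple.security.application-groups"  # App Groups entitlement
TEAM_ID_KEY = "com.apple.developer.team-identifier"


def _ent(team, groups=None):
    """Serialize a constructed entitlements dictionary to plist XML bytes."""
    data = {TEAM_ID_KEY: team}
    if groups is not None:
        data[APP_GROUPS_KEY] = groups
    return plistlib.dumps(data)


# Constructed samples: every bundle ID, team ID and group name is hypothetical.
SAMPLE_ENTITLEMENTS = {
    "com.example.chat": _ent("AAAAAAAAAA", ["group.com.example.chat.shared"]),
    "com.example.social": _ent("AAAAAAAAAA", ["group.com.example.chat.shared",
                                              "group.com.example.social"]),
    "com.example.photos": _ent("AAAAAAAAAA", ["group.com.example.social"]),
    "org.other.notes": _ent("BBBBBBBBBB", ["group.org.other.notes"]),
    "org.other.game": _ent("BBBBBBBBBB"),  # declares no app groups at all
}


def group_membership(entitlements):
    """Return {group: {bundle_id: team_id}} for every declared app group."""
    members = defaultdict(dict)
    for bundle_id, raw in entitlements.items():
        ent = plistlib.loads(raw)
        for group in ent.get(APP_GROUPS_KEY, []):
            members[group][bundle_id] = ent.get(TEAM_ID_KEY, "unknown")
    return dict(members)


def co_readers(bundle_id, entitlements):
    """List (group, other_app) pairs: apps that share a container with bundle_id."""
    pairs = []
    for group, apps in sorted(group_membership(entitlements).items()):
        if bundle_id in apps:
            pairs += [(group, other) for other in sorted(apps) if other != bundle_id]
    return pairs


if __name__ == "__main__":
    for group, other in co_readers("com.example.chat", SAMPLE_ENTITLEMENTS):
        print(f"{group}: also readable by {other}")
```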

    WhatsApp’s Encryption Claims Do Not Apply to On-Device Message Storage

    The access path documented by Mysk targets a specific and structurally different layer from the one WhatsApp’s end-to-end encryption protects. E2E encryption applies to messages while they travel between sender and recipient — the cryptographic guarantees prevent interception in transit. That protection ends when a message is decrypted on the receiving device and written to local storage. The Mysk finding is also categorically distinct from macOS CVE-2026-28910, the Archive Utility sandbox bypass that Apple patched in March 2026, which required active exploitation of a software vulnerability. The shared container access to WhatsApp’s chat database operates through Apple’s legitimate developer framework: no vulnerability is needed, and no exploit is required. It works by design.

    Law Enforcement Access When Meta’s Apps Already Hold Plaintext WhatsApp Messages

    The architecture surfaces a second category of concern beyond Meta’s own advertising-platform access. In jurisdictions where Meta cooperates with government data requests, law enforcement or intelligence agencies can potentially obtain WhatsApp message content by directing legal process at Meta — without any adversarial access to the E2E encryption layer. The Mysk disclosure frames this not as a traditional backdoor but as a design choice: a shared unencrypted container combined with Meta-wide app group permissions achieves a functionally equivalent outcome for any party with the legal authority to compel Meta to provide data it can access. This is relevant both to active law enforcement investigations and to broader debates about iOS platform access for encrypted messaging applications.

    Active Legal Proceedings Against Meta Gain Independent Technical Corroboration

    Two ongoing lawsuits against Meta now have a publicly verifiable, reproducible technical finding consistent with their central allegations. A federal class action filed in January 2026 in the Northern District of California and a May 2026 lawsuit brought by the Texas Attorney General both cite unnamed whistleblowers claiming that Meta maintains internal mechanisms to access WhatsApp message content. Before the Mysk disclosure, those claims rested solely on whistleblower accounts with no independently verified technical mechanism. Mysk’s identification of the Axolotl.sqlite container, its unencrypted contents, and the app group access path available to Facebook and Instagram provides a concrete, independently reproducible technical basis consistent with the allegations in both proceedings.

    WhatsApp and Meta had not issued a public response to the disclosure as of the time of publication. The finding places WhatsApp’s device-level threat model under direct scrutiny — particularly for users on devices where Facebook or Instagram are co-installed alongside WhatsApp, and who have relied on end-to-end encryption as their primary justification for using a Meta-owned messaging platform.
