Deleted WhatsApp chats can still be read, security researcher warns
Published 02/08/2016 | 08:32
WhatsApp isn't actually deleting the messages you send to the archive, according to a security researcher.
On Apple devices the app stores a "forensic trace" of all chats, be they "deleted, cleared, or archived", Jonathan Zdziarski found. This means that instead of disappearing from the device as you'd expect, a trace of the chat remains in the phone. And that trace could be reconstructed into its "original form" by someone with access to the device.
It would be reasonable for WhatsApp users to expect message history to disappear from a phone when a conversation is deleted, especially given WhatsApp's focus on privacy and security: the app recently introduced end-to-end encryption.
But instead of properly deleting messages, the app retains a memory of chats that could be recovered using forensic tools by law enforcement or anyone else with access to the device.
"Simply preserving deleted data on a secure device is not usually a significant issue, but when that data comes off the device as freely as WhatsApp's database does, it poses rather a serious risk to privacy," said Zdziarski.
On your iPhone or iPad, WhatsApp's data is stored in an unencrypted form. Although the messaging service now uses end-to-end encryption, that only applies to data that is travelling between devices so that messages can't be intercepted and read.
That data, including the traces of deleted conversations, is automatically backed up to iCloud whether or not iCloud sync is enabled; the backup is also not encrypted and could therefore be read by a third party.
This means anyone with access to the physical device or a computer associated with the device can access the messages, especially if the user doesn't have a password protecting their backups.
"Law enforcement can potentially issue a warrant with Apple to obtain your deleted WhatsApp logs, which may include deleted messages," said Zdziarski. "The core issue here is that ephemeral communication is not ephemeral on disk."
The only way to totally delete the information stored by WhatsApp is to delete the app entirely. While WhatsApp users on the whole do not need to panic about the discovery, according to Zdziarski, he urged software developers to consider the forensic trace their products leave behind when designing them.
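The article does not say how WhatsApp stores chats on disk. The following example is added here and is not code from the article or from WhatsApp; it assumes a SQLite database, the usual on-device store for iOS apps, to show the general failure mode Zdziarski describes: a row deleted from a table is only unlinked from the page, so its plaintext survives in the file until the space is reused, and a byte-level scan of the file recovers it. It also shows the two app-side mitigations a developer would reach for, the `secure_delete` pragma (which zeroes freed cells) and `VACUUM` (which rebuilds the file). The table name `message`, the file name `chat.db` and the message body are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample message; not a real chat.
SAMPLE_BODY = "constructed sample: meet at the cafe at 8"


def write_and_delete(path, secure_delete):
    """Create a one-table chat store, insert a message, then delete it.

    secure_delete=False mimics the default SQLite behaviour of most builds:
    the freed cell is put on the page's free list but its bytes are left
    in place. secure_delete=True makes SQLite zero the freed bytes.
    Returns the number of rows still visible through SQL (always 0).
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO message (body) VALUES (?)", (SAMPLE_BODY,))
    conn.commit()
    # Delete by key so the normal row-deletion path is exercised (not the
    # whole-table truncate shortcut), as an app deleting one chat would.
    conn.execute("DELETE FROM message WHERE id = 1")
    conn.commit()
    live = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    conn.close()
    return live


def carve(path, needle):
    """Forensic-style scan: every offset at which needle occurs in the raw
    file, ignoring SQLite's page structure. For unencrypted text this is
    all that 'reconstructing the trace' requires."""
    with open(path, "rb") as f:
        data = f.read()
    offsets, i = [], data.find(needle)
    while i != -1:
        offsets.append(i)
        i = data.find(needle, i + 1)
    return offsets


def scrub(path):
    """Developer-side cleanup of an existing store: zero future deletions
    and rebuild the file so already-freed space is not carried over.
    Caveat: this only cleans the live database file. Rollback journals,
    WAL files, freed filesystem blocks and external backups (the iCloud
    problem in the article) are outside SQLite's control."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute("VACUUM")
    conn.close()


def demo(secure_delete):
    """Return (rows visible via SQL, plaintext hits in the raw file after
    the delete, hits after scrub) for one run."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        live = write_and_delete(path, secure_delete)
        before = len(carve(path, SAMPLE_BODY.encode()))
        scrub(path)
        after = len(carve(path, SAMPLE_BODY.encode()))
    return live, before, after


if __name__ == "__main__":
    print("secure_delete OFF:", demo(False))  # expect (0, 1, 0)
    print("secure_delete ON: ", demo(True))   # expect (0, 0, 0)
```

With `secure_delete` off the deleted message is invisible to SQL yet still present once in the raw file; turning the pragma on before the delete, or vacuuming afterwards, removes it from the database file itself. Neither step touches copies that have already left the file, which is why the backup path matters as much as the on-device store.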
"The design choices they make when developing a secure messaging app have critical implications for journalists, political dissenters, those in countries that don't respect free speech, and many others," he said. "A poor design choice could result in innocent people - sometimes people crucial to liberty - being imprisoned."
Facebook complies with over 70 per cent of requests for data from the government in the UK, which includes WhatsApp data. Some of that data could include unencrypted messages, and messages that users thought had been deleted.
What apps will delete my messages?
WhatsApp isn't the only messaging app that stores some form of data about deleted messages. Apple's iMessage, for example, "leaves a lot" of information in a device's memory, Zdziarski said.
He advised privacy-conscious users that Signal "leaves virtually nothing" on a phone, while Wickr uses a form of encryption that makes messages on the app far more secure.
"Other apps would do well to respect the size of the forensic footprint they're leaving," said Zdziarski.