WhatsApp chats can still be retrieved even if users think they’ve completely deleted or cleared them, according to new research.
Security researcher, Jonathan Zdziarski, claimed that even the latest version of the app leaves a forensic trace of all chats – at least on iOS.
“To test, I installed the app and started a few different threads. I then archived some, cleared some, and deleted some threads. I made a second backup after running the ‘Clear All Chats’ function in WhatsApp. None of these deletion or archival options made any difference in how deleted records were preserved. In all cases, the deleted SQLite records remained intact in the database,” he explained.
“Just to be clear, WhatsApp is deleting the record (they don’t appear to be trying to intentionally preserve data), however the record itself is not being purged or erased from the database, leaving a forensic artifact that can be recovered and reconstructed back into its original form.”
These records could remain for months on a so-called “free list” until the database needs extra storage, he added.
The privacy issue here is that the WhatsApp chat database gets copied to the iCloud and on the desktop during a backup.
Although desktop backups can be encrypted via iTunes, using a weak password could render them accessible, and iCloud back-ups aren’t encrypted by Apple, Zdziarski said.
This could give law enforcers several ways to access deleted chats – for example, anyone with physical access to a user’s computer could theoretically recover WhatsApp chats.
“Law enforcement can potentially issue a warrant with Apple to obtain your deleted WhatsApp chat logs, which may include deleted messages,” Zdziarski added. “None of your iCloud backup content will be encrypted with your backup password (that’s on Apple, not WhatsApp).”
He recommended users turn off iCloud backup and periodically delete and reinstall the application in order to “flush out deleted records and start fresh.”
Richard Cassidy, cyber security evangelist at Alert Logic, argued that while full disk encryption could be used for any back-ups to the desktop, a similarly “capable” solution for the handset doesn’t exist.
“I suspect we’ll see some tools develop in the near future that can search for these records and remove them correctly, but the onus has to be on the application developers to offer users a specific delete function that will indeed perform this for them, regardless of how much extra time is required,” he added.
“The user should always have the choice or be given the details of the risk.”