WhatsApp doesn’t properly erase your deleted messages, researcher reveals

Are you using WhatsApp? There is an interesting news for you, the popular instant messaging app doesn’t properly erase the user’s deleted messages.

The issue was reported by the popular iOS security researcher Jonathan Zdziarski who is warning about the risks for the users’ privacy.

The flaw could be exploited by attackers to snoop on user’s private conversations, even when they gave been “deleted.”

Zdziarski was analyzing the latest version of the popular app when discovered traces of previously deleted messages. Data are not physically deleted allowing an expert to recover it with certainly data forensic tools.

“Sorry, folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them… even if you “Clear All Chats”. In fact, the only way to get rid of them appears to be to delete the app entirely.” states the blog post published by Zdziarski.

The issue represents a serious problem for users that live in an oppressive country, there is the concrete risk that authorities access sensitive conversations by physically accessing the mobile device.

“Just to be clear, WhatsApp is deleting the record (they don’t appear to be trying to intentionally preserve data), however the record itself is not being purged or erased from the database, leaving a forensic artifact that can be recovered and reconstructed back into its original form.” wrote the expert.

The issue is common among applications that uses SQLite, this specific database by default doesn’t delete data on iOS. Every time a record is deleted, it is added to a “free list,” instead its physical deletion. Free records will get overwritten is a second time, for example when the database needs the extra storage.

“If you delete large chunks of messages at once, this causes large chunks of records to end up on this “free list”, and ultimately takes even longer for data to be overwritten by new data. There is no guarantee the data will be overwritten by the next set of messages. In other apps, I’ve often seen artifacts remain in the database for months.” explained the expert.

Among other applications that suffer a similar problem, there is the popular Apple iMessageas explained by Zdziarski.

“Apple’s iMessage has this problem and it’s just as bad, if not worse. Your SMS.db is stored in an iCloud backup, but copies of it also exist on your iPad, your desktop, and anywhere else you receive iMessages. Deleted content also suffers the same fate.” he said.

Other applications like Signal doesn’t leave forensics trace, according to Zdziarski:

“Signal leaves virtually nothing, so there’s nothing to worry about.”

It is curious to note that Zdziarski has included in the analysis the instructions to fix the problem.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Whatsapp, mobile forensic)