Despite WhatsApp's claims to the contrary, the popular messaging service has a security flaw: it leaves a “forensic trace” of every chat, even after chats are deleted, cleared or archived, well-known iOS security researcher Jonathan Zdziarski revealed today. The flaw affects the latest version of WhatsApp, and he found the same flaw in iMessage (via The Verge).
In a blog post, Zdziarski says he tested his theory by starting a few chat threads, and then archiving, clearing and deleting them. He found that none of the deletion or archival options made any difference in how deleted records were preserved, and the deleted SQLite records (which WhatsApp apparently also wants to delete, but fails to in the new version of the app) remained intact. That leaves forensic artefacts that can be recovered and reconstructed back into their original form, Zdziarski notes.
He also points to an earlier post from March, in which he explains how Apple had the same problem, leaving forensic traces of iMessages, which are supposed to feature end-to-end encryption. This encryption is intended to make sure that deleted files are actually deleted.
“The core issue here is that ephemeral communication is not ephemeral on disk. This is a problem that Apple has struggled with as well, which I’ve explained and made design recommendations recently in this blog post.
“Apple’s iMessage has this problem and it’s just as bad, if not worse. Your SMS.db is stored in an iCloud backup, but copies of it also exist on your iPad, your desktop, and anywhere else you receive iMessages. Deleted content also suffers the same fate.”
Before you start to panic, however, note that Zdziarski also provides a solution to use until WhatsApp addresses the issue: periodically delete the app, thereby forcing it to “flush out the database.”
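The residue described above can be reproduced with any SQLite file. The following Python script is an added example, not code from Zdziarski's post or from WhatsApp: the table layout and message text are constructed, and `PRAGMA secure_delete` and `VACUUM` are standard SQLite features used here on the assumption that an app would rely on them to avoid or purge the leftover bytes.

```python
import os
import sqlite3
import tempfile

MARKER = b"constructed-secret-message-0001"  # constructed sample chat text


def deleted_text_survives(secure_delete, vacuum=False):
    """Delete one chat thread, then report whether its text is still
    present in the raw bytes of the database file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "chat.sqlite")  # hypothetical file name
        conn = sqlite3.connect(path)
        try:
            # Set explicitly: the compiled-in default differs between builds.
            mode = "ON" if secure_delete else "OFF"
            conn.execute(f"PRAGMA secure_delete = {mode}")
            conn.execute(
                "CREATE TABLE message "
                "(id INTEGER PRIMARY KEY, thread INTEGER, body TEXT)"
            )
            conn.executemany(
                "INSERT INTO message (thread, body) VALUES (?, ?)",
                [(1, "keep: hello"), (2, MARKER.decode()), (1, "keep: bye")],
            )
            conn.commit()
            conn.execute("DELETE FROM message WHERE thread = 2")
            conn.commit()
            # What the app sees: the thread no longer exists.
            gone = conn.execute(
                "SELECT COUNT(*) FROM message WHERE thread = 2"
            ).fetchone()[0] == 0
            assert gone
            if vacuum:
                conn.execute("VACUUM")  # rebuild the file from live rows only
        finally:
            conn.close()
        # What a forensic examiner sees: the raw file contents.
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    print("plain DELETE leaves text on disk:", deleted_text_survives(False))
    print("with secure_delete=ON:           ", deleted_text_survives(True))
    print("plain DELETE, then VACUUM:       ", deleted_text_survives(False, vacuum=True))
```

This checks only the main database file; copies held in backups or on other devices, which the quoted passage mentions, are outside what either setting can reach.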