WhatsApp isn't fully deleting its 'deleted' chats

WhatsApp retains and stores chat logs even after those chats have been deleted, according to a post today by iOS researcher Jonathan Zdziarski. Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place.

In most cases, the data is marked as deleted by the app itself — but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default.


WhatsApp was applauded by many privacy advocates for switching to default end-to-end encryption through the Signal protocol, a process that completed this April. But that system only protects data in transit, preventing carriers and other intermediaries from spying on conversations as they travel across the network.

Zdziarski’s findings deal with what happens to that data after it reaches the phone, particularly when it’s stored on the phone’s local disk drive or remote iCloud storage. WhatsApp messages are backed up by iCloud without hard encryption, so the finding means police could obtain clear records of conversations through a court order, even if the conversation had been deleted within the app.

"The core issue here is that ephemeral communication is not ephemeral on disk," Zdziarski wrote in the post.

The news shouldn’t be alarming to WhatsApp users, although it does temper many of the privacy promises made by the company in the past. The majority of messaging apps leave similar traces, recoverable through iCloud backups, although a number of privacy-focused apps do not. "iMessage leaves a lot [of forensic traces]," Zdziarski said, reached by The Verge. "Signal leaves virtually none."

The research is particularly relevant given the app’s current legal struggles over encryption policy. In Brazil, WhatsApp has weathered numerous blackout orders from local courts over its refusal to turn over court ordered chat logs in an ongoing case. The company has repeatedly claimed that it cannot turn over the logs as a result of WhatsApp’s end-to-end encryption systems, and the blackout orders have been routinely overturned by higher courts.

WhatsApp did not immediately respond to a request for comment.

Comments

Oh! Those old icons

Haha, yeah why are they using a screenshot from 2010 or something?

deleted

(but not really)

Isn’t that common knowledge? When you delete something from your disk it’s never completly deleted?

In general, overwrite stuff is a known issue, but it’s not true of all encrypted chat apps (see Signal) and it’s interacting with iCloud in a uniquely bad way, producing backup copies of conversations you might reasonably think were erased. I was surprised to learn that was the case!

If you’re backing stuff up, why would you automatically assume the backup is gone when you delete the main item though?

That’s generally not the case and typically why a backup exists.

Its important to understand though that with SSDs – attempting to overwrite is not something that will generally produce the expected results.

The OS does not control where writes occur – the SSD does. And the virtual address (that the OS and consequently apps use) has a different corresponding physical address each time its written to.

Reason? Actually overwriting on SSD media is hilariously slow; and its also done for wear-leveeing purposes.

Disregarding the cloud backup issue for a moment, since the phone’s storage is encrypted already wouldn’t the attacker have to already have the phone unlocked?

NO WAY!!!!

Wouldn’t the simple solution be to allow the user to toggle off cloud backup on whatsapp?

It also doesn’t delete the pictures when you receive or send them, they are always there when you browse via file explorer.

Apparently the same issue is plaguing iMessage.

View All Comments
Back to top ↑