A security researcher has discovered a major flaw in WhatsApp's chat encryption system. He found that WhatsApp chats are not completely erased even after you delete them. They are still stored in the database and can easily be recovered when needed. The flaw was discovered by an independent iOS researcher, Jonathan Zdziarski.
He also added:
To test, I installed the app and started a few different threads. I then archived some, cleared some, and deleted some threads. I made a second backup after running the “Clear All Chats” function in WhatsApp. None of these deletion or archival options made any difference in how deleted records were preserved. In all cases, the deleted SQLite records remained intact in the database.
Just to be clear, WhatsApp is deleting the record (they don’t appear to be trying to intentionally preserve data), however the record itself is not being purged or erased from the database, leaving a forensic artifact that can be recovered and reconstructed back into its original form.
Forensic trace is common among any application that uses SQLite, because SQLite by default does not vacuum databases on iOS (likely in an effort to prevent wear). When a record is deleted, it is simply added to a “free list”, but free records do not get overwritten until later on when the database needs the extra storage (usually after many more records are created). If you delete large chunks of messages at once, this causes large chunks of records to end up on this “free list”, and ultimately takes even longer for data to be overwritten by new data. There is no guarantee the data will be overwritten by the next set of messages. In other apps, I’ve often seen artifacts remain in the database for months.
You can read the full blog post here.
Let’s look a bit deeper into the problem:
Zdziarski claims that even after performing “Clear All Chats” on WhatsApp, the application retains a forensic trace of the chat logs. In other words, these messages could be accessed by anyone with physical access to the mobile device. The same data can also be recovered from any remote backup systems in place.
Zdziarski attributed the problem to the SQLite library the app is built on, and he described a possible fix that the WhatsApp team could implement. That suggests even the WhatsApp team may not have been aware of this bug before. WhatsApp is deleting the record, which means it does not intend to keep the messages, and that is good news for users. However, a forensic footprint is left behind from which the messages can be restored when required.
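The free-list behaviour described in the quoted passage above can be reproduced with Python's built-in `sqlite3` module. This is an added example, not code from WhatsApp or from Zdziarski's post: the table layout, file name and message text are constructed, and `PRAGMA secure_delete` and `VACUUM` are standard SQLite features shown as assumptions about what an application-side fix could use, since this page does not spell the fix out.

```python
import os
import sqlite3
import tempfile

N = 500  # number of constructed chat messages


def clear_all_chats(secure_delete=False, vacuum=False):
    """Delete every message, then scan the raw database file for message text.

    Returns (free_pages, recoverable): the number of pages on SQLite's free
    list and how many deleted messages are still readable in the file.
    """
    path = os.path.join(tempfile.mkdtemp(), "chats.sqlite")  # hypothetical name
    con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    # Set explicitly: some SQLite builds compile secure_delete on by default.
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    bodies = [f"constructed-message-{i:04d}" for i in range(N)]
    con.execute("BEGIN")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [(b,) for b in bodies])
    con.execute("COMMIT")

    con.execute("DELETE FROM messages")  # the app-level "delete"
    if vacuum:
        con.execute("VACUUM")  # rebuilds the file from live rows only
    free_pages = con.execute("PRAGMA freelist_count").fetchone()[0]
    live_rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    con.close()
    assert live_rows == 0  # SQL sees nothing; the raw file may disagree

    with open(path, "rb") as f:
        raw = f.read()
    recoverable = sum(b.encode() in raw for b in bodies)
    return free_pages, recoverable


if __name__ == "__main__":
    for label, kwargs in [("default delete", {}),
                          ("secure_delete=ON", {"secure_delete": True}),
                          ("delete + VACUUM", {"vacuum": True})]:
        pages, found = clear_all_chats(**kwargs)
        print(f"{label:18} free pages={pages:2}  recoverable={found}/{N}")
```

The scan covers only the main database file; copies held in earlier device or cloud backups are unaffected by either setting.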
Is there any possible fix that WhatsApp users can apply?
Yes, the only way to fix this from your end is to delete the app itself permanently. But that doesn’t seem to be a nice solution. So let’s wait until WhatsApp fixes this issue, now that it is public. Other notable precautionary measures:
- Using a really strong iTunes password
- Disabling iCloud backups
- Periodically deleting the application from the device and reinstalling it to flush out the database.
Even though WhatsApp has enabled end-to-end encryption, that only protects messages against hackers using spoofing or hijacking techniques. In this case, if someone is able to access your account directly on your device, the messages can be retrieved even if they have been deleted.
Zdziarski was talking primarily about iOS; it’s unclear whether the flaw applies to Android too.
WhatsApp hasn’t responded to this yet, so we have to wait for a response from their end on this serious issue.