A security researcher has discovered a major flaw in WhatsApp's chat encryption system. He found that chats in WhatsApp are not completely deleted even after you delete them. They are still stored in the database and can easily be recovered when needed. This was discovered by an independent iOS researcher, Jonathan Zdziarski.
He also added:
To test, I installed the app and started a few different threads. I then archived some, cleared some, and deleted some threads. I made a second backup after running the “Clear All Chats” function in WhatsApp. None of these deletion or archival options made any difference in how deleted records were preserved. In all cases, the deleted SQLite records remained intact in the database.
Just to be clear, WhatsApp is deleting the record (they don’t appear to be trying to intentionally preserve data), however the record itself is not being purged or erased from the database, leaving a forensic artifact that can be recovered and reconstructed back into its original form.
Forensic trace is common among any application that uses SQLite, because SQLite by default does not vacuum databases on iOS (likely in an effort to prevent wear). When a record is deleted, it is simply added to a “free list”, but free records do not get overwritten until later on when the database needs the extra storage (usually after many more records are created). If you delete large chunks of messages at once, this causes large chunks of records to end up on this “free list”, and ultimately takes even longer for data to be overwritten by new data. There is no guarantee the data will be overwritten by the next set of messages. In other apps, I’ve often seen artifacts remain in the database for months.
You can read the full blog post here.
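The free-list behaviour described in the quote can be reproduced with any SQLite database. The following is an added example, not code from Zdziarski's post or from WhatsApp; the table name, marker text and function name are made up for illustration. It deletes every row, then checks the raw database file for the deleted text, with and without the secure_delete pragma and VACUUM that an app developer can use to purge it.

```python
import os
import sqlite3
import tempfile

MARKER = b"constructed-secret-message"  # constructed sample content


def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Return True if deleted message text is still present in the raw file."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # No auto-vacuum, matching the default behaviour the quote describes.
        con.execute("PRAGMA auto_vacuum=NONE")
        # Set explicitly: some SQLite builds enable secure_delete by default.
        con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [(f"{MARKER.decode()} #{i}",) for i in range(200)],
        )
        con.commit()

        # The app-level "delete": rows vanish from queries, pages go to the free list.
        con.execute("DELETE FROM messages")
        con.commit()
        assert con.execute("SELECT COUNT(*) FROM messages").fetchone()[0] == 0

        if vacuum:
            con.execute("VACUUM")  # rebuilds the file without the free pages
        con.close()

        # Look at the file the way a backup or forensic tool would: as raw bytes.
        with open(path, "rb") as f:
            return MARKER in f.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("plain DELETE:          ", residue_after_delete(secure_delete=False))
    print("secure_delete=ON:      ", residue_after_delete(secure_delete=True))
    print("plain DELETE + VACUUM: ", residue_after_delete(False, vacuum=True))
```

This only inspects the main database file; copies of that file made before the purge, such as an earlier backup, are unaffected by either setting.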
Let’s look a bit deeper into the problem:
Zdziarski claims that even after performing “Clear All Chats” on WhatsApp, he noticed that the application stores a forensic trace of theremote backup systems in place.
Zdziarski mentioned that the problem is with the restored when required.
Is there any possible fix that can be done by WhatsApp users?
Yes, the only way to fix this from your end is to delete the app itself permanently. But that doesn’t seem to be a nice solution. So, let’s wait until WhatsApp fixes this issue, as it is now public. Other notable precautionary measures:
- Using a really strong iTunes
- Disabling iCloud backups
- Periodically deleting the application from the device and reinstalling it to flush out the database.
Even though WhatsApp has enabled end-to-end encryption, it can only protect messages from hijacking techniques. But in this case, if someone is able to access your directly on your device, the messages can be retrieved even if they are deleted.
Zdziarski was talking primarily about iOS; it’s unclear whether the flaw applies to Android too.
WhatsApp hasn’t responded to this yet; we have to wait for a response from their end on this serious issue.