Slashdot Mirror

← Back to Stories (view on slashdot.org)

WhatsApp Isn't Fully Deleting Its 'Deleted' Chats (theverge.com)

Posted by msmash on from the security-blues dept.

Facebook-owned messaging app WhatsApp retains and stores chat logs even after those messages have been deleted, according to iOS researcher Jonathan Zdziarski. The Verge reports: Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place. In most cases, the data is marked as deleted by the app itself -- but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default. WhatsApp was applauded by many privacy advocates for switching to default end-to-end encryption through the Signal protocol, a process that completed this April. But that system only protects data in transit, preventing carriers and other intermediaries from spying on conversations as they travel across the network.

4 of 60 comments (clear)

  1. Not a SQLite problem by QuietLagoon · · Score: 5, Insightful

    ...Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default. ...

    That's not the root cause.

    The root cause is the programmer who used SQLite and did not know that SQLite did not fully delete, or did know but did not care.

    SQLite will only do what it is told to do by the programmer.

  2. Fail is another 4 letter word by BoRegardless · · Score: 4, Insightful

    How can a company declare a product "secure" when obviously no security audit was done?

    If WhatsApp merely stated that in transit is encrypted, but data on your phone is open to discovery, even if deleted, at least they would have been honest.

  3. Alternate Headline by Tyrannosaur · · Score: 4, Insightful

    A better headline would be "WhatsApp Isn't Securely Deleting Its 'Deleted' Chats"

    Most file systems don't overwrite deleted data until the space is needed again. This is expected behavior.

    Of course, this is a flaw that should be fixed- especially that any backups would be able to see everything- but this doesn't look to be a "backdoor" or anything nefarious in WhatsApp.

  4. Yes, deleted files are (sometimes) recoverable by T.E.D. · · Score: 3, Insightful

    In most cases, the data is marked as deleted by the app itself -- but because it has not been overwritten, it is still recoverable through forensic tools.

    For the record, this is exactly what happens when you "delete" any file. The file system just goes to its little index of disk locations in use, and marks the ones the file's data is sitting in as available. Quick and easy. The data is all still there until the filesystem happens to give those locations away to a new file some day. There's nothing at all special about WhatsApp here. This is just how filesystems work.

    Security professionals (eg: when I was working COMSEC jobs for the DoD) know to "zeroize" old data you really want to be non-recoverable. When last I checked, that's a matter of writing patterns of 1's and 0's repeatedly to the disk enough that the old data patterns are no longer recoverable. But typical OS's don't have that as a native operation, and it would be fairly unreasonable (not to mention dangerous) to expect a simple social media phone app to be jumping around the OS to do things like that itself.