Deleted WhatsApp messages are not actually deleted
01 Aug 2016
Chat logs from WhatsApp linger on users' phone even after they have been deleted, according to new research published by iOS expert Jonathan Zdziarski.
Forensic traces of chats lingered on the phone even after a user archived or deleted them, Zdziarski found, and could be accessed by someone with physical access to the device or by law enforcement authorities issuing a warrant to Apple for iCloud backups.
Although the data was deleted from the app, it was not overwritten in the SQLite library and continued to remain on the phone.
''I installed the app and started a few different threads,'' Zdziarski wrote in a blog post. ''I then archived some, cleared, some, and deleted some threads. I made a second backup after running the 'Clear All Chats' function in WhatsApp. None of these deletion or archival options made any difference in how deleted records were preserved. In all cases, the deleted SQLite records remained intact in the database.''
''The only way to get rid of them appears to be to delete the app entirely,'' Zdziarski added.
WhatsApp has been commended over its concern for security since the company, owned by Facebook, implemented end-to-end encryption in April, using the well-regarded Signal Protocol.
"Sorry, folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace of all of your chats, even after you've deleted, cleared, or archived them…even if you 'Clear All Chats,'' Zdziarski wrote in a post. "In fact, the only way to get rid of them appears to be to delete the app entirely."
The database is not just being stored on users' handheld device, it is also saved online as part of any normal iCloud backup or desktop backup.
Though one could encrypt these desktop backups, one could not encrypt files sent up to one's iCloud account - leaving law enforcement an easy method for recovering seemingly deleted chats.