Your WhatsApp conversations may not be as private as you believed.
iOS researcher Jonathan Zdziarski wrote in a blog post Thursday that he has discovered the messenger program is retaining traces of your deleted messages.
The company rolled out end-to-end encryption in April for its users, meaning that your message stays private while traveling between devices. WhatsApp doesn’t claim to have self-destructing messages, but it does claim: “Deleted messages are permanently deleted from your phone.”
Zdziarski shuts this claim down on his blog. He writes:
“Sorry, folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them… even if you “Clear All Chats”. In fact, the only way to get rid of them appears to be to delete the app entirely.”
Less than ideal. Zdziarski said the company doesn’t appear to be intentionally retaining the data, but his tests on archived, deleted and cleared messages showed that something was amiss. On all tests, the data behaved exactly the same.
This means that forensic information about the message remains on the user’s phone and can be recovered and reconstructed back to its original form, according to Zdziarski. This would be of some concern if you lost your phone and someone, such as law enforcement, wanted to restore your messages.
This is not an unusual thing to happen to iPhone apps, Zdziarski explained. He said that a user should take into account the amount of data an app leaves behind. He claimed that iMessage has exactly the same problem, and that there it is spread across every device on which you have accessed your messages.
“Signal leaves virtually nothing, so there’s nothing to worry about. No messy cleanup. Wickr takes advantage of Apple’s CoreData and encrypts their database using keys stored in the keychain (much more secure),” Zdziarski wrote. “Other apps would do well to respect the size of the forensic footprint they’re leaving.”
He offered a couple of solutions for users to consider for extra privacy. Firstly, create a really strong password on your phone. Secondly, disable your iCloud backup as it does not honor encryption. And lastly, periodically delete the app from your phone to clear out the message data completely.
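To make the mechanism behind the story concrete, here is an added example that is not from the article, from Zdziarski or from WhatsApp. It assumes the app keeps its chats in an SQLite database file, which the article does not state; the sample chat lines are constructed. It shows that after a plain "delete all rows" the table reads as empty, yet the message text still sits in the file where a raw byte scan finds it, and that turning on SQLite's `secure_delete` before the delete and running `VACUUM` afterwards removes the trace. This is the storage-layer equivalent of the "smaller forensic footprint" Zdziarski asks app developers to aim for.

```python
import os
import sqlite3
import tempfile

# Constructed sample chat lines, not real WhatsApp data.
SAMPLE_MESSAGES = [
    "meet me at the cafe at noon",
    "the contract is signed, sending it tonight",
    "call me as soon as you land",
]


def raw_file_contains(path, text):
    """Scan the raw database file for a plaintext string, the way a
    forensic carve would, ignoring the database's own structure."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()


def traces_after_clear(hardened):
    """Insert sample messages, "clear all chats", and report whether any
    message body is still present in the database file afterwards.

    hardened=False: a plain DELETE, the way many apps clear a table.
    hardened=True:  PRAGMA secure_delete=ON before the delete, so SQLite
                    zeroes freed space, then VACUUM to rebuild the file.
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Some distributions compile SQLite with secure_delete on by default,
        # so set it explicitly in both cases to make the comparison honest.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if hardened else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [(m,) for m in SAMPLE_MESSAGES],
        )
        conn.commit()

        conn.execute("DELETE FROM messages")  # the equivalent of "Clear All Chats"
        conn.commit()
        if hardened:
            conn.execute("VACUUM")  # rewrite the file without the dead space
        conn.close()

        # The table is empty either way; the question is what the file still holds.
        return any(raw_file_contains(path, m) for m in SAMPLE_MESSAGES)
    finally:
        # Remove the temporary database and any rollback journal left beside it.
        for leftover in (path, path + "-journal"):
            if os.path.exists(leftover):
                os.remove(leftover)


if __name__ == "__main__":
    print("plain delete leaves plaintext in file:", traces_after_clear(hardened=False))
    print("secure_delete + VACUUM leaves plaintext:", traces_after_clear(hardened=True))
```

The unhardened path is the behaviour the article describes: the rows are gone from the application's point of view, but the bytes remain until the page is reused, so anyone who can copy the file off the device can carve them out. Note that the check only scans the main database file; rollback journals, WAL files and device backups are separate copies that the same cleanup does not cover, which is why the article's advice about iCloud backups matters.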
“Simply preserving deleted data on a secure device is not usually a significant issue, but when that data comes off the device as freely as WhatsApp’s database does, it poses a rather serious risk to privacy. Unfortunately, that’s what’s happening here and why this is something users should be aware of,” Zdziarski added.
WhatsApp and Apple have been contacted for comment.