WhatsApp retains and stores chat logs even after those chats have been deleted, according to a post today by iOS researcher Jonathan Zdziarski. Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place.
In most cases, the data is marked as deleted by the app itself — but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default.
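The behaviour described above can be reproduced with Python's standard sqlite3 module. This is an added example, not code from Zdziarski's post or from WhatsApp: the table layout, file name and message text are constructed, and it uses SQLite's `secure_delete` pragma as the setting that makes the library overwrite deleted content.

```python
import os
import sqlite3
import tempfile

# Constructed sample text standing in for a chat message.
MARKER = "constructed-secret-message-7f3a"


def deleted_text_survives(secure_delete: bool) -> bool:
    """Insert rows, delete one, and report whether its text is still
    present in the raw database file after the delete is committed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set the pragma explicitly: the compiled-in default differs
        # between SQLite builds, so never rely on it.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}").fetchone()
        conn.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)"
        )
        conn.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [("hello",), (MARKER,), ("goodbye",)],
        )
        conn.commit()

        # Delete one row; the others keep the page in use.
        conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
        conn.commit()
        gone = conn.execute(
            "SELECT COUNT(*) FROM messages WHERE body = ?", (MARKER,)
        ).fetchone()[0] == 0
        conn.close()
        if not gone:
            raise RuntimeError("row was not deleted at the SQL level")

        # Scan the file bytes the way a forensic tool would.
        with open(path, "rb") as fh:
            raw = fh.read()
    return MARKER.encode("utf-8") in raw


if __name__ == "__main__":
    print("secure_delete=OFF, text still on disk:", deleted_text_survives(False))
    print("secure_delete=ON,  text still on disk:", deleted_text_survives(True))
```

In both runs the row is invisible to SQL queries; only the raw file scan distinguishes a freed-but-intact record from one that SQLite zeroed.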
Zdziarski’s findings deal with what happens to that data after it reaches the phone, particularly when it’s stored on the phone’s local disk drive or remote iCloud storage. WhatsApp messages are backed up by iCloud without hard encryption, so the finding means police could obtain clear records of conversations through a court order, even if the conversation had been deleted within the app.
“The core issue here is that ephemeral communication is not ephemeral on disk,” Zdziarski wrote in the post.
The news shouldn’t be alarming to WhatsApp users, although it does temper many of the privacy promises made by the company in the past. The majority of messaging apps leave similar traces, recoverable through iCloud backups, although a number of privacy-focused apps do not. “iMessage leaves a lot [of forensic traces],” Zdziarski said, reached by The Verge. “Signal leaves virtually none.”
The research is particularly relevant given the app’s current legal struggles over encryption policy. In Brazil, WhatsApp has weathered numerous blackout orders from local courts over its refusal to turn over court-ordered chat logs in an ongoing case. The company has repeatedly claimed that it cannot turn over the logs as a result of WhatsApp’s end-to-end encryption systems, and the blackout orders have been routinely overturned by higher courts.