Deleted WhatsApp chat messages may be easy to recover, according to a security researcher.

Jonathan Zdziarski said in a blog post that a flaw in the messaging app could leave forensic traces of chat messages after they have been deleted, cleared or archived.

“The latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them… even if you ‘Clear All Chats’,” said Jonathan Zdziarski. “In fact, the only way to get rid of them appears to be to delete the app entirely.”

He added that WhatsApp only removed pointers to messages but not the messages themselves. He tested the app and started a few threads, then archived some, cleared others and deleted a few.

He ran the “Clear All Chats” option function but nothing he did made any difference to how the deleted records were preserved.

“In all cases, the deleted SQLite records remained intact in the database,” he said. “WhatsApp is deleting the record (they don’t appear to be trying to intentionally preserve data), however the record itself is not being purged or erased from the database, leaving a forensic artifact that can be recovered and reconstructed back into its original form.”

He said that SQLite does not “vacuum databases on iOS”.

“There is no guarantee the data will be overwritten by the next set of messages. In other apps, I’ve often seen artefacts remain in the database for months,” said Zdziarski.

“Simply preserving deleted data on a secure device is not usually a significant issue, but when that data comes off the device as freely as WhatsApp’s database does, it poses a rather serious risk to privacy,” said Zdziarski .

WhatsApp chat data stored on an iPhone or iPad gets copied over from the iPhone during a backup, which means it will show up in your iCloud backup and in a desktop backup.

“Fortunately, desktop backups can be encrypted by enabling the ‘Encrypt Backups’ option in iTunes. Unfortunately, iCloud backups do not honour this encryption, leaving your WhatsApp database subject to law enforcement warrants,” he said.

Zdziarski said that the way WhatsApp and other messaging services handle messages means the data could be recoverable by law enforcement.

“Law enforcement can potentially issue a warrant with Apple to obtain your deleted WhatsApp chat logs, which may include deleted messages,” he said.

The flaw could have implications for dissidents or journalists working in repressive countries. 

