Categories: Security

WhatsApp ‘Doesn’t Fully Delete Messages’

Weeks after WhatsApp began using end-to-end encryption to protect users’ communications, a researcher has found that the service leaves traces of deleted posts that could be easily recovered.

“The latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them… even if you ‘Clear All Chats’,” wrote Jonathan Zdziarski in an advisory. “In fact, the only way to get rid of them appears to be to delete the app entirely.”

Data held

Zdziarski found that when users delete messages, the app only removes the indicators that point to where the content is held in the database, but leaves the content itself unchanged.

The messages may or may not be overwritten by further data, but if not, the chat content could be recovered using forensics tools, said Zdziarski, who tested the iOS version of WhatsApp.

“SQLite by default does not vacuum databases on iOS,” he wrote. “There is no guarantee the data will be overwritten by the next set of messages. In other apps, I’ve often seen artifacts remain in the database for months.”

The data remains not only on the iOS device, but is also copied when the device is backed up to desktops and iCloud. The desktop backup can be encrypted by selecting an iTunes option, but this doesn’t apply to iCloud backups, meaning that data remains in an unencrypted form.

“When that data comes off the device as freely as WhatsApp’s database does, it poses a rather serious risk to privacy,” Zdziarski added.

The privacy of electronic messages came to public attention beginning in 2013 with the disclosure of mass surveillance programmes by the US government, leading Google, Apple and others to adopt encryption for their communications systems.


More recently, IT companies including Apple have fought highly publicised court battles that have raised public awareness of the use by law enforcement bodies of data held on mobile devices or on remote services such as iCloud, with some saying users’ privacy is insufficiently protected.

The way WhatsApp and other messaging services handle messages means the data could be recoverable by law enforcement bodies, Zdziarski said.

“Law enforcement can potentially issue a warrant with Apple to obtain your deleted WhatsApp chat logs, which may include deleted messages,” he wrote.

Apple’s iMessage stores copies of a user’s messaging database in multiple locations and handles deleted messages in a similar way to WhatsApp, he said.

But he said that other applications, such as Signal, are more thorough about deleting data and don’t leave such traces, while Wickr encrypts its database.

He said WhatsApp users can protect their privacy by disabling iCloud backups, using a long, complex password to encrypt desktop backups and periodically deleting and reinstalling the application.

WhatsApp, meanwhile, could block its message databases from being copied during iCloud backups and could mark deleted messages in such a way that they would be automatically overwritten, Zdziarski said.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Microsoft Executive Indicates Departmental Hiring Slowdown

Amid concern at the state of the global economy, a senior Microsoft executive tells staff…

1 day ago

Shareholders Sue Twitter, Elon Musk For Stock ‘Manipulation’

Disgruntled shareholders are now suing both Twitter and Elon Musk, over volatile share price swings…

1 day ago

Google Faces Second UK Probe Over Ad Practices

UK's competition watchdog launches second investigation of Google's ad tech practices, and whether it may…

1 day ago

Elon Musk Raises His Contribution To Twitter Acquisition

But one of Elon Musk's biggest backers on the Twitter board has tendered his resignation…

2 days ago

Broadcom Confirms VMware Acquisition For $61 Billion

Entry into cloud infrastructure software for US chip firm Broadcom after it confirms reports it…

2 days ago