‘Privacy and security is in our DNA,’ WhatsApp boasts on its website.
But a forensic scientist and security researcher claims the popular messaging app retains and stores traces of chats even after conversations have been deleted by users.
While this does not put users at risk, it creates a potential treasure trove of information for anyone with access to a device to tap into, an expert has warned.
Jonathan Zdziarski wrote in a blog post: ‘Sorry folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them…even if you ‘Clear All Chats’.
‘In fact, the only way to get rid of them appears to be to delete the app entirely.’
TOT has contacted WhatsApp for comment but has yet to receive a response.
Mr Zdziarski discovered the glitch by installing the app on his phone and starting a few different conversation threads.
He archived some, cleared some and deleted others as well as running the ‘Clear All Chats’ function in the app.
But he wrote: ‘None of these deletion or archival options made any difference in how deleted records were preserved,’ noting they remained intact in the database.
Mr Zdziarski noted that WhatsApp does not seem to be trying to intentionally preserve data, but a record is left in the database, ‘leaving a forensic artefact that can be recovered and reconstructed back into its original form.’
He believes the fault is down to the ‘SQLite library’ used to code the app, which doesn’t automatically overwrite deleted records.
A full explanation can be read on the blog.
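The behaviour described above can be reproduced with any SQLite database. The following is an added example, not code from Mr Zdziarski's post or from WhatsApp; the `messages` table and the marker text are constructed. It deletes a row, then checks the raw database file for the deleted text, with and without SQLite's `secure_delete` setting and `VACUUM` command.

```python
import os
import sqlite3
import tempfile

# Constructed sample text standing in for a deleted chat message.
MARKER = "constructed-deleted-message-7f3a"


def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Delete a row, then report whether its text is still in the raw file."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        # Set explicitly: some SQLite builds enable secure_delete by default.
        mode = "ON" if secure_delete else "OFF"
        con.execute(f"PRAGMA secure_delete = {mode}")
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [("kept message one",), (MARKER,), ("kept message two",)],
        )
        con.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
        if vacuum:
            # Rebuilds the file from live rows only, dropping freed space.
            con.execute("VACUUM")
        # The row is gone as far as any SQL query can tell.
        left = con.execute(
            "SELECT COUNT(*) FROM messages WHERE body = ?", (MARKER,)
        ).fetchone()[0]
        if left != 0:
            raise RuntimeError("row was not deleted")
        con.close()
        # Look at the bytes on disk instead of asking SQLite.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("default delete leaves text:", residue_after_delete(False))
    print("secure_delete leaves text: ", residue_after_delete(True))
    print("delete + VACUUM leaves text:", residue_after_delete(False, vacuum=True))
```

The check covers only the main database file; copies in backups, journals or filesystem free space are outside what either setting cleans up.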
WhatsApp has been lauded by privacy campaigners after it introduced end-to-end encryption in April.
But the system only stops carriers, security services and cyber criminals spying on data in transit, The Verge noted.
Instead, Mr Zdziarski’s findings deal with how data is stored on an iPhone and in the iCloud.
Because WhatsApp messages are backed up in the cloud without hard encryption, records could later be accessed even if the conversation had been deleted in the app.
Commentators have said the news does not put WhatsApp users in danger, even if it seems to contradict the company’s stance on privacy, and many messaging apps do the same.
Richard Parris, CEO at security firm Intercede, told TOT: ‘In the connected world, we can never be absolutely sure our personal information can’t be read by others.
And while WhatsApp has actually gone to some lengths to protect consumers, there appears to be a hole in the net.
Consumers need to have control over their own content, be it a photo, text, email or video.
The most effective way to do this is by giving users digital rights management for their own content.
‘This requires complex encryption to ensure communications remain private and secure.’
He continued: ‘It really is about time that all consumer application and service providers started to apply the same stringent security they apply to their business data.
‘The cost to do so is marginal and it would provide consumers much greater confidence in the applications and services they use. That surely has to be worth doing.
‘Right now the best advice you can provide to consumers is that whatever they put out there is at risk of being snooped on.’