It has been reported that the latest version of WhatsApp leaves forensic traces of chats, even after they have been deleted. The security researcher who discovered the bug said that the only way to properly delete them is to delete the app entirely. Security experts from Alert Logic, NSFOCUS, ESET and Comparitech.com commented below.
Richard Cassidy, Cyber Security Evangelist at Alert Logic:
“Full preservation of privacy can be obtained for data in transit; that is to say when your messages are sent from your computer/phone to another user, the encryption that they are sent with can provide the highest levels of privacy possible, which is great news if you are worried about your messages being intercepted by a 3rd party. That said, however, it’s the messages that reside on your iPhone or computer that pose the biggest risk to privacy. Leaving the issue of gaining access to your phone/computer through nefarious techniques aside, if you delete conversations, traces are still evident on the disk and with the correct search tools can be recovered. Naturally disk encryption on a computer is a good place to start, so that even if the disk is recovered, getting access to the data will be more of a challenge, if not impossibly difficult and as such will maintain privacy past data usefulness. Unfortunately, less capable solutions exist for handsets.
Any offenders will be affected if they use certain types of database software to store chat messages. SQLite is affected, given how data is stored and then chat records deleted, which means that traces of specific chats will always remain (albeit broken, but certainly legible in some cases) until overwritten, but unfortunately overwrites can take months in some cases. This is a common issue across how many applications handle purging of data.
To increase the preservation of privacy when using WhatsApp or other messaging apps, encryption is always key. But if you really want the chat data to be deleted permanently, then it’ll be a case of deleting the application entirely, removing the database records that could be searched (through app deletion), and restarting again. I suspect we’ll see some tools develop in the near future that can search for these records and remove them correctly, but the onus has to be on the application developers to offer users a specific delete function that will indeed perform this for them, regardless of how much extra time is required; the user should always have the choice or be given the details of the risk.”
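The SQLite behaviour Cassidy describes (deleted rows staying legible in the file until overwritten) can be checked directly. The following is an added example, not code from the article or from WhatsApp: it writes a constructed message into a throwaway SQLite database, deletes the row, and then scans the raw .db file for the text. It also shows the two mitigations available at the database layer, `PRAGMA secure_delete` (SQLite zeroes freed space) and `VACUUM` (the file is rebuilt without its free space). The table name and message text are assumptions made for the demonstration.

```python
"""Added example (not from the article): do deleted SQLite rows remain on disk?"""
import os
import sqlite3
import tempfile

# Constructed sample message body; its distinctive token is what we scan for.
MARKER = b"CONSTRUCTED-CHAT-TEXT-7f3a9c"


def deleted_text_recoverable(secure_delete: bool = False, vacuum: bool = False) -> bool:
    """Insert one message, delete it, then look for its bytes in the raw .db file.

    Returns True if the deleted message body is still present in the file.
    secure_delete: enable PRAGMA secure_delete so SQLite zeroes freed cells.
    vacuum: run VACUUM after the delete so the file is rebuilt from live data only.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "chat.db")  # hypothetical chat store
    try:
        conn = sqlite3.connect(path)
        # Set explicitly so the outcome does not depend on how this SQLite build
        # was compiled (some distributions default secure_delete to ON).
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER.decode(),))
        conn.commit()
        # Delete by key: the ordinary row-delete path, which only unlinks the
        # cell inside the page and (without secure_delete) leaves its bytes behind.
        conn.execute("DELETE FROM messages WHERE id = 1")
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # copies live content into a fresh file
        conn.close()
        # Forensic view: read the file as bytes, ignoring the SQL layer entirely.
        with open(path, "rb") as fh:
            raw = fh.read()
        return MARKER in raw
    finally:
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)


if __name__ == "__main__":
    print("default delete, text still on disk:", deleted_text_recoverable())
    print("secure_delete=ON, text still on disk:", deleted_text_recoverable(secure_delete=True))
    print("after VACUUM, text still on disk:", deleted_text_recoverable(vacuum=True))
```

The scan reads only the main database file; a rollback journal or WAL file, and the filesystem blocks of a journal SQLite has already unlinked, are further places the same bytes can linger, which is why a delete function inside an app needs to address both the database and its journaling, and why device-level disk encryption remains the backstop.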
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“Individuals who use these types of apps must understand that any encryption can be broken. There is no bulletproof encryption, only “stronger encryption”. In addition, there is no such thing as full privacy when using electronic devices. If you want to ensure your communications are completely un-hackable and untraceable, use smoke signals. They dissipate moments after they are sent, and the conversations can never be reconstructed.”
Mark James, Security Specialist at ESET:
“When looking at any process for sending or receiving sensitive information, your number one goal has to be its ability to keep said messages away from prying eyes. What people fail to realise is that there are many avenues and stops to moving data from one location to another; we often focus on the app in front of our nose and forget all the other factors that form its makeup. That’s what we are seeing here. Of course, as with any data route, it’s only as strong as its weakest link, and you have to take this into account if you are indeed going to use WhatsApp or indeed any other messaging app for sending sensitive or private data around to others, both business or personal. Unfortunately these days you have to assume that if it’s on the internet in any way, shape or form then it’s not 100% private.
Trying to ascertain a program’s integrity or its ability to do exactly as advertised is, for most of us, no more than reading reviews, speaking to experts and doing as much research as humanly possible before committing and then buying that product. For most software that’s not a big deal, but with tools that offer security or are solely designed to keep your data private you often only get one chance. A program called Signal by Open Whisper Systems supposedly does just that, but as with any program you should do your own research and totally understand what the application is and is not capable of doing.
If WhatsApp is your app of choice then make sure you are aware of its current failings. That’s not to say it’s always going to be the case; most manufacturers are always trying to improve their offerings and work very hard to do things right. Look at the type of messages you’re sending and understand what’s involved to actually be able to see the remnants of these messages. Having the ability to remotely wipe your device if it falls into the wrong hands should be a factor in securing your device.”
Lee Munson, Security Researcher at Comparitech.com:
“In theory full encryption, whether it relates to messaging apps or any other type of communication, is entirely secure and capable of protecting the privacy of whoever is using it.
In practice, however, the problem with full encryption is that it is just a phrase used to describe complex mathematical computations that are extremely hard to crack, thus making the act of decryption too time-consuming and hence too costly.
The thing is, though, computational power is always on the increase so the ability to crack any given type of encryption is only likely to increase with time. For that reason, no-one should ever fall into the trap of believing any system is completely infallible.
The implementation used by WhatsApp is still plenty good enough for the typical consumer, at least in terms of the protection it offers data as it is transmitted from one device to another. Given many apps do not encrypt data in any way whatsoever, I still wholeheartedly recommend WhatsApp for secure and private communications.
Anyone who feels alarmed by the fact that WhatsApp leaves message traces on the sending and receiving devices should ensure that their phones, tablets or other machines are suitably secured themselves.
That means strong passwords and possibly the avoidance of authentication that relies upon biometrics as in some countries, such as the US, a court can order a suspect to use something they have (a fingerprint, for example) but not give up something they know (a password or passcode).”