It has been reported that the latest version of WhatsApp leaves forensic traces of chats, even after they have been deleted. The security researcher who discovered the bug said that the only way to properly delete them is to delete the app entirely. Security experts from Alert Logic, NSFOCUS, ESET and Comparitech.com commented below.
Richard Cassidy, Cyber Security Evangelist at Alert Logic:
Any offenders will be affected if they use certain types of database software to store chat messages. SQLite is affected, given how data is stored and then chat records deleted, which means that traces of specific chats will always remain (albeit broken, but certainly legible in some cases) until overwritten, but unfortunately overwrites can take months in some cases. This is a common issue across how many applications handle purging of data.
To increase preservation of privacy when using WhatsApp or other messaging apps, encryption is always key. But if you really want the chat data to be deleted permanently, then it’ll be a case of deleting the application entirely, removing the database records that could be searched (through app deletion), and restarting again. I suspect we’ll see some tools develop in the near future that can search for these records and remove them correctly, but the onus has to be on the application developers to offer users a specific delete function that will indeed perform this for them, regardless of how much extra time is required; the user should always have the choice or be given the details of the risk.”
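The SQLite behaviour described in the comment above can be reproduced on a scratch database. This is an added example, not part of the original commentary and not WhatsApp's code or schema: it deletes a row and checks whether its bytes are still in the file, first with default-style deletion, then with SQLite's `secure_delete` pragma, then after `VACUUM`. The table name, function name and sample messages are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample message; any distinctive byte string works.
MARKER = b"CONSTRUCTED-SAMPLE-meet-at-the-usual-place"


def remnant_after_delete(secure_delete, vacuum=False):
    """Delete one row and return (live_rows, marker_still_in_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        conn = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default this pragma to ON.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}")
        conn.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [("hello",), (MARKER.decode(),), ("see you later",)])
        conn.commit()

        # Logical delete: the row disappears from every query result.
        conn.execute("DELETE FROM messages WHERE body = ?",
                     (MARKER.decode(),))
        conn.commit()
        live = conn.execute(
            "SELECT COUNT(*) FROM messages").fetchall()[0][0]

        if vacuum:
            # Rebuilds the file from live rows only, dropping free space.
            conn.execute("VACUUM")
        conn.close()

        # Look at the raw bytes, as a forensic tool reading the file would.
        with open(path, "rb") as fh:
            return live, MARKER in fh.read()


if __name__ == "__main__":
    print("plain DELETE:      ", remnant_after_delete(False))
    print("secure_delete = ON:", remnant_after_delete(True))
    print("DELETE then VACUUM:", remnant_after_delete(False, vacuum=True))
```

This checks only the database file itself; copies held in backups or in storage blocks the filesystem has not yet reused are outside what either setting controls.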
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
Mark James, Security Specialist at ESET:
Trying to ascertain a program’s integrity or its ability to do exactly as advertised is, for most of us, no more than reading reviews, speaking to experts and doing as much research as humanly possible before committing and then buying that product. For most software that’s not a big deal, but with tools that offer security or are solely designed to keep your data private you often only get one chance. A program called Signal by Open Whisper Systems supposedly does just that, but as with any program you should do your own research and totally understand what the application is and is not capable of doing.
If WhatsApp is your app of choice then make sure you are aware of its current failings. That’s not to say it’s always going to be the case; most manufacturers are always trying to improve their offerings and work very hard to do things right. Look at the type of messages you’re sending and understand what’s involved to actually be able to see the remnants of these messages. Having the ability to remotely wipe your device if it falls into the wrong hands should be a factor in securing your device.”
Lee Munson, Security Researcher at Comparitech.com:
In practice, however, the problem with full encryption is that it is just a phrase used to describe complex mathematical computations that are extremely hard to crack, thus making the act of decryption too time-consuming and hence too costly.
The thing is, though, computational power is always on the increase so the ability to crack any given type of encryption is only likely to increase with time. For that reason, no-one should ever fall into the trap of believing any system is completely infallible.
The implementation used by WhatsApp is still plenty good enough for the typical consumer, at least in terms of the protection it offers data as it is transmitted from one device to another. Given many apps do not encrypt data in any way whatsoever, I still wholeheartedly recommend WhatsApp for secure and private communications.
Anyone who feels alarmed by the fact that WhatsApp leaves message traces on the sending and receiving devices should ensure that their phones, tablets or other machines are suitably secured themselves.
That means strong passwords and possibly the avoidance of authentication that relies upon biometrics, as in some countries, such as the US, a court can order a suspect to use something they have (a fingerprint, for example) but not give up something they know (a password or passcode).”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.