The problem is in the way WhatsApp's SQLite DB deletes data

Jul 29, 2016 14:05 GMT  ·  By

Facebook's WhatsApp messaging client fails to properly delete conversations, allowing attackers or law enforcement a few avenues to recover deleted chats, iOS developer Jonathan Zdziarski has discovered.

The core issue at the heart of this problem is the SQLite database, which WhatsApp and many other more mobile applications use to store data on the phone they are installed.

WhatsApp's SQLite database fails to delete data

Zdziarski has discovered that, when a user deletes a WhatsApp conversation, SQLite's normal mode of operation is to mark the data as deleted and add it to a "free list" of database entries that can be re-written by other information, instead of actually wiping the data from its index.

The developer says that there can be cases where months pass without the data being overwritten with other information. During all this time, the data lingers around on the device and is included as part of the app's database when the user creates backups of their device.

Zdziarski says that if the user backs up their device to an iCloud account, because there is no encryption enforced, the WhatsApp SQLite database gets backed up in clear text, and law enforcement can force Apple to hand over the backup files and implicitly the deleted WhatsApp messages, still present in the database.

There are several ways to recover deleted WhatsApp messages

If the user backs up their device to their own computer, the data is again susceptible to the same process of reverse-engineering and getting the deleted WhatsApp messages.

Apple also allows users to create and save backups to computers protected with encryption. If the backup password (encryption key) is short and simple, the researcher says that there are ways to brute-force the password and break the encryption.

If the user stores this backup password in the Apple Keychain utility, then there are forensics tools that can leak the content of the Keychain and allow access to the WhatsApp SQLite database.

Furthermore, any attacker with access to the user's iOS device can retrieve the SQLite database and recover deleted conversations.

iMessage has the same problem, Signal does not

Zdziarski says that other apps that use SQLite databases to store data on iOS devices are likely affected by the same problem. The researcher says that iMessage suffers from the same issue but highlights that the Signal messaging app does not.

In his blog post, Zdziarski details four ways that app developers and users could mitigate this issue and also recommends four solutions that Facebook could implement to fix WhatsApp's SQLite problem.

"Software authors should be sensitive to forensic trace in their coding. The design choices they make when developing a secure messaging app has critical implications for journalists, political dissenters, those in countries that don’t respect free speech, and many others," Zdziarski says. "A poor design choice could quite realistically result in innocent people - sometimes people crucial to liberty - being imprisoned."