‘Recover deleted chats from WhatsApp’

It is possible to recover deleted WhatsApp chats. This is the conclusion of security researcher Jonathan Zdziarski after sifting through his iPhone. Even after removing the app completely, it is still possible to retrieve chats, for example via iCloud backups.

The text data remains in the SQLite database, a common problem according to Zdziarski. This is because SQLite does not completely flush databases when they are deleted. For example, if a part of the database is deleted by the user, SQLite places this part on a so-called ‘free list’, according to the researcher. This list is not immediately overwritten. This will only happen if the space is needed at a later date. As a result, data often remains, sometimes for months. By throwing away more data, more will end up on the list.

WhatsApp does delete the data, but it does not disappear from the database, Zdziarski explains. This is problematic, as the messages between users are ephemeral, or temporary, but not on the device itself. In addition, the still readable databases are also included in an iCloud backup. These backups are not encrypted, as is the case on the desktop, according to the iOS researcher. In addition, an encrypted backup is also not worth much in combination with a weak password. The backup function to which Zdziarski refers is separate from the iCloud sync function in WhatsApp itself.

Due to these factors, for example, an investigation service can still retrieve the content of deleted messages via the device or via a backup. However, according to the researcher, this is no reason to panic, but he emphasizes that it is important to be aware of this. Users can take action by choosing a long and strong password for iCloud and not storing it in the keychain. Disabling backups or periodically removing the app is also an option.

Zdziarski recommends WhatsApp to characterize the SQLite database so that it is not included in a backup. The company can also use a technique to overwrite data before it is deleted. In addition, an SQLite alternative can offer a solution, for example by using encrypted CoreData. WhatsApp turned on end-to-end encryption for all its users in April.