WhatsApp still isn't as secure as you might think

Facebook's acquisition of WhatsApp in early 2014 raised all sorts of red flags for security and privacy interest groups. Facebook, then and to some extent now, isn't exactly the epitome of those two values. Over time, WhatsApp has tried to assuage fears by implementing features such as end-to-end encryption. Apparently, that may be futile after all. Forensic scientist Jonathan Zdziarski revealed that, while the app does encrypt the messages it stores, it doesn't actually completely delete them and its backups still leave users open to spying or law enforcement.

There are actually two different but related issues here. The first one is more of WhatsApp's responsibility while the second is something Apple might have to look into itself. Like other iOS apps, WhatsApp stores its chats in a database on the phone, encrypted, of course. The problem is that those chats aren't actually getting deleted when you delete them, even with a "Clear All Chats" option. WhatsApp leaves traces of the database on the phone, which can be later harvested and possibly decrypted one way or another. The only way to delete those chats would be to uninstall WhatsApp completely.
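The residue problem described above, as an added illustration that is not from the article or from WhatsApp's own code: it assumes the chat store is a SQLite database (common for iOS apps; the article does not name the engine), writes a constructed message into a throwaway database, deletes it, and checks whether the plaintext is still sitting in the raw file. It also shows the two settings that actually scrub deleted rows, which is the kind of measure the article asks WhatsApp to adopt.

```python
import os
import sqlite3
import tempfile

# Constructed marker text standing in for a chat message; distinctive enough
# that finding it in the raw file bytes means the row content survived deletion.
MARKER = b"CONSTRUCTED-SECRET-MESSAGE-7f3a"


def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Insert one message, delete it, and report whether its plaintext is
    still present in the database file on disk.

    secure_delete=True  -> SQLite overwrites freed cell content with zeros.
    vacuum=True         -> the file is rebuilt from live rows only.
    The default (both False) mirrors the behaviour the article describes:
    the row is unlinked from the table but its bytes stay in the page.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)  # sqlite3 treats an empty existing file as a new database
    try:
        conn = sqlite3.connect(path)
        # Set explicitly: some platform builds default secure_delete to ON.
        conn.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER.decode(),))
        conn.commit()

        # The app-level "delete": the row disappears from every SELECT...
        conn.execute("DELETE FROM messages")
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rewrite the file with only live content
        conn.close()

        # ...but a raw read of the file tells the forensic story.
        with open(path, "rb") as f:
            return MARKER in f.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("plain DELETE leaves plaintext:", residue_after_delete(False))
    print("secure_delete=ON leaves plaintext:", residue_after_delete(True))
    print("DELETE + VACUUM leaves plaintext:", residue_after_delete(False, vacuum=True))
```

A backup of the file taken after the plain DELETE would carry the same residue, which is why clearing chats alone does not protect the iCloud copy.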

The situation is exacerbated when you add backups into the equation. WhatsApp backs up its database to two locations: iCloud and desktop. Desktop backups can be encrypted, but iCloud backups aren't. Worst case scenario, law enforcement can subpoena Apple for the WhatsApp database stored in iCloud and it will be plain as day for them to read. Desktop backups aren't completely safe either, even if encrypted, as they can still be broken with the right tools and some persistence.

Zdziarski says there's no reason to panic or call for a WhatsApp boycott, though some will probably recommend exactly that. He suggests a few tips, like disabling iCloud backups entirely and routinely uninstalling the app and then reinstalling it, just to completely clear out its stored database. He is also calling on WhatsApp to implement measures that prevent misuse of its backups, as other chat apps already do.

SOURCE: Zdziarski