Popular online messaging service WhatsApp has made all sorts of security news in recent years.
One of WhatsApp’s early cryptographic SNAFUs involved using non-secret information to construct secret encryption keys, which is a bit like using your pet’s name as a login password.
The company went on to make two-time use of a one-time pad, a no-no in cryptographic circles. (It isn’t called a one-time pad for nothing.)
WhatsApp CEO Jan Koum subsequently asserted that “[r]espect for your privacy is coded into our DNA” little more than a year after the company was censured by Canadian and Dutch privacy authorities for violating privacy rules in both countries.
And the app went through a period of blurting out your location to eavesdroppers by communicating with Google Maps via unencrypted HTTP rather than using encrypted-and-authenticated HTTPS.
The company was bought by Facebook in early 2014, at which point we wondered whether that would make things better or worse.
Technically, at least, the acquisition seems to have done no harm, with WhatsApp now providing end-to-end encryption in a privacy-centred way, where WhatsApp itself never holds the cryptographic secrets that it would need to snoop on your messages as they pass through its service.
So much for what’s often called “encryption in transit” or “encryption in motion.”
Encryption at rest
But what about “encryption at rest”?
If crooks (or suitably warranted-up law enforcement officials) got hold of your laptop, or your phone, or your iCloud backups, would they find blobs of digital shredded cabbage?
Or would some or all of your long-sent and theoretically-deleted messages hang around where they could be recovered?
Well-known and respected iOS security researcher Jonathan Zdziarski decided to take a look at the iOS flavour of WhatsApp, and he found that WhatsApp’s delete function didn’t quite.
The iOS app stores its messages in a database that uses the popular and widespread SQLite toolkit.
SQLite promises to keep your data safe and consistent: what’s known in the trade as ACID, short for Atomic, Consistent, Isolated, and Durable.
Even if the battery runs out at the wrong moment, or the app crashes half-way through, the database will still be in a stable and sensible condition.
But SQLite doesn’t offer, or claim, to encrypt your data at rest; that aspect of security can be provided by an additional cryptographic layer, thus avoiding the additional complexity that would arise if SQLite also had to be an encryption tool, or the encryption tool also had to be an ACID database engine.
In other words, when you delete messages from the WhatsApp database, SQLite marks the records so they can be re-used later, but until the database fills back up again (which could take a long time if you delete lots of messages at once), the raw bits-and-bytes of the old data will remain behind.
A forensics expert like Zdziarski might well be able to recover it, especially if you have synced your phone to your laptop without encrypting it, or backed it up to iCloud, where it won’t be encrypted:
The WhatsApp chat database gets copied over from the iPhone during a backup, which means it will show up in your iCloud backup and in a desktop backup.
Fortunately, desktop backups can be encrypted by enabling the “Encrypt Backups” option in iTunes. Unfortunately, iCloud backups do not honor this encryption, leaving your WhatsApp database subject to law enforcement warrants.
This isn’t the end of the world, of course: it’s still not easy for crooks to grab your WhatsApp messages, and even after a heap of work they might get no more than a few fragments of uninteresting stuff.
But it’s a reminder to programmers everywhere that end-to-end encryption doesn’t just mean “each end of a network connection.”
It includes the physical device at each end, too.
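The SQLite behaviour described above can be checked directly. The following is an added example, not code from the original article or from WhatsApp; the table layout and messages are constructed for illustration. It goes slightly beyond the article by also showing two standard SQLite features, `PRAGMA secure_delete` and `VACUUM`, that remove the leftover bytes.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; the table layout is hypothetical, not WhatsApp's schema.
MARKER = "meet me at the old pier at nine"
MESSAGES = ["running late, sorry", MARKER, "see you tomorrow"]


def deleted_text_survives(mode):
    """Delete the MARKER row, then report whether its bytes are still in the file.

    mode: "default"       -> secure_delete OFF (stock SQLite behaviour)
          "secure_delete" -> freed cells are overwritten with zeros
          "vacuum"        -> secure_delete OFF, then the file is rebuilt
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.sqlite")
        # isolation_level=None gives autocommit, so VACUUM never runs inside a transaction.
        conn = sqlite3.connect(path, isolation_level=None)
        try:
            # Set explicitly: some builds compile with SQLITE_SECURE_DELETE enabled.
            setting = "ON" if mode == "secure_delete" else "OFF"
            conn.execute(f"PRAGMA secure_delete = {setting}")
            conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
            conn.executemany("INSERT INTO messages (body) VALUES (?)",
                             [(m,) for m in MESSAGES])
            conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
            if mode == "vacuum":
                conn.execute("VACUUM")
            # As far as any SQL query can tell, the row is gone in every mode.
            live = [row[0] for row in conn.execute("SELECT body FROM messages")]
            assert MARKER not in live
        finally:
            conn.close()
        # Look at the raw file the way a backup or a forensic tool would see it.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    for mode in ("default", "secure_delete", "vacuum"):
        print(f"{mode:14} deleted text still in file: {deleted_text_survives(mode)}")
```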
What to do?
Zdziarski has a range of handy hints for iOS data security in general, which we encourage you to look at.
Suggestions include:
- Remove and reinstall the app from time to time so a blank database is re-created.
- Back up locally via iTunes and encrypt the backup, but don’t replicate your data to iCloud.
As always, this is a reminder that security is a journey, not a destination.
Mikkles
So where’s the vulnerability here? Isn’t this the basic fundamentals of properly working backups?
Paul Ducklin
The vulnerability, such as it is, is the irony of going to loads of trouble to secure a message against recovery by a third party, but leaving it behind after it’s supposedly deleted for good.