The end-to-end encrypted WhatsApp service is leaving traces of previously deleted chats behind in device storage, making forensic retrieval possible through physical device access or a warrant served on Apple for an iCloud backup.
Security researcher Jonathan Zdziarski has discovered that the only way to truly purge chats made through the communications app, is to delete the app entirely. Zdziarski discovered that even after deletion, only the pointer to the chat on the app's database was removed, leaving the actual chat transcript intact until the OS and the app get around to over-writing the previously used location where the chat was stored.
Retrieval of deleted chats is performed similarly to how assorted undelete apps find accidentally deleted files.
Regardless of how much data has to be written to a block, flash media controllers process an entire block of flash media when it is writing -- even if it only needs to write to part of the block. A write to a completely empty block is faster, because the drive doesn't have to copy the partially-full block to a cache, and make the changes in cache before it completely overwrites the cell.
As a result, modern operating systems prioritize those sectors in the interest of speed. Sectors of a medium previously containing data are written to after any zeroed sectors are available, acerbating the issue with WhatsApp not truly erasing stored chats after user deletion.
Regardless of what's been re-written or retained, "the WhatsApp chat database gets copied over from the iPhone during a backup, which means it will show up in your iCloud backup and in a desktop backup," according to Zdiziarsky. However, iCloud backups do not respect the iTunes setting, and are not encrypted.
While exploitation of the flaw isn't trivial, Zdziarski notes that anyone with physical access to a phone could create a backup with it, if they were granted access. Additionally, anyone with physical access to a computer with a stored backup could copy the backup, made easier by recovering a password for it from the Keychain.
Law enforcement could issue a warrant to Apple to obtain the unencrypted database as well, and feed it to existing forensic tools to obtain the deleted messages that still exist in the media. Furthermore, users can be legally compelled in some locations to submit user credentials in macOS to access stored Keychain passwords, getting at the iTunes backup that way.
Zdziarski also recommends that users periodically delete the application from a device, and reinstall it, which will completely clear the database and all its contents, which "appears to be the only way to flush out deleted records and start fresh."
The security researcher also suggests that the WhatsApp developers shift to Apple's encrypted CoreData routines.
Zdziarski has been delving into iOS security since the launch of the iPhone. He discussed in March 2016 how the FBI could retrieve data from the San Bernardino shooter's iPhone 5c. Additionally, he was the initial discoverer of a large amount of services being unencrypted on the second iOS 10 beta, after discovery of the system's kernel cache not being encrypted.