Security Flaws in WhatsApp & iMessage
WhatsApp, the popular cross-platform messaging program, may have a security flaw. That security flaw might also be present in Apple’s iMessage feature. This is according to security researcher Jonathan Zdziarski, via a post on his blog Zdziarski’s Blog of Things on July 28th. First, a bit of background. You’ll recall from a few months ago that WhatsApp introduced new encryption protocols for communications sent via the app. The so-called “end-to-end encryption” was implemented in an effort to secure user privacy and ensure that no individuals or groups could access the content of messages other than the parties involved in the private conversations. According to Zdziarkski, these efforts don’t quite pass muster and the latest version of the app still leaves forensic traces of your chats, regardless of you having cleared, deleted or archived messages.
In other words, there is a vulnerability in the app that allows anyone with access to your device the ability to retrieve and restore your messages to their original form, even if you already deleted the messages. It’s an obvious flaw that leaves the chats open to not only law enforcement who may want access to the data but even less savory individuals with nefarious purposes. It potentially means that authorities could compel a company to use this method to retrieve messages that you have deleted, which raises privacy concerns. It also means that all your messages (even cleared messages) would be accessible to a thief who managed to get hold of your phone and crack your pass code. How is this possible? Zdziarski goes on to explain, citing an issue with SQLite as it allows forensic traces since it doesn’t clear databases on iOS.
He states that the same issue is present with Apple’s iMessage and that the data is also backed up to iCloud. On the surface, this revelation may be enough to elicit a knee-jerk panic response, but he makes it clear that the average end user needn’t immediately be driven to a furor. Simply be aware of the vulnerability and be smart is all. Zdziarski also offers tips to users to help protect themselves from this issue, including using long passwords, periodically deleting the app, and disabling iCloud backups. It’s an interesting read and one that raises questions about how much faith users should put in programs that promise to make their data inaccessible to interlopers.