Encrypted messaging platform WhatsApp recently added the ability to delete sent messages, but the team at Android Jefe (article is in Spanish) has discovered that they don't quite disappear completely.
A deleted text still exists on the recipient's device in the form of a notification, Android Jefe found, and with the proper software it can be read hours later.
As an individual bug it might not sound too concerning, but the Android notification log doesn't exist in a vacuum. If an Android device has already been compromised by malware, the notification log could be a way for anyone to read WhatsApp messages, deleted or not, and that's a huge security problem for an app that prides itself on being private and secure.
Android notifications and you
Every time a notification comes to an Android device it gets stored in a log that records everything from that Android session (it clears on reboot). If you can access the notification log you can see a list of every single notification you've received since your phone has been on, regardless of how private that notification may be.
The bulk of the data contained in the notification log is technical information designed for devs, but the text visible in the notification, in this case the first 100 characters of a WhatsApp message, is recorded as well.
If a user deletes a WhatsApp message they may assume the recipient won't get it, and they very well may not if they don't know how to access the notification log. Android know-how changes the situation, though: It's all stored and available for as long as that device is on.
The notification log can be accessed in one of two ways: In a stock install of Android (as well as some third-party launchers) you can create a homescreen widget that links to it (described in the Android Jefe article linked above), or you can download a notification history app, which may invite someone to hijack your records. All in all, it's pretty easy to access the notification log despite how invisible it is to the average user.
WhatsApp encryption: Is it really protecting you?
One of the reasons people use WhatsApp is that it's touted as a secure alternative to texting and MMS. During message transmission that may be the case, but sensitive notifications stored in a log make this an issue of endpoint security.
Most notification log apps extract the log itself into a text file or database. If a legitimate app can do that it's definitely possible for a malicious app to do so.
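For readers who want to check which apps on a device are in a position to do that, here is an added example (not from Android Jefe or WhatsApp) that audits notification access. It assumes notification history apps read notifications through Android's user-granted notification access, which the system records in the secure setting `enabled_notification_listeners`; the allowlist and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Audit which packages hold Android notification access.
# On a connected device the input comes from:
#   adb shell settings get secure enabled_notification_listeners
# which prints colon-separated "package/component" entries, or "null" if unset.

# Packages the owner expects to have notification access (constructed allowlist).
ALLOWLIST="com.example.wearcompanion"

# list_listener_packages "<setting value>" -> unique package names, one per line
list_listener_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        # Skip empty fields and the literal "null" printed for an unset setting.
        [ -n "$entry" ] && [ "$entry" != "null" ] || continue
        # Keep only the package part of "package/component".
        printf '%s\n' "${entry%%/*}"
    done | sort -u
}

# unexpected_listeners "<setting value>" -> packages that are not on ALLOWLIST
unexpected_listeners() {
    list_listener_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                   # expected, stay quiet
            *) printf '%s\n' "$pkg" ;;       # not expected, report it
        esac
    done
}

# Constructed sample value: one expected app, one history app with two listeners.
SAMPLE='com.example.wearcompanion/com.example.wearcompanion.NotifService:com.example.notifhistory/.LogListener:com.example.notifhistory/.Backup'

# Set AUDIT_LIVE=1 to query a device over adb instead of using the sample.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    value=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
else
    value=$SAMPLE
fi

unexpected_listeners "$value"
```

Any package the script prints can read the text of incoming notifications; access can be revoked under the device's notification access settings.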
So what can Android users do to protect themselves in this case? Short of disabling WhatsApp notifications, not much. The only other alternative is to reboot your device every time you receive a WhatsApp message that needs to stay private.
A proactively protected device in the hands of a smart user shouldn't be a concern. Make sure you have an Android antivirus app installed, be sure to use biometric security to restrict access, and follow these basic tips for good Android hygiene.
I reached out to WhatsApp for a response to this issue, and all they said was that the message deletion option doesn't delete notifications. A request for clarification or elaboration on the security concerns this may give users went unanswered as of this writing.
The top three takeaways for TechRepublic readers:
- Android blog Android Jefe found out that WhatsApp's message delete feature is leaving notifications behind that can be read in the notification log. This goes for undeleted messages as well.
- The notification log contains a running tally of all notifications received during an Android session, starting at power up. The log is accessible by third-party applications, which raises security concerns due to the potentially sensitive nature of WhatsApp messages.
- Any Android device with a malware infection could be rigged to transmit notifications, so practice good Android security to ensure your private messages stay private.