- WhatsApp sends media files directly on the local storage and can’t delete them afterwards.
- This problem concerns iOS devices, as files that go on Android’s Media Gallery do get deleted.
- WhatsApp could at least change the default setting, and avoid storing the media files locally.
Security consultant Shitesh Sachan has discovered that WhatsApp’s “Delete for Everyone” feature doesn’t work on iPhone devices due to a bug in the iOS version of the app. While the sender will still get a “This message has been deleted” on their device, the recipient gets to keep any media that came with the message. This is a serious flaw that undermines the privacy of WhatsApp users, who are mistakenly made to think that the message has been deleted for everyone. To clarify, the “Delete for Everyone” feature is working as expected on the Android version of the chat app.
The problem is on the media files that are sent via WhatsApp, like video and image attachments. These files are dropped onto the iPhone’s memory and are no longer linked with the app’s message string. This means that even if the sender “deletes the media for everyone”, the files remain in the recipient’s device memory, and is not automatically deleted as it happens on Android. The default settings of WhatsApp automate the saving of media on Camera Roll and Media Gallery, but if the user wants to change this setting, they may turn it off.
Sachan first reported the problem with this setting to WhatsApp’s developers, but the company responded with the following, bewildering message:
“The functionality provided via “Delete for Everyone” is intended to delete the message and there is no guarantee that the media (or message) will be permanently deleted—the implementation focuses around the message presence in WhatsApp.”
Weirdly, WhatsApp developers don’t recognize the need for a dedicated local folder where media attachments should be stored. This could create file links to Camera Roll, controlling and managing the media files directly. Instead, they treat this as something that happens entirely outside their app and its region of responsibility. Moreover, WhatsApp mentions that even if they did implement a protective measure, the recipient could always store the media files manually. In addition to this, the recipient could simply screenshot the media and keep it forever.
While this is true, adding an extra step to protect the privacy of its users should be non-negotiable for WhatsApp. Even when there is still a way to go around protection measures, developers should always try and do the best they can. For now, they state that they can’t even guarantee that the existing implementation works right every time, no matter the platform.