True Delete

by LINE Engineer on 2015.8.13


Hello, I am H2spice. I work in security development here at LINE.

This post will cover how your data can be leaked if your mobile device is stolen, and what we at LINE are doing to prevent that: a new feature called “True Delete.”

There are many instances where people lose their mobile devices, or leave their devices unattended in places where anyone can access them. Many serious problems may arise if someone else obtains your mobile device and gains access to the information inside. Devices like your smartphone contain information such as call records, messages, contacts, schedules, browsing history, navigational data, photos, memos and so on. Information leaks like this can lead to an invasion of your privacy, or in some cases a breach of confidential company information. There have been reports of thieves stealing mobile devices for this exact purpose. While our mobile devices bring us great convenience, one mistake is enough for them to be used against us.

LINE has various features that protect your privacy, such as Passcode Lock, data encryption, and Hidden Chat, to name a few. Even with these features, however, there is still room for improvement. One limitation is that deleted data can be restored, because of how “deletion” works in software.

Limitations of Deleting Chat Records

There is an increasing number of people who use messaging apps such as LINE to communicate with other people. While most of the data transferred between users is general chitchat, there are instances where a user may need to share credit card information or passwords with a family member, or let their friends know their home address. People who are aware of the risk may delete these sensitive images in hopes of keeping their private information safe. These people may think that their deleted messages are completely deleted and safe from prying eyes, but the truth is somewhat different.

Your information is safe as long as you actually have your mobile device in your possession, but it may not be so safe if you lose your device in places where many people pass by such as a fitness club or a public restroom. Someone may read your messages, use your credit card information, or upload your secrets to the internet by accessing the data that you thought was completely deleted. These things that sound like events from the movies can happen to you as well.

All of this is possible because in some applications, data deleted in the normal way can be restored fairly easily. Security company Avast announced last year that they had bought 20 used smartphones on eBay, restored the data on them, and succeeded in obtaining 40,000 private photos, 750 of which were photos of people in the nude. These findings suggest that private information leaks are not as far-fetched as we may think.

This is where we need to take a closer look at how deleted data can be restored, and what limitations are present when deleting messages. The “delete” function that you use on your personal computers and mobile devices does not actually delete the data right away. While it may look like your data has been deleted, what “delete” does is just mark the space that your “deleted” files used to take up as usable space so that other data can be written over it. In other words, your data is still present and can be restored until it is overwritten with something else.

Common deletion structure

Below is the structure of a commonly seen deletion method. The actual data on the right has its metadata defined on the left. When the data is deleted, the metadata changes from “Allocated” to “Unallocated,” but the actual data is left in place. Until something is written over this unallocated data area, the data remains in a state where it can be restored.

Android and iOS save data such as messages and call records in SQLite databases. Deletion works in a similar way in databases. Deleted data (records) leave pieces of data behind in the database, which makes them even easier to restore than a deleted file. Unless the SQLite database itself is deleted, deleted records will remain in unallocated space until overwritten by new records.

Database structure of remaining deleted data

Remaining deleted data exists in the database in a structure similar to the one below. Data that is active in the database is called a “cell,” and an active cell also has a structure similar to the one below.

A common cell

A cell is divided into the Cell Header, the Data Header, and the Data Area. The Cell Header contains the Record Size and RowID, which are made up of variable-length integers. The Data Header contains information on the type of the data present on the Data Area, while the Data Area contains the actual data. User messages in LINE are stored in the database as you can see below.

Analyzing the binary of the database above, we can see the Cell Header, Data Header, and Data Area. Because this data has not yet been deleted, its Cell Header is still visible, which means the cell is currently allocated.
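The cell layout described above can be read straight out of a database file. The following is an added example, not code from the original post or from LINE: it builds a throwaway database with a hypothetical `chat(msg TEXT)` table holding one constructed message, then decodes the first cell of the table's leaf page into Cell Header, Data Header and Data Area. It assumes the record is small enough to sit on one page without overflow.

```python
import os, sqlite3, struct, tempfile

def read_varint(buf, pos):
    """Decode a SQLite variable-length integer; return (value, next_pos)."""
    value = 0
    for i in range(8):
        value = (value << 7) | (buf[pos + i] & 0x7F)
        if buf[pos + i] < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9   # 9th byte carries 8 bits

def value_size(t):
    """Bytes a value of serial type t occupies in the Data Area."""
    fixed = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8, 8: 0, 9: 0}
    if t in (10, 11):
        raise ValueError("reserved serial type")
    return fixed[t] if t in fixed else (t - 12) // 2   # even = BLOB, odd = TEXT

def parse_leaf_cell(page, offset):
    record_size, pos = read_varint(page, offset)      # Cell Header
    rowid, pos = read_varint(page, pos)
    header_start = pos
    header_size, pos = read_varint(page, pos)         # Data Header
    serial_types = []
    while pos < header_start + header_size:
        t, pos = read_varint(page, pos)
        serial_types.append(t)
    values = []
    for t in serial_types:                            # Data Area
        values.append(bytes(page[pos:pos + value_size(t)]))
        pos += value_size(t)
    return {"record_size": record_size, "rowid": rowid,
            "serial_types": serial_types, "values": values}

def first_cell_of_sample_db(message="hello"):
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE chat (msg TEXT)")       # hypothetical schema
    con.execute("INSERT INTO chat VALUES (?)", (message,))
    con.commit()
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name='chat'").fetchone()[0]
    con.close()
    with open(path, "rb") as f:
        raw = f.read()
    page_size = struct.unpack(">H", raw[16:18])[0]    # from the 100-byte file header
    page = raw[(root - 1) * page_size: root * page_size]
    first_cell = struct.unpack(">H", page[8:10])[0]   # first entry of the cell pointer array
    return parse_leaf_cell(page, first_cell)
```

For the message "hello" the Data Header holds the single serial type 23, which is 13 + 2 × 5, meaning a 5-byte text value.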

Database structure of deleted data

Normally, deleting data (records) in a database leaves the actual data in place and changes only the Cell Header, as in the picture below. The Cell Header of the deleted data will appear as unallocated. When new data (records) are stored afterwards, the database checks the unallocated space and writes the new data into an unallocated area of the appropriate size.

Deleted cell

Looking at the database with SQLite Browser after deleting user messages “hi,” “h e l l o (UTF-8),” and “h i (UTF-8),” they appear to be deleted.

Upon closer observation of the database binary, it can be seen that only the Cell Header has been changed to unallocated while the actual data is left intact.

Deleted records can be restored using this process. With an automated program, it is also possible to extract deleted data in a cleaner form.

Perfect Data Deletion

As we have discussed above, the common method of deletion will leave behind actual data that can be restored. We will be taking a look at some methods that will completely delete data in this section. These methods will ensure that data is actually deleted and prevent anyone from restoring it.

Overwriting

Writes zero bytes or random bytes over the deleted data. The overwritten data becomes extremely difficult to restore.

Encryption

Obfuscates the data with a secure encryption method so that even if someone restores or leaks the data, it cannot be read.

Degaussing

Hard disk drives (HDD) record data using magnetic materials. By exposing these materials to a strong magnetic field and destroying their magnetic flow, it is possible to render any data on the disk completely useless. By observing the disk surface with a microscope after the degaussing process, you can see that the data has been destroyed and no longer resembles what it looked like before.

Physical Destruction

Physically destroying disks by puncturing or crushing them. Commonly used to completely dispose of disks after degaussing them.

Secure Chat Deletion ‘True Delete’

Starting with LINE 5.3.0, a feature called “True Delete” has been added so that your messages can no longer be restored with the methods mentioned above. “True Delete” is enabled by default as we truly believe that your privacy should always be protected.

While the common deletion method seen above would only mark the metadata of deleted data as unused, “True Delete” overwrites your deleted data with zero byte data so that it can no longer be restored [1]. Starting with LINE 5.3.0, deleting any individual message or chat room, or deleting all chat records altogether, makes it impossible for someone to restore them. When you delete your messages now, you are actually deleting them instead of just “deleting” them.

[1] “True Delete” has been developed to be compatible with SQLite. Due to the limitations of SQLite, your deleted data will remain for a brief moment after deletion. However, in a normal use-case scenario your data will, for practical purposes, be completely deleted.
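The difference between the ordinary delete described in the deleted-cell section and a zero-overwriting delete can be observed directly in the database file. This is an added example, not LINE's implementation: it uses SQLite's own `secure_delete` pragma as a stand-in for zero-overwrite, with a hypothetical `chat(msg TEXT)` table and a constructed marker message.

```python
import os, sqlite3, tempfile

MARKER = "constructed-sample: door code 0000"   # constructed test message

def residue_after_delete(zero_overwrite):
    """Delete one message, then report (rows left, marker bytes still in file)."""
    path = os.path.join(tempfile.mkdtemp(), "chat.db")
    con = sqlite3.connect(path)
    # Set explicitly, because some SQLite builds enable secure_delete by default.
    con.execute("PRAGMA secure_delete = " + ("ON" if zero_overwrite else "OFF"))
    con.execute("CREATE TABLE chat (msg TEXT)")          # hypothetical schema
    con.executemany("INSERT INTO chat VALUES (?)",
                    [("keep me",), (MARKER,), ("keep me too",)])
    con.commit()
    con.execute("DELETE FROM chat WHERE msg = ?", (MARKER,))
    con.commit()
    rows_left = con.execute("SELECT count(*) FROM chat").fetchone()[0]
    con.close()
    with open(path, "rb") as f:
        raw = f.read()
    # The application sees the same result either way; only the raw file differs.
    return rows_left, MARKER.encode() in raw

if __name__ == "__main__":
    print("ordinary delete :", residue_after_delete(False))
    print("zero-overwrite  :", residue_after_delete(True))
```

Both calls leave two rows visible to queries; only the ordinary delete leaves the message bytes in the file.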

Conclusion

To ensure user privacy, LINE has added features such as Hidden Chat and Passcode Lock in the past. In our next post, we will learn about the newly added privacy feature called “Letter Sealing.” “Letter Sealing” has been added to LINE 5.3.0, and it uses an advanced encryption method called end-to-end encryption (E2EE).

LINE will continue to keep your data safe and secure, so you can leave the worrying to us.