Both the iPhone and Android versions of WhatsApp store all sent and received messages locally and unencrypted on the phone. The Android version even stores the messages on the SD card, allowing other applications to access them.
The messages are stored in a NoSQL database, together with names, contacts and timestamps. The URLs of media files are also saved in this database, but the files cannot be accessed, because it is likely that these links check whether the device is authorized.
It is not yet known whether the clients for BlackBerry and Symbian also store the data in an unencrypted database. Storing messages unencrypted is a serious security risk, especially in the Android version, which stores all the chat data on the SD card and always uses the same URL. It is also possible for hackers to develop an application that steals the chat logs and obtains phone numbers and contacts.
This isn’t possible on the iPhone, since the logs are stored in a directory that can only be accessed by the WhatsApp application. Users who own a jailbroken iPhone can be at risk: an application with root access could steal the messages as well.
So more bad news for WhatsApp: last week it already became clear that it is possible to spoof the SMS verification that is needed when first starting the application, allowing you to read someone else’s messages. This new problem is quite similar to the one in Skype, which also saved data on the SD card. They, however, quickly released an update that solved the problem.