The mess in mobile instant messengers - IT-SECX · 2016-11-07 · Instant Messaging In use for 20...

Date post: 09-Apr-2020
The "mess" in mobile instant messengers Markus Vogl
Transcript
Page 1: The mess in mobile instant messengers - IT-SECX · 2016-11-07 · Instant Messaging In use for 20 years New hype with social media Rapidly changing, updates since late Sept.: –

The "mess" in mobile instant messengers
Markus Vogl

Page 2

Whoami

● Network & Security master student @ JKU
  – Not: Lawyer, cryptographer, sponsored
● Bachelor thesis “Evaluation of the IM Landscape”: öä.eu/bac.pdf
  – Overview table: öä.eu/bac.html
● Email: [email protected]
  – PGP: 6C48 29CD 43A3 7606 0FB2 5343 1F95 14F6 5C11 7E62
● Questions:
  – +43 681 81 723 115
  – Wire, Signal, WA; LIFO

Page 3

Instant Messaging

● In use for 20 years
● New hype with social media
● Rapidly changing, updates since late Sept.:
  – Facebook got E2EE + self-destroying messages
  – Facebook Lite
  – WhatsApp got video chat
  – Signal and Wire got self-destroying messages
  – Google Allo updated to 2.0, key-change notification

Page 4

Page 5

History

● 2000: Early messengers: ICQ, MSN, Skype
● 2005: Rise of social networks
● 2011: NSA leaks by Manning
● 2013: Snowden leaks, Merkelphone affair
● 2014: WhatsApp sold: $19B
● 2014: “We kill people based on metadata”
  – General Hayden, Director of NSA & CIA, 2014

Page 6

Security 101

● Basic IM/crypto knowledge assumed
● Information security:
  – Confidentiality: encryption
  – Integrity: signatures
  – Availability: proxy, DoS prevention
  – Non-repudiation | plausible deniability
● Pseudonymity: N-anonymity, Tor
● PFS (Perfect Forward Secrecy)
  – Session keys, not the long-term key
● E2EE (End-to-End Encryption)

Page 7

Data in IM

● Transferred messages
● Presence and status data: logging
● Message history: separately stored
  – Conflicts with E2EE / PFS, often in the cloud
● Login and profile data
● Contact lists

Page 8

Metadata in IM

● Unintentionally/unavoidably produced
● Low level: IPs, port, packet size
● Received / read / now-typing notifications
● Server connection times
● Multimedia metadata
● Text/language metadata: keystroke dynamics, spelling mistakes

Page 9

Metadata protection

● Protection:
  – XPrivacy (Xposed module)
  – AppOps (<4.3)
  – Privacy Guard (Cyanogen)
  – Permission Manager (>5)
● Don’t link accounts
● Disable IM features like location
● Sleeping, turning off, killing
● Tor, proxy, GNUnet, I2P

Page 10

Attackers and attacks

● Alice: Bad user configuration/defaults
  – Telegram: No default encryption
● Bob: Conversation partner leaks
  – Snapchat save module, photo of screen
● Cain: Physical attacker
  – Theft, borrowing, shoulder surfing, ADB backup over OTG-USB
● Developer, vendor:
  – Closed source, auto-update, backdoors, shipped software, third-party apps

Page 11

Attackers and attacks

● Eavesdropper: Classic MITM with technical vulnerabilities
  – ARP/DHCP/DNS spoofing, TLS exploits, GSM
● Future: Exponential growth(?), unknown algorithms, quantum computing
● Government: Block specific services
  – Chinese firewall, Twitter during protests
● Host: Cloud hosting, ISPs
  – Legal and technical access

Page 12

Risks and mitigation

● Weak number verification and login
  – Guess 4/6-digit code, MITM link
  – OAuth/OpenID, multimodal login, biometrics
● Mobile network
  – SS7 backbone network, GSM issues, LTE
● Chat history
  – Self-destroying, do not save to cloud
● Presence and contact lists
  – DP5: Dagstuhl privacy-preserving presence protocol
  – Local storage or decentralized

Page 13

Analyzed messengers and protocols

● Order: open to closed; big to small userbase
  – Open protocol and open source
    ● XMPP, Telegram, Signal/Wire, Ricochet, Ring/Tox
  – Open protocol and closed source
    ● FB Messenger, WhatsApp, Snapchat, Threema
  – Closed protocol and closed source
    ● Skype, iMessage, Google *, Viber, Wickr
  – “Honorable” mentions

Page 14

Open source / Open protocol

Page 15

XMPP: eXtensible Message & Presence Protocol

● Mobile clients: ChatSecure, Conversations
● Federated: Host your own server, like email
● Mess #1: 10 RFCs: 3920-3923, 4622, 4854, 5122, 6120-6122; 669 pages
● Mess #2: 380 XEPs (XMPP Extension Protocols), fragmentation, incompatibility
  – PGP, OTR, OMEMO (multi-device OTR), no E2EE for MUC (group chat)
  – Multiple for mobile optimizations
  – Multiple for live audio/video and file sharing
● Bare XMPP has minimal features and only TLS
  – Security is not a “feature” you tack on

Page 16

Telegram

● Bound to phone number
● Mess #1: Insecure by default
● Mess #2: No encrypted group chats
● Mess #3: Weird self-made MTProto
  – No TLS/HTTPS, no Axolotl
  – “Cert-pin” by hardcoded RSA signature key
  – Documentation != Implementation
  – Paper (2015) showed minor integrity flaws
  – Separate long-term key per partner

Page 17

Signal / Wire

● Axolotl/TextSecure/Signal protocol:
  – First half of a DH-like key exchange (prekey for OTR) stored on the server, PGP-like signed → PGP-like fingerprints
  – Allows OTR with offline messages
● Signal / Signal protocol:
  – Phone number, multiparty chat, 1:1 voice…
  – Legally: USA, Hosted: Amazon AWS, using GCM
  – Open source servers
● Wire / Proteus protocol:
  – Phone number and/or email + password
  – Multiparty voice, 1:1 video, multimedia features
  – Legally in CH, hosted in CH / EU, closed servers
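The asynchronous prekey exchange the slide describes, as an added example in Go that is not from the talk nor from Signal or Wire: the recipient publishes a signed X25519 prekey while online, the sender verifies the identity-key signature and completes the DH while the recipient is offline, and both users compare an identity-key fingerprint out of band. It assumes a single DH and a SHA-256 KDF in place of the real protocol's several DHs and HKDF; all type and function names are hypothetical.

```go
package main
import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Bundle is what the recipient uploads while still online: the DH public half, signed
// by the identity key so the server cannot swap in its own (constructed simplification).
type Bundle struct {
	IdentityPub ed25519.PublicKey
	PrekeyPub   []byte // X25519 public key
	PrekeySig   []byte
}
// Publish creates identity key and prekey; both private keys stay on the device.
func Publish() (ed25519.PrivateKey, *ecdh.PrivateKey, Bundle) {
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	pre, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub := pre.PublicKey().Bytes()
	return idPriv, pre, Bundle{idPub, pub, ed25519.Sign(idPriv, pub)}
}
// Fingerprint is the PGP-like value both users compare out of band (first 64 bits).
func Fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))[:16]
}
// Respond is the recipient's side once back online: stored prekey plus the sender's
// ephemeral public key yield the session key (toy KDF: SHA-256; real: HKDF over several DHs).
func Respond(pre *ecdh.PrivateKey, ephPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := pre.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}
// Initiate is the sender's side while the recipient is offline: verify the signature,
// then finish the DH with a fresh ephemeral key; its public half travels with message 1.
func Initiate(b Bundle) (ephPub, key []byte, err error) {
	if !ed25519.Verify(b.IdentityPub, b.PrekeyPub, b.PrekeySig) {
		return nil, nil, fmt.Errorf("prekey not signed by identity key")
	}
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	key, err = Respond(eph, b.PrekeyPub) // DH is symmetric, same computation
	return eph.PublicKey().Bytes(), key, err
}
```

The signature check is what stops the server (or anyone who can write to it) from handing the sender a prekey of its own; the fingerprint comparison is what stops a substituted identity key.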

Page 18

Tox / Ring

● Decentralized protocol
  – Every client is a server with an ID
  – Blocking impossible, monitoring hard
  – Storing data in a Distributed Hash Table
● Difference: Cryptographic primitives
● Full multimedia capabilities
● Mess #1: No offline capabilities
● Mess #2: Bad mobile capabilities
● Mess #3: Account files lost – account lost

Page 19

Ricochet

● Using Tor hidden services as username
● Nearly impossible to monitor
● Same flaws as Tox/Ring
● Only PC client
● Only 1:1 chat, no multimedia, no voice

Page 20

Closed source / Open protocol

Page 21

FB Messenger

● MQTT (Message Queuing Telemetry Transport)
  – Designed for machine-to-machine / IoT
  – Energy saving, modern, binary
  – Publish-subscribe based
● Bound to Facebook account
● Most features of all IMs
● Mess #1: Insecure by default
● Mess #2: New feature: Optional Signal E2EE
  – Unaudited
  – Only 1:1 text with the app

Page 22

WhatsApp

● Worldwide most used pure IM
● Since 2016: Signal encrypted
● Basically a closed source Signal
  – Also using GCM
  – Hosted and owned by Facebook
● Mess: Backs up all conversations to iCloud / Google Cloud by default

Page 23

Snapchat

● Over 100 million users
● Focus: Spontaneous sharing
  – Deletes history on app close
● Early adopter of self-destroying messages:
  – Notifies the other side if a screenshot is taken
  – Mess #1: Client-side feature: Can be disabled with the Xposed module SnapPrefs
● Mess #2: Reverse engineered protocol:
  – Not E2EE
  – Using a REST API over HTTPS
  – Showed various horrible flaws

Page 24

Threema

● Mess #1: 3.5 million users
● Mess #2: Costs money (~3€)
● Audited, well-documented E2EE protocol
● Also uploads backups to Google Cloud
  – Encrypts with a password
● Bound to an 8-character alphanumeric ID
  – Also adds by phone number
● No live video, no self-destroying messages
● Hosted and legally in CH

Page 25

Closed source / Closed protocol

Mess #1: Unknown code ...
Mess #2: … sending unknown data ...
Mess #3: … to USA-based companies …
Mess #4: … monetizing your data

Page 26

Skype

● 300 million users
● Internally using Windows Live Protocol
● Early adopter of live audio/video
● Mess #1: No E2EE
● Mess #2: Involved in PRISM

Page 27

iMessage

● Shipped with Apple devices
● Self-made E2EE crypto like Telegram
  – Mess #1: Undocumented
● Mess #2: Limited to Apple devices

Page 28

Google Allo

● Previous attempts:
  – Google Plus Chat
  – Google Talk (XMPP based!)
  – Google Hangouts (partially replaced by Duo)
● Mess #1: Just optional E2EE
  – Undocumented
  – Unaudited
● Can talk to Google Assistant chatbot
● Based on phone number

Page 29

Viber

● Claims to have 700M registered users
● Same concept as Skype
● Based on phone number
● Self-made weird closed E2EE protocol
● Mess #1: Key not verifiable
● Mess #2: Previously analyzed users' calls

Page 30

Blackberry Messenger

● Early adopter of secure mobile IM in 2005
● Previously only for Blackberry devices
● Mess #1: No special features or E2EE
● Mess #2: Shared data with the Canadian Mounted Police

Page 31

Wickr

● Basically free Threema
● Mess #1: Closed protocol
● Mess #2: Based in USA
● Early adopter of self-destroying messages
● Featured in Mr. Robot
● At least better than Snapchat

Page 32

Honorable Mentions

● Franz:
  – Desktop-based multimessenger
  – Using web interfaces → basically a browser
  – Made in Austria
● Slack and Slack clones:
  – Focus on cooperative working
  – Basically IRC with a web interface
  – Some allow self-hosting, nearly all HTTPS

Page 33

“Honorable” Mentions

● Various locally popular messengers like Line, WeChat, Tencent QQ, KIK, RenRen, KakaoTalk with 200M-800M users
  – No or bad E2EE, often not even TLS/HTTPS
  – Closed source, closed protocol
  – Used because others are blocked
  – Mostly comparable to Facebook Messenger

Page 34

User requirements

● Ease of use → Number-based tools
● Pseudonymity → Account/mail-based tools
● Sharing private information → E2EE, self-destroying messages, use your brain
● Trust in software → Open software
● Best privacy, whistleblowing, censorship → Tor, decentralized, PGP, basic infosec
● Company guidelines → Self-hosted or E2EE

Page 35

Summary

● Huge improvement in the last years
  – HTTPS by default, mostly cert-pinned
  – Big players have verifiable E2EE
● Horrible solutions are still in use
● Good solutions are far from perfect
● Best solution depends on requirements
● Try out Signal, Wire, Tox and Ricochet!
● Thesis/table: öä.eu/bac.pdf | bac.html
