[Busec] WhatsApp default settings vulnerability

Mayank Varia varia at bu.edu
Sat Jan 14 23:26:43 EST 2017


Hi Ran,

Is anyone aware of a study of the level of protection that Whatsapp/Signal
> gives from the OS itself, or from other applications on the phone?
>

Your second question is easier: as far as I know, Signal/WhatsApp relies
upon the OS to protect its own secrets from other applications on the
phone. I would hope that on iPhones they store the secret keys in the iOS
keychain <https://www.apple.com/business/docs/iOS_Security_Guide.pdf> so
that its confidentiality would chain back to the phone's login credentials
and the physical protection of the Secure Enclave, but I don't know for
sure.

As for protection from the OS itself: Ari is right that there isn't much
that Signal can do here, but you've actually opened up a far bigger can of
worms. There's another piece of Signal's threat model that you should know:
they protect data, but they're very clear that they make no attempt to
protect metadata or consumer anonymity.

As a result, Signal for Android relies heavily on Google's cloud messaging
service <https://developers.google.com/cloud-messaging/gcm> to provide a
simple, low-power method to notify your phone when you've received a
message. From a privacy standpoint, this means that Google knows everyone
you're talking to.

Some privacy-conscious people tried to make a Signal clone called
LibreSignal that was compiled without Google services, but Moxie killed the
project. You can read the long discussion between Moxie and the privacy
activists here
<https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165>;
it's about as humorous and disjointed as a Three Stooges sketch, with the
LibreSignal folks rambling about an ideal world with reproducible builds of
a Google-free Signal clone while Moxie beats them over the head with claims
about (1) trademark infringement and (2) their inability to take GPL code
that communicates with a centralized server and modify it while still
trying to communicate with said server.

Rather than reading the forum post, I would instead recommend you read Moxie's
blog post <https://whispersystems.org/blog/the-ecosystem-is-moving/> the
next day about the death of federation. Also, there's a $1055 bounty
<https://www.bountysource.com/issues/35722527-create-proper-pull-request-to-add-libresignal-s-websocket-support-to-ows-signal>
for anyone who submits a pull request to Signal with an alternative method
of message notifications that can be used on Android phones without Google
play services installed... so if you've read this far and you want to
improve the privacy of Signal for Android, go for it!

Mayank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/20170115/bbe3ae3b/attachment.html>


More information about the Busec mailing list