Investigating Mobile Messaging Security Elias Hazboun 27/4/2016 - - PowerPoint PPT Presentation

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Investigating Mobile Messaging Security

Elias Hazboun

27/4/2016 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen

• E. Hazboun – Investigating Mobile Messaging Security

1

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Motivation

Introduction Research Question App Selection

Background

Approach Security background Related Work

Analysis and Results

TextSecure Threema WeChat WhatsApp

Conclusion

• E. Hazboun – Investigating Mobile Messaging Security

2

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Introduction

◮ Mobile messaging apps have become very popular. ◮ People are opting to communicate using the Internet

instead of sending messages over regular cellular networks.

◮ Unlike Email and other communication protocols, most

apps are closed systems.

◮ Hinders interoperability [1]. ◮ No transparency in handling users’ data.

◮ Users are still not well informed about the risks of

non-secure digital communication [2].

• E. Hazboun – Investigating Mobile Messaging Security

3

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Research Question

◮ Investigate the security properties of a selection of today’s

most popular mobile messaging apps in terms of:

◮ Encryption & Authentication. ◮ Standardized security protocol usage.

• E. Hazboun – Investigating Mobile Messaging Security

4

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

App Selection

◮ Continuation of work done in this chair [3].

◮ Security in relation to users’ geo-location.

◮ Selection was based on popularity, security measures,

architecture and geographical server distribution.

◮ Tested apps were:

◮ WhatsApp ◮ Threema ◮ WeChat ◮ TextSecure

• E. Hazboun – Investigating Mobile Messaging Security

5

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Approach

◮ Investigating:

◮ Official app documentation ◮ Past research efforts, from scientific community and

hackers.

◮ Could be obsolete by newer updates. ◮ Network traffic analysis. ◮ Capture process done by the previous work using two

communicating smartphones.

◮ 407 capture files per smartphone per app. ◮ Manual and automated script analysis.

• E. Hazboun – Investigating Mobile Messaging Security

6

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Layers of Encryption

• E. Hazboun – Investigating Mobile Messaging Security

7

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Security Concepts

◮ Perfect Forward Secrecy (PFS)

◮ Compromise of long-term keys used to negotiate session

keys, does not compromise the secrecy of past session keys.

◮ Most commonly achieved using ephemeral Diffie-Hellman

(DH) key exchange [4].

◮ Important against an attacker model that can store arbitrary

amount of traffic, like governments.

◮ Transprot Layer Protocol (TLS)

◮ De facto Standard protocol for security between client and

server on the Internet.

• E. Hazboun – Investigating Mobile Messaging Security

8

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Security Concepts

◮ Certificate Pinning

◮ Insertion of public key or certificate of the entity with which

a software should communicate in the source code.

◮ Removes need to trusted third party certificate authorities.

◮ Asynchronous Messaging Security:

◮ Not all parties are guaranteed to be online at the same time

to perform key exchange [5].

◮ Creates a challenge. Protocols like OpenPGP are used but

they lack PFS.

◮ Trusted third parties for key distribution can be used.

• E. Hazboun – Investigating Mobile Messaging Security

9

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Related Work

◮ Interest has been growing in the past few years, especially

in the public eye.

◮ Focus of research include:

◮ Authentication process when registering [6]. ◮ Receiving unsolicited messages. ◮ Phonebook enumeration. ◮ Local security (security of data on smartphone) [7] [8]. ◮ Network traffic based analysis [9] [10].

◮ Results show a trend of negligence of security from

developers, but gets better with app updates.

• E. Hazboun – Investigating Mobile Messaging Security

10

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

TextSecure

◮ Developed by Open Whisper Systems in 2010. ◮ Only app out of four to be open Source. ◮ End-to-end encryption and hardened security in general as

selling feature.

◮ Discontinued and replaced by Signal app and Signal

protocol.

◮ Direct code inspection due to open source nature. ◮ Forsch et al [11] found some peculiarities such as

unknown key-share attack.

◮ Developers acknowledged it.

• E. Hazboun – Investigating Mobile Messaging Security

11

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

◮ End-to-end encryption.

◮ Axolotl ratchet (DH ratchet and key derivation based

ratchet).

◮ Guarantees PFS and backward secrecy. ◮ DH ratchet creates keys used for session keys, which are

then used to seed key derivation based ratchets to create keys to encrypt messages [12].

◮ Transport layer encryption.

◮ TLS with self-signed certificate pinning. (The same in all

captures) [13].

◮ Cipher was ECDHE RSA WITH AES 128 GCM SHA256.

• E. Hazboun – Investigating Mobile Messaging Security

12

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

◮ When an App registers it:

◮ Creates 100 prekeys (signed key exchange messages) [14]. ◮ Sends them to server.

◮ When a user wants to communicate with another:

◮ Sender asks for next valid prekey. ◮ Calculates a shared secret based on it and encrypts

messages with it.

◮ AES is used for symmetric encryption.

◮ Two levels of symmetric encryption are used to protect the

sender’s identity from Google Cloud Messaging server.

• E. Hazboun – Investigating Mobile Messaging Security

13

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Threema

◮ Developed by Threema GmbH, Popular in German

speaking countries.

◮ Promises end-to-end encryption and data hosting on swiss

based servers.

◮ Partly open source, publishes white paper about security

algorithms.

◮ Allowed an external security audit of the app. ◮ Jan Ahrens [15] provided an analysis on Threema protocol. ◮ Dimitrov, Laan and Pineda [16] analysis demonstrated with

high probability that certificate pinning is present.

• E. Hazboun – Investigating Mobile Messaging Security

14

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

◮ Handshake process is similar to what is described in

related work [15].

◮ No standardized protocol use.

◮ Binary protocol implemented using NaCl Library. ◮ Directory service and media transfer protocol use HTTPS.

Cipher suite was in all capture files: ECDHE RSA WITH AES 256 GCM SHA384.

◮ PFS only on transport layer, not end-to-end [17]. ◮ Random padding is used.

◮ Messages with same plaintext size are encrypted into

differently sized ciphertexts.

• E. Hazboun – Investigating Mobile Messaging Security

15

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

Threema End-to-End Encryption [17]

• E. Hazboun – Investigating Mobile Messaging Security

16

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

WeChat

◮ Developed by Tenecent. ◮ One of the largest messaging apps by monthly active

users (over 650 million)

◮ Feature rich app offering lots of additions. ◮ Closed source, but has public API for messaging through

the service.

◮ Roberto Paleari [18] performed network traffic analysis.

◮ It uses a custom protocol similar to HTTPS

• E. Hazboun – Investigating Mobile Messaging Security

17

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

◮ Even DNS queries are peformed over HTTP [3]. ◮ Uses AES for symmetric encryption. ◮ No indication for the existence of end-to-end encryption or

PFS.

◮ Key derivation is suspected to be done using RSA [18].

◮ Could not verify ourselves.

◮ Out of the 4 apps. WeChat is the more obscure and more

secretive in terms of security mechanisms and protocols.

• E. Hazboun – Investigating Mobile Messaging Security

18

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

WhatsApp

◮ Developed by WhatsApp Inc. (bought by Facebook) ◮ Second most popular messaging app in the world (1 billion

users)

◮ Closed source. ◮ Past research found lots of deficiencies [6] [19].

◮ Started as plaintext. Upgraded to weak encryption [20] [21]. ◮ non-secure user registration process.

◮ Funcional clone projects exist [22] [23]. Almost complete

replicas.

• E. Hazboun – Investigating Mobile Messaging Security

19

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

◮ Current state is much improved compared to previous

states since release.

◮ All security is centered around a 20-byte password (pw)

that is generated by the server for each client upon registration [10].

◮ Sent to the app once over TLS connection.

◮ To communicate using the app, a three way handshake is

performed:

◮ Client Hello. ◮ Server hello with challenge data (used as nonce). ◮ Client authentication using pw and challenge data.

• E. Hazboun – Investigating Mobile Messaging Security

20

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Analysis and Results

◮ After the first handshake. Communication with server is

encrypted.

◮ Server also sends new challenge data to be used for future

handshake.

◮ If pw is compromised, past and future traffic might be

decrypted.

◮ There needs to be a traffic capture starting with a plaintext

handshake for the attack to be successful.

◮ pw is dangerous: Known to the server and is sent once

• ver the wire.

◮ No other layer of security exists.

◮ WhatsApp Announced in late 2014 a partnership with

Open Whisper Systems to incorporate Signal protocol in WhatsApp for end-to-end encryption [24].

• E. Hazboun – Investigating Mobile Messaging Security

21

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Results Summary

Analysis Summary TextSecure Threema WeChat WhatsApp Transport Layer Encryption Yes Yes Yes Yes End-to-End Encryption Yes Yes No* Partial PFS Yes Partial No* No Open Source Yes Partial No No Security Primitives Symmetric Encryption Key derivation Integrity protection TextSecure AES Axolotl Ratchet HMAC-SHA2 Threema XSalsa20 ECDH Poly1305-AES WeChat AES RSA*

• WhatsApp

RC4 PBKDF2 HMAC-SHA1

• E. Hazboun – Investigating Mobile Messaging Security

22

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Wide Spectrum of Security State

◮ Two approaches to applying security.

◮ Build your app and then add security features when they

are needed (security as an after-thought)

◮ Start with security level in mind and build your service as

user friendly as possible while maintaining that level.

◮ Open source and public/standard protocols vs closed

source and secret/proprietary protocols.

◮ From best to worst: TextSecure, Threema, WhatsApp,

WeChat.

• E. Hazboun – Investigating Mobile Messaging Security

23

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Questions?

• E. Hazboun – Investigating Mobile Messaging Security

24

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Thank you for your attention

• E. Hazboun – Investigating Mobile Messaging Security

25

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Bibliography I

[1] P . Dashtinejad, Security System for Mobile Messaging Applications. PhD thesis, KTH Royal Institute of Technology, 2016. [2] B. Adida, S. Hohenberger, and R. L. Rivest, Lightweight Encryption for Email. USENIX Association, 2016. [3] Q. Scheitle, M. Wachs, J. Zirngibl, and G. Carle, “Analyzing Locality of Mobile Messaging Traffic using the MATAdOR Framework,” in PAM, 2016. [4] E. Rescorla, “Diffie-Hellman Key Agreement Method,” RFC 2631, RFC Editor, June 1999. http://www.rfc-editor.org/rfc/rfc2631.txt. [5] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith, “SoK: Secure Messaging,” in Security and Privacy (SP), 2015 IEEE Symposium

• n, pp. 232–249, IEEE, 2015.

[6] R. Mueller, S. Schrittwieser, P . Fruehwirt, P . Kieseberg, and E. Weippl, “What’s new with WhatsApp & Co.? Revisiting the Security of Smartphone Messaging Applications,” in Proceedings of the 16th International Conference on Information Integration and Web-based Applications & Services, pp. 142–151, ACM, 2014. [7] C. Anglano, “Forensic Analysis of WhatsApp Messenger on Android Smartphones,” Digital Investigation, vol. 11, no. 3, pp. 201–213, 2014.

• E. Hazboun – Investigating Mobile Messaging Security

26

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Bibliography II

[8] A. Mahajan, M. S. Dahiya, and H. P . Sanghvi, “Forensic Analysis of Instant Messenger Applications on Android Devices,” CoRR, vol. abs/1304.4915, 2013. [9] A. Azfar, K.-K. R. Choo, and L. Liu, “Android Mobile VoIP apps: a Survey and Examination of Their Security and Privacy,” Electronic Commerce Research,

• vol. 16, no. 1, pp. 73–111, 2015.

[10] F. Karpisek, I. Baggili, and F. Breitinger, “WhatsApp Network Forensics: Decrypting and Understanding the WhatsApp Call Signaling Messages,” Digital Investigation, vol. 15, pp. 110–118, 2015. [11] T. Frosch, C. Mainka, C. Bader, F. Bergsma, J. Schwenk, and T. Holz, “How Secure is TextSecure?,” IACR Cryptology ePrint Archive, vol. 2014, p. 904, 2014. [12] M. Marlinspike, “Advanced Cryptographic Ratcheting,” 2013. [13] L. Onwuzurike and E. De Cristofaro, “Danger is my middle name: Experimenting with ssl vulnerabilities in android apps,” in Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec ’15, (New York, NY, USA), pp. 15:1–15:6, ACM, 2015. [14] M. Marlinspike, “Forward Secrecy for Asynchronous Messages,” 2016. [15] J. Ahrens, “Threema Protocol Analysis.” http: //blog.jan-ahrens.eu/files/threema-protocol-analysis.pdf, 2014.

• E. Hazboun – Investigating Mobile Messaging Security

27

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Bibliography III

[16] H. Dimitrov, G. Pineda, and J. Laan, “Threema Security Assessment.” https://www.os3.nl/_media/2013-2014/courses/ssn/projects/ threema_report.pdf, 2013. [17] T. GmbH, “Threema Cryptography Whitepaper,” tech. rep., Threema GmbH, 2015. [18] R. Paleari, “A Look at WeChat Security,” 2013. [19] C. Rottermanner, P . Kieseberg, M. Huber, M. Schmiedecker, and S. Schrittwieser, “Privacy and data protection in smartphone messengers.” https://www.sba-research.org/wp-content/uploads/ publications/paper_drafthp.pdf, 2015. [20] R. Eikenberg, “WhatsApp versendet keinen Klartext mehr,” 2012. [21] F. Balducci, “WhatsApp is Broken, Really Broken,” 2012. [22] “The PHP WhatsApp Library,” 2016. [23] “The Python WhatsApp Library,” 2016. [24] M. Marlinspike, “Open Whisper Systems Partners With WhatsApp to Provide End-to-End Encryption,” 2016.

• E. Hazboun – Investigating Mobile Messaging Security

28