Bridging the Security Divide for Chat Applications

Successful decryption demonstrations show that chat-app designers should improve the ways they protect users’ personal data

A*STAR researchers have successfully recovered decryption keys for two popular chat-apps — WeChat and WhatsApp. With these decryption keys, they could potentially collect users’ personal data and private information.

WeChat is particularly popular in Asia, with more than 700 million users, and uses an open-source library called SQLCipher to encrypt data. By contrast, WhatsApp, owned by Facebook Inc. and with more than one billion active users worldwide, uses an encrypted backup database file usually stored on a device’s SD card.

Vrizlynn Thing, who led the project at the A*STAR Institute for Infocomm Research, explained that many messaging apps use ‘end-to-end’ encryption: only the sender and receiver can read messages, which stay encrypted to any third party. “Now, we’ve confirmed that a technique called information flow analysis can reveal decryption keys for current and future versions of chat-apps, assuming the app design and use of external encryption libraries stay the same,” added her colleague, Zhongmin Dai.

This information flow analysis technique is used in mobile forensics to filter pertinent details from the vast volumes of data flowing within devices. Using this method, Thing’s team was able to pinpoint the decryption keys for both apps, even though the chat-apps used different encryption techniques. The researchers then used this information to simulate the key generation processes, which allowed them to access data from the devices.

Through this project, the team was able to assess the robustness of the chat-apps and suggest a variety of preventative methods.

“Chat-app servers should verify more than one piece of information from an incoming decryption key request before releasing the key,” said Thing. “They should make an association between a device phone number and the user account, for example.” She points out, however, that their experiments were carried out on exploitable devices with escalated privilege. Even so, she urges users to keep their devices and applications updated to protect them from security risks.
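The server-side check recommended above can be sketched as follows. This is an added example, not code from the researchers or from either app: the `release_key` function, the `Binding` record, the sample account and the key derivation are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: a demo server secret and one registered account.
SERVER_SECRET = b"constructed-demo-secret"

@dataclass(frozen=True)
class Binding:
    """Attributes the server recorded together when the account registered."""
    account_id: str
    phone_number: str
    device_id: str

REGISTERED = {
    "alice@example.test": Binding("alice@example.test", "+6500000001", "device-A1"),
}

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so a mismatch does not leak through timing.
    return hmac.compare_digest(a.encode(), b.encode())

def release_key(account_id, phone_number=None, device_id=None):
    """Return the backup key only when every attribute in the request matches
    the binding stored at registration; return None in all other cases."""
    binding = REGISTERED.get(account_id)
    if binding is None or phone_number is None or device_id is None:
        return None  # a single identifier is never enough to release a key
    # Evaluate both comparisons before deciding, so neither is short-circuited.
    checks = [_eq(phone_number, binding.phone_number),
              _eq(device_id, binding.device_id)]
    if not all(checks):
        return None
    # Hypothetical derivation: the key depends on the full binding, so a
    # request replayed with a different phone number or device cannot
    # reproduce it even if the check were bypassed.
    msg = "|".join((binding.account_id, binding.phone_number, binding.device_id))
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).digest()

if __name__ == "__main__":
    print(release_key("alice@example.test"))                         # None
    print(release_key("alice@example.test", "+6500000001", "device-A1").hex())
```

A production service would also authenticate the requester, rate-limit requests and log refusals; those are outside what this sketch shows.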

The A*STAR-affiliated researchers contributing to this research are from the Institute for Infocomm Research.

Source: A*STAR Research