Sunday, February 21, 2021

Are Messaging Apps Really Private? I Doubt It. Here's Why

I used to believe that WhatsApp, Signal and Telegram offered "private" messaging, particularly end-to-end encryption. I no longer believe that, in spite of what they all say. With all the recent flurry of controversy surrounding WhatsApp, I installed Signal and took another look at Telegram. I belong to a number of WhatsApp groups, and a few Telegram groups. Each WhatsApp chat states:
"Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them. Tap to learn more."
I used to take this at face value, but I don't believe it any more.
The first problem is what do they mean by end-to-end encryption? One would assume that each phone would create a direct link to the other phone, similar to the way Skype used to work. But that isn't the case. You can send a message to someone whose phone is switched off. The message can wait for days, if not weeks, before the other phone is switched on and the message is delivered. So the encrypted message is queued somewhere, presumably on the messaging app's servers, because the receiving party can receive the message even if the sending party's phone is off.
The second problem is the message backups. WhatsApp does a regular backup to my Google Drive, and they don't claim that it is encrypted. Nor do they claim that the messages sitting on my phone are encrypted. Confiscate my phone or log in to my Google Drive, and you get a pretty good idea what I have been reading and writing. Signal can make encrypted backups to my phone, and I have to copy that backup off the phone to make sure I don't lose all that data if the phone goes up in smoke or gets confiscated. Telegram automatically backs up all my messages to its "cloud servers", whatever that means. These are not encrypted. "Secret chats" are encrypted and not backed up.
The most obvious problem is this: each of these apps has a version you can run on your PC. So how does the PC get to display all the chats in plain, unencrypted text? No obvious information passes from the phone to the PC. If the phone stores a private key, the PC never asks for it. That means that either the server keeps a copy and passes it to the PC, or there is no private key on the phone. Therefore the server has the means to read the stored messages.
WhatsApp displays a barcode on the PC screen that the phone needs to read when you visit No information is passed from the phone to the PC. It all comes from the server. I have confirmed this by watching the traffic leaving my phone after connecting using WhatsApp Web. On the PC I navigated to a group that posts a picture price list every day, and was able to go back to October 2020, when the group first started. Every picture that I had opened on the phone was available on the PC, without the phone uploading the data when I requested it on the PC. It complained if I put the phone into flight mode, but the PC was able to read the messages anyway and the data was transferred from the phone's unencrypted store to the WhatsApp Web server. Hopefully it was sent using https, but WhatsApp doesn't say.
Telegram and Signal both send a confirmation message to the phone when you set up the desktop app. But nothing appears to go in the other direction. They don't complain if the phone is in flight mode. So when any of these apps talk about "end-to-end" encryption they don't mean that your phone (or PC) is one end and the person you are talking to is the other end. Nope. The other end is their server.
The implications of this are serious: your chat is "secure" in the way your internet banking is "secure": it uses https between your PC and its servers. Anyone trying to intercept the traffic between the user and the server is going to have a hard time decrypting it. For practical purposes we will say it's impossible. Even for the NSA and other (Big Brother) nation state agencies. It's encrypted, but it isn't private. Big difference.
If the government wants to read my messages, all it needs to do is get a court order and instruct WhatsApp/Signal/Telegram to enable their PC application for my phone number, without sending the confirmation message or barcode to my phone. Presumably this would be in read-only mode so they don't give the game away by typing in something by mistake, or showing that the message has been received and read when I haven't done that yet. But there is nothing on my phone that they need to read my messages. If there was, the PC app would need it too. It doesn't. So either the servers have a copy of my private key, or they don't need a copy because they don't use public-private key pairs.
Whatever the reason, it's not private, even if it is encrypted. Leave a comment if you think I missed something obvious.

Update 25th February 2021: From the WhatsApp white paper:
Defining End-to-End Encryption
WhatsApp defines end-to-end encryption as communications that remain encrypted from a device controlled by the sender to one controlled by the recipient, where no third parties, not even WhatsApp or our parent company Facebook, can access the content in between. A third party in this context means any organization that is not the sender or recipient user directly participating in the conversation.
From their "privacy page":
End-to-end encryption
Conversations in end-to-end encrypted chats are clearly labeled with a gold message; these messages and calls stay between you, and no one else can read or listen to its content, not even WhatsApp.
Messages are stored on your device
Your messages belong to you. That's why your messages are stored on your phone, and we don't share them with advertisers.
The messages are not only stored on my device: they can be displayed on a PC. They are backed up to Google Drive. If "and no one else can read or listen to its content, not even WhatsApp" then how does display my decrypted content when I ask it to? My phone didn't suddenly become a web server. Did it decrypt the content and then send it unencrypted to their web server? Did it send my private key to their server so it could decrypt my content from its backup copy and display it? They don't say.
From the Whitepaper:
Client Registration
At registration time, a WhatsApp client transmits its public Identity Key, public Signed Pre Key (with its signature), and a batch of public One-Time Pre Keys to the server. The WhatsApp server stores these public keys associated with the user’s identifier.
Great. Public keys are supposed to be public. But in order to decrypt my messages you either need my private key or the private key of the recipient. Which one does their web server or PC app use? They don't say.
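
The registration step quoted from the whitepaper, together with the offline queuing described earlier in the post, can be modelled as follows. This is an added sketch, not code from the post or from WhatsApp: it assumes a single public pre-key per user, a toy Diffie-Hellman group and a hash-based cipher in place of the real primitives, and the names `Server`, `send` and `receive` are hypothetical. It does not model backups or linked desktop clients.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group: an assumption for illustration, far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_keys(shared):
    """Split the DH secret into separate encryption and MAC keys."""
    raw = shared.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def keystream_xor(key, data):
    """Hash-counter stream cipher (illustrative stand-in for a real AEAD)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Server:
    """Relay that only ever holds public pre-keys and queued ciphertext."""
    def __init__(self):
        self.prekeys, self.queue = {}, {}
    def register(self, user, public_prekey):
        self.prekeys[user] = public_prekey
    def enqueue(self, user, envelope):
        self.queue.setdefault(user, []).append(envelope)
    def deliver(self, user):
        return self.queue.pop(user, [])

def send(server, recipient, plaintext):
    """Sender encrypts to the recipient's stored public key; recipient may be offline."""
    eph_priv, eph_pub = keypair()
    enc, mac = derive_keys(pow(server.prekeys[recipient], eph_priv, P))
    ct = keystream_xor(enc, plaintext)
    server.enqueue(recipient, (eph_pub, ct, hmac.new(mac, ct, hashlib.sha256).digest()))

def receive(server, user, priv):
    """Recipient comes online, drains the queue, and decrypts with its private key."""
    messages = []
    for eph_pub, ct, tag in server.deliver(user):
        enc, mac = derive_keys(pow(eph_pub, priv, P))
        if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed: wrong key or modified ciphertext")
        messages.append(keystream_xor(enc, ct))
    return messages
```
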

Update 26th February 2021: I did some more careful measurements with WhatsApp Web. There is a discussion group I am part of that has 34MB of picture and file data, according to the app. During the time I displayed most of these images, after having cleared my browser cache, my mobile data usage went from 665.31MB to 671.56MB, a difference of 6.25MB. So presumably this data was sent by the phone app to the WhatsApp Web server, so it could be displayed in my browser. So I have deleted some of my original statements in the light of the new evidence.
