ESET’s Michael Aguilar takes a deep dive into SMS/messaging clients, security, and privacy.
My mother text me the other day about cycling and performance components. No one other than myself really wants to read that. Looking at the multitude of different types of SMS users out there, however, there is a very high probability that there is someone who wants to read or gain access to another user’s SMS messages. What kind of SMS client is their target using? Is the target taking precautions to protect their data? Does the target even know what data is stored on their device and how easily it can be accessed?
These are things that a possible attacker might mentally filter through when attacking a mobile device. I use Android phones and have been for some time (briefly using an iPhone in 2012). As a result, I have gone through a fair share of Android SMS clients through my many years of use of the OS and wanted to share some insight into the various security issues and solutions that exist for Android phones. SMS (text) clients exist natively on the Android OS, however, there are some better solutions that pride themselves on security and privacy – others even go a step further and incorporate three very hardened cryptographic protocols into their applications to ensure that communications are secure. For the analysis of these applications, I will be using a Samsung Galaxy Note 5 and a rooted Samsung Galaxy S5 running Cyanogenmod 12.x OS (Android 5.x)
Default Android SMS clients
An interesting item is the back end database where the messages are stored. Looking at a phone through the eyes of an attacker, 3G/4G data interception, though it is technically possible is normally somewhat difficult to conduct and needs specialized equipment to facilitate. An easy and open option that is enabled on many phones (looking at smartwatch users) is Bluetooth. With the option on, there is a possibility that it can be used against you, especially when a pin” for pairing a device is normally only four digits long.
So, simulating a Bluetooth vulnerability, I connected to a phone (S5) remotely and was able to see the file system. Once access was gained, locating the database for the SMS application took about three minutes without knowing where I was searching. The databases for the SMS clients appear to be stored in a Sqlite database, and once opened, you are able to see messages, times, dates and other information that would be valuable to an attacker or someone that really wanted to see whom you were texting. Though the connection and simulation was referencing a remote attack, if you drop your phone somewhere, the results could easily be just as dire.
Privacy and security-centric messaging client
Next, I wanted to take a look at the benefits of upgrading to an application that focuses on “privacy and security” as part of their core ethos, so I decided to install WhatsApp. Even the installation is much more secure, as instead of just “being” there it associates the application in use to your mobile phone number to associate the two together on their servers. The messaging mechanism holds “end to end” encryption, however, it was developed by the application developer of the third application I chose to analyze, Signal, which is an interesting side note.
Another good feature is that messages are not stored on the Application/Company’s servers. This is particularly nice, as in the ‘Age of the Data Breach’, holding responsibility for your own data is key. The application also has a nice “phone” portion that allows for similar end-to-end encryption on calls. My favorite option is that there is a convenient “lock” that is displayed that reaffirms that the connections/data transmitted is in an “encrypted” state. I was truly impressed with the focus on privacy and security, however, there were a few minor issues that I encountered when researching and over time of using the application.
One minor item that may reduce usability and user adoption is that the users you would like to message need to also have WhatsApp installed. If they do not have the application installed, messaging them through the application is not possible, though, you do have the option to invite them to utilize the application. Getting users, or friends, to install the same application is hard, especially if they are fine with their default applications and see no need in protecting their privacy, though, you can try. An issue I felt was not quite right was the database was still very much available for browsing. If local access were gained to the phone, it would only be a quick search to locate valuable data and gather what you would like from the messages database.
Lastly, one major issue that I had was the integration with Facebook services after the purchase of WhatsApp in 2016. As a result, data is forwarded to Facebook for various advertising services in an attempt to monetize the largely free service. I am not an avid user of Facebook, so, having my data sent to Facebook unless I “opt-out” is something that I would rather not happen, so I switched applications to MY default application, Signal.
Open sourced – donations welcome
I first became aware of Signal (previously TextSecure) when I was using a bit of software from the same developer for pen testing (SSL strip). I had good success with the Linux software, so I decided to use their SMS/Messaging client on my Android phones. I have yet to truly be disappointed. Beginning with the installation, and similar to WhatsApp, the device and messaging client are registered on OpenWhisperSystems’ servers and paired together online via an SMS message received on your phone validating identity.
Once completed, you can begin sending messages. Again, similar to WhatsApp, the SMS and MMS (text and data) messages use your phones data services as not to charge against SMS or MMS usage in your cellular plan, only data. In theory, you could have no 3G/4G data and rely solely on an internet connection for transmissions. A bonus that I found was the ability to send text or data messages to people not using the application, which I believe helps users adopting the application. It does not limit functionality but rather builds on it, allowing base functions then allowing you to add to them, such as the integration of end to end encryption if the other users you are communicating are using Signal.
The “end to end” encryption is a combination of three cryptographic algorithms, Curve25519, AES-256 and HMAC-SHA256. Also, it is the same underpinnings that provide the “end to end” encryption enjoyed by the WhatsApp application, minus the forwarding of data to Facebook. One very notable item is that the source code for Signal is completely available on GitHub for review due to its open source nature. As a result, you have the ability to see every piece of the Signal application to validate that it does what it should do as opposed to what you are told that it does. Finally, the Signal database I found relatively useless. While still accessible, the amount of data that can be gathered is limited only to phone numbers. Message data is completely scrambled as the database itself is encrypted. I was only able to locate phone numbers as a usable data source.
It is truly up to the eye of the beholder when selecting a messaging client. Some people just want to get things working and feel that their data is trivial, so why would anyone want to steal it or compromise it? Others, like myself, see a burgeoning market for data and want my personal information in a more controlled environment, like not existing on the open internet. There is truly a lot of criterion that can determine the outcome of, “What mobile messaging client should I use?” but make no mistake, data theft is on the rise and an ounce of prevention is worth more than a pound of cure. Or a terabyte of your data. The choice is yours.