Bridging the security divide for chat applications

Chat-App Decryption Key Extraction through Information Flow Analysis

In the last few years instant messaging has become commonplace in society, being used in a multitude of situations such as our personal and professional lives. Everyday a vast amount of data changes hands via applications such as WeChat and WhatsApp. This includes sensitive information such as personal data and private conversations and users expect this information to be handled securely.

Currently, WeChat uses an external, open-source library called SQLCipher to encrypt data, while WhatsApp uses an encrypted backup database file usually stored on a device’s SD card. However, there are weaknesses in the current protection mechanism that could allow hackers to read encrypted data and access sensitive information. In fact, in recent studies, the decryption key for specific versions of both WeChat and WhatsApp were uncovered.

In a project led by Dr Vrizlynn Thing at the A*STAR Institute for Infocomm Research, A*STAR researchers have been able to exploit these weaknesses. In doing so, they have successfully recovered decryption keys for two popular chat-apps — WeChat and WhatsApp. With the keys, they could potentially collect users’ personal data and private information. Researchers were able to do so using a method called Information flow analysis. Information flow analysis is used in mobile forensics to filter pertinent details from the vast volumes of data flowing within devices. Using this method, Dr Thing’s team was able to pinpoint the decryption keys for both apps, even though the chat-apps used different encryption techniques. The researchers then used this information to simulate the key generation processes, which allowed them to access data from other users.

“Results of the project confirms that a technique called information flow analysis can reveal decryption keys for current and future versions of chat-apps, assuming the app design and use of external encryption libraries stay the same,” explains Zhongmin Dai, a colleague of Dr Thing who also worked on the project.

Thankfully, by knowing these weaknesses, A*STAR researchers are able to make the applications more robust against attacks through a variety of methods. “Many messaging apps use ‘end-to-end’ encryption; only the sender and receiver can read messages and they are encrypted for third parties,” says Dr Thing. “Chat-app servers should verify more than one piece of information from an incoming decryption key request before releasing the key. For example, they should make an association between a device phone number and the user account,”

Dr Thing points out, however; their experiments were carried out on exploitable devices with escalated privilege. Even so, she urges users to keep their devices and applications updated to protect them from security risks.

The A*STAR-affiliated researchers contributing to this research are from the Cyber Security team of Institute for Infocomm Research.

* This paper clinched the Singapore Cyber Security R&D Conference (SG-CRC) 2017 – Best Paper Award.