16
Forensic analysis of open-source XMPP/Jabber multi-client instant messaging apps on Android smartphones - SN Applied Sciences
link.springer.comIn the quest for a panacea to ensure digital privacy, many users have switched to using decentralized open-source Extensible Messaging and Presence Protocol multi-client instant messaging (IM) apps for secure end-to-end communication. In this paper, we present a forensic analysis of the artefacts generated on Android smartphones by Conversations and Xabber apps. We identified databases maintained by each app and external Secure Digital card directories that store local copies of user metadata. We analysed each app’s storage locations for forensic artefacts and how they can be used in a forensic investigation. The results in this paper show a detailed analysis of forensic files of interest which can be correlated to identify the local user’s multiple IM accounts and contact list, contents of messages exchanged with contacts, deleted files, time, and dates in the order of their occurrence. The contributions of this research include a comprehensive description of artefacts, which are of forensic interest, for each app analysed.
This is a good article. A lot of other apps have the same problem. I think it is important that apps have a security threat matrix.
Many people don’t realize what is really private, and what isn’t. As in a phone conversation, it isn’t known what you are talking about, but who you are talking with is known. Is that the full definition of privacy? No. People also don’t full understand how metadata can be collected and used. Many people don’t understand the risk of a server being hacked. If a server can be blocked/censored, I would imagine a server be spoofed is plausible too.
Many people hear “secure” or E2EE. But they do not realize that applies to the transmission of your message. That doesn’t mean it is stored on your device encrypted and secure, nor does it mean stored on someone’s else device is encrypted and secure. Some say it isn’t necessary because if your device is compromised, then so would any app security. But I doubt those same people leave their password database unencrypted.
This is an forensic analysis, meaning this is research into what police etc. needs to do when they want to ex-filtrate data from confiscated or otherwise compromised devices.
I am a bit torn on such kind of research. Obviously it isn’t done to improve security, but at least when it is openly published like this it can help app developers to look into potential security issues.
At the very least it helps to make people aware that these days a compromised device is often the most dangerous data-leak (at least for activists) and Signal for example does not help against that type of tread at all, in fact due to it’s use of phone numbers as identifiers it is a huge risk factor.
Most people do not want privacy, they want fully anonymity. They mix these things.
yep, but not only decentralized, I remember the issue about a company claiming they could extract Signal messages from the phone, if they were able to overcome the phone encryption (easily if the phone is unencrypted, though I believe LOS AOSP in general don’t allow unencrypted phones fro quite some time now)…
I’m wondering if p2p app also suffer the same. I honestly have no clue, but I would guess it should be the same, unless you provide a decrypting password or mechanism any time you open the app, to decrypt keys keeping the contents encryupted (supposing it keeps some sort of agent when opening, so you don’t need to keep decrypting the keys while the app is open)… Perhaps they don’t do it by default, but AFAIK, briar, jami, antox and triffa were not having content encrypted in the phone, and I’m not sure if there was an option to opt-in for such encryption…
Going back to xmpp, the same mentioned on the post, applies to the desktop apps, for example, I’m not awae of Dino, Gajim or Kaidan encrypting local content… I’m wondering if there are apps doing that by default, and perhaps without opt-out mechanisms…
That’s why both, the phones and the desktops/laptops/mobile/etc, require to have the storage encrypted. And even though the storage is encrypted, all private keys (GPG and/or SSH) must be encrypted as well. There are people keeping private keys unencrypted, for convenience I’d guess, but that’s really bad if the device keeping them is compromised…
In brief, I’m not aware of apps, phone or desktop, which besides doing e2ee for content transmission, they keep all local content encrypted. Not sure if there are some which can do it by setting some preferences, but if there are, please share which ones, :) Thanks !