A look into the Mobile Messaging Black Box

A gentle introduction to mobile messaging and subsequent analysis of the Threema protocol.

Video duration: 01:03:19
Language: English
Abstract
Most of us use mobile messaging every day. We use certain apps that we chose for a number of factors, like our friends using them, good press, privacy promises, or simply their feature sets. This talk aims to enable more of us to reason about the privacy and security of messaging apps. We will try to present simple analogies translating abstract security and privacy expectations into concrete feature sets. We will illustrate these features using the popular messaging app Threema. Our analysis of its protocol is based on our own reverse-engineering efforts and a re-implementation of the Threema protocol that we will release during the talk.

Despite its ubiquitous application and widespread acceptance, mobile instant messaging remains a complex matter and is often not understood by its users. Easy-to-use apps and security assurances by their developers suggest to users a safe and private environment for conversation. At the same time, more and more apps flood the market, and it is becoming increasingly difficult, even for technically educated users, to keep track of both technological development and their own security and privacy requirements. We want to present a talk that sheds some light on technical aspects of mobile instant messaging and presents an overview of techniques and design decisions by different mobile instant messaging app developers. We aim at technically educated and casual users alike, trying to present simple analogies and break down complex details into understandable components. After an introduction to the mobile instant messaging world, we will dissect one of the most popular mobile instant messaging apps in Germany: Threema. It is closed-source and only superficially documented, yet widely used. We picked it for a particular design decision in its protocol, the lack of which we consider the most important flaw in competitor protocols like Signal: the use of discardable IDs instead of phone numbers. Another interesting aspect of Threema's protocol is its use of the NaCl library for end-to-end encryption. We have fully reverse-engineered the Threema app and can therefore present its protocol and our analysis of it in detail.

Talk ID: 8062
Event: 33c3
Day: 2
Room: Saal G
Start: 11:30 a.m.
Duration: 01:00:00
Track: Security
Type: lecture
Speakers: Roland Schilling, Frieder Steinmetz
Talk Slug & media link: 33c3-8062-a_look_into_the_mobile_messaging_black_box

Talk & Speaker speed statistics (very rough underestimation): 157.4 wpm, 844.5 spm