Privacy and Messaging apps: Signal Vs Telegram 2021

https://www.youtube.com/watch?v=llgAfjpPEm8

#signal #telegram #messenger #privacy #video
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

Tencent has been caught spying on your web browsing history with QQ Messenger

QQ Messenger, a popular Chinese instant messaging app by Tencent, was caught scraping web browser history with their desktop client. The discovery was made by Chinese internet users on the Q and A platforum Zhihu. Here is a Chinese language thread that documents the QQ Messenger web browsing history scraping investigation. Basically, all Chromium based web browsers store your internet history in an sqlite file in local storage. QQ Messenger would seek out this file and scrape the information, comparing it to a list of keywords and then phoning home if any matches were found.

After the spying revelation, Tencent quickly released a new version of QQ Messenger without the web history scraping functionality and claimed that the Chinese company was only previously looking at its millions of users’ web browsing history as a way of ”checking whether malicious programs were using certain websites to access QQ.”

This isn’t the first time Tencent has spied on users for the Chinese government

Since last year, QQ messenger has lost 6% of its active users – possibly because users have already started distrusting QQ and Tencent. Over the years, similar revelations about Tencent’s anti-privacy and weak security practices have come out especially in regards to QQ products. Back in 2016, the University of Toronto’s CitizenLab revealed that Tencent’s QQ Browser regularly sent personal information back to Tencent unencrypted. Furthermore, it became known that this overt lack of encryption was likely explicitly requested by “higher powers.”

https://www.privateinternetaccess.com/blog/tencent-has-been-caught-spying-on-your-web-browsing-history-with-qq-messenger/

#tencent #china #spying #browsing #history #qq #messenger #thinkabout #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

Overview / comparison of the current messengers

Every WhatsApp message feeds Zuckerberg's data octopus - but there are alternatives that you can use. If you want to get rid of WhatsApp, you have to look very carefully, depending on your needs, to see whether an alternative actually brings an improvement or whether you just end up jumping out of the frying pan into the fire. As a user, you are literally spoiled for choice. There are now so many messengers that it is almost impossible to evaluate or present every single one.

#messenger #overview #comparison
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

Telegram 7.4 now allows import of WhatsApp chats (and others)

Telegram has a nice feature for users who want to switch from WhatsApp to Telegram, for example. With the new version 7.4, which is currently being distributed for iOS, you can quickly import messages from WhatsApp into Telegram. We have tested this and it works perfectly, at least for text messages.

In WhatsApp, you go to a chat and click on the contact at the top, which takes you to the contact info - where you will probably also find the item "Export chat". This can be done with or without media. This ensures that the chat can be exported - but if you select Telegram and the person in question as the storage location, the chat is imported from WhatsApp into Telegram.

What we noticed: Media is not displayed, only the file names. Text chats, on the other hand, are correctly ported from WhatsApp to Telegram. That could certainly help one or the other. And if not, you can export the chat and save it as a ZIP file locally - the archive will then contain the text file and the media. Telegram also mentions Line and Kakao Talk as possible export messengers in the changelog.

https://stadt-bremerhaven.de/telegram-7-4-erlaubt-import-von-whatsapp-chats-und-weiteren/

#telegram #tg #whatsapp #DeleteWhatsapp #messenger #importieren #chats
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

Why You Should Stop Using Your Facebook Messenger App

If you’re one of the 1.3 billion people using Facebook Messenger, then you need to switch to an alternative. Facebook has suddenly confirmed significant delays with much needed security enhancements to the platform, enhancements that its own executives say are “essential.” Here’s what you need to know.

“The lessons of the past five years make it absolutely clear that technology companies and governments must prioritize private and secure communication.” So said senior Facebook exec Will Cathcart in a Wired opinion piece this week.

Cathcart currently heads WhatsApp, and his article focuses on the need for end-to-end encryption to be protected. He’s absolutely right. Such encryption is “essential,” there is “serious pressure to take it away,” and it “should not be taken for granted.”

I have warned users before to quit Facebook Messenger for alternatives. Beyond its lack of encryption, the platform is also open to content monitoring by Facebook itself, and I have also reported on other serious issues with its handling of your private data.

Now, this week, we have seen three separate events, all of which should give you every reason you need to make that change, to quit Messenger. First Cathcart’s rallying cry for users to use platforms with end-to-end encryption in place. Second, Facebook admitting that such security will not come to Messenger until some time in 2022, at the earliest. And, finally, another story on Facebook’s data mishandling.

https://www.forbes.com/sites/zakdoffman/2021/04/10/stop-using-facebook-messenger-on-your-apple-iphone-or-google-android-phone/

#facebook #DeleteFacebook #messenger #android #google #apple #smartphone #thinkabout
📡 @nogoolag 📡 @blackbox_archiv

Messenger Matrix (German / English)

The following matrix provides an overview of the different (technical) features of various messengers. Click on the matrix to open a larger view - the current status is noted at the top left

👉🏼 English:
https://www.messenger-matrix.de/messenger-matrix-en.html

👉🏼 German:
https://www.messenger-matrix.de/messenger-matrix.html

#security #privacy #sustainability #messenger #kuketz
📡 @nogoolag 📡 @blackbox_archiv

All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.

Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #study #pdf
📡 @nogoolag 📡 @blackbox_archiv

All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (Interesting quotes and conclusion)

💡 All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.me/BlackBox_Archiv/2042

Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).

Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.

💡Signal:

Our script for Signal uses 100 accounts over 25 daysto check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signal’s users, at least for profile pictures.

💡Telegram:

For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegram’s rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.

💡 Comparison WhatsApp | Signal | Telegram:

With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.

💡 Conclusion:

Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attacker’s perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
📡 @nogoolag 📡 @blackbox_archiv

Off the Grid Messenger

Off The Grid (OTG) Messenger is an easy way for people to communicate through text messages when in remote areas. With a theoretical transmission range of 10 miles (16kms), OTG messenger can be used by groups of people to stay connected when they are in areas not serviced by mobile connectivity.

For portability and low power purposes, the device was created by re-purposing an old Nokia e63 phone I had laying around. The enclosure, LCD, keypad, backlighting and speaker have been re-used however the motherboard was re-designed from the ground up with low power components, a modern STM32 H7 microcontroller, an ISM LoRA radio and expanded flash memory.

https://github.com/TrevorAttema/OTGMessenger

Comments
https://news.ycombinator.com/item?id=27659105

https://hackaday.com/2021/06/26/lora-messenger-in-nokias-shell/

#otg #offthegrid #grid #im #messenger #alternatives #cellphone #mobile #nokia

simplex@mastodon.social - SimpleX Chat v5.1-beta.1 is released!

New in v5.1-beta.1:
- message reactions - finally!🚀
- self-destruct passcode.
- voice messages up to 5 minutes.
- custom time to disappear - can be set just for one message.
- message editing history.
- a setting to disable audio/video calls per contact.
- group welcome message visible in group profile.

Install the apps via the links here: https://github.com/simplex-chat/simplex-chat#install-the-app

More details: https://simplex.chat/blog/20230523-simplex-chat-v5-1-message-reactions-self-destruct-passcode.html

#privacy #security #messenger

KryptEY - Secure E2EE communication


An Android keyboard for secure end-to-end-encrypted messages through the Signal protocol in any messenger. Communicate securely and independent, regardless of the legal situation or whether messengers use E2EE. No server needed.
https://github.com/amnesica/KryptEY

F-Droid
https://f-droid.org/packages/com.amnesica.kryptey/
IzzyOnDroid
https://android.izzysoft.de/repo/apk/com.amnesica.kryptey

Reminder : new apps available in F-Droid app may not emmediatly show on the F-Droid web site ( ie when you share the link app it returns a 404 error ) some extra time is needed for both to be available
https://gitlab.com/fdroid/wiki/-/wikis/FAQ#how-long-does-it-take-for-my-app-to-show-up-on-website-and-client

#encryption #keyboard #E2EE
#messenger #security #Signal