Simple Science

Cutting edge science explained simply


The Privacy Risks of Secure Messaging Apps

Exposing how third-party tools can compromise user privacy.




Secure messaging apps are essential for keeping our communications private in today's digital age. However, many of these apps rely on third-party tools, such as Google's Firebase Cloud Messaging (FCM), to help deliver messages and notifications. While this practice can save developers time and money, it also raises concerns about privacy. This article discusses how secure messaging apps might unintentionally share personal data through push notifications sent via FCM, highlighting the risks involved and suggesting improvements.

Background

Modern software often uses various third-party components to perform tasks, which helps developers avoid building everything from scratch. This method is common in many industries, from car manufacturing to software development. While third-party tools, known as software development kits (SDKs), can be beneficial, they can also lead to privacy issues if not used correctly.

Recent studies have shown that many software privacy problems arise when developers fail to configure these third-party services properly. This can lead to sensitive user data being shared without proper consent or understanding. The risks are even higher in secure messaging apps, which are supposed to protect user privacy and data.

The Need for Secure Messaging

Public concern about privacy has grown in recent years, with many people worried about government and corporate surveillance. A survey from 2014 found that a significant percentage of Americans are worried about these issues. As a result, more individuals are turning to secure messaging apps, believing that they protect their privacy. Popular apps like Signal and Telegram have hundreds of millions of users and handle various sensitive data, from personal messages to multimedia files.

Risks of Third-party SDKs

Secure messaging apps often use third-party SDKs like FCM to send push notifications. These notifications alert users about new messages, including potentially sensitive content. If developers do not implement these notifications correctly, they risk leaking sensitive information to third parties, including Google.

For instance, a messaging app that claims to offer end-to-end encryption might not provide it if the message content is sent in plain text to FCM instead of being encrypted beforehand. Misusing these SDKs can also lead to misrepresentations of the privacy and security promised to users.

Potential Consequences

The combination of leaking sensitive information and misrepresentation can have serious consequences. For people in oppressive regimes or high-risk situations, leaking communication data can endanger their safety. If a government can access push notification records, it could expose vulnerable individuals to significant risks without their knowledge.

Research has shown that government agencies can request push notification records from companies like Google and Apple. This further emphasizes the need for secure messaging apps to take extra precautions when handling sensitive data.

Research Focus

This article examines how secure messaging apps on Android use Google's FCM to deliver push notifications. FCM is one of the most widely used SDKs for sending notifications, making it crucial to investigate how it might affect user privacy.

We aim to answer three primary questions:

  1. What personal data do secure messaging apps send via FCM?
  2. What strategies do developers implement to protect user information from being shared with FCM?
  3. Do these data-sharing practices align with the privacy assurances made by the apps in their public disclosures?

Research Methods

To answer these questions, we conducted both dynamic and static analyses of several secure messaging apps. The dynamic analysis involved monitoring the apps while they were in use to see what data was sent over the network. Static analysis involved examining the app's code to understand what measures were in place to protect user information.

Findings on Personal Data Sharing

Our analysis revealed that over half of the secure messaging apps we studied leaked personal information to Google via FCM. This included user identifiers, sender and recipient names, and even phone numbers. Alarmingly, some apps also leaked the actual message contents. None of the leaked data was mentioned in the apps' privacy disclosures.

This inconsistency raises concerns about developers' understanding of how to secure user data properly. While some apps attempted to mitigate privacy leakage, we found that these efforts were not consistent or well-supported across the board.

Strategies for Protection

Developers employed various strategies to protect user data while using FCM. Two common approaches were identified: end-to-end encryption and the push-to-sync method. End-to-end encryption ensures that only the sender and receiver can read the message content. The push-to-sync method sends a simple notification without personal data, prompting the app to fetch the actual message securely from its server.
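The following is an added example, not code from the paper or from any of the studied apps. It contrasts a leaky push payload with a push-to-sync payload and audits both the way a dynamic analysis would, by searching captured payloads for seeded test values. The payload shape follows the FCM HTTP v1 message JSON; the seeded account values, the token placeholder and the `"type": "sync"` field are constructed for illustration.

```python
import base64

# Constructed test-account values, seeded so they can be searched for
# in payloads captured on their way to the push service.
SEEDED = {
    "sender_name": "Alice Example",
    "phone_number": "+15555550100",
    "message_content": "meet at the usual place at 9",
}
TOKEN = "DEVICE_TOKEN_PLACEHOLDER"  # constructed, not a real FCM token

def leaky_push(msg):
    """Sender name, phone number and plaintext all visible to FCM."""
    return {"message": {"token": TOKEN,
                        "notification": {"title": msg["sender_name"],
                                         "body": msg["message_content"]},
                        "data": {"sender_phone": msg["phone_number"]}}}

def push_to_sync():
    """Content-free wake-up; the app then fetches from its own server.
    The "type": "sync" field is a hypothetical name."""
    return {"message": {"token": TOKEN, "data": {"type": "sync"}}}

def _strings(node):
    """Yield every string key and value in a nested payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield str(key)
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node

def _views(text):
    """The string itself plus its base64-decoded form, when it has one:
    encoding a value is not the same as encrypting it."""
    yield text
    try:
        yield base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass

def audit(payload, seeded=SEEDED):
    """Return the names of seeded values readable in the payload."""
    found = set()
    for text in _strings(payload):
        for view in _views(text):
            found.update(k for k, v in seeded.items() if v.lower() in view.lower())
    return sorted(found)
```

An empty result from `audit` only shows that the seeded values are not readable in that payload; identifiers that were never seeded, such as internal user IDs, need their own entries.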

Privacy Disclosure Analysis

We also examined how developers communicated their privacy practices to users. Many apps made claims about their commitment to user privacy but did not adequately disclose their data-sharing practices. For example, some apps stated they would never share users' data but still leaked information via FCM without informing users.

Conclusion

The findings highlight a significant disconnect between the promises made by secure messaging apps and their actual practices regarding user privacy. Many developers may not fully understand the risks associated with using third-party SDKs or do not take the necessary precautions to protect user data.

To address these issues, app developers must take responsibility for ensuring that their apps handle user data securely. They should implement thorough testing and analysis during the development process to prevent privacy breaches. Additionally, platform owners and SDK providers should offer clearer guidance on best practices for data protection.

By prioritizing user privacy and implementing better practices, secure messaging apps can help build trust with their users and ensure that sensitive information remains protected.

Original Source

Title: The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services

Abstract: Like most modern software, secure messaging apps rely on third-party components to implement important app functionality. Although this practice reduces engineering costs, it also introduces the risk of inadvertent privacy breaches due to misconfiguration errors or incomplete documentation. Our research investigated secure messaging apps' usage of Google's Firebase Cloud Messaging (FCM) service to send push notifications to Android devices. We analyzed 21 popular secure messaging apps from the Google Play Store to determine what personal information these apps leak in the payload of push notifications sent via FCM. Of these apps, 11 leaked metadata, including user identifiers (10 apps), sender or recipient names (7 apps), and phone numbers (2 apps), while 4 apps leaked the actual message content. Furthermore, none of the data we observed being leaked to FCM was specifically disclosed in those apps' privacy disclosures. We also found several apps employing strategies to mitigate this privacy leakage to FCM, with varying levels of success. Of the strategies we identified, none appeared to be common, shared, or well-supported. We argue that this is fundamentally an economics problem: incentives need to be correctly aligned to motivate platforms and SDK providers to make their systems secure and private by default.

Authors: Nikita Samarin, Alex Sanchez, Trinity Chung, Akshay Dan Bhavish Juleemun, Conor Gilsenan, Nick Merrill, Joel Reardon, Serge Egelman

Last Update: 2024-07-15 00:00:00

Language: English

Source URL: https://arxiv.org/abs/2407.10589

Source PDF: https://arxiv.org/pdf/2407.10589

Licence: https://creativecommons.org/licenses/by-sa/4.0/

Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.

Thank you to arxiv for use of its open access interoperability.
