Let’s see what the information that an encrypted communication system stores on a user’s device looks like. As an example we’ll take the industry leader, WhatsApp: it is the most highly praised, it is most often cited as an example of a successful product, and a majority of the world’s users regard it as quite secure.
We are not evaluating all the shortcomings of the messenger in question here; we’ll get back to those later. At this point we are talking only about the information that is stored and processed on end devices.
One of the articles in this series mentions that Jan Koum’s service does not disclose its clients’ data because it does not store it on the company’s servers. However, it does store chat texts and other user data on devices: smartphones, tablets and personal computers. That is certainly convenient: at any moment you can find any fragment of a chat history or an attached file. But what happens when a lost (or stolen?) device gets into the hands of a malefactor?
As our experience shows, no special skills are required to read the data. It is sufficient to have the device, a standard connection cable and the producer’s software for making backup copies and/or for system recovery.
Just a couple of innocent manipulations, and the most popular smartphone and tablet models from the best-known Asian producers give you access to the databases, either directly on the device or after a backup copy of the database has been created. In the situation described it is entirely unimportant whether the access is direct or indirect; the only important thing is that, with no special software tools and no knowledge of cryptography, we get access to the stored information database. And here we suddenly face a big surprise.
Our entire message history and our contacts’ data in the dump obtained from the encrypted messenger WhatsApp are presented… completely in the open!
In plain text, for the entire period of using the service: nicknames, phone numbers and, above all, messages, which most often contain information not meant for the public eye.
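A way to check a backup of your own device for the exposure described above, as an added example that is not part of the original article: the script walks an extracted backup directory and separates readable SQLite databases from high-entropy (encrypted or compressed) files. It assumes the message stores are SQLite files; the sample file names and the 7.5 bits-per-byte threshold are constructed for the illustration.

```python
import math
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every unencrypted SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(path: str, sample: int = 65536) -> str:
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"   # openable by any SQLite viewer
    if len(head) >= 4096 and shannon_entropy(head) > 7.5:  # assumed threshold
        return "high-entropy"       # consistent with encryption (or compression)
    return "other"

def audit_backup(root: str) -> dict:
    """Map relative path -> classification for every file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify(full)
    return report

def build_sample_backup(root: str) -> None:
    """Constructed sample: one readable chat DB and one random blob."""
    db = sqlite3.connect(os.path.join(root, "chat_sample.db"))
    db.execute("CREATE TABLE messages (sender TEXT, body TEXT)")
    db.execute("INSERT INTO messages VALUES ('+10000000000', 'constructed message')")
    db.commit()
    db.close()
    with open(os.path.join(root, "chat_sample.enc"), "wb") as fh:
        fh.write(os.urandom(8192))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for rel, kind in sorted(audit_backup(tmp).items()):
            print(f"{kind:18} {rel}")
```

Any file reported as `plaintext-sqlite` in a real backup is readable without a key; a `high-entropy` result only suggests encryption, since compressed archives score the same way.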
It should be noted that far from all devices give access to message histories in such a primitive manner. In one of the forthcoming articles we will return to the evaluation of specific producers and models. Right now we are interested in how other messengers, the ones at the top of the world ratings, treat stored data.
And here’s what we see…
All the most famous brands, such as Imo, Kik, Facebook Messenger, Telegram, Skype and Viber, act in the same way. They delegate care for the safety of our personal data to device producers, supposing it to be their duty. Vendors, in turn, might not share that point of view. So end users have nothing left but to guess who has an arrangement with whom and about what, if an arrangement of the sort has ever been made.
There is no public information about such agreements, and it is very likely that they do not exist at all. Software developers and suppliers owe us no obligations in this matter. The former produce a magnificent encrypted messenger to be used on a wonderful encrypted smartphone. The latter produce their impeccable encrypted smartphone to be used together with the best encrypted messenger.
Device developers do not often think about the security of backup copies. Service developers think about it even less. As a result, the weak point is the very process that, according to its inventors’ idea, was supposed to save us from data loss.
However, there are cases when it is better to lose your data once and for all, with no chance of recovery, than to save it and then expose it to the entire world.
We’ll start with some good news: on this planet there are people who do think about our security or, to be more precise, about the security of our personal data. Some of these people produce the telephones, smartphones, tablets, laptops and other devices that we tend to trust as much as we trust ourselves.
Here is a list of producers whose devices we have tested:
- Apple, Huawei, Meizu, Motorola, Samsung, Sony, Xiaomi.
As far as creating backup copies and system recovery go, today we can certainly trust Apple and Samsung devices. Specimens from Motorola and Sony can also boast decent security. Retention of personal data is implemented in various ways, but even in lab conditions, with physical access to the storage medium (the memory of the device), an interested person obtains only an encrypted, unreadable file. Thus, using a soldering iron for its intended purpose is simply pointless without high-performance computing capacity (a quantum computer, so to speak) for the subsequent decryption of the memory dump.
Within the framework of the current article we are having a look at some specific complexes, such as the software and equipment of Cellebrite, an Israel-based company, which make it possible to crack smartphones, including the latest models from Apple. We’ll get back to such commercial technologies later.
Smartphones and tablets from Chinese producers such as Huawei, Meizu and Xiaomi are the exact opposite of the above-mentioned brands. Access to the data stored on these devices can easily be gained with the help of the software and utility programs available on these vendors’ official websites.
In some cases, devices allow information to be read directly from them. In other cases, a producer leaves a way to create a backup copy without a password, and thanks to this undocumented action a saved backup can be opened on an ordinary personal computer, where one can see the message history of any popular messenger in the form of a simple chart.
One story is when a malefactor, using a smartphone firmware upgrade program, gets full control over the device. He takes over the smartphone, and in this case there is no need for tricky manipulations. In the long run one can simply read through the message history by opening the app.
Another story is about creating a backup copy without the participation of the user, who tends to think he has full control over the device. He has the smartphone in his hands, but it takes a full snapshot of the system and the user’s data and then sends it to Mr ‘Don’t Know Who’. Without any sanction from the owner!
Chinese companies producing mobile gadgets had been showing wonderful growth results, boasting unheard-of sales and publishing optimistic development forecasts that surprised both consumers and experts, until they hit the North American market. To put it more simply: until their target audience started to raise confidentiality issues.
In January 2018 mobile giants from the Heavenly Empire faced market resistance from an entire continent for the first time ever. Leading mobile operators in the US refused to sell, on the territory of their country, devices from Huawei, the fastest-growing mobile producer of 2016. Among the unofficial reasons for this decision, experts pointed to recommendations from the American government, which declared that surveillance of Americans and global personal data collection were possible.
In spite of the fantastic nature of such suspicions, Chinese producers have essentially nothing to say in reply to those special forces agents who are obliged to see conspiracy theories everywhere: if a device creates a backup copy of data without a password and without our involvement, who can guarantee that this very copy is not going to migrate to a remote server, where in the long run it will be read, systematized and absorbed into the memory of Big Brother?
One of the versions that has solidly gained ground in the expert community is that all Chinese mobile producers follow unspoken directives from their government and thus consciously leave a ‘hole’ in gadget security. They simply have no other way around it.
We have no proof of this theory, nor any proof of the opposite. But if you are interested in keeping your data safe, it is better to choose a producer who does not fight to gain trust a priori.
It is well known that business recognizes only the things that can be counted. Assurances of good intentions are not subject to calculation, especially when we are talking about a Chinese math model.