Threema security assessment

Research project for Security of Systems and Networks
Master System and Network Engineering
Hristo Dimitrov, Jan Laan, Guido Pineda
December 22

Abstract

The research described in this paper aims to find out if there are any security flaws in the mobile messaging application Threema. In order to do this, the memory of the application was analyzed, as well as the files stored on the mobile device. Lastly, the network traffic generated by Threema was inspected, and attempts were made to perform a man-in-the-middle attack. No serious security flaws were found in this research, as long as a master key is used for added security; this is a feature of Threema itself. The conclusion is that Threema looks safe and well built.

Contents: Introduction, Research questions, Threema, Security used, Approach, Implementation, Decompiling, Memory analysis, Filesystem, Preferences, Database, Network traffic, Environment Set Up, Network Communication, Man-in-the-Middle, Conclusion, Further research, A Threema database key retrieval, B Contribution

1 Introduction

Messaging applications are constantly used nowadays, and one big concern is whether they are secure or not. Big security flaws have been discovered in widely used messaging applications like Whatsapp or BlackBerry Messenger, where communications can be eavesdropped by an attacker.

The Threema application claims to be secure by using true end-to-end encryption, where even the server operator has no access to read the user's messages. Widely used applications such as Whatsapp and BlackBerry Messenger have claimed that they are secure, but serious security flaws have been found, such as unencrypted channels. In this research, we want to test the current state of the security of the application, and test if it is as secure as they claim it to be.

1.1 Research questions

The main research question for this project is: What is the current observable state of the Threema application?

The main question can be split into the following subquestions:

- Is there any readable data left on the mobile device's flash drive?
- Is Threema susceptible to Man in the Middle Attacks?
- Does Threema employ Perfect Forward Secrecy?
- Is there any reachable data left in the mobile's RAM?
- Are there no obvious security flaws in the application source code? E.g. wrong use of (cryptographic) libraries.

1.2 Threema

The Threema application is available both for Android and iOS. In this research project we focused on Android, mainly because we have some experience developing Android applications, and specifically because decompiling the application would be easier for us, as well as reading the decompiled code.

The Threema application is a classical mobile messaging app that can be downloaded at Google's Play Store for Android devices, or the App Store for iOS devices. To start using it, the user has to create his own private key; randomness is created by moving the finger on the display. The app can be linked to the user's account and his phone number. Every contact that uses the Threema app in the contact list will appear as a contact in the user's app.

The verification level of each contact is represented by three dots that indicate the degree of confidence that a stored public key really belongs to the contact.