Daniele Nicassio's blog

After all, we're just some kind of local optimum

Messaging apps and metadata concerns

I use Telegram. Many use Whatsapp. Others may use other messaging apps.

I have followed the debate about whether Telegram's security is really superior to WhatsApp's (and similar arguments) for a long time, but recently a comment about "metadata" in one of these discussions caught my interest. The comment pointed out that Telegram, which claims to provide very good security to its users, was leaking a certain amount of metadata.

Metadata is data that describes other data. Meta is a prefix that in most information technology usages means “an underlying definition or description.” Metadata summarizes basic information about data, which can make finding and working with particular instances of data easier.

Actually, the same argument stands for WhatsApp, but this got my attention and I wanted to look for some interesting implications. Since Telegram is mostly open source and a fairly open platform, there are a number of client implementations, and we often have their source code to examine and play with.

Looking at this Telegram command line client, it was immediately clear to me that one important piece of metadata that is actually broadcast to all users is the user status.

If you are a Telegram (or WhatsApp) user, whenever you switch to the app your user status changes to 'online'. This information is broadcast to all the users who have your number in their contact list, unless you changed the related setting in the app's preferences. The same happens when you close or background the app, which changes your status to 'offline'.

Even if the official apps don't let you do that, one of your contacts could certainly write code to poll the status of every user regularly, building a history of the statuses you've been through during the day and collecting a worrying amount of information about you and your habits. Given the amount of messages we're flooded with in these apps (think about group chats), if you collect this kind of data about someone on their primary messaging app, it's pretty trivial to derive sensitive information like sleeping cycles or working hours (not for everyone, but still).

Even worse, when two people are texting each other and both of them are in your contact list, you could probably exploit the data to match who is texting whom. This is a bit trickier to automate, but a finely tuned machine learning algorithm should do it (of course there may be problems with simultaneous conversations and group chats, but it would definitely work at least in some cases).
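To make the risk described above concrete, here is an added example (written for this page; it is not the author's modified web app nor the code on GitHub) that runs the two inferences over a constructed status log: it pairs online/offline events into sessions, derives each user's first-online/last-offline window per day (the "working hours / sleeping cycle" leak), and scores how much of one user's online time overlapped with another's (the "who is texting whom" leak). Every name and timestamp in the log is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed status log (not real Telegram data): one line per status
# change, as a client that polls contact statuses would record it.
STATUS_LOG = """\
2016-01-20T07:58:12 alice online
2016-01-20T08:03:40 alice offline
2016-01-20T09:00:00 bob online
2016-01-20T09:20:00 bob offline
2016-01-20T12:30:05 alice online
2016-01-20T12:31:10 bob online
2016-01-20T12:42:55 bob offline
2016-01-20T12:43:30 alice offline
2016-01-20T15:00:00 carol online
2016-01-20T15:05:00 carol offline
2016-01-20T23:10:02 alice online
2016-01-20T23:15:48 alice offline
2016-01-21T07:45:00 alice online
2016-01-21T07:50:00 alice offline
2016-01-21T22:55:00 alice online
2016-01-21T23:05:00 alice offline
"""


def parse_log(text):
    """Return {user: [(timestamp, status), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, status = line.split()
        events[user].append((datetime.fromisoformat(stamp), status))
    for user in events:
        events[user].sort()
    return dict(events)


def sessions(user_events):
    """Pair each 'online' with the next 'offline' into (start, end) sessions.
    A trailing 'online' with no matching 'offline' is still open and is dropped."""
    out, start = [], None
    for stamp, status in user_events:
        if status == "online" and start is None:
            start = stamp
        elif status == "offline" and start is not None:
            out.append((start, stamp))
            start = None
    return out


def daily_window(user_sessions):
    """Per calendar day (ISO string): first time seen online, last time seen offline.
    This is the 'working hours / sleeping cycle' inference from the post."""
    window = {}
    for start, end in user_sessions:
        day = start.date().isoformat()
        first, last = window.get(day, (start, end))
        window[day] = (min(first, start), max(last, end))
    return {d: (f.time().isoformat(), l.time().isoformat()) for d, (f, l) in window.items()}


def overlap_seconds(sessions_a, sessions_b):
    """Total seconds during which both users were online at the same time."""
    total = timedelta()
    for a0, a1 in sessions_a:
        for b0, b1 in sessions_b:
            lo, hi = max(a0, b0), min(a1, b1)
            if hi > lo:
                total += hi - lo
    return int(total.total_seconds())


def co_activity(sessions_a, sessions_b):
    """Fraction of A's online time that overlapped with B being online.
    A high score hints that A and B were active together (e.g. chatting)."""
    online = sum((e - s for s, e in sessions_a), timedelta()).total_seconds()
    if online == 0:
        return 0.0
    return round(overlap_seconds(sessions_a, sessions_b) / online, 3)


def report(text):
    """Daily windows per user and a co-activity score for every user pair."""
    ev = parse_log(text)
    sess = {u: sessions(e) for u, e in ev.items()}
    windows = {u: daily_window(s) for u, s in sess.items()}
    users = sorted(sess)
    pairs = {(a, b): co_activity(sess[a], sess[b])
             for i, a in enumerate(users) for b in users[i + 1:]}
    return windows, pairs


if __name__ == "__main__":
    windows, pairs = report(STATUS_LOG)
    for user, days in windows.items():
        for day, (first, last) in sorted(days.items()):
            print(f"{user:6} {day} first online {first}  last offline {last}")
    for (a, b), score in pairs.items():
        print(f"co-activity {a}/{b}: {score}")
```

On this log the only pair with a non-zero score is alice/bob (they were online together at lunchtime), while alice's two days both span roughly 07:45 to 23:15, which is exactly the kind of routine the post warns about. Seen from the defender's side, the same numbers show what the status privacy setting mentioned above protects: without per-event timestamps from the broadcast, neither the daily window nor the co-activity score can be computed.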

This isn't the end of the world, but it is a good insight into a really common security problem that people using these apps daily are probably completely unaware of.

PS. I have of course modified the Telegram web app to do this, and even though I've spent very little time on it, it actually works. Here's a screenshot.

[Screenshot: telegram_status_history]

Code is on GitHub.

Posted on January 20, 2016, last modified February 12, 2016. Categories: chrome, English, HTML5, Metadata, Security, telegram, Web, Webapp. Tags: leak, metadata, security, telegram, web.