Re: Telegram privacy fails again.

[Solar Designer <solar () openwall com>]

On Mon, Sep 09, 2019 at 11:16:37PM +0400, Dhiraj Mishra wrote:
> well-known feature of deleting messages, which allows users to delete
> messages sent by mistake or genuinely to any recipient. It was observed
> that once the message (image) is sent to the recipient, it still remains in
> the internal storage of the user which is located at `/Telegram/Telegram
> Images/`path.
[...]
> Assume a scenario where Bob sends a message which is a confidential image
> and was mistakenly sent to Alice, Bob proceeds to utilize a feature of
> Telegram known as "*Also delete for Alice*" which would essentially delete
> the message for Alice. Apparently, this feature does not work as intended,
> as Alice would still be able to see the image stored under `*/Telegram/Telegram
> Images/` *folder, concluding that the feature only deletes the image from
> the chat window.
[...]
> You're relying on a functionality that is broken since your file would
> still be present in storage for all users. Aside from this, I found that
> since Telegram takes `read/write/modify` permission of the USB storage
> which technically means the confidential photo should have been deleted
> from Alice's device or storage.
>
> A compete, app for Telegram which is WhatsApp also has the same
> feature to "*Delete
> for everyone*". If you perform the following steps mentioned above in
> WhatsApp it deletes the confidential photo from Alice's `*/Whatsapp/Whatsapp
> Media/Whatsapp Images/*` folder and maintains the privacy however Telegram
> fails. WhatsApp takes the same permission when it comes to storage which is
> `read/write/modify`.

A question here is what the intended behavior is.  Another question is
what the users' reasonable expectations are.

Sender-imposed message deletion or expiry is necessarily unreliable: the
recipient might have taken a copy of the message prior to deletion e.g.
by taking a picture of the device's screen.  This should be clearly
communicated to users of such features.

However, it gets worse.  Sure, a reasonably informed sender knows they
effectively trust the recipient not to bypass the message deletion
or/and knowingly accepts the risk.  But do they also realize the deleted
message can possibly be extracted from the device(s) by a third-party
later?  This, too, should be clearly communicated.

And, speaking of intended behavior, a question is: to what extent should
the messenger app protect deleted messages from possible recovery?
Another question is: to what extent such protection is even possible?

Dhiraj's message implies WhatsApp does what it should while Telegram
does not.  This might be so.  However, without clearly stated security
(or privacy) properties the apps are supposed to have, we can't tell.

Sure, by common sense Telegram should also delete the file since it's so
easy to do and defeats such an easy bypass, but I doubt the expected
behavior is clearly stated anywhere for either app.

Quite likely, WhatsApp merely deletes (aka unlinks) the file from the
filesystem.  If so, that does not actually wipe the file's content,
likely allowing for its recovery by a more advanced user (or attacker).

Even if it did wipe the file's content, it is almost certainly unable to
reasonably achieve that at a physical level through portable Android
APIs due to how modern flash memories work.  For wear leveling, the
flash memory controller would likely allocate new physical blocks for
the new writes, and leave the blocks with the deleted file's content
untouched until a lot later (such as until the total writes from that
point on exceed the device's free capacity, which might be never).
Again, an even more advanced user (or attacker) would possibly be able
to recover the deleted and wiped file through vendor-specific low-level
access to the flash memory chip.

What can we do to make data deletion more reliable?  One thing we can do
is only store the data encrypted, and to use per-datum encryption keys.
Then if we can reliably delete the key, the data is lost for good.

Can we reliably delete a key?  That's similarly tricky.  Some devices
provide a hardware key store separate from the main flash memory, and
maybe by reusing key slots we can in fact delete old keys.  Or maybe
not.  I'd like more research on this.

Besides, use of (only) a hardware key store with a low number of key
slots is incompatible with the need to have per-datum keys (rather than
per-app).  You wouldn't comfortably reinstall the messaging app each
time you want to have greater assurance the deleted messages are gone.
(And you wouldn't impose this on recipients of your messages.)

So I welcome research on use of (large) per-datum keys and their
deletion from flash memory, like I had suggested in this tweet thread in
May 2018:

https://twitter.com/solardiz/status/1002264067887763456

<solardiz> Use case for >256-bit symmetric keys: temporary storage on flash media (e.g., extra key material, on top of 
OS key store, for messaging apps' DBs on Android) with key bits spread across files numerous/large enough that unknown 
order of known bits provides security after deletion.

<mik235> I think that's already what LUKS does.  If it changes a lot, you end up with atomicity/integrity issues.

<ryancdotorg> Yes, LUKS uses something it calls "anti-forensic information splitting".  I'm not sure what the default 
size is. Here's a paper describing the scheme (TKS1): http://clemens.endorphin.org/TKS1-draft.pdf

<solardiz> Thanks! I just read this paper. It's related, but different: it talks about blocks (not) surviving whereas I 
talk about the ordering of blocks not sufficiently surviving (it'll take some research to figure out the probability 
and how to improve it for real-world flash media).

<ryancdotorg> If I'm understanding correctly then, your unstated assumption is that a large enough key will not be 
stored in a predictable sequence of blocks on the physical flash, and that erasure of the file will cause the 
bookkeeping data containing the sequence to be lost?

<solardiz> Sort of. But I realize this assumption might not hold true, or not on its own, which is why I say "it'll 
take some research [...] to improve it for real-world flash media". Not storing in a predictable sequence feels easier, 
ensuring the bookkeeping is lost feels hard/unreliable.

<ryancdotorg> I'd be very interested in seeing some research on how this works out on real-world flash media. WRT 
Signal specifically, are you aware that it (at least on Android) stores the db key in the secure element? You won't be 
able to read it from a filesystem or flash dump.

<solardiz> Per the tweet thread below, this is a relatively recent change (compared to Signal on iOS) and the actual 
behavior is at best device-specific - I asked whether any (only Google's own latest?) Android devices do it already and 
got no reply yet. Do you know?
Quote Tweet
<solardiz> @moxie @CopperheadOS Per Signal-Android commit "Migrate from SQLite and ciphertext blobs to SQLCipher + 
KeyStore" from Jan 2018, it looks like that's when Signal for Android also started to use OS native key store.  Does 
that also use a secure enclave on any Android devices?

<ryancdotorg> My understanding is that it uses the secure enclave if available, but I might be wrong. I don't know 
what's needed to support it device and os wise. From the API docs, it sounds like the KeyStore API decides how to store 
it. There's a ".isInsideSecurityHardware()" call.

(There were more branches of these Twitter threads at the time; I quoted
the one I found most relevant.)

Alexander