Ruhr-Uni-Bochum

A Black-Box Privacy Analysis of Messaging Service Providers' Chat Message Processing

2024

Conference / Journal

Authors

Martin Johns David Klein Noah Kamangar Simon Koch Robin Kirchner

Research Hub

Research Hub C: Sichere Systeme

Research Challenges

RC 7: Building Secure Systems

Abstract

Online messaging has rapidly emerged as today's primary communication platform, extending from personal, to business and even to government channels. But can these services be trusted to maintain the privacy of your communication? This paper addresses this question by evaluating 105 different online messaging platforms. Utilizing “honey” messages and active HTTP(S) , WebSocket, and WebRTC traffic monitoring, along with continuous observation of honey token access, we determine which messaging services process user messages beyond mere transmission. We conduct a large-scale honey token-based study on 69 popular web and 36 mobile messaging applications. Our findings reveal that 34 % of messaging services show capabilities of server-side message analysis. Seven of these messengers evidently conduct an extended analysis of the messages, reusing the results hours to an observed maximum of a month after the chat concluded. This shows that one cannot automatically expect the same confidentiality when chatting via messengers compared to in-person communication.

Tags

Software Security
Mobile Security
Privacy