Privacy and data protection in smartphone messengers

Abstract

Ever since the Snowden revelations regarding mass surveillance, the role of privacy protection in commodity communication software has gained increasing awareness in the general public. Still, during the last years many new messengers were developed for Android, where often privacy was not considered to be a key issue. Due to the widespread use of these apps even in corporate environments this opens up attack vectors that can result in advanced persistent threats. In this paper we analyze the most prominent messenger apps with respect to privacy concepts, focusing not only on the transmission layer regarding the support of encrypted communication, but also attacks targeting the communication metadata, e.g. detecting the existence of communication between users, as well as providing an enumeration of all users of a service. Furthermore, device theft and loss is a major issue regarding the protection of user privacy. Thus, we also analyzed, whether the messages are stored in a secure way on the device itself, or if control over the physical device allows access to the message data. In order to analyze the possible usability of these messengers as means for targeted surveillance of users by the provider (or an entity controlling it), we also analyzed the rights and privileges the respective apps need in order to be able to install and work. Here, major differences could be detected, with several apps claiming privileges that could not be explained with the normal mode of operation, thus posing a serious risk for the privacy of the respective user base.