Signal

I don’t think there is anyone who doesn’t know what WhatsApp is. With Signa, I doubt everyone knows about the app and its benefits. With Threema, I think I’m not mistaken if I say that few people know him. All three are instant messaging apps that promise to do what they do well. Signal and Threema are also characterized because they are applications whose identity is the privacy and security of communications. So much so that they are even used for state services. And yet all three suffer from the same problem: Location data may be exposed.

One of the characteristics that instant messaging applications must guarantee is the confidentiality of communications. WhatsApp suffered from this problem for a long time and its fame was rather the opposite. But it is true that lately we put the batteries back and it seems that the data is safe. Signal and Threema have always raised the flag of confidentiality in communications as a sign of identity.

Now, security researchers have found a surprising method to expose location data in secure messaging apps WhatsApp, Signal, and Threema. It is possible to infer user locations with an accuracy that exceeds 80% by launching a specially crafted timing attack. This is to measure the time it takes for the attacker to receive the delivery status notification of the message when it has been sent to the target.

Since mobile Internet networks and the infrastructure of instant messaging application servers have specific physical characteristics that result in standard signal paths, these notifications they have predictable delays depending on the position of the user.

It doesn’t seem like an easy system to replicate or something that can happen continuously. But it is good to know that the system is there and that It’s possible that users’ location data could be exposed in apps that specifically combat these leaks.