The best laid plans of mice and men…
A lot of attention has been paid to the design and implementation of messaging apps. Signal usually comes out as being considered the most trustworthy of the bunch by people who worry about detail, but there are other apps with real end-to-end encryption too.
Of course, subverting an end-point is the most reliable way to compromise such communications, but that’s inevitable with mass market multifunction devices. At least it tends to force attackers to expend significant resources, meaning that they have to prioritise their targets rather than anyone being able to just scoop up everything from everyone and go fishing for information.
Most of these messaging apps can be configured to delete each item of content after a certain time, so you can be sure it’s gone. Or so you think.
Sometimes it isn’t obvious where the security may rely upon the how the devices operating system works and how the application is configured. For example, if your messaging application receives a message, do you get a popup previewing the message? What about if the phone is locked?
You are relying partly upon how the application is configured, and partly upon how the underlying OS works to display such popups.
Here is where it is so simple to get caught out. On an iPhone, those popup messages, if they show the actual message content, get logged in by the OS outside of the messaging application. Which puts the content outside the control of the app completely.
Hence this: FBI Recovers Deleted Signal Messages Through iPhone Notifications
A useful example to remind those seeking assurance of privacy – or indeed, those seeking assurance of type on any system really – to remember to consider dependencies like these which bring other components into the scope of necessary consideration.
In the case of these messaging apps, you should be able to configure them such that the message content remains within the app only. But just try documenting how – it tends to be a confusing mixture of app-specific settings within the OS, and settings within the app itself, both of which can change how they appear across different versions of the app or OS. What could possibly go wrong there.
Thus, as usual with security technology, it isn’t only the application software that matters, it is the processes around how they are used that matter too.
So when someone responsible for assurance asks what might seem like irrelevant or difficult questions about process or documentation, they are probably considering such things for your organisation to protect your data and your users.
Sophie Baskerville 