Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.
Mobile phones are used by billions of users for communication and interaction with the virtual world. The initial channel to contact different users was by calling or writing SMSs. With the establishment of smartphones, the communication channel shifted to so-called mobile messengers such as WhatsApp and Signal. Most of the mobile messaging apps apply a Contact Discovery protocol to discover other users to communicate with. This Mobile Contact Discovery typically works by uploading the entire contact list of the mobile phone to the messenger app’s servers. The upload of contact lists poses privacy risks, since service providers, or other parties that can gain access to such sensitive information (e.g., through attacks), can use the uploaded data to build a social graph of users and even infer identifiable information about not-registered users. This privacy concern is mitigated by some of the messenger apps by means of applying a hash function to obfuscate uploaded and matched phone numbers. Another attack vector against messenger apps is crawling attacks, where malicious users or hackers can collect sensitive data by querying contact discovery services for random phone numbers. This threat is typically mitigated by setting rate limits on querying the service.
The goal of this project is to perform in-depth analysis of security and privacy risks of the Contact Discovery process of several popular mobile messengers, such as WhatsApp, Telegram and Signal. By analyzing contact discovery of various messengers and conducting large-scale empirical study for each platform, we estimate the efforts needed by attackers to exploit the above mentioned attack vectors. We identify common weaknesses of Contact Discovery protocols and propose novel countermeasures and mitigation techniques.
The project is conducted in cooperation with our partner from TU Darmstadt, the Cryptography and Privacy Engineering Group (ENCRYPTO) lead by Prof. Thomas Schneider. Our current results are described in publication recently accepted for NDSS 2021 (Read the publication here).
Watch a short introductory video about privacy-preserving mobile contact discovery with private set intersection here.
Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations. in Cryptology ePrint Archive, Report 2022/875 (2022). (2022/875)
Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations. in ACM Transactions on Privacy and Security (TOPS) (2022).
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers. in Network and Distributed System Security Symposium (NDSS) (2021).
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers. in Cryptology ePrint Archive, Report 2020/1119 (2020).
Evaluating the Privacy of Contact Discovery. Thesis; University of Würzburg. (2020, July).