research-article

Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations

Authors:

Christoph Hagen,

Christian Weinert,

Christoph Sendner,

Alexandra Dmitrienko,

Thomas SchneiderAuthors Info & Claims

ACM Transactions on Privacy and Security, Volume 26, Issue 1

Article No.: 2, Pages 1 - 44

https://doi.org/10.1145/3546191

Published: 07 November 2022 Publication History

Abstract

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations.

Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram, we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings.

Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR,” we can iterate through the entire worldwide mobile phone number space in < 150 s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest.

Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information.

References

[1]

Affinityclick. 2013. Hushed - Private Phone Numbers, Talk and Text. Retrieved from https://hushed.com/.

[2]

Parry Aftab. 2014. Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA). Retrieved from https://parryaftab.blogspot.com/2014/03/what-does-whatsapp-collect-that.html.

[3]

Martin Albrecht, Lenka Mareková, Kenneth Paterson, and Igors Stepanovs. 2022. Four attacks and a proof for Telegram. In IEEE Symposium on Security and Privacy (S&P). IEEE.

[4]

Backes SRT. 2013. WhatsBox - GDPR Compliant WhatsApp. Retrieved from https://www.backes-srt.com/en/solutions-2/whatsbox/.

[5]

Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. 2010. Abusing social networks for automated user profiling. In Recent Advances in Intrusion Detection (RAID). Springer, 422–441.

[6]

Leyla Bilge, Thorsten Strufe, Davide Balzarotti, and Engin Kirda. 2009. All your contacts are belong to us: Automated identity theft attacks on social networks. In International Conference on World Wide Web (WWW). ACM, 551–560.

Digital Library

[7]

Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich. 2016. Argon2: New generation of memory-hard functions for password hashing and other applications. In IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 292–302.

[8]

BitWeasil. 2012. Cryptohaze. Retrieved from http://www.cryptohaze.com.

[9]

Andreas Buchenscheit, Bastian Könings, Andreas Neubert, Florian Schaub, Matthias Schneider, and Frank Kargl. 2014. Privacy implications of presence sharing in mobile messaging applications. In International Conference on Mobile and Ubiquitous Multimedia. ACM, 20–29.

Digital Library

[10]

Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the keys to the Intel SGX Kingdom with transient out-of-order execution. In USENIX Security Symposium. USENIX Association, 991–1008.

[11]

Katie Canales. 2021. Hackers Scraped Data from 500 Million LinkedIn Users. Retrieved from https://www.businessinsider.com/linkedin-data-scraped-500-million-users-for-sale-online-2021-4.

[12]

Katie Canales. 2021. Scraped Personal Data of 1.3 Million Clubhouse Users Has Reportedly Leaked Online. Retrieved from https://www.businessinsider.com/clubhouse-data-leak-1-million-users-2021-4.

[13]

Hao Chen, Zhicong Huang, Kim Laine, and Peter Rindal. 2018. Labeled PSI from fully homomorphic encryption with malicious security. In ACM Conference on Computer and Communications Security (CCS). ACM, 1223–1237.

Digital Library

[14]

Hao Chen, Kim Laine, and Peter Rindal. 2017. Fast private set intersection from homomorphic encryption. In ACM Conference on Computer and Communications Security (CCS). ACM, 1243–1255.

Digital Library

[15]

Yao Cheng, Lingyun Ying, Sibei Jiao, Purui Su, and Dengguo Feng. 2013. Bind your phone number with caution: Automated user profiling through address book matching on smartphone. In ACM ASIA Conference on Computer and Communications Security (ASIACCS). ACM, 335–340.

Digital Library

[16]

Howard Chu. 2015. LMDB Website. Retrieved from http://www.lmdb.tech/doc/.

[17]

Karen Church and Rodrigo de Oliveira. 2013. What’s up with WhatsApp? Comparing mobile instant messaging behaviors with traditional SMS. In Human-Computer Interaction with Mobile Devices and Services (MobileHCI). ACM, 352–361.

[18]

Catalin Cimpanu. 2019. Hong Kong Protesters Warn of Telegram Feature that Can Disclose Their Identities. Retrieved from https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/.

[19]

Mike Clark. 2021. The Facts on News Reports about Facebook Data. Retrieved from https://about.fb.com/news/2021/04/facts-on-news-reports-about-facebook-data/.

[20]

J. Clement. 2019. Most Popular Global Mobile Messenger Apps. Retrieved from https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps.

[21]

J. Clement. 2019. Most Popular Mobile Messaging Apps in the United States as of June 2019. Retrieved from https://www.statista.com/statistics/350461/mobile-messenger-app-usage-usa/.

[22]

J. Clement. 2019. Number of WhatsApp Users in the United States from 2019 to 2023. Retrieved from https://www.statista.com/statistics/558290/number-of-whatsapp-users-usa/.

[23]

Douglas Comer. 1979. Ubiquitous B-tree. Comput. Surv. 11, 2 (June 1979), 121–137.

Digital Library

[24]

Confide, Inc.2022. Confide Privacy Policy. Retrieved from https://getconfide.com/privacy.

[25]

Kelong Cong, Radames Cruz Moreno, Mariana Botelho da Gama, Wei Dai, Ilia Iliashenko, Kim Laine, and Michael Rosenberg. 2021. Labeled PSI from homomorphic encryption with reduced computation and communication. In ACM Conference on Computer and Communications Security (CCS). ACM, 1135–1150.

Digital Library

[26]

Josh Constine. 2018. WhatsApp Hits 1.5 Billion Monthly Users. $19B? Not So Bad. Retrieved from https://techcrunch.com/2018/01/31/whatsapp-hits-1-5-billion-monthly-users-19b-not-so-bad/.

[27]

Joseph Cox. 2017. Building a Database of WhatsApp Users Can Be Pretty Easy. Retrieved from https://www.vice.com/en/article/wnw4vw/building-a-database-of-whatsapp-users-can-be-pretty-easy.

[28]

Levent Demir, Amrit Kumar, Mathieu Cunche, and Cédric Lauradoux. 2018. The pitfalls of hashing for privacy. IEEE Commun. Surv. Tutor. 20, 1 (2018), 551–565.

[29]

Deutsche Welle. 2019. New EU Data Law Forces Firms to Ban WhatsApp, Snapchat from Phones. Retrieved from https://www.dw.com/en/new-eu-data-law-forces-firms-to-ban-whatsapp-snapchat-from-phones/a-44076861.

[30]

Zak Doffman. 2019. New WhatsApp Threat Confirmed: Android and iOS Users at Risk from Malicious Video Files. Retrieved from https://www.forbes.com/sites/zakdoffman/2019/11/16/new-whatsapp-threat-confirmed-android-and-ios-users-at-risk-from-malicious-video-files/.

[31]

Zak Doffman. 2021. Apple’s iMessage Safety Update Is a Major Change for iPhone Privacy. Retrieved from https://www.forbes.com/sites/zakdoffman/2021/11/13/apples-billion-iphone-users-shock-imessage-update-after-security-warnings/.

[32]

Meredith Dost and Kyley McGeeney. 2016. Moving without Changing Your Cellphone Number: A Predicament for Pollsters. Retrieved from https://www.pewresearch.org/methods/2016/08/01/moving-without-changing-your-cellphone-number-a-predicament-for-pollsters/.

[33]

Pavel Durov. 2020. 400 Million Users, 20,000 Stickers, Quizzes 2.0 and 400K EUR for Creators of Educational Tests. Retrieved from https://telegram.org/blog/400-million.

[34]

Jose Estrada. 2018. WhatsApp Scraping. Retrieved from https://github.com/JMGama/WhatsApp-Scraping.

[35]

Facebook, Inc.2020. Two Billion Users — Connecting the World Privately. Retrieved from https://about.fb.com/news/2020/02/two-billion-users/.

[36]

Google. 2010. Google’s Common Java, C++ and JavaScript Library for Parsing, Formatting, and Validating International Phone Numbers. Retrieved from https://github.com/google/libphonenumber.

[37]

Google. 2022. I’m Getting a Contacts Error - Contacts Help. Retrieved from https://support.google.com/contacts/answer/148779.

[38]

Srishti Gupta. 2016. Emerging threats abusing phone numbers exploiting cross-platform features. In International Conference on Advances in Social Networks Analysis and Mining (ASONAM). IEEE, 1339–1341.

[39]

Srishti Gupta, Payas Gupta, Mustaque Ahamad, and Ponnurangam Kumaraguru. 2016. Exploiting phone numbers and cross-application features in targeted mobile attacks. In Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM@CCS). ACM, 73–82.

[40]

Christoph Hagen, Christian Weinert, Christoph Sendner, Alexandra Dmitrienko, and Thomas Schneider. 2021. All the numbers are US: Large-scale abuse of contact discovery in mobile messengers. In Network & Distributed System Security Symposium (NDSS). Internet Society.

[41]

George Hatzivasilis. 2017. Password-hashing status. Cryptography 1, 2 (2017), 10.

[42]

Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert. 2021. AirCollect: Efficiently recovering hashed phone numbers leaked via Apple AirDrop. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec). ACM, 371–373. Retrieved from https://ia.cr/2021/893.

Digital Library

[43]

Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert. 2021. PrivateDrop: Practical privacy-preserving authentication for Apple AirDrop. In USENIX Security Symposium. USENIX Association, 3577–3594. Retrieved from https://ia.cr/2021/481.

[44]

Martin Hellman. 1980. A cryptanalytic time-memory trade-off. Trans. Inf. Theor. 26, 4 (1980), 401–406.

Digital Library

[45]

Aaron Holmes. 2021. 533 Million Facebook Users’ Phone Numbers and Personal Data Have Been Leaked Online. Retrieved from https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4.

[46]

Hang Hu, Peng Peng, and Gang Wang. 2019. Characterizing pixel tracking through the lens of disposable email services. In IEEE Symposium on Security and Privacy (S&P). IEEE, 365–379.

[47]

Ali Hubail. 2015. Interface to WhatsApp Messenger—Fed up with the F**king Legal Threats. Retrieved from https://github.com/venomous0x/WhatsAPI.

[48]

inAudible-NG. 2017. RainbowCrack-NG: Free and Open-Source Software to Generate and Use Rainbow Tables. Retrieved from https://github.com/inAudible-NG/RainbowCrack-NG.

[49]

ITU Telecommunication Standardization Sector. 2022. National Numbering Plans. Retrieved from https://www.itu.int/oth/T0202.aspx?parent=T0202.

[50]

Daniel Kales, Christian Rechberger, Matthias Senker, Thomas Schneider, and Christian Weinert. 2019. Mobile private contact discovery at scale. In USENIX Security Symposium. USENIX Association, 1447–1464. Retrieved from https://ia.cr/2019/517.

[51]

Samantha Murphy Kelly. 2021. Yes, You Are Getting Lots of Robocalls Again. Retrieved from https://edition.cnn.com/2021/03/04/tech/robocalls-pre-pandemic-levels/index.html.

[52]

Eunhyun Kim, Kyungwon Park, Hyoungshick Kim, and Jaeseung Song. 2014. I’ve got your number: - harvesting users’ personal data via contacts sync for the KakaoTalk messenger. In Workshop on Information Security Applications (WISA). Springer, 55–67.

[53]

Eunhyun Kim, Kyungwon Park, Hyoungshick Kim, and Jaeseung Song. 2015. Design and analysis of enumeration attacks on finding friends with phone numbers: A case study with KakaoTalk. Comput. Secur. 52 (2015), 267–275.

Digital Library

[54]

Jinwoo Kim, Kuyju Kim, Junsung Cho, Hyoungshick Kim, and Sebastian Schrittwieser. 2017. Hello, Facebook! Here is the stalkers’ paradise!: Design and analysis of enumeration attack using phone numbers on Facebook. In Information Security Practice and Experience. Springer, 663–677.

[55]

Ágnes Kiss, Jian Liu, Thomas Schneider, N. Asokan, and Benny Pinkas. 2017. Private set intersection for unequal set sizes with mobile applications. Proc. Priv. Enhanc. Technol. 2017, 4 (2017), 177–197.

[56]

Loran Kloeze. 2017. Collecting Huge Amounts of Data with WhatsApp. Retrieved from https://www.lorankloeze.nl/2017/05/07/collecting-huge-amounts-of-data-with-whatsapp/.

[57]

Vladimir Kolesnikov, Ranjit Kumaresan, Mike Rosulek, and Ni Trieu. 2016. Efficient batched oblivious PRF with applications to private set intersection. In ACM Conference on Computer and Communications Security (CCS). ACM, 818–829.

Digital Library

[58]

James M. Lepkowski. 2011. Telephone sampling: Frames and selection techniques. In International Encyclopedia of Statistical Science. Springer, 1585–1586.

[59]

Joshua Lund. 2017. Encrypted Profiles for Signal Now in Public Beta. Retrieved from https://signal.org/blog/signal-profiles-beta/.

[60]

Joshua Lund. 2018. Technology Preview: Sealed Sender for Signal. Retrieved from https://signal.org/blog/sealed-sender/.

[61]

Joshua Lund. 2019. Signal-Server. Retrieved from https://github.com/signalapp/Signal-Server.

[62]

Joshua Lund. 2019. Technology Preview for Secure Value Recovery. Retrieved from https://signal.org/blog/secure-value-recovery/.

[63]

Moxie Marlinspike. 2014. The Difficulty of Private Contact Discovery. Retrieved from https://signal.org/blog/contact-discovery/.

[64]

Moxie Marlinspike. 2017. Technology Preview: Private Contact Discovery for Signal. Retrieved from https://signal.org/blog/private-contact-discovery.

[65]

Matthias Marx, Ephraim Zimmer, Tobias Mueller, Maximilian Blochberger, and Hannes Federrath. 2018. Hashing of personally identifiable information is not sufficient. In Sicherheit. Gesellschaft für Informatik e.V., 55–68.

[66]

Signal Messenger. 2020. Introducing Signal PINs. Retrieved from https://signal.org/blog/signal-pins/.

[67]

Adrian Mönnich. 2010. Flask. Retrieved from https://palletsprojects.com/p/flask.

[68]

Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. 2010. Re: CAPTCHAs-understanding CAPTCHA-solving services in an economic context. In USENIX Security Symposium. USENIX Association, 435–462. Retrieved from http://www.usenix.org/events/sec10/tech/full_papers/Motoyama.pdf.

[69]

Robin Mueller, Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, and Edgar R. Weippl. 2014. What’s new with WhatsApp & Co.? Revisiting the security of smartphone messaging applications. In Information Integration and Web-based Applications & Services. ACM, 142–151.

[70]

Philippe Oechslin. 2003. Making a faster cryptanalytic time-memory trade-off. In CRYPTO. Springer, 617–630.

[71]

Official Journal of the European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN.

[72]

OpenMP. 2022. The OpenMP API Specification for Parallel Programming. Retrieved from https://www.openmp.org.

[73]

OpenSSL Software Foundation. 2022. OpenSSL: Cryptography and SSL/TLS Toolkit. Retrieved from https://www.openssl.org.

[74]

Openwall. 2022. John the Ripper Password Cracker. Retrieved from https://www.openwall.com/john/.

[75]

Benny Pinkas, Mike Rosulek, Ni Trieu, and Avishay Yanai. 2019. SpOT-light: Lightweight private set intersection from sparse OT extension. In Advances in Cryptology – CRYPTO 2019. Springer, 401–431.

Digital Library

[76]

Benny Pinkas, Thomas Schneider, Gil Segev, and Michael Zohner. 2015. Phasing: Private set intersection using permutation-based hashing. In USENIX Security Symposium. USENIX Association, 515–530.

[77]

Benny Pinkas, Thomas Schneider, Christian Weinert, and Udi Wieder. 2018. Efficient circuit-based PSI via Cuckoo hashing. In EUROCRYPT. Springer, 125–157. Retrieved from https://ia.cr/2018/120.

[78]

Benny Pinkas, Thomas Schneider, and Michael Zohner. 2014. Faster private set intersection based on OT extension. In USENIX Security Symposium. USENIX Association, 797–812.

[79]

Benny Pinkas, Thomas Schneider, and Michael Zohner. 2018. Scalable private set intersection based on OT extension. Trans. Priv. Secur. 21, 2 (2018), 7:1–7:35.

[80]

Sebin P. J. 2017. WhatsApp Crawler. Retrieved from https://gitlab.com/jishnutp/whatsapp-crawler.

[81]

Jon Porter. 2020. Signal Becomes European Commission’s Messaging App of Choice in Security Clampdown. Retrieved from https://www.theverge.com/2020/2/24/21150918/european-commission-signal-encrypted-messaging.

[82]

Niels Provos and David Mazières. 1999. A future-adaptable password scheme. In USENIX Annual Technical Conference (ATC). USENIX Association, 81–91.

[83]

RainbowCrack Project. 2022. List of Rainbow Tables. Retrieved from http://project-rainbowcrack.com/table.htm.

[84]

RainbowCrack Project. 2022. RainbowCrack. Retrieved from http://project-rainbowcrack.com/.

[85]

Yasmeen Rashidi, Kami Vaniea, and L. Jean Camp. 2016. Understanding saudis’ privacy concerns when using WhatsApp. In Workshop on Usable Security (USEC). Internet Society.

[86]

Salvatore Sanfilippo. 2022. Redis Commands - GET. Retrieved from https://redis.io/commands/get.

[87]

Salvatore Sanfilippo. 2022. Redis Website. Retrieved from https://redis.io/.

[88]

Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. 2012. Guess who’s texting you? Evaluating the security of smartphone messaging applications. In Network & Distributed System Security Symposium (NDSS). Internet Society.

[89]

Scattered Secrets. 2020. Bcrypt Password Cracking Extremely Slow? Not If You Are Using Hundreds of FPGAs! Retrieved from https://scatteredsecrets.medium.com/bcrypt-password-cracking-extremely-slow-not-if-you-are-using-hundreds-of-fpgas-7ae42e3272f6.

[90]

Security Research Group FAU Erlangen-Nürnberg. 2014. Online Status Monitor. Retrieved from https://onlinestatusmonitor.com/.

[91]

Signal. 2022. Signal Homepage. Retrieved from https://signal.org.

[92]

Mehul Srivastava. 2019. WhatsApp Voice Calls Used to Inject Israeli Spyware on Phones. Retrieved from https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab.

[93]

Jens Steube and Gabriele Gristina. 2022. hashcat - World’s Fastest and Most Advanced Password Recovery Utility. Retrieved from https://hashcat.net/.

[94]

Telegram. 2020. Telegram FAQ: How Secure is Telegram? Retrieved from https://telegram.org/faq#q-how-secure-is-telegram.

[95]

Telegram. 2022. TDLib: importedContacts Class Reference. Retrieved from https://core.telegram.org/tdlib/docs/classtd_1_1td__api_1_1imported_contacts.html.

[96]

Telegram. 2022. Telegram Database Library. Retrieved from https://core.telegram.org/tdlib.

[97]

Tom Slack. 2019. Is WhatsApp in Breach of the GDPR? A Lawyer’s View. Retrieved from https://guild.co/blog/is-whatsapp-in-breach-of-the-gdpr-a-lawyers-view/.

[98]

Huahong Tu, Adam Doupé, Ziming Zhao, and Gail-Joon Ahn. 2019. Users really do answer telephone scams. In USENIX Security Symposium. USENIX Association, 1327–1340.

[99]

William Turton. 2016. Why You Should Stop Using Telegram Right Now. Retrieved from https://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415.

[100]

Lisa Vaas. 2019. Robocalls Now Flooding US Phones with 200m Calls per Day. Retrieved from https://nakedsecurity.sophos.com/2019/09/17/robocalls-now-flooding-us-phones-with-200m-calls-per-day/.

[101]

Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. 2015. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Symposium on Operating Systems Principles (SOSP). ACM, 137–152.

[102]

WhatsApp LLC. 2022. About Contact Upload. Retrieved from https://faq.whatsapp.com/general/contacts/about-contact-upload.

[103]

WhatsApp LLC. 2022. WhatsApp Legal Info. Retrieved from https://www.whatsapp.com/legal?eea=0#terms-of-service.

[104]

Gilbert Wondracek, Thorsten Holz, Engin Kirda, and Christopher Kruegel. 2010. A practical attack to de-anonymize social network users. In IEEE Symposium on Security and Privacy (S&P). IEEE, 223–238.

[105]

WriteThat.Name. 2013. Your Address Book Automagically Updated. http://writethat.name/.

[106]

x0rz. 2018. A Look into Signal’s Encrypted Profiles. Retrieved from https://blog.0day.rocks/a-look-into-signals-encrypted-profiles-5491908186c1.

[107]

Maria Xynou and Arturo Filastò. 2021. How Countries Attempt to Block Signal Private Messenger App around the World. Retrieved from https://ooni.org/post/2021-how-signal-private-messenger-blocked-around-the-world/.

[108]

Liliya Yapparova and Alexey Kovalev. 2019. Comrade Major. Retrieved from https://meduza.io/en/feature/2019/08/11/comrade-major.

[109]

Guixin Ye, Zhanyong Tang, Dingyi Fang, Zhanxing Zhu, Yansong Feng, Pengfei Xu, Xiaojiang Chen, and Zheng Wang. 2018. Yet another text CAPTCHA solver: A generative adversarial network based approach. In ACM Conference on Computer and Communications Security (CCS). ACM, 332–348.

Digital Library

[110]

Maikel Zweerink. 2015. WhatsApp Privacy is Broken! Retrieved from https://maikel.pro/blog/en-whatsapp-privacy-options-are-illusions/.

[111]

Maikel Zweerink. 2015. WhatsApp Privacy Problem Explained in Detail. Retrieved from https://maikel.pro/blog/en-whatsapp-privacy-problem-explained-in-detail/.

[112]

Maikel Zweerink. 2016. PoC WhatsSpy Public Support Ending Today. Retrieved from https://maikel.pro/blog/whatsspy-public-support-ending-today.

Cited By

Wang PLiu YLi ZLi R(2024)An LDP Compatible Sketch for Securely Approximating Set Intersection CardinalitiesProceedings of the ACM on Management of Data10.1145/36392812:1(1-27)Online publication date: 26-Mar-2024
https://dl.acm.org/doi/10.1145/3639281
Guduri MChakraborty CMaheswari UMargala M(2024)Blockchain-Based Federated Learning Technique for Privacy Preservation and Security of Smart Electronic Health RecordsIEEE Transactions on Consumer Electronics10.1109/TCE.2023.331541570:1(2608-2617)Online publication date: Feb-2024
https://doi.org/10.1109/TCE.2023.3315415
Hetz LSchneider TWeinert C(2023)Scaling Mobile Private Contact Discovery to Billions of UsersComputer Security – ESORICS 202310.1007/978-3-031-50594-2_23(455-476)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-50594-2_23

Index Terms

Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Security services
    1. Privacy-preserving protocols

Recommendations

Scaling Mobile Private Contact Discovery to Billions of Users
Computer Security – ESORICS 2023
Abstract
Mobile contact discovery is a convenience feature of messengers such as WhatsApp or Telegram that helps users to identify which of their existing contacts are registered with the service. Unfortunately, the contact discovery implementation of many ...
Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses
MSR '24: Proceedings of the 21st International Conference on Mining Software Repositories

For years, researchers have been analyzing mobile Android apps to investigate diverse properties such as software engineering practices, business models, security, privacy, or usability, as well as differences between marketplaces. While similar studies ...
Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Due to the portability advantage, HTML5-based mobile apps are getting more and more popular.Unfortunately, the web technology used by HTML5-based mobile apps has a dangerous feature, which allows data and code to be mixed together, making code injection ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Privacy and Security

ACM Transactions on Privacy and Security Volume 26, Issue 1

February 2023

342 pages

ISSN:2471-2566

EISSN:2471-2574

DOI:10.1145/3561959

Editor:
Ninghui Li
Purdue University, USA

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 November 2022

Online AM: 30 June 2022

Accepted: 02 June 2022

Revised: 19 May 2022

Received: 15 July 2021

Published in TOPS Volume 26, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Refereed

Funding Sources

European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme
DFG as part of project E4 within the CRC 1119 CROSSING and project A.1 within the RTG 2050 “Privacy and Trust for Mobile Users,”
BMBF and HMWK within ATHENE

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
476
Total Downloads

Downloads (Last 12 months)128
Downloads (Last 6 weeks)9

Reflects downloads up to 09 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wang PLiu YLi ZLi R(2024)An LDP Compatible Sketch for Securely Approximating Set Intersection CardinalitiesProceedings of the ACM on Management of Data10.1145/36392812:1(1-27)Online publication date: 26-Mar-2024
https://dl.acm.org/doi/10.1145/3639281
Guduri MChakraborty CMaheswari UMargala M(2024)Blockchain-Based Federated Learning Technique for Privacy Preservation and Security of Smart Electronic Health RecordsIEEE Transactions on Consumer Electronics10.1109/TCE.2023.331541570:1(2608-2617)Online publication date: Feb-2024
https://doi.org/10.1109/TCE.2023.3315415
Hetz LSchneider TWeinert C(2023)Scaling Mobile Private Contact Discovery to Billions of UsersComputer Security – ESORICS 202310.1007/978-3-031-50594-2_23(455-476)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-50594-2_23

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Full Text

View this article in Full Text.

HTML Format

View this article in HTML Format.

Figures

Tables

Media

View full text|Download PDF

View Issue’s Table of Contents