[messaging] Crypto standards in modern-day consumer apps

Mike Hearn mike at plan99.net
Tue Jun 9 02:18:47 PDT 2020

Interesting question.

Unfortunately their website offers little more information than the
Liverpool Echo article you link to. It appears to simply be a customised
Android phone, with a few features that are especially useful for
criminals. Without a doubt 95% of the tech in them is the same as you can
get on a regular Android phone, but the remaining 5% of the integration and
feature work is sufficiently valuable to justify the eyewatering cost.

From looking over the advertised feature set, my guess is the value comes
from a very small number of features. The majority of advertised features
are industry standard and nothing special, e.g. disk encryption, secure
boot, tamper proofing, the message cryptography they discuss etc. They
advertise them because they're security related, but they're not actually a
competitive advantage.

I'd dig in to this mysterious "notary" verification process, which is
presumably some method of verifying public keys. They say:

"All clients directly negotiate keys automatically with each other’s
devices. Our servers, located offshore in our datacenter, never create,
store, or decrypt keys, message conversations or user data."

To me this implies some sort of Bluetooth based key transfer or key
agreement, probably combined with the ability to send keys between users.
Sort of like the PGP web of trust but integrated with the phone itself.

The point of this would be to ensure police can't force EncroPhone to
intercept messages by changing public keys, which is an issue for every
centralised messenger otherwise.

Users who buy this phone have demonstrated a huge willingness to make
effort up front, as apparently to get one you have to know someone who can
supply you. You can't buy them from shops. So, they can probably impose
rules like "you may only communicate with someone you interacted with
physically before, or someone they vouched for", whereas for normal
consumer-oriented software it's all about maximum convenience so the
messengers all use centralised public key directories linked to phone

The other obvious eye-catching feature is the duress/capture stuff, like
being able to request all your contact phones delete all your messages
triggered by a panic PIN. There's even mention of a countdown which I
suppose can be useful if you suspect you're walking into a trap - you could
set up a timer, be grabbed immediately, your phone taken from you without
even a chance to touch it at all, and all the evidence is still destroyed.
Finally the ability to hide that you're using this phone via dual boot is
quite clever.

I'll now say something that may be a bit controversial for this list
(though it's a point I've made before).

It's worth observing that these sorts of features are in many ways a
meaningless shell game. EncroPhone are a Dutch company with (presumably)
known owners who can be found. All the fancy stuff they advertise is
controlled by software. That makes it meaningless because EncroPhone can
push a "security update" to their users that disables all of it, or adds
arbitrary message interception facilities, without any visible change and
at any time. For example, how do the users know the message deletions are
really working? The only trustable evidence is complaints from the police.

Even though stock Android will notify users that an update is available and
ask them to apply it, users can't tell the difference between a real
security update that makes their phone harder to hack by the police, and
one that makes it easier. No matter what option they take (apply/ignore)
there's a risk it's the wrong one.

This is a fundamental problem with all end-to-end encrypted messaging
services. Despite all the progress made in this space, it all still boils
down to the trustworthiness of a brand because the service owners always
have the option of just switching it off - and in ways users cannot
actually detect except via some sort of hypothetical continuous reverse
engineering effort, which nobody anywhere has ever mounted.

Whilst pitched for privacy advocates, if that were true they'd presumably
make it easier to buy them via their website and charge less. The fact that
it's so expensive and that they're only leasable implies something odd is
going on there. It won't surprise me if at some point EncroPhone gets
silently taken over by the Dutch police and used in a sting operation, in
the same way that Tor markets sometimes were. For them to be legally safe
they'd have to avoid anything that could be used to prove a criminal
conspiracy, which from your description of how they operate and the news
articles sounds unlikely.

W.R.T. your last question. All consumer messaging systems on smartphones
route all messages via central datacenters. That's not unique to WhatsApp
and is the entire motivation for the end-to-end encryption features to
start with. The only "peer to peer" messaging system that works is SMS, and
obviously it's peer to peer only in some pedantic technical sense that the
telcos themselves communicate directly with each other (so e.g. messages
stay in country). All app-based messengers route messages either via
Google/Apple datacenters, or their own, or more typically a mix. Moreover
most modern messengers use the same cryptography. Certainly Signal,
WhatsApp and probably this EncroPhone thing (which sounds like it uses a
modified version of Signal) all use the same underlying tech developed by
the sort of people who are on this mailing list. Telegram I don't know,
someone else can tell you about that, last I heard they were different and
used their own thing.

From a pure cryptographic perspective none of them are really hiding the
message metadata people care about and indeed cannot, as the Liverpool Echo
story points out (police can still track EncroPhone users via cell sites
and messengers must still route messages to the right devices).

So with respect to what you can use that your contacts will trust, sorry
but I have no idea.