Security researchers have discovered a flaw in the Android version of the secure messaging application, Signal, which lets hackers make the app crash and also alter the attachments sent on the app.
Signal is one of the most revered secure messaging applications, and it was built by Moxie Marlinspike's Open Whisper Systems. It is a privacy-focused app, available on both Android and iOS, for users who want encrypted messaging and voice calling. The app is well known in security circles, and many people, including NSA whistleblower Edward Snowden, have recommended it. Privacy advocates and cryptography experts have also lauded the app.
Two security researchers, Markus Vervier and Jean-Philippe Aumasson, analyzed the Android version of the app and found several flaws in it. One of them concerns the message authentication code (MAC), which is used to verify attachments in the app.
When a user sends an attachment, it is first encrypted and then given a message authentication code. The code is used to verify the integrity of the file and the identity of the sender. The file is then sent to the Amazon S3 storage servers, from which it is downloaded by the recipient through HTTPS.
The two researchers discovered that a man in the middle who gained access to the Amazon S3 storage servers, or who was in possession of any of the certificates trusted by Android, would be able to send the recipient a changed file. The main problem is that the MAC can be bypassed simply by padding the attachment with 4 GB plus 1 byte of data. The two experts also discovered that the attacker does not need to send the 4 GB of data to the victim; all they have to do is use HTTP compression to shrink the size to 4Mb.
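A receiver-side check that resists both points above (appended data and a small compressed transfer that expands on arrival), as an added example that is not Signal's code. It assumes an HMAC-SHA256 tag appended after the ciphertext and a stream that yields the bytes after any HTTP decompression; the function names and the size cap are hypothetical.

```python
import hashlib
import hmac
import io

TAG_LEN = 32                         # HMAC-SHA256 tag after the ciphertext (assumed layout)
MAX_ATTACHMENT = 100 * 1024 * 1024   # constructed cap on bytes accepted after decompression


class AttachmentRejected(Exception):
    pass


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Sender side: append a tag computed over the whole ciphertext."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_stream(mac_key, stream, max_len=MAX_ATTACHMENT, chunk=4096):
    """Receiver side: return the ciphertext only if the tag covers every byte read."""
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    body = bytearray()   # bounded by max_len; spool to disk for large caps
    tail = b""           # always the most recent <= TAG_LEN bytes (the candidate tag)
    total = 0            # Python ints do not wrap; in Java or C this must be 64-bit
    while True:
        data = stream.read(chunk)
        if not data:
            break
        total += len(data)
        if total > max_len + TAG_LEN:
            # Enforced on decompressed bytes, so a small transfer cannot inflate.
            raise AttachmentRejected("attachment exceeds size cap")
        buf = tail + data
        covered, tail = buf[:-TAG_LEN], buf[-TAG_LEN:]
        mac.update(covered)          # everything except the final TAG_LEN bytes
        body += covered
    if len(tail) != TAG_LEN:
        raise AttachmentRejected("too short to contain a tag")
    if not hmac.compare_digest(mac.digest(), tail):
        raise AttachmentRejected("MAC mismatch")
    return bytes(body)               # hand to decryption only after this point
```

Because the tag is taken from the true end of the stream and every earlier byte is fed to the MAC, any data appended in transit or in storage changes both the covered bytes and the tag position, and verification fails before decryption starts.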
Another flaw that the two experts discovered was one that was connected to the CallAudioManager class of the app and its handling of Real-Time Transport Protocol packets. The flaw gives attackers the chance to crash the app, and experts also believe that the flaw could be used for other problems. They also believe the problematic code can be found in other applications.
The flaws were reported to Signal, which made patches and released them on GitHub. However, users who get the app from the Google Play Store still have to wait a few more days, because the company has not released a patch for them yet. Other vulnerabilities were discovered in the app, but the researchers said they would reveal them later.