[C10] "Introducing Man In The Contacts attack to trick encrypted messaging apps"
by Jérémy Matos

Author: Jérémy Matos (@SecuringApps)
Language: French
Country: Switzerland
Date & Time: Thursday 3 November, 14:45 to 15:30

Mobile messaging applications have recently switched to end-to-end encryption, including the most popular ones such as WhatsApp. With governments debating whether to demand backdoors, these tools are perceived as unbreakable. Yet most implementations use the phone number as the identifier and blindly trust the contact information stored on the smartphone. Given that end-users know hardly more than a few phone numbers by heart, and that modifying contacts is easy, we will introduce a new type of attack: Man In The Contacts (MITC).

Without studying any cryptography, we will examine how WhatsApp, Telegram and Signal behave when an Android application tampers with the contacts in the background. In some scenarios, the end-user can be fooled into talking to the wrong person.

Modifying contacts is straightforward, as APIs are provided for it, and such an application can be published on the store without any validation issue. We just need to convince the end-user to download it and grant the contacts permission. We will show a tempting example that abuses poor privacy choices in WhatsApp and Facebook Messenger.

Fooling one person lets us try to convince their contacts in turn. Once a second person is tricked, we can mount a real Man In The Middle on their conversations, using the MITC app as a control channel. The web versions of the messaging apps make such a MITM proxy easier to build.

We will then consider the impact on popular mobile payment solutions that build their user experience around contact information. Finally, we will discuss countermeasures at both the technical and usability levels.
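To make the identifier-trust problem concrete, the model below replays the MITC sequence from the abstract (a background app rewriting the number behind a familiar name, the messaging app labelling senders purely through the address book, and the real contact then appearing as an unknown number) and contrasts it with one possible technical countermeasure. This is an added illustration, not code from the talk, from WhatsApp, Telegram or Signal, or from any MITC app; the names, numbers and the `sender_key` field are constructed, and the pinning countermeasure is an assumption of this example (binding the display name to the identity material the app already holds for a peer), not necessarily the one the talk proposes.

```python
"""Model of a Man In The Contacts (MITC) substitution and one countermeasure.

Added illustration for this abstract, not code from the talk or from any
messaging app. Numbers, names and the 'key' field are constructed sample
data; the key stands in for whatever identity material the messaging app
already has for a peer (assumption of this example).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender_number: str   # the identifier most messaging apps key on
    sender_key: str      # identity material seen by the app (assumed, constructed)
    text: str


class AddressBook:
    """The phone's contact store. Any app granted the contacts permission
    can rewrite it; the messaging app only reads it to label numbers."""

    def __init__(self, entries):
        # name -> number, as the end-user sees it in the contacts app
        self._numbers = dict(entries)

    def name_for(self, number):
        """Reverse lookup a messaging app performs; unknown numbers are shown raw."""
        for name, stored in self._numbers.items():
            if stored == number:
                return name
        return number

    def rewrite_number(self, name, new_number):
        """What the MITC app does in the background: keep the familiar name,
        swap the number behind it."""
        if name not in self._numbers:
            raise KeyError(name)
        self._numbers[name] = new_number


class NaiveClient:
    """Labels a sender purely through the address book."""

    def __init__(self, book):
        self.book = book

    def render(self, msg):
        return f"{self.book.name_for(msg.sender_number)}: {msg.text}"


class PinningClient(NaiveClient):
    """Countermeasure (assumption of this example): remember the (number, key)
    pair first seen behind a display name and warn when the same name later
    resolves to a different pair."""

    def __init__(self, book):
        super().__init__(book)
        self._pinned = {}

    def render(self, msg):
        name = self.book.name_for(msg.sender_number)
        identity = (msg.sender_number, msg.sender_key)
        known = self._pinned.setdefault(name, identity)
        if known != identity:
            return (f"[WARNING: '{name}' was {known[0]} (key {known[1]}), "
                    f"now {identity[0]} (key {identity[1]})] {name}: {msg.text}")
        return f"{name}: {msg.text}"


ALICE = "+41791111111"      # constructed
ATTACKER = "+41799999999"   # constructed


def run_scenario(client_cls):
    """Replay the MITC sequence against a client class; returns the rendered lines."""
    book = AddressBook({"Alice": ALICE})
    client = client_cls(book)
    lines = [client.render(Message(ALICE, "key-alice", "hi, it's me"))]
    # MITC app, holding the contacts permission, rewrites Alice's number in the background
    book.rewrite_number("Alice", ATTACKER)
    lines.append(client.render(Message(ATTACKER, "key-attacker",
                                       "new number, send the invoice here")))
    # the real Alice now shows up as an unknown number
    lines.append(client.render(Message(ALICE, "key-alice", "did you get my message?")))
    return lines


if __name__ == "__main__":
    for cls in (NaiveClient, PinningClient):
        print(cls.__name__)
        for line in run_scenario(cls):
            print("  " + line)
```

Note that the pinning client still cannot rescue the third message: once the entry is rewritten, the genuine Alice is an unknown number to the address book, so a usability countermeasure (making a changed number visible, or asking before relabelling) is needed alongside the technical one.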

Biography: Jeremy Matos has been building secure software for the last 10 years. With an initial academic background as a developer, he has clear insight into what a software development lifecycle is in practice. This also enables him to gain the trust of other programmers by speaking the same language and understanding their day-to-day activities, providing an efficient channel to increase their security awareness.
Designing and developing a two-factor authentication product for 6 years exposed him to challenging threat models, particularly when delivering a public mobile application, and to extensive practice of secure coding guidelines, as the solution was regularly reviewed and penetration tested by third parties. Being responsible for integration and deployment with customers gave him the opportunity to work with diverse production infrastructures and security providers in critical sectors such as banking, health and industry. Understanding the constraints of the various stakeholders was key to reducing operational costs as much as possible.
His experience has been applied in both internal and external consulting roles. He helped define and implement security requirements, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.