HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ridafkih

no profile record

Submissions

Sunbird / 'Nothing Chats' Is Not Secure

texts.blog
3 points·by ridafkih·3 anni fa·0 comments

comments

ridafkih
·2 anni fa·discuss
Since the Messenger Application on desktop is much closer to the usage model of the Texts.com client. We want to replicate the desktop client as closely as possible. It can be assumed there’s going to be properties that are unique to the desktop client and vice versa.
ridafkih
·2 anni fa·discuss
This only works on Android, we had no interest in intercepting the Android application.
ridafkih
·2 anni fa·discuss
Their Android application in particular allows the participation in a developer program which allows access to one of these menus. Not available on macOS and iOS unfortunately!
ridafkih
·2 anni fa·discuss
Fair! In that case, yes you totally have access to the payload before its encrypted.
ridafkih
·2 anni fa·discuss
Good question, Proxyman is the one I'm using in the writeup. It does route all application through it on macOS, and you can proxy iOS devices as well by installing a self-signed certificate on the device and connecting it through the proxy.
ridafkih
·2 anni fa·discuss
It prevents attack vectors that involve attacker-owned certificate authorities as well as compromised certificate authorities from exposing user-data.

https://sslmate.com/resources/certificate_authority_failures
ridafkih
·2 anni fa·discuss
Not the case with asymmetric encryption, you could encrypt with a public key and only the server's private key would be able to decrypt it. Not even the client could.
ridafkih
·2 anni fa·discuss
You're right, it probably could have been implemented by only assigning the output of the sandbox flag function in the consumer function to true, but in this case it worked fine. :)
ridafkih
·2 anni fa·discuss
I will say that ChatGPT did a decent job of explaining non-documented instructions in prior attempts of binary patching.

Now if I could feed an AI a binary and have it tell me where what is happening in a very broad scope, that'd be a game changer, and I'd say that's quite attainable with a high-context window LLM as they seemingly understand hex-formatted byte-code quite well.
ridafkih
·2 anni fa·discuss
It's probably a matter of priorities, as well as cost v. benefit.

Obfuscation would've had very little effect on the outcome of this experiment, but might've changed the approach to involve dynamic instrumentation a little more. The most effective obfuscation I've seen is VM obfuscation, but that presents a significant performance impact. Obfuscation would also make legitimate debugging harder.

Preventing modified binaries is done at the system level, and could feasibly be implemented at the application level and is common, but this functionality itself could be both bypassed, or modifications could simply be implemented after security checks have completed (once again, through dynamic instrumentation libraries like Frida).

Engaging in a cat-and-mouse game with reverse engineers probably isn't in Meta's best interest.
ridafkih
·2 anni fa·discuss
> With Meta’s Messenger application for macOS being so close to the Texts.com model—that being a standalone desktop application—Batuhan İçöz who is leading the Meta platform project at Texts.com thought we could gain some valuable insight by analyzing it.
ridafkih
·2 anni fa·discuss
Snapchat and TikTok both boast pretty gnarly RE-prevention measures.
ridafkih
·2 anni fa·discuss
This was initially an internal post at Texts.com that we decided to share, and I scrapped mention of the fact I had tried the exact same approach a few weeks prior and reached my time-box as well.

I initially spent two hours trying to modify different instructions, and then gave up. I saw another blog post written by a reverse engineer by the name of "Hassan Mostafa" (aka cyclon3) that previously succeeded in the same approach (taking Hopper Disassembler to Instagram on iOS) and I was inspired to try again that night, but I had no luck. I even found and attempted to modify the same instructions.

I decided to call it quits, and then a few weeks later with a bit of a grudge, I spontaneously tried again and I had it done in about 30 minutes after finding the sandbox function.
ridafkih
·3 anni fa·discuss
It acts as a linked device, and you are interfacing directly with Signal's servers with the same protocol that their desktop and mobile applications use.