WeChat's Updated Encryption System Prone to Threats for its Users

 




More than a billion people send messages over WeChat, and a recent study has discovered security flaws in its encryption system. While some applications use end-to-end encryption to prevent private conversations from being read, WeChat's messages can be viewed by its servers. Researchers have now found weaknesses in WeChat's customised encryption that could leave users vulnerable to threats.


Weakened Encryption in WeChat

Researchers at the Citizen Lab of the University of Toronto have established that WeChat is using a variation of the general security protocol named Transport Layer Security, or TLS 1.3. The modified version is called MMTLS, and it is layered over another layer of encryption called "Business-layer encryption," which encrypts messages right before they are sent.

While this does mean that extra security is placed on the system, it is not without weaknesses in its design. The inner Business-layer encryption does not protect critical information, including user IDs and request information. MMTLS also uses deterministic, and therefore predictable, initialization vectors (IVs), which can compromise the overall security of the encryption.


Missing Forward Secrecy

Another weakness with WeChat's encryption is a lack of "forward secrecy." Forward secrecy keeps past communications protected even if encryption keys are compromised later. In the absence of this feature, attackers who get hold of those encryption keys can decrypt old messages, compromising users' long-term privacy.
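The property described above, as an added example that is not taken from the study or from WeChat's code: a toy Diffie-Hellman exchange showing that a recorded session can be read after the long-term key leaks only when the server did not use a fresh key for that session. The group, the XOR cipher and all function names are assumptions chosen for illustration and are not MMTLS's construction.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: an assumption for illustration, far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_cipher(key, data):
    # Toy cipher: XOR with the 32-byte key (messages up to 32 bytes); same call decrypts.
    return bytes(d ^ k for d, k in zip(data, key))

def run_session(server_static_pub, forward_secret, msg):
    """Encrypt msg in one session; return only what a passive recorder sees on the wire."""
    c_priv, c_pub = keypair()                      # client key, fresh per session
    if forward_secret:
        # Fresh server key, discarded afterwards. A real protocol would also
        # authenticate it with the long-term key; that step is omitted here.
        _e_priv, server_pub = keypair()
    else:
        server_pub = server_static_pub             # long-term key reused every session
    key = session_key(pow(server_pub, c_priv, P))  # client side of the exchange
    return {"client_pub": c_pub, "server_pub": server_pub,
            "ciphertext": xor_cipher(key, msg)}

def decrypt_after_compromise(transcript, leaked_static_priv):
    """Attempt to read a recorded session once the long-term private key has leaked."""
    guess = session_key(pow(transcript["client_pub"], leaked_static_priv, P))
    return xor_cipher(guess, transcript["ciphertext"])

if __name__ == "__main__":
    static_priv, static_pub = keypair()
    msg = b"constructed sample message"
    for fs in (False, True):
        recorded = run_session(static_pub, fs, msg)
        recovered = decrypt_after_compromise(recorded, static_priv)
        print(f"forward_secret={fs}: old message recovered = {recovered == msg}")
```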

Even before 2016, WeChat was employing Business-layer encryption. This made WeChat vulnerable to attacks, since it had nearly no defences.

With the implementation of MMTLS, security is enhanced by an added layer of protection. However, the changes do not yet reach the level expected of an app with a user base of this size.


Improvements But Still Some Concerns

Security in WeChat has increased, and researchers could not break through the encryption layer that is currently used. The new MMTLS layer does hide the older, weaker encryption layer and offers protection for it. Still, the modifications to the TLS protocol remain a security liability.


Chinese Apps' Custom Security Practices

Problems with encryption form part of a broader problem with Chinese apps. Increasingly, app developers across China do not depend on widely trusted international standards but instead come up with their own custom solutions. For Citizen Lab, this is a worrisome trend, since these homemade security solutions fall well short of the generally recognized methods.

For instance, some Chinese apps use proprietary mechanisms for dealing with DNS hijacking, and many rely on open-source software such as Tencent Mars, so not all such applications will maintain stringent security levels or follow security best practices.


WeChat Needs Stronger Encryption

Hence, although WeChat has become far safer lately, it is far from perfect. Users may be relying on weak encryption methods that could expose their private data to possible threats. An application with thousands of users worldwide should deploy better standards of encryption to protect conversations among its users.


FCC Commissioner Brendan Carr Calls for TikTok Ban in US

 

The US government should take action to ban TikTok rather than negotiate with the social media app, Brendan Carr, one of five commissioners at the Federal Communications Commission, told a local media outlet in an interview. 

The app has more than 200 million downloads in the U.S. alone, and its immense popularity is concerning because ByteDance, a Chinese company, owns it. That means there’s potential for data on US residents to flow back to China. The FCC has no power to ban TikTok directly, but Congress previously acted after Carr raised concerns regarding Chinese telecom firms, including Huawei.

TikTok is currently in negotiations with the Council on Foreign Investment in the U.S. (CFIUS), a multi-agency government body charged with reviewing business deals involving foreign ownership, to determine whether it can be divested by ByteDance to an American firm and remain operational in the United States.

In September this year, the New York Times reported that a deal was taking shape but was not yet in its final form, and that Department of Justice official Lisa Monaco was concerned the deal did not provide enough insulation from China.

“I don’t believe there is a path forward for anything other than a ban,” Carr said, citing recent incidents regarding how TikTok and ByteDance managed American consumers' data. “Perhaps the deal CFIUS ends up cutting is an amazing, airtight deal, but at this point, I have a very, very difficult time looking at TikTok’s conduct thinking we’re going to cut a technical construct that they’re not going to find a way around.”

A few months ago, Carr sent letters to Apple and Google asking the tech giants to remove TikTok from their respective app stores. The commissioner is now calling for a nationwide ban despite the efforts made by both parties – the US government and TikTok – to come to an agreement. 

“Commissioner Carr has no role in or direct knowledge of the confidential discussions with the US government related to TikTok and is not in a position to discuss what those negotiations entail,” a TikTok spokesperson responded. “We are confident that we are on a path to reaching an agreement with the US government that will satisfy all reasonable national security concerns.”

For now, it’s still business as usual for a Chinese app in the US, though it may be a good idea for creators to have a backup plan in case of a ban. YouTube Shorts is a good option, and it pays better too.