Contact discovery is a core feature in popular mobile messaging apps such as WhatsApp, Signal and Telegram that lets users grant access to their address book in order to discover which of their contacts are on that messaging service. While contact discovery is critical for WhatsApp, Signal and Telegram to function properly, privacy concerns arise with the current methods and implementations of this feature, potentially resulting in the exposure of a range of sensitive information about users and their social circle.

Do we really need to rely on sharing every phone number on our phone in order for mobile messengers to be usable? What are the privacy risks, and do better cryptographic alternatives exist for managing that data? Joining us are researchers looking exactly into this problem, who will tell us more about their interesting results.

Links and papers discussed in the show:
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Alexandra Dmitrienko, Christian Weinert, and Christoph Hagen.

Sponsored By:

• Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

Links:

• All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers — Contact discovery allows users of mobile messen- gers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large- scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross- messenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.