
Threema the Secure Messenger

Threema v. 4.6.2 on iOS and v. 4.41 (build 3000635) on Android is advertised as a secure communication application that keeps its users' data away from hackers, corporations and governments. Threema states that it keeps very little data on the server and that the user's files on the mobile device are stored encrypted; for details see https://threema.ch/en . In this research, the Threema backup on Android 7 must be created by the user and is protected by a password the user sets. That backup is created within the application itself and is not present in a full file system (FFS) dump or a general device backup unless the user has created it in the application. Another setting on the Android version is Auto-save to gallery; if it is selected, incoming and outgoing images are stored unencrypted. The user can also set a locking mechanism and a passphrase (used to unlock the encryption) in the Security settings. On iOS, the user can set an application passcode lock and choose to erase all data after 10 failed attempts. In the Media settings the user can choose to save media automatically to the Photos application. Finally, in the Advanced settings the user can collect a Debug Log, which can be used to independently verify Threema's end-to-end encryption.

To begin with, Threema is not a free application on either Android or iOS; it costs $2.99. Under the conditions of this research the chats were found in state, that is, recoverable in plaintext. I purchased Threema through Google Play on my Samsung Galaxy S6 test device, which runs Android 7 and is rooted. I also purchased it through the Apple App Store on my iPhone 7, which runs iOS 13.3.1 and is jailbroken with checkra1n.

Starting with the Samsung Galaxy S6, I opened the application and set up the account for Brian Thompson (profile Brithomp55). You are then asked to draw a pattern on the screen, from which the app generates the user's Threema ID. Brian's Threema ID is 2T6KCAJC, key fingerprint aa6b8015c8704c77fb93d4391Qaf97ea. Once Brian's account was set up, I proceeded to set up Lorie's account.

Then I set up the account on the iPhone 7 test device. I did not change any settings on either the Samsung Galaxy S6 or the iPhone 7; I used the application with its defaults, as installed.

Next, I began populating both devices with data. I started by sending a chat message from Brian Thompson's account to Lorie Hermesdorf's account; in the chat you address the recipient by their Threema ID. Then I sent Brian Thompson a text message using Brian's Threema ID, with an image file attached to the message.

Now for the analysis, beginning with Threema on iOS.

Threema on iOS

I created an encrypted iOS backup on my MacBook Pro. I then downloaded iBackupViewer v. 4.1600 from the App Store, opened the iOS backup in it and selected the file tree view. I located the folder AppDomainGroup/group.ch.threema and, inside it, the file ThreemaData.sqlite, which I exported to my MacBook Pro desktop. Next, I opened this file with DB Browser for SQLite.

I also checked for the database in the FFS dump, where I located it under private/var/mobile/data/containers/Shared/AppGroup/.

The artifacts are the same in the backup copy of the database and in the copy contained in the FFS dump: the timestamps and the messages are in plaintext.
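The backup route above relies on a GUI viewer to find the app group folder. As an added example (not code from the original post), the following locates the same file by querying the backup's Manifest.db directly. It assumes the iOS 10+ backup layout: a Files table with fileID, domain, relativePath and flags (1 = file, 2 = directory), a fileID that is the SHA-1 of "<domain>-<relativePath>", and each file stored at <backup>/<fileID[:2]>/<fileID>. The relativePath of ThreemaData.sqlite is assumed; the post only places it under group.ch.threema. An encrypted backup, like the one used here, must be decrypted first, because Manifest.db and the file contents are themselves encrypted in that case.

```python
# Added example: find an app's files in an iOS backup via Manifest.db.
# Assumptions (not from the post): Files(fileID, domain, relativePath, flags),
# fileID = SHA-1("<domain>-<relativePath>"), on-disk path <fileID[:2]>/<fileID>.
# Works on an unencrypted or already-decrypted backup directory.
import hashlib
import sqlite3
from pathlib import Path

THREEMA_GROUP_DOMAIN = "AppDomainGroup-group.ch.threema"


def backup_file_id(domain: str, relative_path: str) -> str:
    """Derive the fileID (hex SHA-1) iOS uses to name a backed-up file."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def open_manifest(backup_dir) -> sqlite3.Connection:
    """Open Manifest.db at the top of a (decrypted) backup directory."""
    return sqlite3.connect(str(Path(backup_dir) / "Manifest.db"))


def find_files(conn: sqlite3.Connection, domain: str, name_like: str):
    """Regular files in `domain` whose relativePath matches a LIKE pattern.
    Each hit is (fileID, relativePath, on_disk_subpath)."""
    rows = conn.execute(
        "SELECT fileID, relativePath FROM Files "
        "WHERE domain = ? AND relativePath LIKE ? AND flags = 1 "
        "ORDER BY relativePath",
        (domain, name_like),
    ).fetchall()
    return [(fid, rel, f"{fid[:2]}/{fid}") for fid, rel in rows]


def domains_like(conn: sqlite3.Connection, pattern: str):
    """Every distinct backup domain matching a LIKE pattern, e.g. '%threema%'."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT domain FROM Files WHERE domain LIKE ? ORDER BY domain",
        (pattern,))]


def sample_manifest() -> sqlite3.Connection:
    """Constructed in-memory Manifest.db with the columns the code relies on.
    relativePath values are assumed; a real backup may nest the store deeper."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    entries = [
        (THREEMA_GROUP_DOMAIN, "", 2),
        (THREEMA_GROUP_DOMAIN, "ThreemaData.sqlite", 1),
        (THREEMA_GROUP_DOMAIN, "ThreemaData.sqlite-wal", 1),
        ("AppDomainGroup-group.ch.protonmail.protonmail", "protonmail.sqlite", 1),
    ]
    conn.executemany(
        "INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
        [(backup_file_id(d, p), d, p, f) for d, p, f in entries])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Replace sample_manifest() with open_manifest("/path/to/backup") for real use.
    m = sample_manifest()
    print("domains:", domains_like(m, "%threema%"))
    for fid, rel, sub in find_files(m, THREEMA_GROUP_DOMAIN, "ThreemaData.sqlite%"):
        print(rel, "->", sub)
```

The LIKE pattern ending in % is deliberate: a SQLite store in WAL mode keeps recent rows in the -wal sidecar until checkpoint, so pull ThreemaData.sqlite-wal and -shm alongside the main file before opening it, or those rows are missed.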

Further, there was a snapshot under ch.threema.iapp that contained the image Brian sent to Lorie (ID W6ENEYNJ). See image below.

To sum up the iOS examination of Threema: the ThreemaData.sqlite file is available both in an encrypted iOS backup and in an FFS dump, and the database itself is in state, with its contents in plaintext. I have only examined the artifacts for text messages; the application also handles calls.
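Once the store has been copied out, the timestamps still need interpreting: Core Data stores (the Z-prefixed tables seen in DB Browser) hold NSDate values as seconds since 2001-01-01 UTC, the Cocoa epoch, not the Unix epoch. As an added example that is not part of the original post, the triage script below enumerates the tables of such a store and converts date-like numeric columns. The ZMESSAGE table, its columns and its rows are constructed for the demo; the post does not show the real ThreemaData.sqlite layout, so every name here is an assumption, and the epoch guess in to_iso is a labelled heuristic rather than a Core Data rule.

```python
# Added example: triage a Core Data SQLite store pulled from a backup/FFS dump.
# Core Data stores NSDate as float seconds since 2001-01-01 UTC (Cocoa epoch).
# Schema, column names and rows below are constructed, not ThreemaData.sqlite's.
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds) -> str:
    """Cocoa/Core Data timestamp (seconds since 2001-01-01 UTC) to ISO-8601."""
    return (COCOA_EPOCH + timedelta(seconds=float(seconds))).isoformat()


def to_iso(value) -> str:
    """Heuristic (assumption, not a Core Data rule): > 1e12 is Unix
    milliseconds, > 1e9 is Unix seconds, otherwise Cocoa seconds. Unambiguous
    for 2010-2032 dates, where Cocoa values stay below 1e9 and Unix values
    stay above 1.26e9; a Unix value from before Sept 2001 would be misread."""
    v = float(value)
    if v > 1e12:
        return (UNIX_EPOCH + timedelta(milliseconds=v)).isoformat()
    if v > 1e9:
        return (UNIX_EPOCH + timedelta(seconds=v)).isoformat()
    return cocoa_to_iso(v)


def list_tables(conn: sqlite3.Connection):
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]


def table_columns(conn: sqlite3.Connection, table: str):
    return [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]


def dump_table(conn, table, date_hints=("DATE", "TIME", "STAMP")):
    """Rows as dicts; numeric columns whose names hint at a date are converted."""
    cols = table_columns(conn, table)
    out = []
    for raw in conn.execute(f'SELECT * FROM "{table}"'):
        rec = {}
        for col, val in zip(cols, raw):
            if (isinstance(val, (int, float)) and not isinstance(val, bool)
                    and any(h in col.upper() for h in date_hints)):
                rec[col] = to_iso(val)
            else:
                rec[col] = val
        out.append(rec)
    return out


def sample_store() -> sqlite3.Connection:
    """Constructed Core Data-style store standing in for ThreemaData.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, "
                 "ZDATE REAL, ZISOWN INTEGER, ZSENDERID TEXT, ZTEXT TEXT)")
    conn.executemany("INSERT INTO ZMESSAGE VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 1, 603000000.0, 1, "2T6KCAJC", "constructed message one"),
        (2, 1, 603000120.5, 0, "W6ENEYNJ", "constructed message two"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # For a real store: conn = sqlite3.connect("file:ThreemaData.sqlite?mode=ro", uri=True)
    conn = sample_store()
    for table in list_tables(conn):
        print(table, table_columns(conn, table))
        for row in dump_table(conn, table):
            print("  ", row)
```

Open an evidence copy read-only (the uri form in the comment) so that SQLite does not touch the file or create a journal beside it, and keep in mind that a value of 603000000.0 is 2020-02-10 under the Cocoa epoch but would read as 1989 if passed to a Unix converter.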

Threema on Android

At first examination there were no artifacts in the Threema folder, and threema4.db was identified as encrypted. Again, applications store their data differently not only across versions but also across operating systems. See below.

So I opened the application again on the Samsung Galaxy S6 test device running Android 7 and noticed that the user can create a backup. I selected it. When you create this backup, you are prompted to set a password for the file; there is no way to skip the password (see image).

Since the device is rooted, I connected it to my MSI Windows 10 computer to view the files. This time, under the path /data/ch.threema.app/files/data/ there was a backup folder (see image below).

I then used 7-Zip to decompress the backup and was prompted for the password. These are the files contained within it. Interestingly, instead of a database there are individual files, one per table of the database (see image below).

Highlighted is the message table, contained in the CSV file message_W6ENEYNJ. The filename carries the Threema ID of Lorie Hermesdorf, not Brian Thompson; keep in mind that this backup was created on the Samsung Galaxy S6, Brian Thompson's device, so the file is named after the conversation partner rather than the account owner. The message contents are in plaintext (see image below).

To sum up the Android analysis: if the user creates a backup within the Threema application, that backup can be opened and viewed provided the examiner knows its password. Inside, the examiner finds separate CSV files that mirror the database tables; in the message_ThreemaID file the examiner will find timestamps and the plaintext content of the messages.

I intend to conduct further research on this application by changing some of the settings and then checking for changes in data storage. Again, the only feature of Threema examined here is text messaging; the telephony side was not examined.

I want to take a moment and thank Alexis Brignoni for reviewing this material for me!

Till next time….


ProtonMail on iOS

This is part two of my post on ProtonMail. Part one covered artifacts on Android; this post deals with artifacts, or the lack thereof, on iOS 13.3.1.

So, after I finished having my temper tantrum about not finding any artifacts on the device, I picked myself up and got to business. Yes, ProtonMail on iOS 13.3.1 was disappointing after what was found on Android. For security purposes, however, I suppose that is good news.

First, when I set up the ProtonMail account I selected 4096-bit keys for the account. I used this account on my iPhone 7 running iOS 13.3.1, which is jailbroken with checkra1n, and used Magnet Acquire to obtain an FFS dump. I also used Elcomsoft's iOS Forensic Toolkit to obtain an FFS dump.

I placed the image files on my MacBook Pro, running macOS 10.15.6, to analyze them. I navigated to private/var/mobile/Data/Application/5F9545AD-59AF-4E93-8593-965D11DC40C2, which contains several folders.

Under the folder Saved Application State/KnownSceneSessions there is a plist file, restorationInfo, that contains the following:

I admit that I do not know what these recovery keys are, but someone may find this information useful. I dug deep into ch.protonmail.protonmail without much luck.

I made a backup of the iPhone 7 shortly after setting up the ProtonMail and Threema Secure Messaging applications. I used iBackup Viewer, version 4.1600, to view the backup, selecting the image view of the file tree. Within the backup, group.ch.protonmail.protonmail contains three files (see image below); however, these files cannot be exported, so I do not know what data they may contain.

After I published the first blog post on ProtonMail, a good friend suggested that I secure the ProtonMail addresses. I attempted to secure l.hermesdorf4n6@protonmail.com via the app on the iPhone 7 and was directed to sign in to the ProtonMail website. There I went to Account, Settings, to set up two-factor authentication. Interestingly, once I set this I was presented with a Keys section showing the fingerprint of the 4096-bit RSA key (see image below).

I do not know enough about cryptography to say whether this is of any benefit, but I did find it interesting that this key appeared on the ProtonMail website.

Well, that is it for ProtonMail. I hope you will return to read my blog post on the Threema Secure Messaging application. Till then….

UPDATE

Okay, I got excited about this, though I still have some work to do. While manually examining another application on Android, I discovered that a database is created if the user creates a backup within the application.

So I decided to apply this to ProtonMail. I archived three emails, then dumped the iPhone 7 running iOS 13.3.1 (jailbroken with checkra1n) with Magnet Acquire to obtain an FFS dump.

Well, well, I am surprised. A protonmail.sqlite database was indeed created. The path is private/var/mobile/containers/shared/AppGroup/14DC-B381-D852-498F-9798-E8519EB6476B.

When I opened the database with DB Browser for SQLite, I was greeted with a familiar database, similar to the one seen on Android.

However, here is where my excitement stopped. When I copied what I thought was a Base64-encoded ZMESSAGEID, surprise: according to CyberChef it does not decode as Base64.

If anyone recognizes this encoding, please leave a comment. I checked the entropy and it does not appear to be encrypted. There appears to be only one timestamp.
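The two checks above, a Base64 decode attempt and an entropy measurement, are worth scripting so they can be run over every value in a column rather than one pasted string at a time. The following is an added example, not code from the original post, and it does not claim to identify the ZMESSAGEID encoding. It goes slightly beyond the text in one way: it tries the URL-safe Base64 alphabet (- and _ in place of + and /) as well as the standard one, since a standard-alphabet recipe rejects URL-safe input outright. All sample strings are constructed.

```python
# Added example: Base64 variant probe plus Shannon entropy, for triaging
# opaque identifier columns. Sample inputs are constructed for the demo.
import base64
import binascii
import math
import re
from collections import Counter

STD_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")
URL_B64 = re.compile(r"[A-Za-z0-9_-]*={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per symbol. Note the cap: text over a 64-symbol alphabet can never
    exceed 6.0, so compare the entropy of the *decoded* bytes when judging
    whether the payload looks random (encrypted or a key/nonce)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def try_base64(text: str):
    """Return (variant, decoded_bytes) for standard or URL-safe Base64,
    adding missing padding; (None, None) if neither alphabet decodes it."""
    s = text.strip()
    if not s or len(s) % 4 == 1:          # no valid Base64 has length 4k+1
        return None, None
    padded = s + "=" * (-len(s) % 4)
    for name, pattern, altchars in (("standard", STD_B64, None),
                                    ("urlsafe", URL_B64, b"-_")):
        if not pattern.fullmatch(s):
            continue
        try:
            return name, base64.b64decode(padded, altchars=altchars, validate=True)
        except binascii.Error:
            continue
    return None, None


def classify(text: str) -> dict:
    """One-line verdict for an opaque string: alphabet, decoded length and
    entropy of both the raw text and the decoded bytes."""
    variant, decoded = try_base64(text)
    return {
        "value": text,
        "base64": variant,
        "decoded_len": None if decoded is None else len(decoded),
        "entropy_text": round(shannon_entropy(text.encode("utf-8")), 3),
        "entropy_decoded": None if decoded is None else round(shannon_entropy(decoded), 3),
    }


# Constructed samples: standard Base64 of ASCII, URL-safe Base64 of two
# high bytes, hex, and a string outside both alphabets.
SAMPLES = [
    "aGVsbG8gd29ybGQ=",
    "-_8=",
    "aa6b8015c8704c77fb93d439",
    "not base64!",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
```

Hex is the usual false friend here: a hex string matches the standard alphabet and will sometimes decode under strict Base64 if its length happens to be a multiple of four, so a successful decode is only evidence once the decoded bytes make sense (printable text, a known header, or near-8-bit entropy of the expected key or nonce length).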

If anyone would like a copy of the database, please email me. Thank you everyone for reading this research! I promise a blog post on Threema is coming.
