Oleh Diposting pada

Early this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.

But, as I wrote in that post, it has become clear the problem is much more widespread — affecting not only messengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have a many more browsers than you think in your system this very minute…

What is Electron, and why do application developers want to use it?

Electron is a cross-platform desktop application development framework that employs web technologies — mostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its original name — Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an extremely popular tool used to create desktop applications for various operating systems, including Windows, macOS, and Linux.

Electron framework official site

Main page of the Electron framework official site. Source

Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.

Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.

Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.

Electron’s other convenience features include making installation packages, their diagnostics, publication to app stores, and automatic updates.

Mullvad VPN uses the Electron framework, too

Et tu autem, Brute! You can find Electron in apps you least expect to

Summing up, the Electron framework is popular among developers — most particularly as it allows to greatly accelerate and simplify the application development process for all desktop operating systems in one go.

Issues with Electron-based applications

Electron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: each such app carries its whole home on its back like a snail a full-blown Chromium browser. In effect, it operates through that browser — serving as a sort of intermedium.

Next issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based app there’s a separate instance of the Chromium web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.

New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year more than 70 high, and three critical severity-level vulnerabilities have been found in Chromium as of the time of writing. Worse yet, exploits for the world’s most popular browser’s vulnerabilities appear really quick. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re vulnerabilities that can be used for attacks by cybercriminals out in the wild.

List of Chrome/Chromium vulnerabilities found in the first eight months of 2023

Even in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source

For the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don’t need to fear updating).

Things are very different for the Electron-based apps. A Chromium browser built into such an app will only get patched if the app’s vendor has released a new version and successfully communicated to users the need to install it.

So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.

The framework’s creators know full well about the problem, and strongly recommend that app developers release patches on time. Alas, users can only hope that those recommendations are followed.

And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out of bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and all Electron-based applications. So, all companies using it in their applications will have to work on updates.

Which desktop applications are based on Electron?

Not many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are using more than one of them. Check them out yourself:

  • 1Password
  • Agora Flat
  • Asana
  • Discord
  • Figma
  • GitHub Desktop
  • Hyper
  • Loom
  • Microsoft Teams
  • Notion
  • Obsidian
  • Polyplane
  • Postman
  • Signal
  • Skype
  • Slack
  • Splice
  • Tidal
  • Trello
  • Twitch
  • Visual Studio Code
  • WhatsApp
  • WordPress Desktop

I personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).

That list is not exhaustive at all though, representing only the most popular Electron-based applications. In total there are several hundred such applications. A more or less complete list of them can be found on a special page on the official website of the framework (but, it seems, not all of them are listed even there).

List of Electron-based applications

The list of Electron-based desktop applications comprises several hundred online services, including about 20 really popular ones. Source

Security considerations

So how to avoid the threats posed by uncontrolled browsers that thoughtful developers are now unpredictably embedding into desktop apps? I have three main tips regarding this:

  • Minimize the number of Electron-based apps as much as possible. It’s not as difficult as it seems: the very fact of using the framework normally suggests that the service has an extremely advanced web version, which is most likely on a par with the desktop application in terms of features and convenience.
  • Try to inventory all Electron-based apps used by your company’s employees, and prioritize their updates. More often than not, these are collaboration applications of different forms and shades — from Microsoft Teams, Slack, and Asana, to GitHub and Figma.
  • Use a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are already known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky products have an exploit protection system: it helps our experts detect the exploitation of new, as yet unknown vulnerabilities, and warns the developers of the corresponding programs about these holes.


#Electronbased #desktop #applications #secure

Oleh Diposting pada

Videocalls became much more widespread after the COVID-19 pandemic began, and they continue to be a popular alternative to face-to-face meetings. Both platforms and users soon got over the teething problems, and learned to take basic security measures when hosting videoconferences. That said, many online participants still feel uncomfortable knowing that they might be recorded and eavesdropped on all the time. Zoom Video Communications, Inc. recently had to offer explanations regarding its new privacy policy, which states that all Zoom videoconferencing users give the company the right to use any of their conference data (voice recordings, video, transcriptions) for AI training. Microsoft Teams users in many organizations are well aware that turning on recording means activating transcription as well, and that AI will even send premium subscribers a recap. For those out there who discuss secrets on videocalls (for instance in the telemedicine industry), or simply have little love for Big Tech Brother, there are less known but far more private conferencing tools available.

What can we protect ourselves against?

Let’s make one thing clear: following the tips below isn’t going to protect you from targeted espionage, a participant secretly recording a call, pranks, or uninvited guests joining by using leaked links. We already provided some videoconferencing security tips that can help mitigate those risks. Protecting every participant’s computer and smartphone with comprehensive cybersecurity — such as Kaspersky Premium — is equally important.

Here, we focus on other kinds of threats such as data leaks from the videoconferencing platform, misuse of call data by the platform, and the harvesting of biometric information or conference content. There are two possible engineering solutions to these: (i) hosting the conference entirely on participant computers and servers, or (ii) encrypting it, so that even the host servers have no access to the meeting content. The latter option is known as end-to-end encryption, or E2EE.

Signal: a basic tool for smaller group calls

We have repeatedly described Signal as one of the most secure private instant messaging apps around, but Signal calls are protected with E2EE as well. To host a call, you have to set up a chat group, add everyone you want to call, and tap the videocall button. Group videocalls are limited to 40 participants. Admittedly, you’re not getting any business conveniences such as call recording, screen sharing, or corporate contact-list invitations. Besides, you’ll need to set up a separate group for each meeting, which works well for regular calls with the same people, but not so much if the participants change every time.

Signal lets you set up videoconferences for up to 40 participants in a familiar interface

Signal lets you set up videoconferences for up to 40 participants in a familiar interface

WhatsApp and Facetime: just as easy — but not without their issues

Both these apps are user-friendly and popular, and both support E2EE for videocalls. They share all the shortcomings of Signal, adding a couple of their own: WhatsApp is owned by Meta, which is a privacy red flag for many, while Facetime calls are only available to Apple users.

Jitsi Meet: self-hosted private videoconferencing

The Jitsi platform is a good choice for large-scale, fully featured, but still private meetings. It can be used for hosting meetings with: dozens to hundreds of participants, screen sharing, chatting and polling, co-editing notes, and more. Jitsi Meet supports E2EE, and the conference itself is created at the moment the first participant joins and self-destructs when the last one disconnects. No chats, polls or any other conference content is logged. Finally, Jitsi Meet is an open-source app.

Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer's website

Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer’s website

Though the public version can be used for free on the Jitsi Meet website, the developers strongly recommend that organizations deploy a Jitsi server of their own. Paid hosting by Jitsi and major hosting providers is available for those who’d rather avoid spinning up a server.

Matrix and Element: every type of communication — fully encrypted

The Matrix open protocol for encrypted real-time communication and the applications it powers — such as Element — are a fairly powerful system that supports one-on-one chats, private groups and large public discussion channels. The Matrix look-and-feel resembles Discord, Slack and their forerunner, IRC, more than anything else.

Connecting to a Matrix public server is a lot like getting a new email address: you select a user name, register it with one of the available servers, and receive a matrix address formatted as @user:server.name. That allows you to talk freely to other users including those registered with different servers.

Even a public server makes it easy to set up an invitation-only private space with topic-based chats and videocalls.

The settings in Element are slightly more complex, but you get more personalization options: chat visibility, permission levels, and so on. Matrix/Element makes sense if you’re after team communications in various formats, such as chats or calls, and on various topics rather than just a couple of odd calls. If you’re simply looking to host a call from time to time, Jitsi works better — the call feature in Element even uses Jitsi code.

Element is a fully featured environment for private conversations, with video chats just one of the available options

Element is a fully featured environment for private conversations, with video chats just one of the available options

Corporations are advised to use the Element enterprise edition, which offers advanced management tools and full support.

Zoom: encryption for the rich

Few know that Zoom, the dominant videoconferencing service, has an E2EE option too. But to enable this feature, you need to additionally purchase the Large Meetings License, which lets you host 500 or 1000 participants for $600–$1080 a year. That makes the price of E2EE at least $50 per month higher than the regular subscription fee.

Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it

Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it

You can enable encryption for smaller meetings as well, but still only if you have a Large Meeting License. According to the Zoom website, activating E2EE for a meeting disables most familiar features, such as cloud recording, dial-in, polling and others.


#Top #apps #encrypted #private #videocalls

Oleh Diposting pada

For popular messengers such as Telegram, Signal and WhatsApp, there are quite a few alternative clients (not to be confused with clients as in (human) customers; whoever opted this confusing language needs a good talking to) out there. Such modified apps — known as mods — often provide users with features and capabilities that aren’t available in the official clients.

While WhatsApp disapproves of mods — periodically banning them from official app stores, not only has Telegram never waged war on alternative clients, it actively encourages their creation, so Telegram mods are popping up like mushrooms. But are they safe?

Alas, several recent studies show that messenger mods should be handled with great caution. Although most users still blindly trust any app that’s been verified and published on Google Play, we’ve repeatedly highlighted the dangers: when downloading an app on Google Play, you could also pick up a Trojan (that one had more than a 100 million downloads!), a backdoor, a malicious subscriber, and/or loads of other muck.

This just in: infected Telegram in Chinese and Uyghur on Google Play

We’ll start with a recent story. Our experts discovered several infected apps on Google Play under the guise of Uyghur, Simplified Chinese and Traditional Chinese versions of Telegram. The app descriptions are written in the respective languages and contain images very similar to those on the official Telegram page on Google Play.

To persuade users to download these mods instead of the official app, the developer claims that they work faster than other clients thanks to a distributed network of data centers around the world.

Spyware versions of Telegram on Google Play

Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside

At first glance, these apps appear to be full-fledged Telegram clones with a localized interface. Everything looks and works almost the same as the real thing.

We took a peep inside the code and found the apps to be little more than slightly modified versions of the official one. That said, there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module. It constantly monitors what’s happening in the messenger and sends masses of data to the spyware creators’ command-and-control server: all contacts, sent and received messages with attached files, names of chats/channels, name and phone number of the account owner — basically the user’s entire correspondence. Even if a user changes their name or phone number, this information also gets sent to the attackers.

Previously: spyware versions of Telegram and Signal on Google Play

Interestingly, a short while ago researchers at ESET found another spyware version of Telegram — FlyGram. True, this one didn’t even try to pretend to be official. Instead, it positioned itself as an alternative Telegram client (that is, just a mod), and had found its way not only onto Google Play, but into the Samsung Galaxy Store as well.

What’s even more curious is that its creators didn’t limit themselves to imitating just Telegram. They also published an infected version of Signal in these same stores, calling it Signal Plus Messenger. And for added credibility, they even went so far as to create the websites flygram[.]org and signalplus[.]org for their fake apps.

Signal Plus Messenger: a spyware version of Signal on Google Play and in the Samsung Galaxy Store

There’s a spyware client on Google Play for Signal too, called Signal Plus Messenger. (Source)

Inside, these apps amounted to full-fledged Telegram/Signal messengers, whose open-source code was flavored with malicious additives.

Thus FlyGram learned to steal contacts, call history, a list of Google accounts and other information from the victim’s smartphone, as well as make “backup copies” of correspondence to be stored… where else but on the attackers’ server (although this “option” had to be activated in the modified messenger independently by the user).

In the case of Signal Plus, the approach was somewhat different. The malware scraped a certain amount of information from the victim’s smartphone directly, and allowed the attackers to log in to the victim’s Signal account from their own devices without being noticed, after which they could read all correspondence almost in real time.

FlyGram appeared on Google Play in July 2020 and stayed there until January 2021, while Signal Plus was published in app stores in July 2022 and removed from Google Play only in May 2023. In the Samsung Galaxy Store, according to BleepingComputer, both apps were still available at the end of August 2023. Even if they are now completely gone from these stores, how many unsuspecting users continue to use these “quick and easy” messenger mods that expose all their messages to prying eyes?

Infected WhatsApp and Telegram spoof cryptowallet addresses

And just a few months back, the same security researchers uncovered a slew of trojanized versions of WhatsApp and Telegram aimed primarily at cryptocurrency theft. They work by spoofing the cryptowallet addresses in the messages so as to intercept incoming transfers.

Infected WhatsApp spoofs the cryptowallet address in messages

An infected version of WhatsApp (left) spoofs the cryptowallet address in a message to the recipient, who has the official, uninfected version of WhatsApp (right). (Source)

In addition, some of the versions found use image recognition to search screenshots stored in the smartphone’s memory for seed phrases — a series of code words that can be used to gain full control over a cryptowallet and then empty it.

And some of the fake Telegram apps stole user profile information stored in the Telegram cloud: configuration files, phone numbers, contacts, messages, sent/received files, and so on. Basically, they pilfered all user data except for secret chats created on other devices. All these apps were distributed not on Google Play, but through a variety of fake sites and YouTube channels.

How to stay safe

Lastly, a few tips on how to protect yourself from infected versions of popular messengers, as well as other threats targeting Android users:

  • As we’ve seen, even Google Play isn’t immune to malware. That said, official stores are still far safer than other sources. So, always use them to download and install apps.
  • As this post has made clear, alternative clients for popular messengers should be treated with extreme caution. Open source lets anyone create mods — and fill them with all sorts of nasty surprises.
  • Before installing even the most official app from the most official store, look closely at its page and make sure that it’s real — pay attention not only to the name, but also the developer. Cybercriminals often try to fool users by making clones of apps with descriptions similar to the original.
  • It’s a good idea to read negative user reviews — if there’s a problem with an app, most likely someone will have already spotted and written about it.
  • And be sure to install reliable protection on all your Android devices, which will warn you if malware tries to sneak in.
  • If you use the free version of Kaspersky Security & VPN, remember to manually scan your device after installation and before running any app for the first time.
  • Threat scanning is done automatically in the full version of our security solution for Android, which is included into the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscription plans.


#Spyware #versions #Telegram #Signal #Google #Play

Oleh Diposting pada

We’ve published multiple comparisons of secure messaging apps with end-to-end encryption, shared recommended settings, and described the respective flaws of these apps. But what about folks who want secure messengers but who aren’t exactly tech-savvy? This blogpost is just for them – based as it is on an extensive study and published report entitled What Is Secure? by a group of experts from the agencies Tech Policy Press and Convocation Research and Design.

The report contains recommendations for both users and developers. But since not everyone will read through all the 86 pages of text, we summarize the paper’s main conclusions below.

Object of study

The researchers interviewed user groups in Louisiana in the United States, and Delhi, India, to determine the strongest and weakest points of current messaging apps. The following popular apps were examined:

  • Apple iMessage
  • Meta (Facebook) Messenger
  • Messages by Google
  • Signal
  • Telegram
  • WhatsApp

The study focused on the way humans respond to in-app tips, and the way they understand the meaning of each feature. More importantly, the respondents were asked about any specific fears, and in what ways they think secure messaging apps are or could be useful in their lives. Some of the interviewees said they are worried about potential physical violence, such as domestic violence, in connection with messaging, while others fear persecution by the authorities. This had a major effect on their perception of “secure”.

Key finding

End-to-end encryption is only one aspect of security. Encrypted messaging won’t solve every problem a threatened user is having. Therefore, one needs to think through a strategy against motivated adversaries. Is there a risk of your phone being seized? A risk of you being forced to unlock it? Are you afraid that someone may try to obtain your data from the company that owns the app using litigation or a legal order? Or infect your phone with spyware? Would it be easier for the bad guys to try and extract that data from the person you’re chatting with? For many, the answer to each of the above is no, so an encrypted messaging app provides sufficient security in and of itself. And even if your answer is yes, that’s no reason to give up encryption and secure messaging: they just need to be one layer of your defenses.

As further tips, the researchers recommend that the above vulnerable user groups take several technical steps (more on those below) but, most importantly, not to carry their phones in places where they could be physically seized or forcibly unlocked. They suggest getting a second phone for such dangerous places, and keeping the main device with a person they can trust.

General tips on secure messaging

The biggest secrets are best delivered face-to-face. No method of digital communication is completely secure. Therefore, the riskiest information – especially if posing a threat to health or even life – should be discussed in person, not in a chat.

Don’t make decisions blindly. Users make conscious efforts to protect their privacy, but they often rely on popular opinion about security – not verified sources. Few read documents that accompany messaging apps: terms of use, or transparency and government data sharing reports. Research carefully what your messaging service actually stores and where, and with whom it shares data and has shared in the past. That information can be found in transparency reports and in the press.

Carefully review the app settings. Make sense of each setting and turn on all the securest options. Bear in mind that parts of the privacy settings may be spread across the phone’s general settings (especially true for iMessage in iOS, and Messages by Google in Android) or sections of the app settings (typical of Telegram).

Avoid hybrid modes. Several messaging apps support both encrypted and unencrypted messaging. In iMessage and Messages by Google, you can send open texts and encrypted messages in the same chat; however, this is a bad idea since these message types are always confused. Both Messenger and Telegram have separate encrypted and unencrypted chats, with the unencrypted mode used by default. The paper recommends using messaging apps based on full encryption: Signal or WhatsApp.

The more features – the higher the risk. Extra features, such as stories, bots or links to social networking services, provide extra surveillance and data-leak channels. It’s best to turn off these kinds of features or avoid using the app altogether.

Disable link previews, geolocation sharing, and GIFs. These features do come in handy sometimes, but they can be used to track you down by various parties, including linked websites. Another potential leak channel is finding and sharing GIFs in chats.

Messaging apps that work without a phone number are helpful. These include, to a certain extent, Telegram, Messenger and iMessage, although it does take some effort to configure each of them to use your internal username or e-mail as your identifier when chatting. According to the report, WhatsApp and Signal are planning to add a feature like this too.

Use disappearing messages. The most squeamish among us can enable chats to be deleted automatically after a short period of time, such as one minute. Unfortunately, not every messaging app has options like these, and in some of them, the shortest visibility period is 24 hours. Disappearing messages do little to protect you from screenshots or other ways that chats can be saved. Auto-deleting messages is helpful if you expect that strangers will be poking around in your phone shortly.

Encrypt chat backups. Default cloud backups are a frequent leak channel, so it’s imperative that they’re encrypted (something that needs to be enabled manually in both WhatsApp and iMessage), saved locally (for example, on an SD card if using an Android phone), or turned off altogether. Any local backups should be encrypted as well.

Compare encryption keys with the people you chat with. This procedure is called Сontact Key Verification (in iMessage), Safety Numbers (in Signal), Security Code (in WhatsApp), and Encryption key (in Telegram), and it helps make sure that you’re chatting with the right person – using the right device. Encryption keys can be verified for each chat by comparing codes or meeting face-to-face.

Protect yourself against account hijacking by turning on two-factor authentication. This feature comes under a variety of names, such as Two-Step Verification, Registration PIN, or something else, but the essence remains the same: logging in to the same account on a new device requires an extra verification step.

Train the people you chat with. This is critical for groups that chat about sensitive subjects. This requires that the members all share and observe the following ethics and security rules:

  • No forwarding of confidential information
  • No screenshots or other copies of the information in the chat
  • Supporting a culture of privacy within the community
  • Using the app settings wisely
  • Disabling potentially risky chat features

What’s the securest messaging app?

Signal is the clear leader in the study, but the requirement to expose your phone number makes the situation somewhat complicated. The table below contains a comparison of the key messaging-app security features, with the safest option in each row highlighted in green.

Apple iMessage Meta (FB) Messenger* Google Messages Signal Telegram WhatsApp
End-to-end encryption in one-to-one chats In certain cases* Special type of chat In certain cases* Always Secret chats only Always
End-to-end encryption in group chats In certain cases* Special type of group In certain cases* Always Never Always
Verified encryption protocol No Yes Yes Yes No Yes
Encrypted backups Yes, optional No backups No Yes, on by default No backups Yes, optional
Manual comparison of encryption keys Yes Yes No Yes Yes Yes
Phone number-free registration Yes Yes (complicated) No No No No
Hiding phone number from contacts Yes Yes No No Yes No
Links with other services or accounts in these Yes Yes No No No Yes
Hiding metadata** Partial Partial Partial Yes Partial Partial
Storing metadata** Yes Yes Yes No Yes Yes
Self-destructing messages No Five seconds or longer No One second or longer One second or longer 24 hours or longer and one-time viewing
Disabling link previews No No No Yes Secret chats only No
Blocking screenshots No No No Yes Secret chats only No
Screenshot alert No Yes No No No No
* Available as long as all parties are using the same platform (iOS or Android) and the appropriate app settings.
** Confidentiality settings to avoid showing to other users the following metadata partially or in full: the user’s photo, the user’s other contacts, chat and group memberships, IP address, and chat times.
The table is based on the data of the report What Is Secure?


#encrypted #messaging #apps #properly #chats #confidential