TL;DR - the author claims to have hacked their encryption by reading the messages in phone memory.
I don't understand how this is a valid exploit/vulnerability? How would any device, Android or not, render the actual picture of the message on the GPU without having the unencrypted string in memory? It's not possible. If you have local memory/code execution, you will ALWAYS have access to the messages any client application is rendering/using.
Yeah, the memory thing didn't impress me. More concerning though is that apparently messages are stored in plain text on disk in that cache4.db file. It's not clear to me whether they are deleted when the app quits or what.
The files under `/data/data/[pkgname]` are only readable by the corresponding application. Encrypting them wouldn't add any security as the key for that cache would also be stored on the device.
I am not even a security novice, but isn't getting root on the devices basically a game over? The suggestions the author hard to encrypt the stuff in memory and on disk would just add a extra step for the attacker to find the key? If they key had to be entered by the user every time the attack can just wait until the user does so? If thats too hard... just monitor the user.
With root you can just wait and take screen shots... (as the author shows) which would work for any thing the user does ever and is simpler?
The attack vector wasn't even through the Telegram application but depending on if you get access to disk or memory. Sure that's not hard to do...but it's still safe in-transit? A pretty interesting read, but I'm not seeing the leetness here.
I did notice the same thing. As soon as I saw root access needed, I pretty much took everything else with a grain of salt. It's always game over if the attacker can get their hands on the device.
I am not knowledgeable in this field and I would like to learn more how to do most of these things, what would be a good resource to start off with?
Also neat that you really can recompose the entire conversation, as the timestamps are clearly available in the DB.
Offset 0056e1c, 0x54ba8a1d is unixepoch 1421511197 - which is January 17th, at 16:13:17GMT - which, given that the author is in Tel Aviv (GMT+2), corresponds with the 6:13PM timestamp for 'Shlookiedo' seen in the photos.
I find it hard to believe that Telegram did not respond to the author. How can one company simultaneously host a $200k security contest, yet not respond to a simple email disclosing a vulnerability?
Because this isn't really a vulnerability. It's "if you completely control the device that is sending/receiving encrypted messages, you can read the messages."
There's literally no way to defend against this attack. About the best they could do is show a warning like "Warning: The version of Android you are using contains vulnerabilities attackers could use to take control of your phone. Please update your softw... buy a new phone to get the latest version of Android."
I think at this point we are getting into the semantics of what qualifies as a "vulnerability." I agree there's very little telegram can do about this, but that doesn't lessen the validity of the attack. At the very least, they could respond to the bug report. To ignore it seems highly unprofessional.
I don't understand how this is a valid exploit/vulnerability? How would any device, Android or not, render the actual picture of the message on the GPU without having the unencrypted string in memory? It's not possible. If you have local memory/code execution, you will ALWAYS have access to the messages any client application is rendering/using.