DOI: 10.1145/2594368.2601470

Demo: Zero interaction private messaging with ZIPR

Published: 02 June 2014

Abstract

Messaging app developers are beginning to take the security and privacy of their users' communication more seriously. Unfortunately, a recent study has shown that the developers of many popular apps incorrectly use cryptography. As a result, they make mistakes that may result in trivially broken encryption schemes. For example, the developers of Snapchat use a constant symmetric encryption key hardcoded into the app and it only takes 12 lines of Ruby to crack the encryption.
In this work, we propose ZIPR (Zero-Interaction PRivacy), a system that relieves developers from the task of using cryptography correctly. Designed for text-messaging apps, ZIPR automatically negotiates shared secret keys, and encrypts and decrypts messages as users of these apps chat with each other. No manual intervention is required by users for them to enjoy secure messaging.
There are two key ideas behind ZIPR. First, most text-messaging apps follow a basic UI scheme that contains (i) a text box for users to compose their message, (ii) a "send" button which they click on to send the message, and (iii) a list view to display sent and received messages. By intercepting events on these UI elements, ZIPR can manipulate the composed message before it is sent and before it is displayed. This allows the system to transparently encrypt and decrypt message data.
The second key idea is that ZIPR can reuse the communication channel defined by an app to negotiate a shared secret key between two users. This is done by piggy-backing negotiation data on the messages users send to each other. A major advantage of this approach is that ZIPR can avoid the difficult task of establishing user identities. After all, a user of a text-messaging app is likely to carry out a conversation only with someone she knows, and both of them would have signed up for the chat service using some personal data such as their email addresses or phone numbers.
Developers use ZIPR by tagging UI elements; no changes to their source code are required. This is similar to HTTPS where web developers only need to configure their servers with SSL certificates to encrypt data transmission with their users. However, unlike HTTPS, the end-to-end encryption in ZIPR takes place between the two users carrying out a conversation and not between a server and a user. This ensures that even if the app servers are compromised, users' messages would remain secure.
ZIPR is implemented in Android 4.3 and works with existing apps with very few modifications. In this demo, we show that our current prototype works with several apps including WhatsApp, Facebook Messenger, and Skype. These apps required only four, five, and three lines of modification to their UI XML definition files, respectively.
In Figure 1, we show a screenshot of WhatsApp running under ZIPR. In the first two messages exchanged between the users, a new shared secret key is negotiated. Subsequently, all following messages are securely transmitted, and these encrypted messages are prefixed with a "*" by ZIPR.
We are currently extending our prototype to use the Android Keystore API and the TrustZone hardware to allow users to identify MitM attacks, and to store the secret keys securely. We are also porting other messaging apps, such as Viber, to ZIPR.
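The flow described above, as an added sketch that is not ZIPR's own code: each side piggy-backs a public key on its first message, later messages go out encrypted with a "*" prefix, and both sides derive a fingerprint that can be compared out of band to notice a key swapped in transit. The page does not give ZIPR's wire format or algorithms, so the `~key~` framing, X25519, HKDF-SHA256, AES-256-GCM, the fingerprint and all names here are assumptions.

```javascript
const crypto = require('node:crypto');

// Hook state for one side of a conversation (hypothetical; not ZIPR's format).
class Peer {
  constructor() {
    this.keys = crypto.generateKeyPairSync('x25519');
    this.key = null;          // AES-256-GCM key, set when the peer's public key arrives
    this.sentPub = false;     // our public key has been piggy-backed at least once
    this.fingerprint = null;  // compared out of band to detect a key swapped in transit
  }

  // Runs on "send": piggy-back our public key until both sides hold one, then encrypt.
  outgoing(text) {
    if (!this.key || !this.sentPub) {
      this.sentPub = true;
      const pub = this.keys.publicKey.export({ type: 'spki', format: 'der' });
      return `~${pub.toString('base64url')}~${text}`;
    }
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
    return '*' + Buffer.concat([iv, ct, c.getAuthTag()]).toString('base64url');
  }

  // Runs before display: absorb a piggy-backed key, or decrypt a "*" message.
  incoming(wire) {
    const m = /^~([\w-]+)~([\s\S]*)$/.exec(wire);
    if (m) {
      const publicKey = crypto.createPublicKey(
        { key: Buffer.from(m[1], 'base64url'), type: 'spki', format: 'der' });
      const secret = crypto.diffieHellman({ privateKey: this.keys.privateKey, publicKey });
      // Separate HKDF labels keep the displayed fingerprint independent of the message key.
      const derive = (info, n) =>
        Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, n));
      this.key = derive('demo message key', 32);
      this.fingerprint = derive('demo fingerprint', 8).toString('hex');
      return m[2];
    }
    if (!wire.startsWith('*')) return wire;  // plaintext from a peer without the hook
    if (!this.key) throw new Error('encrypted message but no key negotiated');
    const raw = Buffer.from(wire.slice(1), 'base64url');
    const d = crypto.createDecipheriv('aes-256-gcm', this.key, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(raw.length - 16));  // final() throws if the tag fails
    return Buffer.concat([d.update(raw.subarray(12, -16)), d.final()]).toString('utf8');
  }
}
```

Because the key exchange rides on a channel the app server controls, matching fingerprints on both devices is what distinguishes a direct exchange from one where the keys were replaced on the way.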

References

[1] Dmitri DB. https://security.stackexchange.com/q/52584/.
[2] M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of CCS '13, November 2013.
[3] The New York Times - Molly Wood. Can You Trust 'Secure' Messaging Apps? http://nyti.ms/1pbofVI.

Published In

MobiSys '14: Proceedings of the 12th annual international conference on Mobile systems, applications, and services
June 2014
410 pages
ISBN: 9781450327930
DOI: 10.1145/2594368

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. secure communication
2. security & privacy

Qualifiers

• Demonstration

Conference

MobiSys '14

Acceptance Rates

MobiSys '14 Paper Acceptance Rate 25 of 185 submissions, 14%;
Overall Acceptance Rate 274 of 1,679 submissions, 16%
