Bug #2717

Implement In-Memory Message Storage Only

Added by Anonymous about 4 years ago. Updated about 4 years ago.

Status:NewStart date:12/05/2013
Priority:HighDue date:
Assignee:-% Done:

0%

Category:-
Target version:v15 - AWESOME APP
Component:

Description

Gibberbot had an option to have "In-Memory Message Storage Only". What this meant is that no messages were ever stored to flash memory and were instead kept in system memory.

Chatsecure removed this option.

I believe that the reasoning for removing the option is as follows: If messages were stored in system memory (RAM), then any program (perhaps only with root) could retrieve the messages. However, chatsecure now has local encryption, which means it is possibly safer to store messages to the flash memory.

However, I believe the option should be reimplemented for the following reason: For the encryption to be good, the user would have to use long passwords - but realistically most users will use less than 20-character-long random passwords. This means that if the phone is detained (by police, border agencies, thieves), they can still easily recover the messages from the flash storage - the most you are usually able to do in such situations is to quickly take the battery out which does not prevent this attack.

If the messages were only ever stored in RAM however, then taking the battery out will immediately prevent the attacker from ever recovering the messages because they simply no longer exist on the device. (and cold assisted attacks on memory stored on cell phones are not as efficient as they are on computers)

Additionally, there are many scenarios where losing a message (because it was stored only in RAM) is preferable to having the message recovered by an adversary.

In the above scenario, it means that chatsecure is less secure for chat than gibberbot and an upgrade cannot be advised.

History

#1 Updated by devrandom about 4 years ago

  • Priority changed from Normal to High
  • Target version set to v15 - AWESOME APP

I agree.

#2 Updated by n8fr8 about 4 years ago

Happy to put the option back in, but I don't think it should be on by default. Too many people complained about losing messages, missing messages, etc, and the solution to that was using SQLCipher for persistent local storage.

Now when you say "easily recover the messages from the flash storage" with passwords less then 20 characters, I think we should talk about what that means. First, the device needs to be unlocked in most cases to even get into via adb or USB. You are saying though that once the device has been rooted or had an alternate recovery flashed to it using a device like a Cellebrite, and the SQLCipher database from the ChatSecure app has been extracted, then that AES-256 encrypted db can be "easily" brute forced? Have you reviewed the SQLCipher design docs? http://sqlcipher.net/design/

In addition, the "Panic" feature we have implemented in ChatSecure means the app can be quickly stopped, uninstalled and all the data, including the fully encrypted database, keys, salts, etc can be quickly cleared. In most cases, this means the adversary will have to look closely to even know you were using the app in the first place.

All in all, I cannot agree that ChatSecure is "less secure" because of this unlikely scenario.

However, that said, I am happy to add the "in memory db" option back in for those who feel they need it.

Also available in: Atom PDF