Paper 2024/2057

Leveraging remote attestation APIs for secure image sharing in messaging apps

Joel Samper, LASIGE, Universidade de Lisboa
Bernardo Ferreira, LASIGE, Universidade de Lisboa
Abstract

Sensitive pictures such as passport photos and nudes are commonly shared through mobile chat applications. One popular strategy for the privacy protection of this material is to use ephemeral messaging features, such as the view-once snaps in Snapchat. However, design limitations and implementation bugs in messaging apps may allow attackers to bypass the restrictions imposed by those features on the received material. One way attackers may accomplish this is by tampering with the software stack on their own devices. In this paper, we propose and test a protection strategy based on a multiplatform system that encrypts and decrypts sensitive pictures on top of messaging apps and performs remote attestation with available app integrity APIs to safeguard its security. Our analysis and experiments show that, compared to previous proposals for image encryption in a middleware, remote attestation offers increased security, adds privacy benefits, simplifies integration, and improves usability by not requiring users to exchange key material a priori. In our experiments, it incurs an added average latency of 3.8 and 4.5 seconds when sending and receiving private pictures, respectively.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Major revision. 20th European Dependable Computing Conference
Keywords
app integrity, remote attestation, middleware, image sharing, messaging platform, mobile app, sexting, private picture
Contact author(s)
jsamper @ ciencias ulisboa pt
blferreira @ ciencias ulisboa pt
History
2024-12-22: approved
2024-12-20: received
Short URL
https://ia.cr/2024/2057
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/2057,
      author = {Joel Samper and Bernardo Ferreira},
      title = {Leveraging remote attestation {APIs} for secure image sharing in messaging apps},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/2057},
      year = {2024},
      url = {https://eprint.iacr.org/2024/2057}
}