Delivery status notifications can tip off your location
People with ill motives can perform what is known as a timing attack, in which an adversary tries to deduce a user's location by measuring the time it takes for their message to be delivered. They rely on the message delivery status for this crucial piece of information.
An attacker can measure these delays to determine a recipient's country, city, or district, and may even find out whether they are using WiFi or mobile internet.
For this attack to work, the attacker and the target must know each other and must have previously engaged in a conversation.
WhatsApp is used by 2 billion people around the world, and although Signal and Threema have smaller user bases, with 40 million and 10 million users, respectively, they bill themselves as privacy-focused, safe, and secure apps, so these findings are more alarming for the users of those two apps.
In fact, Signal and Threema appear more susceptible to these attacks, in the sense that the timing attack can be used to infer the location of Signal users with an accuracy of 82 percent and of Threema users with an accuracy of 80 percent. For WhatsApp, this number stands at 74 percent, and although that is also worrying, we would have expected the gap to be larger.
How to foil the timing attack
The researchers have found that the attack will likely not work with devices that are idling when a message is received. So they have proposed that developers provide randomized delivery confirmation times to senders. If the timing is off by 1 to 20 seconds, it could make the timing attack ineffective without affecting the practical usefulness of delivery notifications.
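The effect of the proposed randomized confirmation delay, shown as an added simulation that is not code from the researchers or the apps. The two latency profiles and the midpoint-threshold guesser are constructed assumptions; only the 1 to 20 second range comes from the article.

```python
import random
import statistics

# Constructed latency profiles (seconds): mean and std-dev of the time between
# sending a message and seeing its delivery receipt. Values are illustrative.
PROFILES = {"location_a": (0.30, 0.03), "location_b": (0.42, 0.03)}
DELAY_RANGE = (1.0, 20.0)  # randomized confirmation delay proposed in the article


def receipt_time(rng, profile, randomize):
    """Time at which the sender sees the delivery receipt for one message."""
    mean, dev = PROFILES[profile]
    base = max(0.0, rng.gauss(mean, dev))
    # Mitigation: hold each receipt back by a fresh random delay.
    # A real client would draw this from a CSPRNG (e.g. the secrets module);
    # a seeded generator is used here only to make the simulation repeatable.
    return base + (rng.uniform(*DELAY_RANGE) if randomize else 0.0)


def sample(rng, profile, randomize, n):
    return [receipt_time(rng, profile, randomize) for _ in range(n)]


def classifier_accuracy(randomize, n=2000, seed=7):
    """Accuracy of a midpoint-threshold guess between the two profiles."""
    rng = random.Random(seed)
    train_a = sample(rng, "location_a", randomize, n)
    train_b = sample(rng, "location_b", randomize, n)
    threshold = (statistics.mean(train_a) + statistics.mean(train_b)) / 2
    test_a = sample(rng, "location_a", randomize, n)
    test_b = sample(rng, "location_b", randomize, n)
    correct = sum(t < threshold for t in test_a) + sum(t >= threshold for t in test_b)
    return correct / (2 * n)


if __name__ == "__main__":
    print(f"no added delay: {classifier_accuracy(False):.2f}")
    print(f"1-20 s delay:   {classifier_accuracy(True):.2f}")
```

Without the delay the two constructed profiles are separated almost perfectly; with it, the guess falls to roughly coin-flip accuracy.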
Users worried about location privacy can try disabling the delivery notification feature, if supported by their app of choice. Also, assuming that the app isn't set to bypass a VPN (virtual private network), users can use a VPN to increase latency or delay.
RestorePrivacy reached out to the makers of the apps in question and received the following response from Threema: