3

I am trying to implement linking of the desktop app to the mobile counterpart for my project. The assumption is that the mobile app is secure and the desktop app simply needs to link the session to mobile for convenience.

In my research I came across the QRLjacking exploit. It is a social engineering exploit that isn’t much different from getting users to reveal their passwords.

The interesting thing is that Signal app does not appear to be vulnerable to QRLjacking exploit, despite the fact that they too link the desktop to mobile via QR code.

I am trying to figure out what is the secret sauce the Signal applies. Luckily, the code is here: https://github.com/signalapp/Signal-Desktop

Based on my analysis, here is what I think they do:

  1. The user registers mobile device. The device sends signed pre-keys to the Signal server
  2. The user can chat with other Signal users using the end to end encrypted protocol, but what is more interesting to me is how they prevent QR vulnerability when linking to desktop.
  3. User installs the desktop app. First thing to note is that it is a JavaScript app packaged using electron. This makes it difficult to use in social engineering techniques. The installation package can be signed and verified to be trusted.
  4. Upon installation, the desktop app generates the pre-keys and sends them to the server.
  5. The desktop uses its own public key to check with the server if it is linked to mobile. If not, proceed to step 6.
  6. Send the public key to the server under a UUID key. The server stores it. The UUID is used for QR code.
  7. The user lifts up his mobile device and scans the QR code with the signal app.
  8. The mobile app uses the QR code to download the desktop app's public key.
  9. The mobile app sends an encrypted confirmation message to the desktop app, which the desktop app verifies using it's private key.
  10. The desktop app app asks the user to name this desktop app, typically this is the name of the host it is running on. The desktop app sends this message to the mobile (encrypted, of course).
  11. On the mobile, the linked device now shows up. At any time the user can remove the linked device, which becomes immediately known to the desktop.
  12. I do not believe the server is used to retain messages at all. I think the desktop synchronizes with mobile on-demand.

In summary, the QRLjacking exploit is mitigated by Signal in the following manner:

  • The app is not browser-based and is instead installed. The installation package can be signed and verified with a certificate.
  • The desktop app can also securely store keys locally, not on the server. That makes it difficult to pursue a social engineering attack since that would require physically taking over the machine the desktop app is running on.

Is my analysis correct?

Oleg Dulin
  • 131
  • 2

0 Answers0