Blog: Consumer Advice

The dangers of web-based messaging apps

Nicole Moine 25 Apr 2025

TL;DR

  • Anyone with a web browser and access to your phone while it is unlocked could set up persistent access to your secure messaging platforms, without needing to know your credentials.
  • Whilst this clearly requires unfettered access to your phone, scenarios such as a screen replacement at a repair shop, or even passing your phone to someone to use for a short period, create that opportunity.
  • Once this access has been established, it is difficult to identify unless you know where to look.
  • These attacks can be mitigated, for example by locking the app.
  • In the instances we tested, no lasting trace that such access was ever established remains once the link has been terminated.

Introduction

We were involved in a case where a client had noticed a number of deleted One-Time Passcode (OTP) messages in their Google Messages recycle bin. The client advised us that these OTPs had not been generated by any action of their own in trying to access their own accounts. Concerningly, five days before these messages appeared, the victim had left their phone with a repair service to replace a damaged screen. We were also told that the phone’s passcode had been provided to the repair service. This creates the potential for full access to the handset, which is a prerequisite for the steps described below.

It is well known that authenticator apps are safer than SMS codes for multi-factor authentication; however, this scenario led us to question the security of two-factor authentication delivered via other secure messaging applications.

Disclaimer

At the conclusion of this investigation, no evidence was found to suggest that the repair service provider was involved in any wrongdoing. However, the hypotheses formulated and tested during the examination of this device, under these circumstances, led us to uncover the risks of web-based messaging platforms that we discuss in this post.

Through analysis of various Android system logs, we were able to determine reliably that there was no evidence of previously installed malware or otherwise suspicious applications on the device. We therefore moved on to consider the more “human” explanations for the deletion of these messages.

Web access to messaging apps

Applications like Google Messages or WhatsApp use a QR code to link the account configured on the user’s phone to a browser session, which then essentially synchronises the account’s data between the two.

The process is very simple and easy to manage from the browser side. Once a device has been linked, the functionality of the web interface is similar to that of the phone app; what is missing is inconsequential to the scenario described here.

What’s important to understand is that, through the web interface, a linked device can see the entire message history of the linked account on that platform and, for as long as it remains linked, can read new messages as they arrive, and can send and delete messages.

I don’t think it’s necessary to explain why this is concerning, but it does raise two questions:

How can you tell if this has happened to you?

The unfortunate answer is that, unless someone currently has access to your messages, you can’t.

Once a linked device has been disconnected, regardless of which side ended the link, there is currently no logging in WhatsApp or Google Messages (or, more widely, in your Google or Meta accounts) that records that the link ever existed.

The only evidence of a linked device exists while its session is still active. In WhatsApp, go to ‘Linked Devices’; in Google Messages, go to ‘Device Pairing’. There you can see whether any devices are currently linked and, if you don’t recognise one or otherwise want to end the link, you can do so with ease.

How can you stop this happening to you?

Of course, prevention is always better than detection. WhatsApp stands a little above Google Messages in this respect: the app currently requires the user to re-authenticate with the phone’s configured PIN / Pattern / Password, or with biometrics, before a link can be established.

Google Messages, however, requires no further authentication to link a browser session. If someone has access to your unlocked device for long enough, there is nothing stopping them from linking a device of their own to your messaging app.
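The two design properties this section and the previous one turn on, modelled as an added example: whether linking a browser demands re-authentication even though the phone is already unlocked (WhatsApp does, Google Messages does not), and whether link/unlink events leave any record once the session is gone (neither app does today). This is a toy written for this post, not code from WhatsApp, Google Messages or the original article; the class, function and device names are hypothetical, and the PIN handling stands in for whatever the real lock-screen credential store does.

```python
"""Toy model of linking a browser session to a phone messaging account.

Added example, not the WhatsApp or Google Messages implementation. It models
whether linking demands re-authentication (require_reauth_to_link) and whether
link/unlink events are recorded after the session ends (keep_audit_log, a
hypothetical hardening neither tested app currently has). Names are invented.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the real lock-screen credential store.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class MessagingAccount:
    owner: str
    require_reauth_to_link: bool   # True models WhatsApp, False models Google Messages
    keep_audit_log: bool           # hypothetical: keep an append-only link/unlink record
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: bytes = b""
    linked: dict = field(default_factory=dict)   # session_id -> browser label
    audit: list = field(default_factory=list)    # (event, session_id, browser)

    def set_pin(self, pin: str) -> None:
        self.pin_hash = _hash_pin(pin, self.pin_salt)

    def _record(self, event: str, session_id: Optional[str], browser: str) -> None:
        if self.keep_audit_log:
            self.audit.append((event, session_id, browser))

    def link_browser(self, browser: str, phone_unlocked: bool,
                     pin: Optional[str] = None) -> str:
        """Scan the QR code shown by `browser` from the phone; return a session id.

        Raises PermissionError if the phone is locked or, in re-auth mode, if the
        caller cannot present the phone's PIN (an unlocked phone is not enough).
        """
        if not phone_unlocked:
            raise PermissionError("the QR code must be scanned from the unlocked phone")
        if self.require_reauth_to_link:
            ok = pin is not None and hmac.compare_digest(
                _hash_pin(pin, self.pin_salt), self.pin_hash)
            if not ok:
                self._record("link_denied", None, browser)
                raise PermissionError("re-authentication required before linking")
        session_id = secrets.token_hex(8)
        self.linked[session_id] = browser
        self._record("linked", session_id, browser)
        return session_id

    def unlink(self, session_id: str) -> None:
        # Either side can end the link; only the active-session list changes.
        browser = self.linked.pop(session_id)
        self._record("unlinked", session_id, browser)

    def linked_devices(self) -> list:
        """What the 'Linked Devices' / 'Device Pairing' screen would show right now."""
        return sorted(self.linked.values())

    def past_link_evidence(self) -> list:
        """What could be recovered after the fact; empty unless an audit log is kept."""
        return [e for e in self.audit if e[0] in ("linked", "unlinked")]


def repair_shop_scenario(require_reauth: bool, keep_audit_log: bool,
                         attacker_knows_pin: bool = False) -> dict:
    """Attacker holds the unlocked phone, links their own browser, then unlinks it."""
    acct = MessagingAccount("victim", require_reauth, keep_audit_log)
    acct.set_pin("1234")
    pin = "1234" if attacker_knows_pin else None
    try:
        sid = acct.link_browser("attacker-laptop", phone_unlocked=True, pin=pin)
    except PermissionError:
        sid = None
    seen_while_linked = acct.linked_devices()
    if sid is not None:
        acct.unlink(sid)   # attacker removes the only visible evidence
    return {
        "attacker_linked": sid is not None,
        "seen_while_linked": seen_while_linked,
        "seen_after_unlink": acct.linked_devices(),
        "evidence_after_unlink": acct.past_link_evidence(),
    }


if __name__ == "__main__":
    for mode in [(False, False), (True, False), (False, True)]:
        print(mode, repair_shop_scenario(*mode))
```

The first mode (no re-auth, no audit log) is the Google Messages case from the post: the attacker links without a credential, the browser shows up under linked devices only while the session lives, and nothing remains after unlinking. The second mode shows why WhatsApp's re-authentication prompt matters unless the repair shop was also given the PIN. The third mode is the hypothetical hardening: an append-only record would let an owner or investigator see that a link existed even after it was torn down.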

Beyond these applications’ own security measures (or lack thereof), there are other preventative measures you can take, but few of them will help if the person in possession of your device also knows your PIN / Pattern / Password.

App lock

On modern Apple devices (iOS 18 and later), users can lock individual applications behind biometric security by long-pressing the app icon. The menu that pops up allows the user to ‘Require Touch ID / Face ID / Passcode’ (specific Apple guidance here: https://support.apple.com/en-gb/guide/iphone/iph00f208d05/ios).

Android 15 introduced Private Space, which can be used to lock apps behind a second lock and, optionally, a separate Google account (Samsung’s equivalent is Secure Folder). This requires more than flipping a single switch in the device’s settings, but it provides extra protection if somebody gains access to your unlocked device.

With these in place, someone in possession of your phone would still need your credentials or biometrics to get into any apps you have locked down. This at least covers you if your device is stolen while unlocked.

Alternative user accounts

If you must hand over your device for any reason, such as for repair, Android allows you to configure additional user accounts, each with their own security credentials. A secondary user has no access to your main account’s data and can be set up with an entirely different PIN / Pattern / Password.
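The same hand-over user, created with Android’s `pm` and `am` commands over adb rather than through the Settings app, as an added example that is not part of the original post. It requires USB debugging enabled and the phone unlocked by its owner; the new user starts with no lock credential, so its PIN / Pattern / Password must still be set on the device after switching, before the phone is handed over. Function names are hypothetical, and the sample command output is constructed to match Android’s format.

```python
"""Create, switch to, and later remove a secondary Android user via adb.

Added example, not from the original post. Wraps the real Android commands
`pm list users`, `pm create-user`, `am switch-user` and `pm remove-user`.
Needs adb on the workstation and USB debugging on the phone; function names
are hypothetical and SAMPLE_LIST_USERS is a constructed sample of output.
"""
import re
import subprocess
import sys

# `pm list users` prints lines like: "\tUserInfo{10:Repair:410} running"
USERINFO_RE = re.compile(r"UserInfo\{(\d+):([^:}]*):[0-9a-fA-F]+\}")
# `pm create-user NAME` prints: "Success: created user id 10"
CREATED_RE = re.compile(r"Success: created user id (\d+)")

SAMPLE_LIST_USERS = (   # constructed sample of `pm list users` output
    "Users:\n"
    "\tUserInfo{0:Owner:c13} running\n"
    "\tUserInfo{10:Repair:410}\n"
)


def parse_list_users(output: str) -> dict:
    """Map user name -> numeric user id from `pm list users` output."""
    return {name: int(uid) for uid, name in USERINFO_RE.findall(output)}


def parse_create_user(output: str) -> int:
    """Extract the new user id from `pm create-user` output, or fail loudly."""
    match = CREATED_RE.search(output)
    if match is None:
        raise RuntimeError(f"unexpected pm create-user output: {output.strip()!r}")
    return int(match.group(1))


def adb_shell(*args: str) -> str:
    """Run a command on the connected phone and return its stdout."""
    done = subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True)
    return done.stdout


def create_handover_user(name: str = "Repair") -> int:
    """Create (or reuse) a secondary user called `name` and switch the phone to it."""
    users = parse_list_users(adb_shell("pm", "list", "users"))
    uid = users.get(name)
    if uid is None:
        uid = parse_create_user(adb_shell("pm", "create-user", name))
    adb_shell("am", "switch-user", str(uid))
    return uid


def remove_handover_user(name: str = "Repair") -> bool:
    """Switch back to the owner (user 0) and delete the hand-over user and its data."""
    users = parse_list_users(adb_shell("pm", "list", "users"))
    if name not in users:
        return False
    adb_shell("am", "switch-user", "0")
    adb_shell("pm", "remove-user", str(users[name]))
    return True


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "create":
        print("switched to user id", create_handover_user())
    elif len(sys.argv) == 2 and sys.argv[1] == "remove":
        print("removed:", remove_handover_user())
    else:
        print("usage: handover_user.py create|remove")
```

Removing the user afterwards deletes its data along with it, which is the point: nothing the repair shop did in the secondary user survives, and nothing of your own profile was reachable from it in the first place.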

Conclusion

Our simple recommendation is – don’t give out your passcode to anyone unless you really trust them and have a plan in the event your device is lost or stolen. Better still, take the necessary precautions now – you’ll thank yourself later if it ever does happen! I’ve written a related post about preventative measures for iPhones here.

Using messaging apps for MFA should also be avoided. Just like SMS, they can be vulnerable to interception. Use an authenticator app instead.