Book chapter, peer-reviewed

Exploring Encrypted Keyboards to Defeat Client-Side Scanning in End-to-End Encryption Systems

2023; Springer Science+Business Media; Language: English

10.1007/978-3-031-29371-9_6

ISSN

1611-3349

Authors

Mashari Alatawi, Nitesh Saxena

Topic(s)

Advanced Malware Detection Techniques

Abstract

End-to-End Encryption (E2EE) aims to make all messages impossible to read by anyone except you and your intended recipient(s). Many well-known and widely used Instant-Messaging (IM) applications (such as Signal, WhatsApp, Apple’s iMessage, and Telegram) claim to provide an E2EE functionality. However, a recent technique called client-side scanning (CSS), which could be implemented by these IM applications, makes these E2EE claims grandiose and hollow promises. The CSS is a technology that scans all sending and receiving messages from one end to the other, including text, images, audio, and video files. Some in industry and government now advocate this CSS technology to combat the growth of malicious child pornography, terrorism, and other illicit communication. Even though combating the spread of illegal and morally objectionable content is a laudable effort, it may open further backdoors that impact the user’s privacy and security. Therefore, it is not end-to-end encryption when there are censorship mechanisms and backdoors in end-to-end encrypted applications. In this paper, we shed light on this hugely problematic issue by introducing an encrypted keyboard that works as a system keyboard and can be enabled on the user’s phone device as a default system keyboard. Therefore, it works on every application on the user’s phone device when the user is asked to enter some data. To avoid the CSS system, users can use this encrypted keyboard to encrypt and decrypt their messages locally on their phone devices when sending and receiving them via IM applications. We first design and implement our encrypted keyboard as a custom keyboard application, and then we evaluate the effectiveness and security of our encrypted keyboard. Our study results show that our encrypted keyboard can successfully encrypt and decrypt all sending and receiving messages through IM applications, and therefore, it can successfully defeat the CSS technology in end-to-end encrypted systems. 
We also show that our encrypted keyboard can be used to add another layer of E2EE functionality on top of the existing E2EE functionality implemented by many end-to-end encrypted applications.
