The application has versions for desktop
platforms (Windows, Linux and Mac), as well as
for mobile platforms (Windows Phone, iOS and
Android). A web version is available, too.
According to information from the developer,
Telegram had 50 million active users as of
December 8, 2014, who sent and received one
billion messages on a daily basis; all this in just
16 months since its release.
The Telegram challenge
Telegram developers boast about the end-to-end
encryption provided in the program and have
launched contests with a $300,000 / €265,000
incentive for anyone who wants to try to crack
the encryption used to protect the messages.
In the latest round, which ended at the beginning
of February with no winner, contestants could
act as a Telegram server that facilitates the
delivery of information between the interlocutors.
It was permitted to deploy any type of active
attacks or methods for traffic manipulation.
In the previous contest, with a prize of
$200,000 / €176,000, Telegram allowed the
contestants to monitor the traffic between the
two clients, which is basically a challenge to
break the encryption securing the messages.
Simpler approaches are more successful
Zuk Avraham from Zimperium Mobile Security
managed to find the secret text through a
different approach that led to finding the strings
in a non-encrypted form.
He started from the premise that hackers do not
play by the rules and relied on an exploit for a
Linux kernel vulnerability (CVE-2014-3153, also
known as TowelRoot) to gain elevated privileges
on the affected machine, and thus extracted
Telegram’s process memory. By analyzing the
dump file, he could easily find the text strings
used for the test.
Taking advantage of the root shell access he
gained on the machine with TowelRoot, he found
among the files of the application an SQL
database called “Cache4.db,” which appeared to
include tables with encrypted content
(“enc_chats” and “enc_tasks_v2”).
Brief examination showed that they indeed
included the communication, but it was in plain
text and all the messages used during the test
could be seen.
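
A developer can run the same kind of check against their own app's local store. This is an added example, not code from Zimperium or Telegram: it tests whether a database file is plain SQLite and reports which columns hold readable text. Only the table name enc_chats comes from the article; the sample database, its column names and the ASCII-oriented thresholds are constructed assumptions.

```python
import base64, hashlib, math, os, sqlite3, tempfile
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any unencrypted SQLite file

def entropy(raw: bytes) -> float:  # Shannon entropy in bits per byte
    n = len(raw)
    return -sum(c / n * math.log2(c / n) for c in (raw.count(b) for b in set(raw)))

def looks_plaintext(value) -> bool:
    """Readable text: mostly printable bytes and lower entropy than encoded ciphertext."""
    raw = value.encode("utf-8", "replace") if isinstance(value, str) else value
    if not isinstance(raw, bytes) or len(raw) < 8:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
    return printable > 0.9 and entropy(raw) < 5.0

def audit(path):
    """Return None if the file is not plain SQLite, else {table: [readable columns]}."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return None
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter the file
    try:
        findings = {}
        names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            cur = con.execute(f'SELECT * FROM "{table}" LIMIT 200')
            cols = [d[0] for d in cur.description]
            hits = {cols[i] for row in cur for i, v in enumerate(row) if looks_plaintext(v)}
            if hits:
                findings[table] = sorted(hits)
        return findings
    finally:
        con.close()

def build_sample(directory):
    """Constructed test database; the column names are assumptions, not the app's schema."""
    path = os.path.join(directory, "sample.db")
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))  # ciphertext stand-in
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE enc_chats (uid INTEGER, body TEXT, sealed TEXT, raw BLOB)")
    con.execute("INSERT INTO enc_chats VALUES (1, 'constructed test message one', ?, ?)",
                (base64.b64encode(blob).decode(), blob))
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

A result of None means the file itself is not plain SQLite; any column listed in the result is stored readable despite what the table name suggests.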
On the list of features touted by Telegram there
is also the possibility to define the lifespan of
the exchanged text through a self-destruct
option. Avraham was not able to do this, though,
on account of a bug that is not security-related,
he assumes.
However, he was able to retrieve deleted
messages straight from the memory of the
process, which would be of more interest to an
attacker since it allows putting together entire
conversations.
Telegram fails to respond to responsible disclosure attempts
Zimperium tried to contact Telegram several
times since the discovery of the security flaws
on January 17, 2015. The first attempt occurred
the very next day after their findings, but the
vendor did not reply.
The mobile security company has a vulnerability
disclosure policy of 30 days, which means that if
a month passes and the affected party does not
respond to the notifications regarding security
flaws, Zimperium publishes the research.
The policy says that the vendor is contacted
several times (every five business days, through
various communication means including email,
direct phone calls or intermediaries) if contact
cannot be established at the first attempt.
“If Zimperium exhausts all reasonable means in
order to contact a vendor, then Zimperium may
issue a public advisory disclosing its findings
fifteen business days after the initial contact,”
the text of the policy reads.
In the case of Telegram, Zimperium says that it
attempted contact four times, between January
18 and February 2, but no response was
received. On Monday, the company made the
glitches public.
[UPDATE]: Telegram CEO Pavel Durov published
a response to Zimperium's report on the
vulnerable state of the app. Durov rejects the
validity of the findings since encryption no longer
has value if an attacker has root access to the
target device.