WeChat devs introduced security flaws when they modded TLS, say researchers

No attacks possible, but enough issues to cause concern


Messaging giant WeChat uses a network protocol that the app's developers modified – and by doing so introduced security weaknesses, researchers claim.

WeChat uses MMTLS, a cryptographic protocol heavily based on TLS 1.3. The devs essentially tweaked standard TLS, and those tweaks left the app with an encryption implementation that, in the researchers' words, "is inconsistent with the level of cryptography you would expect in an app used by a billion users, such as its use of deterministic IVs and lack of forward secrecy."

That's according to the University of Toronto's Citizen Lab, which carried out a comprehensive review of MMTLS's network security.

It identified MMTLS in previous work, but a more thorough analysis revealed it offers two layers of encryption instead of one as first thought. Plaintext content is wrapped in what's referred to as "business-layer encryption", and the resulting ciphertext is then wrapped in MMTLS encryption; it is that outer ciphertext which is sent over the WeChat network.

Researchers found that most of the cryptographic security issues were in WeChat's AES-CBC-based business-layer encryption, which until the introduction of MMTLS in 2016 was the sole layer of encryption for network requests.

In fact, the only reason the researchers weren't able to successfully attack WeChat this time around is that the business-layer ciphertext is now enveloped in MMTLS. Before that, various types of attack were possible, such as a padding oracle attack, and just last year Citizen Lab claimed it found a different cryptography scheme developed by a Tencent company that was still vulnerable to an attack of this type.

The most serious issue the researchers found, however, was that the business-layer encryption doesn't encrypt metadata such as user IDs and request URIs, leaking them in plaintext.

"It could be the case, for instance, that after MMTLS is terminated at the front WeChat servers (handles MMTLS decryption), the inner WeChat request that is forwarded to the corresponding internal WeChat server is not re-encrypted, and therefore solely encrypted using business-layer encryption," said Citizen Lab.

"A network eavesdropper, or network tap, placed within WeChat's intranet could then attack the business-layer encryption on these forwarded requests. However, this scenario is purely conjectural. Tencent's response to our disclosure is concerned with issues in business-layer encryption and implies they are slowly migrating from the more problematic AES-CBC to AES-GCM, so Tencent is also concerned with this."

Ultimately, thanks to the wrapping of ciphertext in MMTLS, there are no vulnerabilities in WeChat's encryption protocol that could lead to any known attacks today. However, the issues the researchers describe as "minor" aren't present in the standard, unmodified version of TLS.
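To make concrete what the researchers are contrasting, here is an added example (not code from Citizen Lab, WeChat or Tencent Mars) in Go using only the standard library: AES-CBC under a fixed IV, the deterministic-IV pattern with no integrity tag, beside AES-GCM with a fresh random nonce and an authentication tag, the mode Tencent is said to be migrating to. The key, IV and request strings are constructed for the demo; the associated-data field shows that metadata which still travels in the clear can at least be integrity-bound, which does not hide it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// must aborts on setup errors; key and IV sizes are fixed by the caller in this demo.
func must(err error) { if err != nil { panic(err) } }

// EncryptCBCFixedIV models the weak pattern: AES-CBC under a deterministic IV and
// no integrity tag. Messages sharing leading bytes share leading ciphertext blocks.
func EncryptCBCFixedIV(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	must(err)
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	return aead
}

// SealGCM models the hardened pattern: AES-GCM with a fresh random nonce per message
// and an authentication tag; non-secret metadata (e.g. a request URI) is bound as AAD.
func SealGCM(key, aad, plaintext []byte) (nonce, ct []byte) {
	aead := newGCM(key)
	nonce = make([]byte, aead.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// OpenGCM reports ok=false if the ciphertext, nonce or bound metadata was altered.
func OpenGCM(key, aad, nonce, ct []byte) (pt []byte, ok bool) {
	pt, err := newGCM(key).Open(nil, nonce, ct, aad)
	return pt, err == nil
}
```

Encrypting two requests that share a 16-byte prefix under the fixed-IV CBC path yields identical first ciphertext blocks, whereas the GCM path never repeats and refuses to open anything that was tampered with.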

Messages sent using WeChat are, to the researchers' understanding, safe from eavesdroppers. Tencent would still have to comply with any data requests from the CCP under local laws, however, and WeChat communications aren't end-to-end encrypted: the app's servers decrypt and read every message, Citizen Lab said.

The researchers may have stumbled on other findings if they had had access to the version actually used in China. However, given the difficulty of obtaining Chinese phone numbers, which government requirements link to national IDs, they had to use non-Chinese numbers, which makes the app behave differently.

A trend unique to China

Only in China is it common for developers to go against the grain and whip up their own cryptography systems, the researchers said, and generally none of these are as effective as the standard TLS 1.3 or QUIC implementations.

Citizen Lab has spotted the same practice across various apps in recent years, and despite previous concerns over the TLS certificate authority system, the standard implementations are usually the best option from a security perspective. The researchers described the practice as "a growing, concerning trend unique to the Chinese security landscape."

Similarly, developers in China are also known to implement custom domain lookup systems to mitigate the pervasive actions of shady ISPs, which often engage in DNS hijacking to display ads or redirect web traffic for ad fraud. It's a longstanding, widespread issue that large internet companies have pushed back against, but it remains a problem nonetheless.

Much of WeChat's code, for example, is taken straight from Tencent Mars – an open source infrastructure component that provides apps with common fundamental functionality such as networking and logging.

Mars has a feature called NewDNS – an example of this bespoke domain lookup system present in WeChat.

The researchers believe Mars is highly prevalent in apps outside of WeChat, which the infoseccers said was a problem given that the component doesn't provide any transport encryption. MMTLS is not part of the open-source Mars component; it's bespoke to WeChat.

Combining this with the lack of formal documentation guiding developers on Mars' implementation – many rely on community wisdom on platforms like GitHub – means mistakes are more likely to occur, leading to potentially weaker security.

Citizen Lab said it suggested to Tencent that it adopt the standard TLS or a combination of QUIC and TLS for better app security. ®
