Iran is consistently ranked “not free” in Freedom House’s annual Freedom on the Net research reports. The country received a dismal score of 12 (on a scale of 1 to 100, with 100 being the most free) in the 2024 report, amid wide-reaching censorship and surveillance. In a bid to restrict access to the global, free internet and tightly control the domestic cyberspace, the Iranian government has blocked many foreign or independent applications, and is encouraging people in the country to use state-approved domestic apps. To increase usage, authorities are shifting essential online public services (e.g., banking, education, pension funds) to these homegrown platforms (which are often funded by the state), enabling interoperability between major Iranian messenger apps, and offering lower rates for domestic internet bandwidth while restricting international bandwidth.
According to the Iranian government, as many as 89 million people have signed up to use Iranian messaging apps, and Eitaa, Rubika, and Bale in particular are gaining in popularity. All three are interoperable and claim to use end-to-end encryption (E2EE)—whereby only the sender and receiver of messages are able to read their contents. With E2EE, third parties (including the application server) are unable to read or modify the data. Do these apps truly use E2EE, though? And are there other privacy and security vulnerabilities that users should be aware of?
Open Technology Fund (OTF)’s Security Lab performed an audit of these apps in December 2023 and October 2024 to try and answer these questions. All three apps were confirmed not to use E2EE. Auditors also identified that all three apps’ backend servers monitor which websites users access, a mechanism for censorship and surveillance. Several other privacy and security vulnerabilities were uncovered in all the apps. Unlike the majority of OTF’s Security Audit Reports, the auditors asked to remain anonymous given the sensitive nature of the inquiry.
More About Eitaa, Rubika, and Bale Messaging Apps
Eitaa was developed at the University of Qom’s Incubation Center, an institution with close ties to the Iranian political establishment. According to the Iranian Communication Minister, the app grew from three million to 19 million users in just three months, from late September to late December 2023. In a poll conducted by the Miaan Group in 2023, many respondents said they had to use Eitaa and other domestic messaging apps for education purposes.
Rubika is a product of Hamrah-e-Aval (MCI), one of Iran’s major mobile telecommunication service providers, which is majority owned by the state’s Telecommunication Company of Iran. Features include banking services and access to a domestic version of Instagram. In May 2023, the Iranian Minister of Communications and Information Technology announced that Rubika has nearly 40 million monthly active users.
The features in Bale (“Yes” in Persian) include banking services and many users are obligated to use the app in order to access e-government resources. It was reportedly created by Sadad Informatics Corporation, which receives investment from the state-owned National bank of Iran (Bank Melli). Per the Iranian Minister of Communications and Information Technology, Bale had 16.5 million monthly active users as of May 2023.
Audit Description
Auditors conducted a multi-phased audit. Phase I, which occurred in December 2023, entailed static analysis (examining the code without executing the program) and reverse engineering to evaluate encryption methods and platform-level privacy concerns. Because project time was limited, Phase I was restricted to the following questions in order to inform a more robust second-phase audit:
- Do the apps use E2EE for user-to-user messaging, as is publicly claimed?
- Are there notable security and privacy concerns for app users?
Phase II, conducted in October 2024, entailed dynamic analysis (a technique that involves analyzing a program’s behavior while it is running to gain insight into real-world behavior) to validate findings from Phase I. Auditors considered operational security risks as they planned the dynamic analysis, such as the risk posed to the individuals whose phone numbers were used to run the applications. Phase II explored the following concerns:
- Encryption: What types of encryption are used in the apps overall?
- Interoperability: Are communications between the target applications secure? What type of encryption is used to enable this interoperability?
- Unexpected Transmission of Private Data: Do the apps activate any sensors (e.g., a user’s microphone) or send any user data (e.g., location) in an unexpected way?
- Changes from Telegram: Two of the apps rely heavily on Telegram code. How closely do the applications’ implementations match that of the official Telegram app, and what—if any—significant changes have been made?
- Use of Artificial Intelligence (AI): Rubika’s public-facing documentation claims that it uses AI for image analysis (e.g., to detect women who are not wearing a hijab). Is there evidence this process occurs on client devices?
- Security Review: Do the apps contain design or implementation vulnerabilities that could be exploited by mobile application hackers?
Scope
Auditors investigated the Android Package Kits (APKs; the package file that contains all the files and resources an Android app needs to install and run) listed below.
- Eitaa (v6.4.2, SHA256:943d25d2cb842ee91e404922c9eeb7433158ba14ee5da821de3870cd92676731)
- Rubika (v3.7.5, SHA256:9f4ca46bbcec994063376f18cc3c3f7adcdf7c41fd5de9eabaafc4c050d4da6d)
- Bale (v9.41.5, SHA256:9bb94f028bb34e97123b26ca7baefd10c7191fa61b3c6ecbd1f4928a75bc3f8f)
Key Findings
In addition to the absence of E2EE in any of the apps, the most interesting findings include the monitoring of websites accessed and the use of Message Exchange Bus (MXB), a state-owned backend process used to exchange messages between the three apps.
In all three apps, when users clicked URLs in messages sent to them, they were redirected to the application’s backend server with the original URL in the query string. This would effectively allow the servers to monitor which websites are viewed by users within the app.
Given the lack of E2EE, it’s likely that MXB servers (in addition to the app-specific backend servers) can read every message sent through them—which would be a clear privacy violation.
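As an added illustration (not code from the OTF report or from any of the audited apps), the following Python checks a list of outbound request URLs, such as those captured from a proxy while a user taps links inside a messenger, for the pattern described above: a request to the app’s own server whose query string carries a different site’s URL. All hostnames and paths are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of outbound URLs as they might appear in a proxy log while a
# user taps links in a messenger. The hosts are placeholders, not the real
# endpoints of Eitaa, Rubika or Bale.
SAMPLE_REQUESTS = [
    "https://messenger.example/open?url=https%3A%2F%2Fnews.example.org%2Fstory%2F42",
    "https://messenger.example/redirect?u=http://blog.example.net/post",
    "https://news.example.org/story/42",            # opened directly, no wrapper
    "https://cdn.example/img/a.png?v=3",            # ordinary query parameter
    "https://messenger.example/api/search?q=https%20is%20not%20a%20url",
]


def embedded_target(url):
    """Return (wrapper_host, target_url) when `url` carries another absolute
    http(s) URL with a different host in its query string, else None.

    This is the signature of the link-wrapping described in the report: the
    destination the user wanted is handed to the app's backend as a parameter,
    so the backend learns every external site the user opens.
    """
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        inner = urlsplit(value)  # parse_qsl already percent-decodes the value
        if inner.scheme in ("http", "https") and inner.netloc and inner.netloc != parts.netloc:
            return parts.netloc, value
    return None


def find_link_wrappers(urls):
    """Map each wrapper host to the set of destination hosts it was seen relaying.

    A defender reviewing app traffic can use this to confirm whether tapped links
    leave via the app's server (wrapped) or go straight to the destination.
    """
    seen = {}
    for url in urls:
        hit = embedded_target(url)
        if hit:
            wrapper, target = hit
            seen.setdefault(wrapper, set()).add(urlsplit(target).netloc)
    return seen
```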
Summary of Important Discoveries
- Encryption: All three apps employed different forms of client-server encryption, but none had E2EE enabled to keep conversations between users protected from the backend servers, despite government claims.
- Insecure Interoperability: All three apps could exchange messages with each other through a backend process called Message Exchange Bus (MXB), which is a state-owned service. MXB maintains a directory of participating users and its servers could potentially view plaintext messages due to the lack of E2EE in any of the apps.
- Unexpected Transmission of Private Data:
- Given the lack of E2EE in the apps, all chats and information about users (e.g., names, phone numbers) were readable by the applications’ backend servers.
- In the case of Eitaa, unsent draft messages were additionally reported to the application’s backend server.
- Auditors did not find sensor-based cases of unexpected data sent, such as unexpected enabling of a user’s microphone or camera.
- In all three apps, when users clicked URLs in messages that were sent to them, they were redirected to the application’s backend server with the original URL in the query string unless the URL was contained in a short allowlist of “safe” URLs. This would effectively allow the servers to monitor which websites were viewed by users within the app. This also adds a layer of censorship, as the apps are forcing users to go through their own web page to access unapproved external domains, and they could block them at any time. A user could easily circumvent this, though, by pasting the link into a separate web browser.
- Changes from Telegram: Only Eitaa and Rubika are based on Telegram source code. Key findings include the removal of Telegram’s secret chats (which have E2EE) in Eitaa. Bale was forked from the Actor Messaging Platform, an abandoned open source codebase developed by an ex-Telegram engineer.
- Use of Artificial Intelligence (AI): No evidence of the use of AI to analyze message content in app code.
- Security Review: Auditors were unable to conduct a thorough security review of the applications in the second phase of the assessment, primarily due to time constraints and challenges related to reverse engineering Bale’s messaging protocol and defeating its obfuscation. Some of the notable privacy and security concerns that were discovered in Phase I include:
- Eitaa:
- Attempts to include the user’s International Mobile Equipment Identity (a unique 15- or 17-digit number that identifies a mobile device and can be used to track it) in the messages that are sent to the app server. In Android versions 10 and newer, due to protections added by Google, a random unique identifier is generated and sent instead.
- An attacker with physical access to the phone can download all private app data. This data may include cleartext message history and personal information about contacts.
- Rubika:
- Permits cleartext (unencrypted) traffic to all domains. This vulnerability allows anyone monitoring the network to intercept and read sensitive data such as passwords or personal information if transmitted in cleartext.
- Bale:
- Use of an easily reversible form of encryption to protect a user’s credit card data.
- User location was sent to the app server during authentication.
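To make the Rubika cleartext finding concrete, here is an added Python example (not from the report or from any of the apps) that evaluates an Android network_security_config.xml the way the platform does, with the permissive setting beside a hardened one. Both config fragments are constructed; nested domain-config inheritance is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed network_security_config.xml fragments (not taken from any of the
# audited apps). The first mirrors the weak posture described for Rubika:
# cleartext HTTP allowed to every domain. The second is the hardened form.
WEAK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

HARDENED_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <!-- one legacy host is explicitly exempted; everything else stays HTTPS-only -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example</domain>
    </domain-config>
</network-security-config>"""


def _flag(elem):
    """Parse the cleartextTrafficPermitted attribute, or None if absent."""
    v = elem.get("cleartextTrafficPermitted")
    return None if v is None else v.lower() == "true"


def cleartext_permitted(config_xml, host, target_sdk=28):
    """Decide whether Android would allow plain HTTP to `host` under this config.

    Precedence follows the platform documentation: the most specific matching
    <domain-config> wins, then <base-config>, then the platform default, which
    permits cleartext only when targetSdkVersion is below 28.
    """
    root = ET.fromstring(config_xml)
    host = host.lower()
    best = None  # (length of matched domain, permitted flag)
    for dc in root.iter("domain-config"):
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            subs = d.get("includeSubdomains", "false").lower() == "true"
            if host == name or (subs and host.endswith("." + name)):
                flag = _flag(dc)
                if flag is not None and (best is None or len(name) > best[0]):
                    best = (len(name), flag)
    if best is not None:
        return best[1]
    base = root.find("base-config")
    if base is not None and _flag(base) is not None:
        return _flag(base)
    return target_sdk < 28


def hosts_allowing_cleartext(config_xml, hosts, target_sdk=28):
    """List which of `hosts` the config would let the app reach over plain HTTP."""
    return [h for h in hosts if cleartext_permitted(config_xml, h, target_sdk)]
```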
Conclusion
This engagement points to the need to conduct more analyses of state-sponsored applications in contexts where censorship and surveillance are common, especially as authoritarian governments increasingly pressure citizens to use domestic technology to access public services.
The alternative messaging apps listed below employ better encryption than Eitaa, Rubika, and Bale. While they cannot grant users access to Iranian government services as the Iranian messenger apps can, they offer much greater privacy and security for communications. Signal, Session, and Wire provide E2EE.
- NewNode
- Signal (using their anti-censorship proxy service)
- Session
- Wire
- Delta Chat
Link to report: