{"id":5150,"date":"2024-12-17T07:21:47","date_gmt":"2024-12-17T07:21:47","guid":{"rendered":"https:\/\/filter.watch\/english\/?p=5150"},"modified":"2024-12-17T09:30:52","modified_gmt":"2024-12-17T09:30:52","slug":"investigative-report-december-iranian-messaging-apps","status":"publish","type":"post","link":"https:\/\/filter.watch\/english\/2024\/12\/17\/investigative-report-december-iranian-messaging-apps\/","title":{"rendered":"Open Technology Fund\u2019s Security Lab Finds Three Widely Used Iranian Messaging Apps Are Not Safe"},"content":{"rendered":"

Iran is consistently ranked \u201cnot free\u201d in Freedom House\u2019s annual <\/span>Freedom on the Net<\/span><\/i> research reports. The country received a dismal score of 12 (on a scale of 1 to 100, with 100 being the most free) in the <\/span>2024 report<\/span><\/a>, amid wide-reaching censorship and surveillance. In a bid to restrict access to the global, free internet and tightly control the domestic cyberspace, the Iranian government has blocked many foreign or independent applications, and is encouraging people in the country to use state-approved domestic apps. To increase usage, authorities are shifting essential online public services (e.g., banking, education, pension funds) to these homegrown platforms (which are often funded by the state), enabling interoperability between major Iranian messenger apps, and offering lower rates for domestic internet bandwidth while restricting international bandwidth.<\/span><\/p>\n

According to the Iranian government, <\/span>as many as <\/span>89 million<\/span><\/a> people have signed up to use Iranian messaging apps<\/span> and Eitaa, Rubika, and Bale, in particular, are gaining in popularity. All three are interoperable and claim to use end-to-end encryption (E2EE)\u2014whereby only the sender and receiver of messages are able to read their contents. With E2EE, third-parties (including the application server) are unable to read or modify the data. Do these apps truly use E2EE, though? And are there other privacy and security vulnerabilities that users should be aware of?\u00a0<\/span><\/p>\n

Open Technology Fund (OTF)\u2019s <\/span>Security Lab<\/span><\/a> performed an audit of these apps in December 2023 and October 2024 to try and answer these questions. All three apps were confirmed not to use E2EE. Auditors also identified that all three apps\u2019 backend servers monitor which websites users access, a mechanism for censorship and surveillance. Several other privacy and security vulnerabilities were uncovered in all the apps. Unlike the majority of OTF\u2019s <\/span>Security Audit Reports<\/span><\/a>, the auditors asked to remain anonymous given the sensitive nature of the inquiry.\u00a0<\/span><\/p>\n

More About Eitaa, Rubika, and Bale Messaging Apps<\/strong><\/h4>\n

Eitaa<\/b> was developed at the University of Qom\u2019s Incubation Center, an institution with close ties to the Iranian political establishment. According to the Iranian Communication Minister, <\/span>the app grew from three million to <\/span>19 million users<\/span><\/a> in just three months, from late September to late December 2023<\/span>. In a poll<\/a> conducted by the <\/span>Miaan Group<\/span><\/a> in 2023, many respondents said they had to use Eitaa and other domestic messaging apps for education purposes.<\/span><\/p>\n

Rubika<\/b> is a product of Hamrah-e-Aval (MCI), one of Iran\u2019s major mobile telecommunication service providers, which is majority owned by the state\u2019s Telecommunication Company of Iran. Features include banking services and access to a domestic version of Instagram. In May 2023, the Iranian Minister of Communications and Information Technology announced that <\/span>Rubika has nearly <\/span>40 million <\/span><\/a>monthly active users<\/span>.<\/span><\/p>\n

The features in <\/span>Bale<\/b> (\u201cYes\u201d in Persian) include banking services and many users are obligated to use the app in order to access e-government resources. It was reportedly created by <\/span>Sadad Informatics Corporation<\/span><\/a>, which receives investment from the state-owned National bank of Iran (Bank Melli). Per the Iranian Minister of Communications and Information Technology, <\/span>Bale had <\/span>16.5 million<\/span><\/a> monthly active users as of May 2023<\/span>.<\/span><\/p>\n

Audit Description<\/strong><\/h4>\n

Auditors conducted a multi-phased audit. Phase I, which occurred in December 2023, entailed static analysis (this entails examining the code without executing the program) and reverse engineering to evaluate encryption methods and platform-level privacy concerns. Project time was limited to the following questions in order to inform a more robust second-phase audit:<\/span><\/p>\n