Threat Models over Space and Time: A Case Study of E2EE Messaging Applications

TL;DR

This paper investigates how real-world end-to-end encrypted messaging apps adapt their threat models over time and space, highlighting the importance of dynamic trust boundary management for security and privacy.

Contribution

It provides an empirical analysis of six messaging apps' threat model adjustments across platforms and time, using adversarial testing and threat frameworks.

Findings

Apps often fail to adapt threat models when expanding to new platforms.

Rescoping trust boundaries enhances security against evolving threats.

Understanding trust boundaries aids in better security management.

Abstract

Threat modelling is foundational to secure systems engineering and should be done in consideration of the context within which systems operate. On the other hand, the continuous evolution of both the technical sophistication of threats and the system attack surface is an inescapable reality. In this work, we explore the extent to which real-world systems engineering reflects the changing threat context. To this end we examine the desktop clients of six widely used end-to-end-encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short-lived adversarial access against these desktop clients and analyzed the results with respect to two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to both recognise the threats in the evolving context within which systems operate and, more importantly, to mitigate them by rescoping trust boundaries in a manner that those within the administrative boundary cannot violate security and privacy properties. Such a nuanced understanding of trust boundary scopes and their relationship with administrative boundaries allows for better administration of shared components, including securing them with safe defaults.