In reviewing WeChat’s modified MMTLS protocol, researchers indicated that the alterations to the encryption implementation resulted in security weaknesses, particularly regarding deterministic IVs and lack of forward secrecy.
The investigation by the University of Toronto's Citizen Lab highlighted that WeChat’s business-layer encryption, which relies on AES-CBC, was vulnerable before MMTLS was introduced, and that MMTLS improved the situation only marginally by preventing specific attacks.
A serious concern is the business-layer encryption's inability to protect metadata, such as user IDs and request URIs, which can leak sensitive information in plain text during communication.
Despite the two-layer encryption structure, the researchers concluded that the encryption mechanisms in WeChat fall short of the cryptographic standards expected for an app used by over a billion users.