Saturday, October 5, 2019

Analysis of Antox - Android Tox App

What is this post about?

In my latest examinations of devices I had several contacts with Tox or, to be more precise, with apps that use the Tox protocol to communicate. I had never heard of it before, so I needed to look it up.
In short, it is an open source project to build a free and secure (end-to-end encrypted, without a centralized infrastructure) instant messaging and video calling protocol.
You can find more information about Tox at https://tox.chat/

Because in the cases I had worked on I really needed to see what the person had communicated over Tox and with whom, I started analysing it more deeply.
There are different clients for different operating systems. This post starts with the analysis of Antox, one client for the Android OS. The client qtox, for Windows and Linux, will follow in another post.


By the way, this post does not go into the technical details of the encryption, anonymisation and authentication mechanisms used within Tox and its clients. Everything is open source, so one can look this up in the documentation and in the source code.

Okay, let's start.


Overview of the app

Name: Antox
Current Version on Google Play: 0.25.515 (also the tested version)
Path (TOXPATH): /data/data/chat/tox/antox

Databases of interest

Chat History
The database with the chat history in it is located under:
TOXPATH/databases/[tox_username]

So, for a tox username like "4n6" the database would be named and located like:
TOXPATH/databases/4n6

This database contains four tables. The structure is really simple to understand; a refreshingly clear design.

1. Table contacts: 
Like the name says the contact list is stored in here.

2. Table friend_requests:
The open received friend requests are stored in here.

3. Table group_invites:
The open group invites are stored in here.

4. Table messages:
The sent and received messages are in here including media messages and calls. The media itself is stored separately (more later). The timestamps are in UTC.

I have created two SQL statements to get data out of the database: one for the contacts and one for the messages.

User Account
There is also a database with information about the used tox accounts.
TOXPATH/databases/userdb

This database contains all accounts that were used, including the ones that were deleted. But only the username is stored, not the tox_id, which is the real identifier in Tox.

Files of interest

The Tox-File
The tox file stores the account information.
TOXPATH/files/[tox_username]

If the account was created with a passphrase, the content is encrypted.
Antox itself cannot create an encrypted tox file; it can only open one.
Tox files can then be copied from one device to another to use the account there. E.g. a tox file created with a passphrase in qtox can be copied to an Android device and used there with the passphrase.
But the protocol is not built to use the same account on different devices at the same time.

Preferences Files

The preferences of the app are stored in the following file:
TOXPATH/shared_prefs/chat.tox.antox_preferences

It is an XML file. It contains information about the settings, e.g. the proxy address used, whether autostart is enabled, whether notifications are allowed and much more.

Also of particular interest in this file are e.g.:
1. The (last) active account, including the Tox ID
2. Whether auto-accept of files and media is enabled

Media files

Okay so what happens when sending/receiving media files?

1. Both communication partners need to be online the moment one wants to send media via Antox.
2. By default, the receiver of the media needs to accept the file actively. The receiver cannot see the content of the file (no thumbnail) before it is completely received.
3. The sender of the media cannot see whether the receiver has accepted and downloaded the media. But the table "messages" in the user's database has a column "successfully_sent". If the value is "1", the receiver has fully downloaded the file.
4. Sent media is not stored separately. The original file name is stored in the database, so one can search for this file name. If the file is still there and has not been changed, one can determine which file was sent.
5. Received files are stored in /media/Downloads/Tox Received Files
6. The folder /media/Antox holds the QR codes of the accounts. They can be used to simplify adding a new contact.

Messages

Okay, now normal text messages, how does this work?

1. One can send a message even if the communication partner is offline.
2. Deleting messages (also media) on the sender side only affects the sender side.
3. Deleting messages (also media) on the receiver side only affects the receiver side.
4. Deletion of files seems to zero out the content in the database. I was not able to recover data (I tested it with the SQLite parsing script from Mari DeGrazia). My old friend, the hex editor, only saw zeroes and I could not find the strings that were in the message. A WAL file is not used by the database.
I will test the database with the Oxygen Forensics SQLite tool to see if it can recover anything. But because I cannot find anything with the hex editor, I don't think it will work.
5. When the option "Keep Chat History on Logout" is disabled in the profile, all messages are deleted from the database on logout. Same as under number 4, I could not find any data left.
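As an added illustration of findings 4 and 5 (not code from the original post): SQLite has a secure_delete setting that zeroes freed record space on deletion, and to my knowledge Android's SQLite build enables it by default (SQLITE_SECURE_DELETE), which would explain why the hex editor only saw zeroes. The script below builds a constructed stand-in table named messages (the real Antox schema is not reproduced), deletes one row with secure_delete off and on, and checks whether the text survives in the raw file bytes.

```python
import os
import sqlite3
import tempfile

# Constructed marker text; in a real case use a string seen in the seized DB.
MARKER = "CONSTRUCTED-SECRET-7f3a"


def find_text_offsets(path: str, needle: str) -> list:
    """Scan a file's raw bytes (what a hex editor sees) and return every
    offset of needle, so deleted-but-not-zeroed records can be located."""
    with open(path, "rb") as fh:
        raw = fh.read()
    pattern = needle.encode("utf-8")
    offsets, pos = [], raw.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = raw.find(pattern, pos + 1)
    return offsets


def deleted_text_survives(secure_delete: bool) -> bool:
    """Create a tiny database with an assumed messages table, delete one
    message and report whether its text is still present in the file."""
    path = os.path.join(tempfile.mkdtemp(), "4n6")  # Antox names the DB after the user
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=DELETE")      # rollback journal, no WAL (as observed)
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, message TEXT)")
    # Delete the middle row so the freed space stays a free block inside the page.
    conn.executemany("INSERT INTO messages(message) VALUES (?)",
                     [("hello",), (MARKER,), ("bye",)])
    conn.commit()
    conn.execute("DELETE FROM messages WHERE message = ?", (MARKER,))
    conn.commit()
    conn.close()                                    # make sure the pages hit the disk
    return len(find_text_offsets(path, MARKER)) > 0


if __name__ == "__main__":
    print("secure_delete=OFF -> deleted text survives:", deleted_text_survives(False))
    print("secure_delete=ON  -> deleted text survives:", deleted_text_survives(True))
```

With secure_delete off the string is still readable in the freed cell (only the first bytes are overwritten by the free-block header); with it on, the cell is zeroed, which is the picture the hex editor gave.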

Some important findings

1. One needs the password of a Tox account the first time one imports the tox file. After this no password is needed.
2. The database with the messages in it is always unencrypted, even if a passphrase is used.
3. If an account is deleted, the whole database is deleted from the filesystem. But the info about the account is still in the userdb database, and the tox file of the deleted account still exists as well.

Conclusion

When finding Antox on an Android device, you have a really good chance of finding valuable information, because the data on the device is currently not encrypted.
Also, even if an account was deleted after its usage, there is still information that this account was used on the device.
My analysis of qtox on Windows and Linux will follow here on my blog. Just a short preview: the desktop app makes it more difficult to get data.

Analysis of qTox for Linux and Windows

What is this post about?

This is my second post on the topic of Tox. It describes my analysis of the client qTox on Linux and Windows.
The first post was about Antox, an Android client for Tox.
As I wrote there, I won't look into the techniques used for encryption, authentication and anonymisation. This post is more about what you can get out of a seized PC with qTox on it.

Okay, let's start.

Overview of the app

Name: qtox
Version tested here: 1.16.3
Linux OS: Manjaro Linux with Kernel 4.19.69-1-MANJARO
Windows OS: Windows 10 Pro, Version 1903

Databases of interest

Chat History
The database with the chat history in it is located under:
Linux: $HOME/.config/tox/[tox_username].db
Windows: %APPDATA%\Roaming\tox\[tox_username].db

So, for a tox username like "4n6" the database would be named and located like:
Linux: $HOME/.config/tox/4n6.db
Windows: %APPDATA%\Roaming\tox\4n6.db

The database is encrypted if the account is protected with a passphrase.
In this database are four tables.

1. Table Faux_offline_pending:
I cannot see any data in here. At the moment I have no clue what this table is for.

2. Table aliases:
Contains the aliases of the contacts, if one is set.

3. Table peers:
Contains the contact tox IDs.

4. Table history:
The sent and received messages. BUT: sent and received files/media files are not stored, so messages that contain e.g. an image won't be displayed. The timestamps are in UTC.

I have created a SQL statement to get chat data out of the database.

Files of interest

The Tox-File
The tox file stores the account information.
Linux: $HOME/.config/tox/[tox_username].tox
Windows: %APPDATA%\Roaming\tox\[tox_username].tox

If the account was created with a passphrase, the content is encrypted.
Tox files can then be copied from one device to another to use the account there. E.g. a tox file created with a passphrase in qtox can be copied to an Android device and used there with the passphrase.
But the protocol is not built to use the same account on different devices at the same time.

App Preferences Files

The preferences of the app are stored in the following file:
Linux: $HOME/.config/tox/qtox.ini
Windows: %APPDATA%\Roaming\tox\qtox.ini

It is a configuration file with stanzas and attributes.


Account Preferences Files
The preferences of the account are stored in the following file:
Linux: $HOME/.config/tox/[tox_username].ini
Windows: %APPDATA%\Roaming\tox\[tox_username].ini

It is a configuration file with stanzas and attributes.

Log-File
The log file can be found under:
Linux: $HOME/.cache/Tox/qtox.log
Windows: %APPDATA%\Roaming\tox\qtox.log

E.g. you can find information on which qTox user was used at what time in this file. I have also found a line in the file with the following content:

[07:31:35.631 UTC] core/corefile.cpp:132 : Debug: "sendFile: Created file sender 1 with friend 0"

This indicates a started file transfer to "friend 0". I first thought that the ID of the communication partner is 0. I looked it up in the database but it didn't match. I will look deeper into this later.
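As an added example (not code from the original post) for pulling file-transfer events out of qtox.log: the regex below follows the shape of the line quoted above, and the sample log is constructed (the first line is the one from the post, the others are made up in the same format). Note that in the toxcore API a friend number is a per-client index into the friend list, not the contact's Tox ID, which fits the observation that it does not match an ID in the database.

```python
import re

# Line shape taken from the post's example: "[HH:MM:SS.mmm UTC] file:line : Level: "message""
LOG_LINE_RE = re.compile(
    r'^\[(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) UTC\] '
    r'(?P<source>\S+?):(?P<srcline>\d+) : (?P<level>\w+): "(?P<message>.*)"$'
)
# Message text of a started outgoing transfer, as quoted in the post
SENDFILE_RE = re.compile(
    r'^sendFile: Created file sender (?P<sender>\d+) with friend (?P<friend>\d+)$'
)

# Constructed sample log: first line is real (from the post), the rest are made up.
SAMPLE_LOG = """\
[07:31:35.631 UTC] core/corefile.cpp:132 : Debug: "sendFile: Created file sender 1 with friend 0"
[07:31:36.002 UTC] core/corefile.cpp:132 : Debug: "sendFile: Created file sender 2 with friend 3"
[07:32:10.450 UTC] core/core.cpp:500 : Debug: "some unrelated constructed entry"
this line is not in the expected format and is skipped
"""


def parse_line(line: str):
    """Split one qtox.log line into its fields, or return None if it does not
    match the expected shape. The log only carries a time of day, so the date
    has to come from file metadata or surrounding context."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def file_transfer_events(log_text: str) -> list:
    """Return every started file transfer as {time_utc, sender, friend_number}.
    friend_number is toxcore's local friend index, not the contact's Tox ID."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = SENDFILE_RE.match(rec["message"])
        if m:
            events.append({"time_utc": rec["time"],
                           "sender": int(m["sender"]),
                           "friend_number": int(m["friend"])})
    return events


if __name__ == "__main__":
    for ev in file_transfer_events(SAMPLE_LOG):
        print(ev)
```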

Media files

Okay so what happens when sending/receiving media files?

1. Both communication partners need to be online the moment one wants to send media via qTox.
2. By default, the receiver of the media needs to accept the file actively. The receiver cannot see the content of the file (no thumbnail) before it is completely received.
3. The sender of the media can see if the chat partner has accepted the file and when the download is finished.
4. Sent media is not stored separately.
5. The receiving chat partner is always asked where the file should be stored.

Messages

Okay, now normal text messages, how does this work?

1. One can send a message even if the communication partner is offline.
2. One cannot delete single messages; one can only delete the complete history of a contact. After doing this I was not able to recover the data.
3. Deleting messages only affects the application of the person deleting, not the other side.
4. Messages with media content are NOT stored in the databases. They are only displayed in the active session in the GUI. After closing qTox I could not find any information about sent/received media.
When restarting qTox one cannot see the media messages in the GUI. It seems as if the message was never sent/received.

Some important findings

1. When a passphrase is used, the database is encrypted. But if you have the passphrase, you can move the database and the tox file to another machine that is offline and open the database with qTox. You don't need an active Internet connection. After this you can export all the chats for further analysis.
2. Media messages are never stored in the database. That's unfortunate because one loses a lot of information.

Conclusion

With qTox it is a bit more complicated to get data out than with Antox, especially if a passphrase is used, which is mostly the case. Also the fact that media messages are not persisted in the databases was bad for my cases.

I am a fan of secure software where no third party stores any data and everything is as secure as possible. It's just that for the cases I work on, qTox currently seems like a black hole to me. I can't get much out.
But at least I can see the qTox usernames used and perhaps the ID (if not encrypted in the tox file), and I can see whether the messenger was actively used.