Saturday, October 5, 2019

Analysis of qTox for Linux and Windows

What is this post about?

This is my second post on the topic of Tox. It describes my analysis of the client qTox on Linux and Windows.
The first post was about Antox, an Android client for Tox.
As I wrote there, I won't look into the techniques used for encryption, authentication and anonymisation. This post is more about what you can get out of a seized PC with qTox on it.

Okay, let's start.

Overview of the app

Name: qtox
Version tested here: 1.16.3
Linux OS: Manjaro Linux with Kernel 4.19.69-1-MANJARO
Windows OS: Windows 10 Pro, Version 1903

Databases of interest

Chat History
The database with the chat history in it is located under:
Linux: $HOME/.config/tox/[tox_username].db
Windows: %APPDATA%\Roaming\tox\[tox_username].db

So, for a tox username like "4n6" the database would be named and located like:
Linux: $HOME/.config/tox/4n6.db
Windows: %APPDATA%\Roaming\tox\4n6.db

The database is encrypted if the account is protected with a passphrase.
This database contains four tables.

1. Table Faux_offline_pending:
I cannot see any data in here. At the moment I have no clue what this table is for.

2. Table aliases:
Contains the aliases of the contacts, if one is set.

3. Table peers:
Contains the contact tox IDs.

4. Table history:
The sent and received messages. BUT: sent and received files/media files are not stored, so messages that contain e.g. an image won't be displayed. The timestamps are in UTC.

I have created a SQL statement to get chat data out of the database.
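The post does not reproduce the statement, so here is an added example (mine, not the post's or the qTox project's) that joins the history, peers and aliases tables into a readable chat export and converts the UTC timestamps. The post names the tables but not their columns; the column names, the millisecond timestamp unit and the sample rows are assumptions, so check them against the real file with `.schema` in the sqlite3 shell before relying on them.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed column layout (the post names the tables, not their columns; the
# columns and the millisecond UTC timestamp are assumptions, verify against
# the real file with ".schema" in the sqlite3 shell before relying on them):
#   peers(id, public_key)                       contact Tox public keys
#   aliases(id, owner, alias)                   display names, owner -> peers.id
#   history(id, timestamp, chat_id, sender_alias, message)
#     chat_id -> peers.id of the conversation, sender_alias -> aliases.id
EXPORT_QUERY = """
SELECT h.timestamp, p.public_key, COALESCE(a.alias, '<no alias>'), h.message
FROM history h
JOIN peers p ON p.id = h.chat_id
LEFT JOIN aliases a ON a.id = h.sender_alias
ORDER BY h.timestamp
"""

def export_chat(conn):
    """Return (utc_iso_time, conversation_public_key, sender, text) per message."""
    rows = []
    for ts_ms, pk, sender, msg in conn.execute(EXPORT_QUERY):
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        if isinstance(msg, bytes):                # message column is a BLOB
            msg = msg.decode("utf-8", errors="replace")
        rows.append((when.isoformat(timespec="seconds"), pk, sender, msg))
    return rows

def build_sample_db():
    """Constructed in-memory stand-in for 4n6.db; not data from a real account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE faux_offline_pending (id INTEGER PRIMARY KEY);
        CREATE TABLE peers (id INTEGER PRIMARY KEY, public_key TEXT NOT NULL UNIQUE);
        CREATE TABLE aliases (id INTEGER PRIMARY KEY, owner INTEGER, alias BLOB);
        CREATE TABLE history (id INTEGER PRIMARY KEY, timestamp INTEGER NOT NULL,
            chat_id INTEGER NOT NULL, sender_alias INTEGER NOT NULL, message BLOB NOT NULL);
        INSERT INTO peers VALUES (0, 'SELF_PUBLIC_KEY_PLACEHOLDER'),
                                 (1, 'CONTACT_PUBLIC_KEY_PLACEHOLDER');
        INSERT INTO aliases VALUES (1, 0, '4n6'), (2, 1, 'alice');
        INSERT INTO history VALUES (1, 1570260695631, 1, 1, 'hello'),
                                   (2, 1570260700000, 1, 2, 'hi back');
    """)
    return conn

if __name__ == "__main__":
    for row in export_chat(build_sample_db()):
        print(" | ".join(row))
```

To run it against a seized, unencrypted database, replace `build_sample_db()` with `sqlite3.connect("/path/to/4n6.db")`.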

Files of interest

The Tox-File
The tox file stores the account information.
Linux: $HOME/.config/tox/[tox_username].tox
Windows: %APPDATA%\Roaming\tox\[tox_username].tox

If the account is created with a passphrase, then the content is encrypted.
Tox files can then be copied from one device to another to use the account. E.g. a tox file created with a passphrase in qTox can be copied to an Android device and used there with the passphrase.
But the protocol is not built to use the same account on different devices at the same time.

App Preferences Files

The preferences of the app are stored in the following file:
Linux: $HOME/.config/tox/qtox.ini
Windows: %APPDATA%\Roaming\tox\qtox.ini

It is a configuration file with stanzas and attributes.


Account Preferences Files
The preferences of the account are stored in the following file:
Linux: $HOME/.config/tox/[tox_username].ini
Windows: %APPDATA%\Roaming\tox\[tox_username].ini

It is a configuration file with stanzas and attributes.

Log-File
The log file can be found under:
Linux: $HOME/.cache/Tox/qtox.log
Windows: %APPDATA%\Roaming\tox\qtox.log

E.g. you can find information in this file about which qTox user was used at what time. I've also found a line in the file with the following content:

[07:31:35.631 UTC] core/corefile.cpp:132 : Debug: "sendFile: Created file sender 1 with friend 0"

This indicates a started file transfer to a "friend 0". I first thought that the ID of the communication partner is 0. I looked it up in the database, but it didn't match. I will look deeper into this later.
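As an added example (mine, not from the post or the qTox project), a small Python parser for the log line layout quoted above that pulls out the outgoing file-transfer events with their UTC time. The input is constructed: the first line is the one quoted in the post, the others are made up in the same layout (their source file names and line numbers are invented), and the friend number is reported as-is because the post notes it does not map directly to the database ID.

```python
import re
from dataclasses import dataclass

# Layout taken from the single line quoted in the post:
# [HH:MM:SS.mmm UTC] source_file:line : Level: "message"
LOG_LINE = re.compile(
    r'^\[(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) UTC\] '
    r'(?P<src>\S+):(?P<srcline>\d+) : (?P<level>\w+): "(?P<msg>.*)"$'
)
# "sendFile: Created file sender 1 with friend 0" -> (file sender number, friend number)
SEND_FILE = re.compile(r'^sendFile: Created file sender (\d+) with friend (\d+)$')

@dataclass
class LogEvent:
    time: str    # wall-clock time of day, UTC (the log line carries no date)
    src: str
    level: str
    msg: str

def parse_log(text):
    """Return structured events; lines not in the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(LogEvent(m["time"], m["src"], m["level"], m["msg"]))
    return events

def file_transfers(events):
    """Outgoing file transfers as (time, file sender number, friend number)."""
    out = []
    for ev in events:
        m = SEND_FILE.match(ev.msg)
        if m:
            out.append((ev.time, int(m.group(1)), int(m.group(2))))
    return out

# Constructed sample: first line as quoted in the post, the rest made up in the
# same layout (file names / line numbers invented) to exercise the parser.
SAMPLE_LOG = """\
[07:31:35.631 UTC] core/corefile.cpp:132 : Debug: "sendFile: Created file sender 1 with friend 0"
[07:31:36.002 UTC] core/core.cpp:400 : Debug: "Some other message"
this line is not in the expected layout
[07:32:10.118 UTC] core/corefile.cpp:132 : Debug: "sendFile: Created file sender 2 with friend 3"
"""

if __name__ == "__main__":
    for t, sender, friend in file_transfers(parse_log(SAMPLE_LOG)):
        print(f"{t} UTC: file sender {sender} -> friend {friend}")
```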

Media files

Okay so what happens when sending/receiving media files?

1. Both communication partners need to be online the moment one wants to send media via qTox.
2. Default: The receiver of the media needs to accept the file actively. The receiver cannot see the content of the file (no thumb) before it is completely received.
3. The sender of the media can see if the chat partner has accepted the file and when the download is finished.
4. Sent media is not stored separately.
5. The receiving chat partner is always asked where the file should be stored.

Messages

Okay, now normal text messages, how does this work?

1. One can send a message even if the communication partner is offline.
2. One cannot delete single messages. One can only delete the complete history from a contact. Doing this I was not able to recover the data.
3. Deleting messages only affects the application of the deleting person, not the other one's.
4. Messages with media content are NOT stored in the databases. They are only displayed in the active session in the GUI. After closing qTox I could not find any information of sent/received media.
When restarting qTox one cannot see the media messages in the GUI. It seems like the message was never sent/received.

Some important findings

1. When a passphrase is used the database is encrypted. But if you have the passphrase, you can move the database and the tox file to another machine that is offline and open the database with qTox. You don't need an active Internet connection. After this you can export all the chats for further analysis.
2. Media messages are never stored in the database. That's unfortunate because one loses a lot of information.

Conclusion

With qTox it is a bit more complicated to get data out than with Antox, especially if a passphrase is used, which is mostly the case. Also the fact that media messages are not persisted in the databases was bad for my cases.

I am a fan of secure software where no 3rd Party stores any data and everything is as secure as possible. It's just that for the cases I work on qtox currently seems like a black hole for me. I can't get much out.
But at least, I can see the used qtox usernames and perhaps the id (if not encrypted in the tox file) and I can see if the messenger was actively used.
