I don’t think there is anyone who doesn’t know what WhatsApp is. With Signa, I have my doubts that everyone knows the application and the benefits it has. With Threema I think I’m not wrong if I say that not many people know him. All three are instant messaging applications that promise to do what they do well. Signal and Threema are also characterized because they are applications whose identity is privacy and security in communications. So much so that they are even used for state services. And yet all three suffer from the same problem: Location data may be exposed.

One of the characteristics that instant messaging applications must guarantee is the privacy of communications. WhatsApp has suffered from this problem for a long time and its fame was rather the opposite. But it is true that lately it is putting the batteries and it seems that the data is safe. Signal and Threema have always raised the flag of privacy in communications as a sign of identity.

Now, security researchers have found a surprising method to expose location data in secure messaging apps WhatsApp, Signal, and Threema. It is possible to infer the locations of users with an accuracy that exceeds 80% by launching a specially crafted timing attack. This is about measuring the time it takes for the attacker to receive the message delivery status notification when it has been sent to the target.

Because mobile Internet networks and instant messaging application server infrastructure have specific physical characteristics that result in standard signal paths, these notifications they have predictable delays based on the user’s position.

It doesn’t seem like an easy system to reproduce or something that can happen continuously. But it is good to know that the system is there and that It is possible that the location data of users can be exposed in applications that fight precisely against these leaks.