SQLCipher has 100M+ Mobile Users (Thanks to WeChat!)

(Note: Originally this post had a title claiming 300 Million WeChat users… that would have included iOS and Android, and we don’t know if the WeChat iOS app also includes SQLCipher encryption or not. That said, there are 50-100M Google Play downloads of WeChat for Android, which does not include all of the users inside China)

Through some of our own recent sluething, Citizen Lab’s research into “Asia Chats” security, and now via this detailed look at WeChat security from Emaze.com, it has been recently discovered that WeChat for Android uses SQLCipher for local data encryption in its app. We co-developed SQLCipher for Android with Zetetic, and have been working to promote its adoption among Android developers who need to protect data stored locally on a device. While many people would point to Android’s Full Disk Encryption feature as a solution for that, only a small percentage of users ever enable it, and even then, once a device is unlocked, then all data is accessible by someone looking to extract it. With SQLCipher, the application can ensure its own data is encrypted, and if the app is closed, then the data is secured.

Now, as with most things WeChat, the actually implementation of SQLCipher is not that ideal, utilizing a short key, generated in part from the device’s ID, and some sort of server provided token. Still, at least they tried, and SQLCipher is considered stable enough to be used for the over 300 million WeChat users around the world. Who knows, though, maybe the devs are on our developer list or the SQLCipher list, and we can help them improve their implementation using CacheWord!

The biggest irony of this, is that I gave a lightning talk at Google IO 2013, highlighting the concern I had with the rapid growth of WeChat, and their parent company’s and country’s poor record on human rights, free speech, and generally defending their users. With the growth of WeChat beyond the borders of China, it is the first major mobile service to be exported and adopted outside of the Great Firewall, by non-Chinese users.

My part starts at about 17:00 in, and runs for about 5 minutes…

So, for now, I raise a toast to the Android developers at Tencent/WeChat, who at least took a shot at providing local message encryption in their app, and may they continue to endeavor to defend their users privacy and security, as best as they can, considering their circumstances.

More from the emaze-ing post below…

WeChat locally stores application data in an encrypted SQLite database
named “EnMicroMsg.db”. This database is located in the “MicroMsg”
subfolder inside the application’s data directory (typically something
like “/data/data/com.tencent.mm”).

The database is encrypted using SQLCipher, an open source extension for
SQLite that provides full database encryption. The encryption password
is derived from the “uin” parameter (see previous sections) combined
with the device identifier through a custom function. More precisely,
the key generation function leverages the mangle() function shown in the
previous Python snippet. The actual database encryption key can be
generated through the following pseudo-code:

password = mangle(deviceid + uin)[:7]

Here deviceid is the value returned by the Android API function
TelephonyManager.getDeviceId(). Follows a sample SQLCipher console
session that demonstrate how the EnMicroMsg.db database can be decrypted.

$ sqlcipher EnMicroMsg.db
sqlite> PRAGMA key = ‘b60c8e4’;
sqlite> PRAGMA cipher_use_hmac = OFF;
sqlite> .schema
CREATE TABLE conversation (unReadCount INTEGER, status INT, …
CREATE TABLE bottleconversation (unReadCount INTEGER, status INT, …
CREATE TABLE tcontact (username text PRIMARY KEY, extupdateseq long, …

It is also worth pointing out that, as the key generation algorithm
truncates the password to 7 hex characters, it would be not so difficult
for motivated attackers who are able to get the encrypted database to
brute force the key, even without knowing the uin or the device identifier.

5 comments for “SQLCipher has 100M+ Mobile Users (Thanks to WeChat!)

  1. Jing
    2014/02/21 at 7:36 pm

    Oh boy, I love your idea, but I have to say, you need an in-depth trip to China to really feel this country.

  2. droopy
    2014/04/18 at 11:07 am

    Is is very easy to crack the password just by smaili injection.
    A chinese guy have already do it, and the password is save in plain text on the device. It is just a good solution but not perfect.

  3. Wesley
    2014/05/11 at 10:37 pm

    Hi, I’m trying to download my wechat logs, and it sounds like this EnMicroMsg.db is what I need.
    However, I can’t find it anywhere.
    Does my phone need to be rooted for me to have access to a DB file like this?
    Can you please help me? It’s a matter of Love or Death. Well, actually, just Love, ha ha.

  4. neoludita
    2015/04/29 at 5:41 am

    Their encryption is a joke. Better not encrypt it and save users’ time and storage space, than do such a botched job.

    • Hans-Christoph Steiner
      2015/04/30 at 8:54 am

      I agree it is not a good way to implement encryption. The problem lies not with the encryption, it uses AES256 in SQLCipher, which is quite solid. The problem is that they used a password that can be derived by anyone who has access to the device. That said, even their technique provides a little benefit. It will take a while still before it becomes practical for most thieves to reliably decrypt the messages.

Leave a Reply

Your email address will not be published. Required fields are marked *