OSINT & Messenger Apps

(First Published On Medium January 2020)

Throughout 2019 one thing that is obvious about the OSINT community is how much work people do in their own time and how willing they are to share their work.

So I decided that over the Christmas Holidays I would look at the many messenger apps that are available and see what information could be leveraged using a Subject’s mobile phone number. I wanted to see what information could be obtained from the app and the desktop versions. This is very much a whistle stop tour and please take what I have done and build on it.

Below is an illustration of which apps are popular across the Globe.

Source www.messengerpeople.com

Much of what you will be able to discover about a target mobile number will depend not just on the privacy settings of your target app but also your privacy settings.

It is important to learn how each app works and what potential trace you leave your Subject to see.

All the apps seen here offer the investigator / researcher different things and rely somewhat on the on the information that the target has supplied when creating their accounts.

Strava, Voxer, Skype, have the potential to give location information and other personal information. Apps such as GroupMe, Line, Skype, Strava,Telegram, Wire will provide you with the name that the target has provided when the account was created and not the one that you may have created in your contacts.

Apple Facetime and Google Duo do not seem to offer much in relation to profile photo or personal information. Where they do come in useful however is that you are able to potentially confirm the existence of an Apple or Google account.

Facebook, Facebook Messenger and Instagram appear to make searching contacts difficult in that they will blend you contact in amongst other people so obfuscating your Subject.

You have to sometimes be patient too as not all the apps sync straightaway or are consistent in how often they sync.

Google Duo - App & Website

Confirms a person is on Duo.
It will tell the person that you have added them to your contacts that you are now on Duo too, so this may be an issue depending on what your objective is.
For those in LE however it does present an opportunity because you have a real world number associated with a Google product.

Facebook Messenger - App / Website

Profile Picture and details from a Facebook bio.

Facetime


What I have noticed is that if you add a contact on an Apple I-Phone it will tell you whether that contact number is on Facetime. So we can easily establish that your subject is potentially using an Apple product.
For those in LE it presents an opportunity because you have a real world number associated with an Apple product.

GroupMe - App / Website

Will provide Profile photos the name of the contact on the Server not from your phonebook.

ICQ - App / Website


Profile Picture, Nickname, Name, BIO & last seen.
Will show when someone is on-line.

IMO - App / Desktop

Profile Picture and also the name they have provided to their account as well as last seen.
It will show the other person if they are on IMO that you have joined and that you have added then to your contacts.
IMO also shows everyone who is presently on-line (not just your Subject) and also nearby groups but this is something I am still exploring.

Line

Profile picture. The other person has to have altered the settings to allow them to be added as a contact
Your subject will see you as a Friend / Friends Recommendation depending on their phone. It will also show when someone is on-line.
When you click on your contact it will show the name you have given them but underneath it will also show you the name they have given them themselves, as their display name.

Skype - App / Desktop

Skype is one of my favourites as people who use it tend to give up more information, which I assume is down to the fact this is a professional / business messenger service.
Skype will display, username, profile picture. It will provide the name as per the server not your contacts, also location information of where they say they are from along with a date of birth.

SOMA - App

Profile Picture, last scene online, status (Very similar to Whatsapp)

Telegram - App / Desktop

You can see a user’s profile photo, username and bio along with their last seen.
If you are using the desktop client of Telegram it will show their previous profile photos too.
Now I have had mixed results depending on the device I have been using. If your Subject  is not on Telegram it will tell you how many of their contacts are.
One of my favourite bloggiest @aware-online has an excellent tutorial on how geolocate groups on Telegram.

Strava

Will show profile picture and the name on Strava server not in your contacts. Will also show the location they are from if this field has been completed and Bio info.

Viber - App / Desktop

Viber will enable you to see a person’s profile picture as well as last seen, online. (Very similar to Whatsapp)

Voxer

• Profile Picture, username, location of where they say they are from.

WeChat - App

• I am still working with this one as I am having issues with the web version.
• With WeChat you have to get another user to scan your QR code to enable you to use the app.
• You can see a person’s profile picture.
• Similar to Telegram you can see nearby users which will show you their profile picture and name.

WhatsApp ¬– App / Desktop

Profile picture, Last seen, Status & About Me.
Even if, “Last Seen,” is disabled and their privacy settings are locked down you can still appear to be able to see when your subject is on-line.

Wickr – App / Desktop

Username & profile picture.
You can choose to add a phone number too which is then searchable, email and names are also searchable. You can see their online status. You can search for rooms.

Wire - App / Desktop

Profile username, picture and name from Wire servers.

Now I have left this one to the last:-

Signal - App / Desktop


From what I can see it is very difficult to leverage anything from Signal apart from confirmation that somebody has the app. For those who like their privacy this may just be the app for you.

 

Facebook Lockdown

(First Published January 2020)

Now, I am not a fan of Facebook purely from a privacy perspective. I can see the appeal of social networking platforms like Facebook.

I have an acquaintance who recently decided to set up a Facebook account as a friend he knows was moving to country where Facebook was the only means of messaging people. I did ask him why he had not simply downloaded the Facebook messenger app instead of creating a Facebook account.

Anyway he assured me that it was completely locked down and private. Needless to say when I checked it wasn’t. So I thought a short blog on taking control of your Facebook’s privacy settings maybe necessary.

Now basic privacy principals is about looking at the platforms and apps you use and adjusting the privacy settings accordingly. Moving forward there maybe be a necessity to invest in your privacy some of which I will explore in future blogs.Now Facebook has been involved in some nightmare privacy scandals and to give them their due they have made life difficult for people to leverage the site for information. A couple of years ago you could place a mobile number in the search bar and it would find you the account it was linked to. That no longer exists but you could still use the messenger feature within Facebook to add a number to find the account, that too has recently disappeared. Facebook have also announced that they will no longer link a mobile number used for 2FA (Two Factor Authentication) to an account.

In June 2019 Facebook also discontinued the Graph Search feature. Now all this may potentially thwart the casual researcher however a dedicated and methodical OSINT (Open Source Intelligence) practitioner is still able to leverage the site. Does Facebook monitor the OSINT community? I do not know however if I was Facebook I would be.

Moving forward however Facebook looks like it is rolling out a new preventive health tool and is asking user to participate in their facial recognition tech. There has been some discussion for a while that Facebook intends to bring all their messenger apps, Facebook messenger, WhatsApp & Instagram under one platform. What this would mean for privacy awaits to be seen.

I completely understand why people use Facebook. If you have ever been stuck on the M25 commuting to and from work, there are plenty of groups that provide live updates. If you have a favourite sports team or personality what better way to follow them. Lets not forget staying update to date with what friends are doing whether that is a genuine reason of just because we are nosy by default. In a later blog I will write about how you can setup an Alias account to protect your privacy. Something that journalists or people working in sensitive positions may find useful too.

So firstly to lock down your privacy you need to go to the settings

Then the Privacy tab. This is where you can then lock your account down.

Once you are happy with your privacy settings you can then preview how it looks to the outside world. Go to your timeline and click on the three dots next to the Activity Log an select, View as.

One new area of privacy that has hit the headlines of late is the how other apps share your data with Facebook. Thankfully you can view this and also turn it off.

To do this you need to navigate to you information settings where you will find the Off-Facebook Activity. You can download your activity and also see who has been sharing your activity with Facebook. You maybe surprised by what other apps are sharing with Facebook.In here you can then turn off this feature by going to;- Manage Future Activity – Future off-Facebook Activity and toggle the off switch. You will get the usual warnings about how this affects how Facebook can serve you however this should not stop you from confirming you wish to turn it off.

Hopefully you have found this introduction to Facebook privacy helpful so go and have a look for yourself.

A New Year, New Privacy

(First Published January 2020)

For my first blog of the New Year. I wanted to do a small introduction as to why I felt the need to write blogs relating to privacy in the modern world and how it relates so closely to OSINT (Open Source Intelligence), Social Engineering & inadequate security measures.

In the last few years I have seen how others have used the aforementioned to commit crimes against non-suspecting innocent people often with tragic consequences. Then there are the unscrupulous companies who harvest our information so that they can make money. So I will look to pass on my knowledge and experiences to anyone who wants to protect their privacy. I am not a tech wizard and have learnt from reading articles, exploring different practices and experimenting.

The reasons for a person to protect their privacy will differ from person to person. Someone who is high profile may need to take measure far and beyond what most of us may deem necessary but you can guarantee that some of the techniques are also suitable for the vast majority of people too.

There is a lot of material available both online and offline that will help you however I have always found these to be in the whole orientated towards the US and finding similar solutions in the UK is a little bit more challenging. On the whole it doesn’t need to cost a penny but there may be occasions where you have to invest some money to regain the privacy you desire. I will explore this in future blogs. My intention is not to single out or berate companies whose products do not serve our privacy but is more to help people navigate this world.

As it is the New Year I have decided that this would be a good time to have a clean out of all those Apps that you no longer use. We do not seem to want to delete anything, in the same vain as we do like to throw our old clothes away.

There are over five billion mobile users in the world, with global internet penetration standing at 57%.

As of the first quarter of 2019, these app users could choose to download between 2.6 million Android, and 2.2 million iOS apps. And they certainly are choosing: App Annie sets the total number of app downloads in 2018 at 194 billion; up from 178 billion in 2017.

Apps come and go just like the seasons. What is a popular one year may not be so the next. We download apps on the recommendation of others and never truly buy into its use but it stays there on our phone. I have friend with nearly four screens of Apps most that he freely admits that he does not use and has no idea what the log on details are.

One thing I will say is please unless you know what you are doing only download Apps from reputable sources such as Apples App Store or Googles Play Store.

An App when it is downloaded will ask for certain permissions giving it access to parts of your phone such as, microphone, camera, location data and so on. Most of the Apps do not even need to have those permissions to work. So why is it they ask during the setup and why do we agree? I have denied Apps permission requests that I thought that it did not require and they have worked fine.

Easy one, why does your calculator need access to your location? Some Apps will need access to your location, such as a weather app but then you need to consider do you need to have your location switched on all the time or can you use it when you need to. You can set your permissions so that apps only have them when the App is in use instead of carte blanche.

Ask yourself the question, “Have I ever looked at what data the Apps on my mobile are harvesting?”

It’s beyond the scope of this blog to detail specific cases but there are many great articles detailing how Apps capture your data and how that data is abused or monetised. if you prefer watch the Netflix documentary ‘The Great Hack.’

So this new year when your on the train or bus home do some App house keeping and delete the Apps you do not need or no longer use. I bet you won’t find it as easy as you first thing and you may have to be brutal in your decision making. If you delete an App you no longer use ensure you also delete the account on it too.

Now that was part one completed.

Once you have purged your phone the next step is to then check what permissions the remaining Apps have. You will generally find these permissions in the privacy section of your settings. If you are unable to find it you can type, “Permissions” in the search bar at the top of the settings page, this will generally provide you the options available. Now clearly how these are displayed will differ from device to device.

Once you have located the permission you will then be able to see which Apps have been granted which permissions. From there you need to work your way through them. It will be a case of determining what the Apps is for and what permissions it has been granted.

Taking the weather App, location permission seems appropriate, microphone and contacts maybe not so. The calculator does it need to know my location, I think not. You will find that in the majority of cases a common sense approach will serve you well.

Now you will find some apps especially those that are important to how the device works a little bit more problematic. I have found that I was presented with a warning that the App may malfunction if I altered the permission settings. I would say in my experience it has been a 50 / 50 split whether the App malfunctions or not but if you it does you can reinstate the permission. It’s not for the faint hearted and if in doubt leave it as it is.

Last but not least keep a check on those pesky permissions because sometimes when an App is updated they have been known to reinstate the previous permissions.

One last quick snippet consider buying a privacy screen for your device, whether it is a mobile, tablet or laptop. Have you ever been sat next to someone or behind someone on the bus or train and seen their screen clear as day whether intentionally or not. Most people I know do buy screen protectors and the extra cost of a privacy screen protector is negligible.