The Bylock Report


 (This article may seem a bit out of place for normal visitors. It has to do with the dangerous situation in Turkey. Some of the pictures and navigation didn’t translate well to WordPress. I will likely fix these over the upcoming days. You can also view the full version here: https://www.dropbox.com/s/uu4zjyim6a76xcw/BYLOCK%20Report_Ver_Walter_4_19_2017.docx?dl=0)

 A BYLOCK APP REPORT WITHIN THE SCOPE OF ALLEGATIONS

Contents

INTRODUCTION

WHO USED BYLOCK?

FROM WHERE AND HOW WAS IT DOWNLOADED?

GooglePlay and Apple Store History Report

Rank of Bylock in App Store

Rank of Bylock in GooglePlay

David Keynes Interview

Bylock Users in Web Forums

Figure-8: One of the forum messages mentioning Bylock

Bylock User Comments on Google Play Store

UN International Crime Court Judge Aydin Sefa Akay

Congressmen from Turkish Parliament

Is It Possible to Install an Application Non-Existing on App Store and Google Play Store?

TECHNICAL SPECIFICATIONS

Bylock Provides Encrypted Communication

What Does It Mean a Reference is Needed to Use the Program?

What Does It Mean to Add a Friend with a Special Code?

User Account Search and Adding as a Friend by Using Name-Surname and Phone Number

Are Phone Number, Personal Identification Number, E-mail Address Required?

Does the Application Perform Address Book Synchronization?

ENCRYPTION FEATURE OF THE APPLICATION

Are encryption algorithms used by the application proprietary?

Usage of Private and Public Keys

MD5 and SHA-256

2048-bit RSA and AES-256 encryption methods

ByLock by EFF Criteria

Use of Self-Signed Certificates

An Example of a Self-signed Certificate of ChatSecure Application

USE OF APPLICATION AND ITS RECOGNITION IN THE MARKET

Was the Application Known Before the Coup Attempt?

USER PASSWORDS AND SECURITY

IT IS NOT POSSIBLE FOR BYLOCK TO BE USED AT JULY 15 COUP ATTEMPT

RESULT AND EVALUATION

List of Figures

Figure 1- Bylock App History in GooglePlay Store

Figure 2- Popularity Rank of Bylock Application in App Store

Figure 3- Popularity Rank of Bylock Application in GooglePlay

Figure 4- Bylock download statistic according to Downloadatoz.com

Figure 5- The latest comments on Bylock

Figure 6- Data Statistic about Bylock Google Trend

Figure 7- The record that shows right holder of Bylock in App Store is David Keynes

Figure 8- One of the forum messages mentioning Bylock

Figure 9- Bylock users and comments on GooglePlay page

Figure 10- Device Owner Info screens on Android and iOS

Figure 11- User name info on Whatsapp

Figure 12- Screenshot shared by Emre Erciş

Figure 13- Hangouts User Search Options

Figure 14- Searching with Name and Surname in Hangouts Application

Figure 15- End-to-end encryption[9]

Figure 16- Usage of public and private keys in asymmetric cryptography

Figure 17- Comparison of encryption algorithms and their security levels

Figure 18- WhatsApp Security Code Verification Method[17]

Figure 19- Secure Connection Illustration

Figure 20- Unsecure Connection Warning

Figure 21- Certificate information of google.com

Figure 22- The self-signed certificate option of Jabber program[38]

Figure 23- Download statistics of applications on GooglePlay store


INTRODUCTION

This report is designed to examine and clarify the claims about the Bylock application, a need that arose after the July 15, 2016 coup attempt and the extensive precautionary arrests and detentions that followed.

The only report about Bylock is still the one prepared by the Turkish National Intelligence Agency (“MIT”), and everything known about it is the part that has appeared in the Turkish media. According to the ‘Bylock App Technical Report’ prepared by the MIT, members of the organization are alleged to have used this secret communication program, and this allegation has been the basis for the arrest of tens of thousands of people. In this context, merely having downloaded or used the program is the reason tens of thousands of people have been arrested.

The government’s media organs are publishing Bylock news intensely, misleading the courts and the public. According to this coverage, the Bylock app was developed and used by members of the organization to meet their need for encrypted communication, and it is said to have been used only by members of the organization, without any mention that the application is a global one.

Under these conditions there is information the government has not revealed. That information becomes obvious when the news and comments are considered together in the light of law, logic and technical knowledge.

From this point of view, this report takes up all the allegations from their legal, logical and technical aspects, aiming to reach a reasonable conclusion with common sense. Any objections should be made with proofs and justifications.

A SUPPORTING ARTICLE

FROM TECH EXPERT WALTER MCDANIEL

Many of you are familiar with the recent news on the ByLock app in Turkey. Over 100,000 people are in jail due to using a phone app. Today we are going to look at the technology behind this claim. Government authorities claim that dissidents used a low-level app to stay in touch. They also assert that this made them easy to track.

Detractors believe the government jails people unfairly. Both sides are completely sure of their claims. Today we will look at the evidence for both sides.

First, is it possible to send secure transmissions with ByLock, or was it? The answer is no. A skilled hacker or anyone with access to the phone could get the data without any trouble. It is not something that a technology expert would ever use.

What would we use? That is simple. A complicated server set up using Tor, a VPN, or some combination of other programs. Experts can route a message through several computers and use encryption. They would never make such a stupid mistake as using a basic app messaging program like ByLock. It does not happen in technological circles.

Could the members have used it by mistake? Did they believe their communications were secure? The possibility is there but remote. We also have no way to quantify this. The government invalidated that when they confiscated the phones. How did they do that?

Once the government has the phones this program becomes the perfect “evidence-factory”. Skilled technical teams can do anything. They can create all the evidence they want. I know how to alter SMS data, dates, and much more. With ten phones in my possession it would be easy to put anyone into the middle of a conspiracy. The evidence gathered there is worse than useless.

With an international order the government could take the server itself, in theory. They have not done this so far. Without the stored server files, they have no evidence. All the data they currently have is suspect due to government intervention. Until an unbiased third party downloads and parses the server data it is useless.

The situation only grows more complicated from here. The ByLock APK is still available. Organizations interested in framing people could extract the data from it. It would also be possible to set up an illegal server. Someone would need extensive data about ByLock to do this.

Despite those facts it is possible for individuals or groups to create a conspiracy. They could set up their own server and send messages. In doing so they would have the opportunity to put crimes on innocent people. Anyone can do this by stealing a phone then including it in the fake network. Was this the case here? We have no way to know until they release the data.

Now let us look at the other side. Is there opposition to Erdogan in Turkey? The answer is yes. There appears to be no clear link between the opposition and ByLock. Both opposition members and those in support of the government used the app. Uninvolved third parties with no side also used the app in Turkey. Once again we have no evidence that this was opposition-specific.

What about the WhatsApp program which the government believes supporters are now using? Once again, it is not secure enough that a technology expert would recommend it. It would not even be in any of our top 10 choices.

These claims do make it easy for the Erdogan government to create a media campaign. It helps label the opposition party as foolish. If they are using inefficient programs, then there is no reason to join them. This is perfect for marketing a strong government party and a weak opposition party.

On the technological end these claims are baseless and even laughable. Any other tech writer in the United States who looks at the issue will say the same. The government is looking in the wrong places for terrorists. Meanwhile organizations that want to hurt Turkey’s people go unnoticed. This situation must change.

What about the other side? Violence and conflict are important words in Turkey today. Due to this the Erdogan government is grabbing all the power it can. Authorities jailed more than 100,000 Turkish people in recent years. It is a frightening time for government officials and they react in a very human manner.

As you can see from the evidence here there is a problem in Turkey. There also isn’t a clear solution. Imprisoning people over weak communication programs is not it. Hunts for app users are not the answer either. We must step back and look at the situation with clarity. Only the global community can help Turkey during this time of crisis.

Biography: Walter McDaniel is a former journalist who now works with nonprofits. He has more than 10 years of encryption experience. Walter worked as a writer for various groups including Technorati, the Camden Chronicle and Digital Journal. His expertise comes from setting up complicated encryption networks for journalistic purposes. Walter is a graduate of Winthrop University with a degree in Journalism and holds extensive coursework in Computer Science. He continues to write technological articles for many smaller sites and manage private networks.

WHO USED BYLOCK?

FROM WHERE AND HOW WAS IT DOWNLOADED?

MIT reports and the news from government-controlled media organs contained conflicting information about how the application’s setup file could be accessed and downloaded. In some news and comments it is argued that there is no way to download Bylock from the web or the stores (Apple and GooglePlay), and that only organization members could reach the setup file and share it with each other by means of USB flash drives, Bluetooth etc. On the other hand, some media organizations state that Bylock is an international app that exists on the web and in the stores, so that anyone in the world can download and use it.

When we piece the media information together, we understand that Bylock is a public application that existed in GooglePlay and the Apple App Store in the past and can still be downloaded from various web pages.

GooglePlay and Apple Store History Report

Although Bylock no longer exists in the Apple and GooglePlay stores, it is possible to learn from online resources whether it did exist. According to AppAnnie and AppBrain, companies that publish analyses of applications and the digital industry, Bylock existed in the following periods:

  • April 2014 – September 2014 in the App Store
  • April 11, 2014 – April 3, 2016 in GooglePlay

All product events such as launch, update and removal dates are shown in Figure-1.

Figure 1- Bylock App History in GooglePlay Store

Rank of Bylock in App Store:

According to the AppAnnie report, Bylock was ranked in the top 100 in 12 countries and in the top 500 in 47 countries among social media tools in the App Store between May and September 2014.

Bylock was popular in different countries according to the AppAnnie report. The table (Figure-2) indicates the rank of the Bylock app among “social media” apps and among all apps in the App Store, by country. For example, Bylock was ranked 90th among all applications and 13th among social media applications in Gambia on August 17, 2014. Similarly, Bylock was ranked in the top 100 in 12 countries and in the top 500 in 47 countries among social media applications at that time. Looking at the list carefully, one sees African countries such as Tanzania and Madagascar, European countries such as Romania and Belgium, Asian countries such as Turkmenistan and Uzbekistan, and American countries such as Venezuela and Panama; in short, many countries from all corners of the world appear. These ranks are based on the number of downloads of the app from the App Store in the related country. Thereby, Bylock’s popularity by download numbers spans many countries and dates.

Figure 2- Popularity Rank of Bylock Application in App Store

Rank of Bylock in GooglePlay:

According to the AppAnnie report, Bylock was ranked in the top 100 in 5 countries and in the top 500 in 41 countries across different categories in GooglePlay in the period June 2014 – December 2015.

The figure below indicates Bylock’s high ranks among communication, news-journal, widget and all applications in the GooglePlay Store in the related countries. Bylock was ranked in the top 100 in one country, in the top 500 in 28 countries and in the top 1000 in 35 countries among communication applications in the related periods. The country breakdown shows many countries from all over the world. These ranks are based on the number of downloads of the app from GooglePlay in the related country. Thereby, Bylock is an application that could be downloaded from GooglePlay and was popular, by download numbers, in many countries in the related periods.

Figure 3- Popularity Rank of Bylock Application in GooglePlay

David Keynes Interview:

The other indicator that Bylock is an application that existed in GooglePlay and the App Store is Ismail Saymaz’s interview with David Keynes, the publisher of Bylock in those stores. The interview was conducted with David Keynes on October 16, 2016 in New York and was published by Ismail Saymaz in the Hurriyet newspaper.

In this interview, Mr Keynes mentions that his application was published in March 2014 in the Apple and GooglePlay stores.

It is underlined that Bylock was downloaded by 500,000 users from GooglePlay and 100,000 users from the App Store. However, because of an app update it was removed from the Apple and GooglePlay stores, and after its removal people continued downloading it from web pages.

AppBrain data showing that Bylock was launched in GooglePlay on April 11, 2014 supports David Keynes’ statements. (Figure-1)

Additionally, it is possible to find information about the application’s GooglePlay history and number of downloads. According to David Keynes’ statements the app was downloaded 500,000 times. (Figure-4)

Figure 4- Bylock download statistic according to Downloadatoz.com

Keynes says that he stopped paying the hosting company GoDaddy in October 2015 and that, for that reason, the Bylock server was cancelled in January 2016. He points out that Bylock has not been used since then. This makes it impossible for the main program to have been used in a coup attempt.

The app was cancelled in February-March 2016. More evidence of this comes from the dates on user comments. The latest user comments can be obtained from the AppAnnie report. Looking at comments such as “A warning message is displayed like close by peer and I can not login” by a YouTube user on March 12, 2016, and “Any idea on how to register. I couldn’t register for how many days. Samsung s5” by Sabahola Atli on February 29, 2016, it is understood that Bylock went out of use at the beginning of 2016. (Figure-5)

Figure 5- The latest comments on Bylock

Another data point showing that Bylock went out of use at the beginning of 2016 is Google’s statistics. Google’s data on the Bylock usage trend covers the period from the beginning of 2014 to the end of 2015. (Figure-6) Having continuous statistical data before 2016 and no data after the beginning of 2016 proves that Bylock was removed from the store.

Figure 6- Data Statistic about Bylock Google Trend

Besides, the Keynes interview includes official correspondence about the acceptance and launch of the application. This shows that Keynes and Apple launched it on definite dates. According to this information, the Apple ID number is 842 680 855. (Figure-7)

Figure 7- The record that shows right holder of Bylock in App Store is David Keynes

The shared document can be confirmed with the Apple App ID. Information about Bylock can be obtained from different web pages using the ID number 842680855. Here are a few examples of these sites:

http://www.iphoneappstorm.com/iphone-apps/social-networking/net.Bylock.Bylock/Bylock.php?id=842680855

http://www.appster.es/app/Bylock-842680855

http://www.appdropp.com/ios/Bylock/842680855

http://www.appster.de/app/Bylock-842680855

Another point mentioned in this interview is that the app setup file can still be obtained from various web sites. This statement of Keynes’ can easily be confirmed on the internet. A few sites from which Bylock can still be downloaded:

https://m.downloadatoz.com/Bylock-secure-chat-talk/net.client.by.lock/

http://www.apkmonk.com/app/net.client.by.lock/

https://apkpure.com/Bylock-secure-chat-talk/net.client.by.lock/

http://choilieng.com/apk-on-pc/net.client.by.lock.apk

http://apk-dl.com//Bylock-secure-chat-talk/

Bylock Users in Web Forums:

Another indicator that Bylock is a public application is the entries, exchanges and requests for help by Apple users who had difficulty installing it on an iPhone 6 device.

From the post shared by user adema66 on the http://www.iphoneyardim.net forum on May 1, 2015 (Figure-8), it is understood that Bylock existed before May 2015 and that after that time its installation package (ipa) was available on different web pages.

Created On: May 1, 2015

Message: Hi Guys, the Bylock app was present on the AppStore but now I cannot find it. I tried to install it on my device using the installation file (ipa) but I could not. Can anyone provide me a username and password so that I can install the application? In return I can provide my username and password and you can install the IGO Primo Turkey app, which I paid for. Then we will change our passwords.

Figure 8-One of the forum messages mentioning Bylock

Bylock User Comments on Google Play Store

Although the Bylock Android app is not currently present on the Google Play Store, it is easy to see it in the website snapshots kept by web archive portals. Looking at web.archive.com, one can easily notice 2 different snapshots of the landing page of the Bylock application on the Google Play Store. The snapshots were taken on August 18th 2014 and March 22nd 2015.

These snapshots prove that Bylock was a global, legitimate application provided on the Google Play Store between August 2014 and March 2015. The snapshot of August 18th 2014 shows the user comments on the Bylock app. The comments were written by Android users of various nationalities: Moe Moe Masaung, Patrice Clark, Vand Haid, Fada Mark… (Figure-9)

Figure 9- Bylock users and comments on GooglePlay page

UN International Crime Court Judge Aydin Sefa Akay:

It is inferred from media news that the application was used by many people with diverse political views. The arrest of UN International Crime Court Judge Aydin Sefa Akay is strongly condemned not only in Turkey but also in Europe. According to the newspaper news[1], Judge Akay testified that:

  • He is a member of The Grand Lodge of Free and Accepted Masons of Turkey
  • He downloaded and installed Bylock App from Google Play Store
  • He downloaded the app with the recommendation of Secretary of State of Burkina Faso, Djibrill Bassole
  • During the installation, he did not enter any password or encryption key

We may infer that the application can be downloaded and installed without a password or a secret key. Besides, a judge who describes himself as a Mason and is totally opposed to the ideology of FETO used that application. Another important point that may be inferred from the news is that “the Secretary of State of Burkina Faso knows and uses the application”. The news also mentions that Sefa Akay discussed some issues related to the Masonic Lodge with 2 other contacts using Bylock. Hence, we may infer that the Bylock app is a well-known and widespread messaging application that respects communication privacy. Users do not need any organizational reference or secret key; a user can communicate with others just by having their usernames.

Congressmen from Turkish Parliament

The Turkish media widely discusses the celebrity users of the Bylock app. Some congressmen, even some ministers, are accused of being users of this application. These politicians come from each and every party in the parliament[2]. On some web sites, a list of congressmen who used the Bylock app is even served[3].

These claims show that the application was used by people from a variety of political parties, celebrities and different sects.

Briefly;

  • AppAnnie and AppBrain data
  • The information given in the interview with David Keynes, the inventor of the app
  • Google Play Store statistics
  • Setup files of the application still accessible from various web sites even today
  • User comments on forum sites and the Google Play Store

show that

  • The application was very popular on the Google Play Store between April 2014 and January 2016
  • David Keynes is the inventor of the app
  • This is a global, well-known and public application
  • Users come from diverse ideological and sociological backgrounds
  • There is no need for an organizational reference to add a new contact or to install the app

Is It Possible to Install an Application Non-Existing on App Store and Google Play Store?

Applications present on the Google Play Store and the Apple App Store can also be found at various third-party providers. The Bylock application can still be downloaded from various sources on the Internet even though it has been removed from the Google Play Store and the Apple App Store; some of these websites are mentioned above. Searching for “Bylock download” on Google yields more than 200,000 pages, and searching for “Bylock app download” yields more than 20,000 pages. This shows that Bylock is currently provided on many websites.

Besides, we must understand that an application remains usable as long as its central messaging server is active, even if the application has been removed from the Google Play Store or the App Store. People who previously installed the application can continue to use it if the central server is up and running. Communication does not depend on the presence of the application in the app markets.

From the interview with David Keynes and the information gathered from AppAnnie, AppBrain and other open sources, we know that the Bylock central server was turned off before March 2016. Hence it is not possible to use Bylock after March 2016. Even if we find the installation file on a website, download it and install it on our device, we are unable to communicate through Bylock.

TECHNICAL SPECIFICATIONS

Bylock Provides Encrypted Communication

The most discussed topic about Bylock is the encrypted nature of the application. Bylock provides secure and encrypted communication between users, like hundreds of other apps (WhatsApp, Skype, FaceTime, Hangouts, Viber etc.) on the markets. This encryption feature is being manipulated into proof of a secret organization.

First of all, data privacy and personal security are important features in today’s communication world. People prefer to use encrypted and secure chat services even for their daily communications. Application providers embed encrypted communication to meet those privacy requirements of users.

Today the most used applications are Whatsapp, Viber, Tango, Twitter, Facebook, Instagram, Facebook Messenger, Blackberry Messenger, Gmail, Hotmail, Skype, iMessage, Hangout, Yahoo, Threema, Hike, Line, Wechat, Telegram, Confide, Chatsecure, Snapchat, Coverme, Facetime, Signal, Textsecure, KakaoTalk, Kik, Nimbuzz, Wickr, Ebuddy XMS, Silent Phone and Silent Text, Gliph, Gdata, Surespot, Ceerus, Pryvate, Hushmail, Ipgmail, Jitsi, Mailvelope, Adium, Pidgin, Retroshare, Startmail, Virtru, Cryptocat, Cyberdust, Cyphr, Privatore, AMD Chat, AMES Messenger, Babble Messenger, Biocoded, Chat Bots, Chiffy Messenger, Cryptox, Hoccer, İmperium Messenger, Schmoose, SecEms, Secure MMX, Sicher, Squre Messenger, V Pal Messenger, Vigilant Secure, Burn Note, Ansa, Tictoc, One Krypto, Redact, Cashew, Cellcrypt, Nod CoCo, Onechat Messenger, N-gage Messenger, İCrypt, Rokacom, SIMSme, Snap Messenger, SumRando Messenger, SecretChat, TeT-a-TeT Messenger, Vanishh, Salusafe, Wire, Dontalk, Voyse, Wakachat etc., and they have advanced encryption techniques.

Whatsapp has 1.2 billion, Google Hangouts 1 billion, Facebook 1.86 billion, Facebook Messenger 1 billion, Wechat 850 million, Instagram 400 million, Hotmail 400 million, Skype 320 million, Twitter 319 million, Kik 300 million, Snapchat 300 million, Line 220 million, Yahoo 225 million, Viber 800 million and Instagram 600 million active users online.

Communication application providers use various cryptographic algorithms and infrastructures in different layers of their applications to meet users’ privacy and security concerns. Some of these cryptographic algorithms have been broken by the intelligence agencies of developed countries, but some have not. A leaked internal document from the Drug Enforcement Agency says: “It is not possible to interfere with an iMessage conversation between 2 users”[4].

In the recent conflict between the FBI and Apple, the decryption of personal messages and information on an iPhone was the issue. The FBI asked and pressed Apple to decrypt a device used in a terrorist attack. Apple declined the request, citing the privacy commitment the company gives to iPhone users, and stated that such a backdoor for decrypting devices would mean a vulnerability in the security of the device[5].

In today’s conditions, cryptography is an important expectation of users. It is also a well-established argument for companies to protect users’ privacy and confidentiality. Companies that cannot protect users’ private information and communications face rapid and dramatic churn. For that reason, the first item on today’s communication companies’ agenda is designing products that are usable in terms of user experience while providing highly protected information security and data privacy.

There is tremendous competition between communication software companies. Each company brings new secure design specifications in each version of its products. Companies highlight the new security features in each release and claim total, 100% data privacy for their users. These companies are developing new features that protect information from anybody, even the company itself. They are establishing fully end-to-end encrypted communication infrastructures.

Some of the well-known end-to-end encrypted secure messaging platforms are Whatsapp, Viber, Facetime, iMessage, KakaoTalk, Blackberry Messenger, Line, Ipgmail, Jitsi, Privatoria, Mailvelope, Adium, Pidgin, Retroshare, Signal, Wickr, Threema, Ceerus, Pryvate, Cyphr, Cyber Dust, Telegram, Nxtty, Silent Phone, Silent Text, Textsecure, Confide, Bleep, Surespot, Sicher, Clipchat, Chatsecure, Tigertext, AMD Secure Chat, AMES Messenger, Babble Messenger, Biocoded, Chat Bots, Chiffy Messenger, Confide, Cryptox, Hoccer, Imperium Messenger, Schmoose, SecEms, Secure MMX, Sicher, Squre Messenger, İCrypt, V Pal Messenger, Vigilant Secure, Cashew Messenger, Cellcrypt, Chatsecure, Nod CoCo, GData, Onechat Messenger, Rokacom, SIMSme, Snap Messenger, Wakachat, Sumrando, Wire.

End-to-end encryption provides 100% privacy by ensuring that only the sender and the receiver can read the plaintext message. With this technology no third party can intercept the communication, including intelligence agencies, internet service providers and even the company itself[6].

End-to-end encryption can have an extra security layer that preserves privacy even if an endpoint’s encryption keys are stolen by an attacker. This advanced security feature is called Perfect Forward Secrecy (PFS). With PFS, each private-public key pair is used only for a predefined period, and new keys are created for each period. This means that obtaining an end user’s encryption key reveals nothing once that period has ended. Whatsapp, Facetime, iMessage, Telegram, Chatsecure, Jitsi, Adium, Pidgin, Retroshare, Signal, Silent Phone, Silent Text, Salusafe, Textsecure, Threema, Wickr applications use Perfect Forward Secrecy[7].
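As an added illustration of the two paragraphs above (only the endpoints can read a message, and each period gets its own key), here is a small Python program that is not Bylock’s code and not the report’s. It assumes the two endpoints already share an initial chain key (as an earlier key exchange would give them), uses HMAC-SHA256 as the one-way key-derivation step, and uses a constructed HMAC-based stream cipher plus an authentication tag in place of a real authenticated cipher. Every message period derives a fresh key and discards the previous chain key; the demo then steals the receiver’s key after period 3 and checks which messages it can open.

```python
import hashlib
import hmac

# Added example, not Bylock's or the report's code: a toy symmetric key ratchet
# illustrating forward secrecy. The shared starting chain key is assumed to
# have been agreed earlier; the stream cipher below is a constructed toy and
# stands in for a real authenticated cipher.

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to each ciphertext


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet_step(chain_key: bytes) -> tuple:
    """Return (message_key, next_chain_key); the caller must discard chain_key."""
    return kdf(chain_key, b"message"), kdf(chain_key, b"chain")


def keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy construction)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(kdf(enc_key, counter.to_bytes(4, "big")))
        counter += 1
    return b"".join(blocks)[:length]


def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a key that is used for exactly one message."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(message_key: bytes, blob: bytes):
    """Verify the tag and decrypt; return None if the key or the data is wrong."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, len(ciphertext))))


class Endpoint:
    """One party's ratchet state: only the current chain key is ever stored."""

    def __init__(self, shared_chain_key: bytes):
        self.chain_key = shared_chain_key

    def send(self, plaintext: bytes) -> bytes:
        message_key, self.chain_key = ratchet_step(self.chain_key)
        return seal(message_key, plaintext)

    def receive(self, blob: bytes):
        message_key, self.chain_key = ratchet_step(self.chain_key)
        return open_sealed(message_key, blob)


def forward_secrecy_demo() -> list:
    """Steal the receiver's current key after three periods and see what it opens."""
    shared = hashlib.sha256(b"constructed shared secret, demo only").digest()
    alice, bob = Endpoint(shared), Endpoint(shared)
    blobs = [alice.send(m) for m in (b"period 1", b"period 2", b"period 3")]
    for blob in blobs:
        assert bob.receive(blob) is not None  # the legitimate receiver reads them all
    stolen = bob.chain_key  # attacker copies Bob's key material at this moment
    blobs.append(alice.send(b"period 4"))  # one more message after the theft
    # The attacker can only move the ratchet forward: derive the next message key.
    attacker_key, _ = ratchet_step(stolen)
    # True where the stolen material opens the message: [False, False, False, True]
    return [open_sealed(attacker_key, blob) is not None for blob in blobs]


if __name__ == "__main__":
    print(forward_secrecy_demo())
```

The list returned by `forward_secrecy_demo()` is `[False, False, False, True]`: the key captured after period 3 opens nothing from periods 1 to 3, because each chain key is derived one-way from its predecessor and the predecessor is discarded. It does open period 4 and anything later on the same chain, so real protocols combine this hash ratchet with a fresh key agreement at intervals; that is the “new keys for each period” the paragraph above refers to.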

When the applications are examined, it is observed that developers did not consider encryption alone sufficient for user identity security and communication secrecy, but offered their users extra features for secrecy and security. These features are:

  1. Self-destruction of messages after they have been read, and/or a lifespan set by the user after which the message content is deleted synchronously on both the sender’s and the receiver’s side, are features offered by developers for the sake of users’ personal data security. Examples of programs with this feature are Viber, Facebook Messenger, Telegram, Snapchat, Clipchat, Nxtty, Confide, Privatetext, Tigertext, Wickr, Silent Text, Bleep, Coverme, Speakon, Dontalk, Stealthchat, Surespot, Ansa, Burnnote, One Krypto, Redact, RingID, Sicher, Soma, Cyber Dust, GData, Gliph, Chat Bots, Cashew Messenger, Criptext, Dontalk, Frim, ProtonMail, Kag Messenger, N-gage Messenger, Squre Messenger, Wire, SecretChat, İCrypt, Secure MMX, TeT-a-TeT Messenger, Nod CoCo, Criptext, Wakachat.
  2. Mechanisms that prevent replication, copying, forwarding and even taking screenshots, that display the message only partially (showing portions word by word or line by line as the user swipes or touches), and that notify the counterparty if a tampering attempt occurs are offered in some communication applications. Examples of programs with these features are Confide and Boops.
  3. Applications that just prevent taking screenshots: Vanishh, Telegram, Criptext, Cyber Dust, Imperium, Babble Messenger, Nod CoCo.
  4. Applications that offer randomly selected servers in different locations around the world (distributed server method) instead of a centralised server, making it harder or even impossible to uncover the communication data: Chat.Onion, Privatoria, Anonymous Messenger.
  5. Applications that offer the ability to select the user’s own server, or a third-party server selected/approved by the user: QRTalk.
  6. Applications that permit the use of one-time (disposable) identities: Coverme, Dispostable, Guerilla Mail, ThrowAwayMail, AirMail, YOPMail.
  7. A feature to withdraw a message already sent: with this feature, users can take back messages as if they had never been sent, whether or not they have been delivered or read. Applications with this feature include Coverme, Telegram, Confide, N-gage Messenger, RingID, SpeakON, Dontalk, Criptext.
  8. Applications that enable the use of different IDs simultaneously: Surespot, Eleet, Rokacom, SafeMessenger.
  9. Applications that encrypt the contact directory and communication contents within the application, in tandem with the highly secure cryptographic algorithm they use: Square Messenger.

Thus, communication applications offer not just bare cryptography but higher security levels and authenticity in cryptography, resilience to cracking, the ability for users to hide their identities and become anonymous, and extra features to ensure the security, secrecy and privacy of communication.

Put clearly, if any communication program is used today on a computer or a phone, the messaging happens through secure/cryptographic channels regardless of whether the user asked for or expected a cryptographic application. Some of these applications have strong encryption and others do not. Because of user expectations, technological opportunities and market dictates, all communication applications have become encrypted. Under these circumstances, a phrase used and overemphasized ceaselessly for Bylock, such as “Bylock is a cryptographic communication application”, can only be compared with a trivial phrase like “a car with a steering wheel”.

What Does It Mean That a Reference Is Needed to Use the Program?

According to media coverage and some of the allegations, it is claimed that in order for users to communicate, another person, or the people who manage the system, had to reference (vouch for) them. This allegation is presented as supporting the claim that "the program could only be used by members of the organization".

At this point it is important to establish what the claim "...being referenced by someone in the system..." really means. It is not clear who is meant by "someone in the system": the person the user wants to communicate with, or a third party? Who are the other people, outside the organization, that users wanted to communicate with? The government has provided no information on these points, so it is unclear what the allegations actually mean. Every possibility is therefore evaluated below.

There are two possible scenarios for the allegations:

  1. The other person, whom the user is trying to reach, confirms the user as a valid party.
  2. In order to use the program and communicate with other users, specified persons in the organization must confirm the user as valid; otherwise the program cannot be used.

 

  1. Scenario: the other person, whom the user is trying to reach, confirms the user as a valid party (two-way opt-in)

If, in order to communicate with another Bylock user, the person being contacted must confirm the requester after the program is installed, nothing in this points to an organizational mechanism. The scenario describes nothing more than two users confirming each other, a referencing mechanism that is already used in many widespread programs.

In this mechanism, called "two-way opt-in", when user A wants to message user B, user B is first asked whether he or she accepts the friend request from user A. Only when B has "referenced" A, that is, accepted A's friend request or agreed to the conversation, is communication permitted. No human operator is involved; the rule is enforced by the software.

This mechanism is used by many applications on the communication market. WhatsApp, BlackBerry Messenger, Hangouts, Hike, Kik, Line, Nimbuzz, Skype, Surespot, Telegram and Threema are widely recognized applications with this feature.

For example, when a WhatsApp user is contacted by someone who is not in his or her contacts, WhatsApp presents three options: 1. add the sender as a contact, 2. block the sender, 3. report the sender as spam. If the contacted user does not block the sender, thereby giving the "reference", the two can message each other.

Two-way opt-in is implemented in different ways. In some applications the confirmation is implicit, so anyone can reach any user. In programs that use the phone number as the User-ID and match against the contact directory, two users are treated as pre-validated if each appears in the other's address book; such programs also offer deny/block options, so a user can easily withdraw the confirmation of a pre-validated user.

This confirmation mechanism was developed to prevent harassment and nuisance, that is, to stop anyone from reaching any user and sending messages, pictures, videos and so on.

  1. Scenario: to use the program and communicate with other users, specified persons in the organization must confirm the user as valid; otherwise the program cannot be used (organizational reference)

In the allegations the reference is meant as a central confirmation mechanism operated by the organization, because the other scenario cannot support any organizational claim.

Since the application's server is no longer running, this claim cannot be answered directly, but a deduction can be made from the data at hand. The existence of a so-called organizational reference mechanism in a program could serve as evidence that the program belongs to an organization and is secret. But this claim contains a serious contradiction and conflicts with ordinary facts and logic, since this supposedly secret organizational program was publicly known and distributed worldwide through well-known app markets such as the Apple App Store and Google Play.

The claim of a central reference mechanism also undermines the other claim, that the organization was built from small hierarchical cells. If each user had to be referenced by several higher-ranking users, those users would be exposed within the organization; such a method would be an unwise step for a secret organization.

Another fact showing that the central-referencing claim is unfounded is that there were reportedly more than two hundred thousand (200,000) users in Turkey. Reaching a user base of that size with a secret program that relies on a centralized referencing mechanism would be nearly impossible.

Also, to date there have been no statements, declarations or assessments addressing questions such as: Who are the people alleged to be the central reference authorities? Where are they? How many references were needed (in the claims and media reports the number varies between 2 and 8)? How was the mechanism managed? How were new users evaluated, and by what criteria? Which central authority validated which user on the Bylock lists, and how was this correspondence uncovered?

In summary, no solid information can be obtained about the reference mechanism claimed to have existed in the Bylock application. On the other hand,

  • the claimed user base of 200 thousand,
  • the presence of the application in global stores such as the Apple App Store and Google Play for a long period,
  • the allegation that the organization has a hierarchical structure of small cells,
  • the absence of any information or document on how a central organizational reference mechanism worked

clearly show that the referencing mechanism in the allegations is not a centralized one but the "two-way opt-in" mechanism widely used by many popular applications on the market, such as WhatsApp, Google Hangouts, Microsoft Skype and Telegram.

What Does It Mean to Add a Friend with a Special Code?

The claims in this area evidently stem from a lack of knowledge about how communication applications work. From the claims it can be deduced that the alleged special "code" is nothing other than the account identifier (User-ID).

Every communication program needs a unique identifier, the "User-ID", to identify its users; in every application, without exception, users add or remove each other, and communicate with each other, through the User-ID.

The debate and allegations around Bylock arise from the variety of identifiers that different applications use as the User-ID.

Looking at the applications, the phone number, an e-mail address, or a unique number generated by the application itself is used as the User-ID. Many applications also offer a "user name" alongside the User-ID to make the intended user easier to find. This information may be requested from the user at sign-up or created automatically in various ways; for example, systems that use the e-mail address as User-ID may take the user name from the first and last name recorded for that e-mail account.

This is easiest to explain with the best-known application. WhatsApp uses the phone number as the User-ID and the "Device Owner Info" (Figure 10), extracted automatically from the device, as the user name. WhatsApp users can ONLY add and communicate with each other through a phone number that is already a User-ID, and requests are transmitted ONLY via the User-ID (phone number). In an invitation the requester's user name (device owner info) is shared with the invited party. The WhatsApp user name is also used to identify group members in group messaging: if a member is not in another member's contact directory, the name shown next to the phone number is that member's user name (Figure 11).

 

Figure 10- Device Owner Info screens on Android and iOS

 

Figure 11- User name info on Whatsapp

  

 

Figure 12 shows a screenshot of a Bylock report prepared by MIT (the Turkish National Intelligence Agency), shared by Emre Erciş on January 23, 2017[8]. The screenshot shows a database entry of a message said to have been taken from the report; its first column contains User-ID data in the form of numerical values.

Figure 12- Screenshot shared by Emre Erciş

Moreover, various websites show the registration/login window of the Bylock application, which has two fields, "username" and "password". In the light of the data gathered, it is understood that Bylock uses a self-generated numerical value as the User-ID. Information that the application did not request an e-mail address, phone number or similar data agrees with this finding.

Based on the explanations above, Bylock users, like the users of many other popular applications, can add each other and send friend requests ONLY by User-ID.

As in applications like WhatsApp or Hangouts, it is estimated that the "user name" requested from users at registration is also attached to new friend invitations along with the User-ID and shared with the other party, though this cannot be established with certainty since the application server is no longer running.

As a result, it is clear that the allegations about using "codes" to add friends in the Bylock app originate from a lack of knowledge about how applications manage accounts. As shown above, the term "code" in the allegations simply stands for the User-ID, and comparison with equivalent applications on the market shows that Bylock's use of User-IDs is no different from theirs.

User Account Search and Adding as a Friend by Using Name-Surname and Phone Number

The allegations on this topic are evidently the result of a lack of knowledge about how applications manage user accounts. As stated earlier, in every application the ONLY way of adding a friend is through the application-specific User-ID. In an application such as WhatsApp, where the phone number is the User-ID, the only way to add a friend is by the contact's phone number; likewise, in an application such as Hangouts, where the e-mail address is the User-ID, a friend is added by e-mail address.

Nevertheless, extra methods can be offered so that users find one another more easily: search options such as first name and surname, e-mail address, user name or nickname, none of which is the User-ID itself.

For example, in Hangouts users can search not only by e-mail address but also by name and phone number (Figure 13), and so can contact other users through the name and phone number defined in their Google+ accounts. Searching for "John Smith" lists every Google+ user named "John Smith" (Figure 14).

Figure 13- Hangouts User Search Options

Figure 14- Searching with Name and Surname in Hangouts Application

WhatsApp also lets its users search by name and surname, but only within the user's own address book: a user searching for other WhatsApp users by name sees only the people in his or her address book, and the result also shows whether each entry has a WhatsApp account.

Applications that use a numeric value as the User-ID have two options. Some ask for a phone number (optionally) as extra information during registration, so that users who share their phone numbers can find each other by phone number. Others offer no such extra search at all.

All these search capabilities are optional features; many applications do not offer them. In an application without extra search capabilities, a user can ONLY search by the information defined as the User-ID, which may be whatever the application specifies (a numeric or a string value). Examples of such applications are Wickr, Redact, RingID, Blink, Buzz, Pintel, Chat.onion, CryptoX and Onechat.

Technically speaking, adding a contact by name and surname alone is not possible in any application. When a contact found through a name search is added, it is added by its User-ID; because this step is hidden from the user, the false impression arises that the contact was created using only a name and surname.
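To make the two points above concrete (a friend request is always addressed to a User-ID, and two-way opt-in is enforced by software rather than by a human referee), here is a small model of a server-side account directory in Go. It is an added example written for this page, not code from Bylock or from any of the applications named above; the User-ID numbering starting at 100000, the sample names and the phone numbers are constructed for the example.

```go
package main

import (
	"errors"
	"strings"
)

// RelState is the state of the directed relationship requester -> recipient.
type RelState int

const (
	None     RelState = iota
	Pending           // request sent, recipient has not answered yet
	Accepted          // recipient confirmed the requester: the "reference"
	Blocked           // recipient blocked the requester
)

// Account is what the server stores (a constructed model, not Bylock's real
// schema). The numeric UserID is the only handle through which a user can be
// added or messaged; display name and phone are optional search attributes.
type Account struct {
	UserID      uint64
	DisplayName string // supplied at sign-up, not unique
	Phone       string // empty unless the user chose to share it
}

// Messenger is an in-memory stand-in for the server-side account directory.
type Messenger struct {
	users []*Account             // index i holds User-ID firstID+i
	rel   map[[2]uint64]RelState // key: {requester, recipient}
}

const firstID uint64 = 100000 // arbitrary start of the application-generated numbering

func NewMessenger() *Messenger { return &Messenger{rel: map[[2]uint64]RelState{}} }

// Register creates an account and assigns the next application-generated User-ID.
func (m *Messenger) Register(name, phone string) uint64 {
	id := firstID + uint64(len(m.users))
	m.users = append(m.users, &Account{UserID: id, DisplayName: name, Phone: phone})
	return id
}

func (m *Messenger) account(id uint64) *Account { return m.users[id-firstID] }

// SearchByName is only an index over display names: it yields User-IDs,
// because a request can be addressed to nothing else.
func (m *Messenger) SearchByName(name string) []uint64 {
	var ids []uint64
	for _, u := range m.users {
		if strings.EqualFold(u.DisplayName, name) {
			ids = append(ids, u.UserID)
		}
	}
	return ids
}

// Request is user `from` asking user `to` for permission to chat.
func (m *Messenger) Request(from, to uint64) error {
	switch m.rel[[2]uint64{from, to}] {
	case Blocked:
		return errors.New("recipient has blocked the requester")
	case Accepted:
		return nil // already confirmed
	}
	m.rel[[2]uint64{from, to}] = Pending
	return nil
}

// Accept is the recipient confirming a pending request; it is recorded in both
// directions so that either side may start the conversation.
func (m *Messenger) Accept(recipient, requester uint64) error {
	if m.rel[[2]uint64{requester, recipient}] != Pending {
		return errors.New("no pending request to accept")
	}
	m.rel[[2]uint64{requester, recipient}] = Accepted
	m.rel[[2]uint64{recipient, requester}] = Accepted
	return nil
}

// Block withdraws any earlier confirmation and refuses future requests from other.
func (m *Messenger) Block(blocker, other uint64) {
	m.rel[[2]uint64{other, blocker}] = Blocked
	delete(m.rel, [2]uint64{blocker, other})
}

// PreValidate models phone-number applications: two users who each appear in
// the other's address book are treated as mutually confirmed without a request.
func (m *Messenger) PreValidate(a, b uint64, bookA, bookB []string) bool {
	if !inBook(bookA, m.account(b).Phone) || !inBook(bookB, m.account(a).Phone) {
		return false
	}
	m.rel[[2]uint64{a, b}] = Accepted
	m.rel[[2]uint64{b, a}] = Accepted
	return true
}

func inBook(book []string, phone string) bool {
	for _, p := range book {
		if phone != "" && p == phone {
			return true
		}
	}
	return false
}

// CanMessage is the software check every outgoing message passes through.
func (m *Messenger) CanMessage(from, to uint64) bool {
	return m.rel[[2]uint64{from, to}] == Accepted
}
```

SearchByName deliberately returns User-IDs rather than accounts: that is the step a name search hides from the user. PreValidate is the shortcut used by phone-number applications, and Block shows why a pre-validated contact can still be cut off; in no path does anyone other than the recipient decide whether the requester may talk to them.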

In short, there are allegations that Bylock lacked name-based search and friend addition; this criticism results from a lack of knowledge about how such applications work.

It is not possible to know for certain whether Bylock had the properties it is claimed to have, because the application server is not active. Nevertheless, the existence of other applications whose search works only by User-ID refutes the claims about Bylock's stealthiness and secrecy.

Are Phone Number, Personal Identification Number, E-mail Address Required?

As explained, every application has its own user account management system, and every user must have a unique User-ID.

For applications like WhatsApp and Hangouts, where the User-ID is a phone number or an e-mail address, that information must be requested from the user to create the account.

For the ByLock application, however, it has been shown that a numeric value assigned by the application is used as the User-ID. A phone number (as in WhatsApp) or an e-mail address (as in Hangouts and Facebook Messenger) is therefore not required.

Some applications also use verification methods such as sending a code by SMS or e-mail, or placing a phone call, to prevent abuse and to confirm that the registered user is a real person. Clearly not every application chooses to do so.

Many applications in the app stores can be used by entering only a User-ID, without any extra information such as a phone number or e-mail address: Threema, Wickr, Surespot, Nimbuzz, Cryptocat, Kik, KakaoTalk, Coverme, Eleet, Hoccer, Frim, Privatoria, QRTalk, Titanium Messenger, Zendo Messenger, Psst, Biocoded, CryptoX, Babble Messenger, Imperium Messenger, SumRando, Epicorb, Connected2.me, Redact, RingID, Buzz, Pintel, Chat.onion and Onechat Messenger are applications of this kind. The following list gives some of them as found on Google Play, with the approximate number of users:

  • Kik: 100-500 million
  • KakaoTalk: 100-500 million
  • Nimbuzz: 10-50 million
  • Plus Messenger: 5-10 million
  • Connected2.me: 1-5 million
  • Threema: 1-5 million
  • Hoccer: 1-5 million
  • Frim: 1-5 million

To the best of our knowledge, no application requests the Republic of Turkey Citizenship Identification Number (CIN) as the User-ID or as extra information. Since the CIN is specific to Turkey and is private information, an application requesting it would be neither rational nor sustainable. The allegations concerning Bylock not requesting the CIN are therefore not evaluated further in this report.

To conclude, requesting extra information such as a phone number or e-mail address is not a feature of every application. It is impossible to know for certain what information Bylock requested from its users, because the Bylock servers are no longer running. But even if the allegations were accepted, Bylock would not be a one-of-a-kind application with extreme privacy and security features; it would resemble the many similar applications on the market that do not request extra information from their users, some of which are very widespread.

Does Application Perform Address Book Synchronization?

This feature depends on the user account management method described above and on what the application offers its users. If the phone number is not used as the User-ID and/or there is no "address book merging/synchronization" feature, the address book is meaningless to the application: it will neither access the address book nor add the users found in it.

Taking together the allegations that Bylock assigned random numbers as User-IDs and did not request phone numbers, it follows that Bylock had no address book synchronization feature; in that case it is technically impossible for a user's address book contacts to be added automatically.

Nonetheless, the working principles and features of the application are plainly insufficient for a conclusion such as "Bylock is stealthy and peculiar to the organization". Applications like Kik and Nimbuzz have millions of users and likewise have no address book merging/synchronization feature.

ENCRYPTION FEATURE OF THE APPLICATION

Are the encryption algorithms used by the application proprietary?

One of the allegations about the Bylock application in the media is the false claim that it has military-grade or strong encryption compared with equivalent applications on the market. Although there is no official information on this matter, the encryption technologies and parameters alleged in the media, which are the only source of this information, are listed below:

  • the use of two different keys, a public key and a private key
  • 2048-bit RSA asymmetric encryption
  • the MD5 hash algorithm
  • 256-bit AES encryption
  • the SHA-256 hash algorithm

Usage of Private and Public Keys

It is known that many companies have been making strong efforts to be transparent about how they handle their users' data. For this purpose the use of end-to-end encryption (E2EE) architectures has been growing day by day. With this technology, user data (messages, call history, sent and received photographs, files, e-mails, etc.) is stored in encrypted form (permanently or temporarily) even on the service provider's servers, or is not stored there at all (Figure 15).

Figure 15– End-to-end encryption[9]

 

In E2EE two keys are used in the encryption process, one called the public key and the other the private key. The data to be transmitted (message, document, picture, etc.) is encrypted with the receiver's public key, and the encrypted data is decrypted with the receiver's private key (Figure 16). Public and private keys are used widely in many settings; the method is called asymmetric cryptography, and its defining property is that the data cannot be decrypted without the private key. The allegation that "in Bylock decryption is impossible without the private key" is therefore nothing but the definition of asymmetric cryptography. In practice, asymmetric encryption is slow and limited in the amount of data it can encrypt, so it is normally used to protect a symmetric key (for example an AES key) with which the actual message is encrypted; this is why RSA and AES appear together in the list above.

Figure 16- Usage of public and private keys in asymmetric cryptography

 

Asymmetric cryptography is not a new technology and is not a proprietary feature of the Bylock application. It has been a well-known method since the 1970s and has found wide application with the spread of technology and fibre Internet infrastructure. Applications with millions or billions of users, such as WhatsApp, Telegram, Signal, Facebook Messenger, Bl
ackBerry Messenger, FaceTime, Cryptocat, Google Allo, iMessage, Line, Surespot, Threema, Viber and Wire, use E2EE built on asymmetric cryptography.
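The stack listed in the allegations (a public/private key pair, 2048-bit RSA, AES-256 and SHA-256) is exactly the ordinary hybrid construction that end-to-end encrypted messengers of this type use. The following Go program, an added example written for this page and not Bylock's own code, assembles those parts with nothing but the standard library: a fresh AES-256 key for every message, wrapped for the recipient with RSA-2048 OAEP (SHA-256 is the OAEP hash), and AES-GCM for the message body. The sender name and the message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the relay server sees and stores. Without the recipient's
// private key it can neither unwrap the message key nor read the ciphertext.
type Envelope struct {
	WrappedKey []byte // 256-bit AES key, encrypted with RSA-2048 OAEP (SHA-256)
	Nonce      []byte // 96-bit GCM nonce, fresh per message
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// NewRecipientKey generates the receiver's RSA-2048 key pair; the public half
// is published, the private half never leaves the receiver's device.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts msg for the owner of pub. A fresh AES-256 key is drawn for every
// message and wrapped with the recipient's public key. The sender identity is
// bound in as the OAEP label and as GCM associated data.
func Seal(pub *rsa.PublicKey, sender string, msg []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(sender))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, []byte(sender)),
	}, nil
}

// Open reverses Seal. A different private key cannot unwrap the message key,
// and any change to the envelope or the sender label makes authentication fail.
func Open(priv *rsa.PrivateKey, sender string, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(sender))
	if err != nil {
		return nil, errors.New("cannot unwrap message key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(sender))
	if err != nil {
		return nil, errors.New("message authentication failed: ciphertext or sender label altered")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	bob, _ := NewRecipientKey()
	eve, _ := NewRecipientKey() // another user, or the server operator
	env, _ := Seal(&bob.PublicKey, "alice", []byte("meet at 10")) // constructed message
	fmt.Printf("relay sees %d wrapped-key bytes and %d ciphertext bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Open(bob, "alice", env)
	fmt.Printf("bob: %q %v\n", pt, err)
	_, err = Open(eve, "alice", env)
	fmt.Println("eve:", err)
}
```

Running it shows what the relay server actually holds: a 256-byte wrapped key and a ciphertext the length of the message plus a 16-byte tag. Opening the envelope with a second private key fails at the OAEP step, and flipping a single ciphertext byte fails the GCM check, which is what "decryption is impossible without the private key" means in practice.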

MD5 and SHA-256

MD5[9] and SHA-256[10] are not encryption algorithms but hash algorithms used for data integrity. In messaging applications they are mainly used to verify the integrity of a picture or message; SHA-256 output is also used when encryption keys are derived. They cannot, however, be regarded as encryption algorithms, and they are used not only in messaging but in almost every type of application and website, in other words throughout digital work. (MD5 in particular has had practical collision attacks since 2004 and is no longer recommended where an attacker could tamper with the data, so its presence says nothing about strength.) These hash algorithms are therefore not evaluated further.

2048-bit RSA and AES-256 encryption methods

While investigating the claims that ByLock used 2048-bit RSA and AES-256, it was determined that many other applications on the market use algorithms with key sizes ranging from 256 bits to 8192 bits.

Many of the claims in the media focus on ByLock's alleged use of 2048-bit RSA.

RSA is an asymmetric encryption algorithm widely used in today's communication applications. Messaging applications such as Telegram, Threema and Cyber Dust use 2048-bit RSA, as ByLock allegedly did.

Other applications, such as WhatsApp, Telegram, Facebook Messenger, Google Allo, Signal, Silent Phone, Threema, Too, Viber and Wire, use a different algorithm, Curve25519, which provides roughly 128-bit security. Curve25519 is based on elliptic-curve mathematics, which differs from the integer factorization problem underlying RSA.

Comparing "128-bit" with "2048-bit" may at first suggest that the 2048-bit encryption allegedly used by ByLock is far stronger than the 128-bit one, but that is not the case.

The security of an encryption scheme cannot be judged by whether 128 or 2048 bits are used; the numbers only mean something in the context of the algorithm. The NIST publication "Recommendation for Key Management"[11] compares the strengths of various algorithms in a table (Figure 17). According to that table, a 160-bit elliptic curve (ECC) key, which rests on the same mathematics as Curve25519, is equivalent to a 1024-bit RSA (IFC) key (80-bit security); a 224-bit ECC key is equivalent to a 2048-bit RSA key (112-bit security); and a 256-bit ECC key is equivalent to a 3072-bit RSA key (128-bit security). In short, the 2048-bit RSA allegedly used in ByLock sits one strength level below the roughly 128-bit security of the Curve25519 used by the most common messaging applications. Contrary to what the authorities claimed, the encryption method attributed to ByLock is not an exceptionally strong algorithm and does not provide an exceptionally high level of security.

[12]

Figure 17- Comparison of encryption algorithms and their security levels

 

The following points should be considered when making these comparisons:

  1. The algorithms used in messaging applications, and the key lengths used with them, are closely tied to the application's number of users. Stronger settings mean extra cost per user (higher-performance devices and servers, etc.) for the company producing the application, so companies choose the optimum balance between security and cost.

  1. Practically all the algorithms in the table are considered secure. According to NIST, algorithms providing at least 112 bits of security are acceptable for use through 2030, and those providing 128 bits or more beyond 2030[13].

As a result, the 2048-bit RSA allegedly preferred by ByLock (112-bit security) and the Curve25519 preferred by WhatsApp (about 128-bit security) are in adjacent NIST strength classes, and both are considered secure.

 

The same applies to AES-256: it is used not only in messaging applications but in applications from many different domains.

Some of the applications that use both 2048-bit RSA, as ByLock allegedly did, and 256-bit AES are the following:

 

  • Telegram
  • Chatout
  • Smapp
  • Chitthi
  • What’schat
  • D Messenger
  • XCessMsg
  • EnCrypto
  • MailForSure
  • Kag Messenger
  • Kryng.me
  • Kryptos
  • Schmoose

Applications using larger RSA keys are:

  • Kryptochat: AES-256, 8192-bit RSA
  • Kryptotel: AES-256, 8192-bit RSA
  • Mail1Click: AES-256, 4096-bit RSA
  • Square Messenger: AES-256, 4096-bit RSA
  • Pryvate Now: AES-256, 4096-bit RSA
  • Salusafe: AES-256, 4096-bit RSA
  • Besafemail: AES-256, 4096-bit RSA
  • Vigilant Secure: AES-256, 4096-bit RSA
  • iCrypt: AES-256, 4096-bit RSA

 

In short, the following facts show that ByLock is not a very special and secret application; on the contrary, it provides the standard level of security that many others on the market provide:

– The public and private keys used in ByLock are part of asymmetric encryption, a standard technology in wide use today.

– Applications using stronger encryption exist on the market.

– It provides a level of security similar to that of the most widely used messaging applications in the world today, such as WhatsApp, Facebook Messenger and Google Allo.

– Applications such as Telegram, Threema and Cyber Dust provide the same level of security using the same technologies, RSA and AES.

– There are applications providing stronger security with the same RSA and AES technologies as ByLock.

– Per NIST, all algorithms providing at least 112 bits of security are acceptable through 2030 (all the applications mentioned provide security at that level or higher).

ByLock by EFF Criteria

The security of messaging applications has been examined by the US-based Electronic Frontier Foundation (EFF)[14], which works to protect citizens' digital rights, and the results are published worldwide. EFF analyzes the applications in terms of security, level of encryption, privacy and so on, and scores them according to the requirements they satisfy[15]. The criteria of EFF's analysis are the following:

– Are messages encrypted in transit?

– Are they encrypted so that the service provider cannot read them?

– Can users verify the identity of their contacts?

– If the keys are stolen, are past communications secure?

– Is the source code open to independent review?

– Is the security design properly documented?

– Has the code been audited recently?

The criterion on verifying the identity of individuals needs an explanation. Although it might at first be read as establishing the real identities of individuals, the criterion asks whether the application provides a mechanism by which users can verify each other's identity and the integrity of the channel over which they communicate[16], as with WhatsApp's "security code" verification (see Figure 18).

Figure 18- WhatsApp Security Code Verification Method[17]

These criteria also cover the security of users' contacts and of their past communications in the event that the application provider's backend servers are hacked.

As mentioned above, according to internal DEA communications leaked to the media in 2013, iMessage on the iPhone was described as unbreakable; EFF scored iMessage 5 out of 7, and likewise FaceTime 5 out of 7, Wickr 5 out of 7 and WhatsApp 6 out of 7. These applications use end-to-end encryption and (perfect) forward secrecy as mentioned above: even if someone steals a user's private keys, they cannot access the content of past communications[17].

Obviously ByLock cannot be as secure as WhatsApp, FaceTime, iMessage or Wickr, given the claim that the contents of its communications were accessed.

In the light of the facts set out in the encryption section, ByLock does not provide better security than similar applications on the market; on the contrary, one can easily say that it provides weaker security than many messaging applications on the market.

Use of Self-Signed Certificates

SSL (Secure Socket Layer) is a security standard that describes how a link between a server (i.e. web server) and client (i.e. web browser) as well as data transferred between them are encrypted. An SSL certificate is a digital information that guarantees the security of SSL connection between the server that starts the secure connection and a browser. In an SSL certificate, there is digital information about the web site or application being connected with SSL. It can also be defined as a public key of the internet site that browsers connect[18].

First it must be noted that SSL and SSL certificate are mechanisms that provide and guarantee security on only the connection between a server and client. In terms of messaging applications, they do not have any affect other than providing secure transport of the messaging content and user information. For example, since Skype does not employ an end-to-end encryption among its users, even though it provides SSL connection between its servers and users, content of messages can still be seen by Skype[19]. In short, SSL mechanism has nothing to do with the encryption technology used.

The claim that ByLock has not used an SSL certificate approved by an authority has to do with the mechanism by which their SSL certificates have been verified. Verification of their SSL certificates mean to confirm the information regarding their web server or application.

There are two ways to confirm validity of SSL certificates:

  1. SSL certificates signed by a known authority,
  2. Self-signed SSL certificates

In the former, authority signed SSL certificates, a globally known authorizing company such as Globalsign, Comodo, Symantec, GoDaddy, Digicert or Verisign authorizes the SSL certificates.

In self-signed SSL certificates, application developer or web site signs the SSL certificate that it uses themselves.

One of the methods is not more secure than the other in terms of the security of certificate they use, or the security of the connection they provide. Authority signed certificate only verifies the identity of the web site users connect to, just like validating the address of someone we wish to visit in a post office. Obviously, these are paid services.

SSL certificates only function with domain names (www.hurriyet.com.tr, google.com, etc.)

To give an example, when connected to the domain name https://www.wikipedia.org via a browser, there will appear a sign on the browser showing the connection is established securely and the SSL certificate is verified by GlobalSign. (See Figure-19) To the contrary, when connected to the same page via typing its IP number https://91.198.174.192, the browser will pop up a warning that an unsecure connection is being established – meaning the SSL certificate which is even signed by an authority becomes useless in this case. (See Figure-20)

Figure 19- Secure Connection Illustration

Figure 20- Unsecure Connection Warning


The main reasons why self-signed certificates are used in applications are as follows:

  • Connections are established solely by IP address
  • IP addresses and/or servers need to be replaced too often
  • Server root certificates are changed frequently for security reasons
  • Certificate renewal costs arising from the reasons above
  • Frequently facing the “Your connection is not secure” error in browsers
  • Many software products offer self-signed services (Windows RDP, SSH, OpenVPN, some VoIP services)
  • To use different encryption algorithms in certificates
  • The ease of collecting sensitive server data by querying SSL information (www.sslsorgulama.com), and the use of this information by hackers for attack purposes (see Figure-21)

Figure 21- Certificate information of google.com
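The Figure-19/Figure-20 behaviour, and the pinning check an application can apply to a self-signed certificate instead of disabling verification, as an added example (not code from the report or from ByLock). The certificate dicts, the names in them and the chat.example/203.0.113.10 host are constructed for the example; the matching logic follows the standard hostname-verification rules.

```python
"""Why a domain-name certificate is rejected when the server is reached by IP,
and how a self-signed certificate can still be verified by pinning."""
import hashlib
import hmac
import ipaddress

# Constructed, in the shape ssl.SSLSocket.getpeercert() returns; not the real
# Wikipedia certificate. An authority-signed cert issued for DNS names only.
CA_SIGNED_CERT = {
    "subject": ((("commonName", "*.wikipedia.org"),),),
    "issuer": ((("organizationName", "GlobalSign nv-sa"),),),
    "subjectAltName": (("DNS", "*.wikipedia.org"), ("DNS", "wikipedia.org")),
}
# Constructed: a self-signed certificate that also names its host by IP.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "chat.example"),),),
    "issuer": ((("commonName", "chat.example"),),),
    "subjectAltName": (("DNS", "chat.example"), ("IP Address", "203.0.113.10")),
}

def _dns_match(pattern, hostname):
    """RFC 6125 style match: a leading '*' stands for exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and p[1:] == h[1:]

def matches_hostname(cert, target):
    """Does the certificate name the host the client typed into the address bar?
    A bare IP address only matches an 'IP Address' SAN, never a DNS name, which
    is why https://91.198.174.192 is rejected even with a GlobalSign-signed cert."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    names = [v for k, v in sans if k == "DNS"]
    if not names:  # legacy fallback: commonName counts only when no SAN exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, target) for n in names)

def is_self_signed(cert):
    """Heuristic: issuer and subject are the same entity (a full check would
    also verify the signature with the certificate's own public key)."""
    return cert.get("subject") == cert.get("issuer")

def fingerprint(der_bytes):
    """SHA-256 over the DER encoding: the value a client pins or displays."""
    return hashlib.sha256(der_bytes).hexdigest()

def verify_pinned(der_bytes, pinned_fingerprint):
    """Pinning check for a self-signed certificate: the client accepts only the
    exact certificate it shipped with, so a substituted certificate presented
    on the path fails even though no authority is involved."""
    return hmac.compare_digest(fingerprint(der_bytes), pinned_fingerprint)
```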


An Example of a Self-Signed Certificate of ChatSecure Application

ChatSecure is a secure messaging program that uses external services rather than relying on its own security protocols. It allows the users of Jabber (XMPP), one of the services it supports, to use self-signed SSL certificates. (Figure-22)

Jabber, which operates on the XMPP protocol, is an instant messaging service used in the infrastructure of various products.

Figure 22- The self-signed certificate option of the Jabber program


Although there is no clear information about why an authority-signed certificate was not used in the Bylock program, not using one is common practice; considering similar applications that function in the same way, it is not correct to claim that Bylock is a secret application used by members of an organization.


Code Obfuscation is an Ordinary Approach

By reviewing the code of Bylock, it is claimed that

  • Code obfuscation
  • Masking of class, function and variable names

were applied to obstruct reverse engineering once the code is captured.
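What name masking actually does, as an added example (not Bylock's code or any real obfuscator): a small identifier masker built on Python's standard ast module, run over a constructed sample module. The masked output behaves identically; only the names a reverse engineer would read are gone.

```python
# Added illustration of "masking class, function and variable names": a two-pass
# identifier masker on the standard ast module. Sample module below is constructed.
import ast
import builtins
import itertools
import string

def _labels():
    """Yield a, b, ..., z, aa, ab, ...: meaningless replacement identifiers."""
    for n in itertools.count(1):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(chars)

class _Collector(ast.NodeVisitor):
    """Pass 1: gather user-defined names (functions, classes, parameters,
    assigned variables); builtins and dunder names are kept so code still runs."""
    def __init__(self):
        self.names = []
    def _add(self, name):
        if name not in self.names and name not in dir(builtins) and not name.startswith("__"):
            self.names.append(name)
    def visit_FunctionDef(self, node):
        self._add(node.name)
        self.generic_visit(node)
    visit_ClassDef = visit_FunctionDef
    def visit_arg(self, node):
        self._add(node.arg)
    def visit_Name(self, node):
        if isinstance(node.ctx, (ast.Store, ast.Del)):
            self._add(node.id)

class _Renamer(ast.NodeTransformer):
    """Pass 2: apply the name mapping wherever the collected names occur."""
    def __init__(self, mapping):
        self.mapping = mapping
    def visit_FunctionDef(self, node):
        node.name = self.mapping.get(node.name, node.name)
        return self.generic_visit(node)
    visit_ClassDef = visit_FunctionDef
    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node
    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

def mask_source(src):
    """Return (masked_source, mapping) for a module given as source text."""
    tree = ast.parse(src)
    collector = _Collector()
    collector.visit(tree)
    mapping = dict(zip(collector.names, _labels()))
    masked = ast.fix_missing_locations(_Renamer(mapping).visit(tree))
    return ast.unparse(masked), mapping

def run(src, entry, *args):
    """Execute module source text and call the function named entry."""
    namespace = {}
    exec(compile(src, "<module>", "exec"), namespace)
    return namespace[entry](*args)

# Constructed sample module: these names are what a reverse engineer would read.
SAMPLE = """
def checksum(message, secret):
    total = 0
    for index, byte in enumerate(message.encode()):
        total = (total * 31 + byte + secret) % 65521
    return total
"""
```

Running `mask_source(SAMPLE)` yields a module whose function is `a(b, c)` with locals `d`, `e`, `f`; `run(masked, mapping["checksum"], "hello", 7)` returns the same value as the original.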

It is normal for developers to keep the code they wrote secret. To preserve their effort and not let anyone steal it, it is ordinary for a coder to take every precaution to prevent that from happening. Most applications on the market also keep their source code secret; WhatsApp, Skype, Viber, iMessage, Gmail, Hotmail, Facebook Messenger, FaceTime, Google Hangouts, Wickr, Yahoo, Threema, Virtru, BlackBerry Messenger, Snapchat, StartMail, Ebuddy XMS, Hushmail and Kik are a few of them. They go further than Bylock in code obfuscation, yet nobody collects data from them by reverse engineering.

This attitude is not specific to coders, though. Coca-Cola has kept its formula secret for many years.

Besides that, there are applications that prefer to share their code with the public (e.g. Telegram, Signal); these are called “open source”. Sharing the source code is a sign of, among other things, confidence in the security of the code. In the end, obfuscating code and sharing it are both common approaches in software development, so accusations regarding the intentions behind Bylock's code obfuscation cannot be considered well grounded or valid.


USE OF APPLICATION AND ITS RECOGNITION IN THE MARKET

Was the Application Known Before the Coup Attempt?

The lack of market recognition of this application is one of the reasons it is considered a secret application used only by members of the FETO organization. In the news and commentaries, some people claimed that if it was not a secret application, then why had they never heard of it.

First of all, it should be pointed out that these are the expressions of average mobile phone users[20]. There are more than five million applications on the application stores. An average user uses at most 25 applications and has heard of only about 50. This means an average mobile phone user is most probably aware of only 1/100.000 of all applications on the market. Under these circumstances, it is not a logical claim that never having heard of Bylock makes it a secret application.

Given the facts that

  • it was live on the Apple store between April 2014 and September 2014[21]
  • it was live on the GooglePlay store between April 11, 2014 and April 3, 2016[22]
  • it was downloaded 600.000 times from the stores alone

it is clear that the application is known by many people. The application was open to public download on the stores, so the claim that it is a “secret” application open only to organization members is baseless.

The following data is a clear example of why Bylock is not and cannot be known by everybody: there are still more than 2 million applications on the GooglePlay store. According to the download statistics, there are around 90.000 similar free applications with the same or close download numbers as Bylock. (Figure-23)

Figure 23- Download statistics of applications on GooglePlay store


When we looked into the download numbers of other messaging applications on the GooglePlay store, many of the applications that have more users than Bylock are also not known to average mobile phone users.

The following, among the previously mentioned applications, have over one million users:

  • Wickr me: Between 1-5 million
  • Nimbuzz: Between 10-50 million
  • Kick: Between 5-10 million
  • Ebuddy XMS: Between 5-10 million
  • Threema: Between 1-5 million
  • Wire: Between 1-5 million
  • imo: Between 10-50 million
  • Soma: Between 10-50 million
  • Hike: Between 50-100 million
  • Kik: 300 million

Some of those applications may still be unheard of by an average mobile user, even though some have tens of millions and some hundreds of millions of users.

The criticism of ByLock's low level or lack of advertising also applies to some of the applications mentioned above.

Some people claim that Bylock was not known by the public before the coup attempt (July 15, 2015). However, this claim contradicts the news about the ByLock application published at the beginning of 2015.

These two news items can be found on the very first page of a basic Google search (when the results are filtered to dates before July 15, 2017):

  • Yeni Akit’s online news web site. Date: February 13, 2015[23]


A more detailed search would probably turn up more news.

In addition to all the information given above and in other sections, the posts[24] on internet forum pages about the ByLock application clearly show that ByLock was known and used publicly before July 15, 2015.


USER PASSWORDS AND SECURITY

There are two aspects to protecting the security of a connection: the user side and the application side. On the application side, the following are crucial: password algorithms, the company's policies for protecting user data and communications, and the application's security features. However, the user side is the weakest link in the chain once current robust application security and company policies are taken into account. Users' lack of security awareness renders all of the precautions taken on the application side useless and threatens the privacy and security of the communication.

The most crucial thing a user can do is choose a strong password to protect the account. Apart from all the precautions taken on the application side, passwords ultimately define the security of a communication. This is why companies force users to choose strong passwords and impose their own password policies on users. Many applications used in the education, finance, health and telecommunication industries require passwords that are at least 8 characters long, alphanumeric, and a combination of upper and lower case letters.

According to experts, a secure password should have at least 8 characters combining letters, numbers and symbols, and a good password should be at least 14 characters long.[25]

There are programs for creating secure passwords, such as PWGen, Random Password Generator, Quicky Password Generator, Infinite Password Generator, LastPass Password Manager, KeePass Password Manager, etc. These programs can generate complex multi-character passwords. Online password generator web sites mostly create 8-character passwords, though some prefer to create 12-character[26] ones.

The conditions for a strong password are not limited to these: a password can meet all of them and still be weak. Some examples of easily guessed passwords that fit these conditions are: “1234567890”, “1qaz2wsx”, “12345qwert”, “Password”, “111111111”, “12341234”, “asdf1234.”, “aaaaaaa”, “asdfgh”, “1a2b3c4d”, etc.
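The criteria above turned into a checker, as an added example (not from the report): the length and character-class rules plus pattern checks that catch the listed guessable passwords, several of which pass the length-and-class rule on paper. The sequence and common-word lists are constructed for this example, not quoted from any published policy.

```python
"""Password strength check built from the criteria on this page: at least 8
characters mixing letters, numbers and symbols, 14 or more counts as good, and
a password that is a keyboard run, a repeat or a common word is weak anyway."""
import string

MIN_LEN, GOOD_LEN = 8, 14
# Constructed list of runs that guessing tools try first: keyboard rows, the
# '1qaz2wsx' style keyboard columns, and the alphabet (each also reversed).
SEQUENCES = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
             string.ascii_lowercase)
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

def _has_run(text, n=4):
    """True if any n characters of text form a run inside one of SEQUENCES."""
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + n] in text for i in range(len(s) - n + 1)):
                return True
    return False

def _repeated_block(text):
    """True for '111111111' or '12341234': one block repeated to fill the text."""
    return any(len(text) % k == 0 and text == text[:k] * (len(text) // k)
               for k in range(1, len(text) // 2 + 1))

def assess(password):
    """Return {'strength': 'weak' | 'acceptable' | 'good', 'reasons': [...]}."""
    low = password.lower()
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    classes = {"letter": any(c.isalpha() for c in password),
               "digit": any(c.isdigit() for c in password),
               "symbol": any(c in string.punctuation for c in password)}
    missing = [name for name, present in classes.items() if not present]
    if missing:
        reasons.append("no " + ", ".join(missing))
    if any(word in low for word in COMMON_WORDS):
        reasons.append("contains a common word")
    if _repeated_block(low):
        reasons.append("repeated character or block")
    # Interleaved forms like '1a2b3c4d' hide a run in every second character.
    if any(_has_run(part) for part in (low, low[::2], low[1::2])):
        reasons.append("keyboard or alphabet sequence")
    if reasons:
        strength = "weak"
    else:
        strength = "good" if len(password) >= GOOD_LEN else "acceptable"
    return {"strength": strength, "reasons": reasons}
```

Note that “asdf1234.” has letters, digits, a symbol and 9 characters, so it passes the stated rule, and only the sequence check marks it weak.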

In the Turkish media, the news about the report of the Turkish National Intelligence Organization mentions that more than half of the users set passwords of 9 or more characters and that passwords of varying lengths up to 38 characters also exist. In the context of the information above, almost half of the Bylock users use passwords of 8 or fewer characters, which are considered insecure, and a large majority use passwords that are far from the ideal password criterion (at least 14 characters).

Moreover, in a system with approximately 230.000 users, the use of a 38-character password by one or a few persons says nothing about users in general, just as 3-character passwords also exist among those users. Although the majority of users used passwords that are far from safe or from the ideal password criteria, inferring that the passwords were intended to conceal themselves is not a reasonable or logical deduction in terms of communication confidentiality and security. Nobody wants the content of their communication, pictures, videos, files and other material related to their private life to be captured by unwanted persons or institutions, and it is indisputable that this is a universal right.

Organizations such as NIST publish standards on mandatory password security. Leading digital companies such as Microsoft, Google and Facebook set minimum requirements for users who set passwords. These are part of the importance given worldwide to the privacy and security of personal data and communications.

In short, the claim that Bylock users chose their password lengths in order to hide themselves and their correspondence is unfounded. For the reasons given above, it is senseless and unnecessary to read intent into password length or type: it is the most natural right of users to protect their personal data and communication contents in the ordinary course of life, to take their own security measures and to create a password they consider secure; treating this as suspicious is a coercive attitude.


IT IS NOT POSSIBLE FOR BYLOCK TO BE USED AT JULY 15 COUP ATTEMPT

The David Keynes interview, Bylock users' GooglePlay store reviews, posts on internet forum pages, AppBrain and AppAnnie data, etc., and all the data shared in this report show that the Bylock server was removed from use before March 1, 2016.

As a result, it is not possible for an application that is served from a central server, like Bylock, to have been used in the July 15 coup attempt, as it cannot operate without a server.

RESULT AND EVALUATION

This report has tried to evaluate the allegations in the media about the Bylock application. In this context, efforts have been made to use open source data, presented with references so that the information provided can be confirmed.

Within the scope of the report, the correctness and consistency of the claims themselves have not been addressed. For example, how was the data of an application alleged to provide military-level security acquired or captured, and how could it be decrypted? How could users' 38-character passwords be recovered technically? How is it technically feasible to decrypt the content of over 1 million messages while each message is claimed to be encrypted with a separate encryption key? Such puzzling issues are not included in the report.

The information reflected in the media in the context of the allegations about the Bylock application has been evaluated in the light of concrete data.

In summary, the report finds the following.

In the light of the program's GooglePlay and Apple Store histories:

  • It was available on the GooglePlay store between April 11, 2014 and April 3, 2016
  • It was available on the Apple Store between April and September 2014
  • It was in the top 100 in 12 countries and the top 500 in 47 countries on the Apple Store
  • It was in the top 100 in 5 countries and the top 500 in 41 countries on the GooglePlay store
  • The information in the interview with David Keynes can be confirmed by other open source resources on the internet
  • The application server was removed from use before March 1, 2016
  • The installation file of the application is available on various websites

In terms of the nationalities and profiles of application users:

  • In the period when the application was serving, people from different regions of the world were using it
  • It has been used by people with different world views, the most notable of whom are UN International Criminal Tribunal Judge Aydin Sefa Akay and members of different political parties


Regarding the technical capabilities of the application and the features offered to its users, the following were allegedly found in the program:

  • Self-destruct media / message feature
  • Users can add and call each other only by ID
  • Mobile phone number, any ID number or information and e-mail address are not requested from users
  • The lack of phone contacts matching feature

With these specifications, it is comparable to other similar applications on the market.

In terms of the encryption algorithms of the application:

  • The encryption algorithm used is the standard asymmetric encryption algorithm, and it is used by many applications,
  • The use of two different keys, private and public, 2048-bit RSA asymmetric encryption and 256-bit AES encryption are also found in similar applications,
  • A security level of 128 bits and above is considered safe by the authorities for all encryption; in this respect, all of the applications are considered safe,
  • There are applications on the market that provide both lower and higher security than the level this application provides,
  • In terms of the EFF criteria, there are applications that are more secure than this application, including well-known ones with billions of users around the world,
  • There are reasonable grounds for the use of a self-signed SSL certificate, and similar applications do the same,
  • It is reasonable that the program's code is obfuscated in order to protect intellectual property,
  • Before the July 15 coup attempt, the program was known in the digital world, and news about the program appeared in the Turkish media before July 15,
  • It is important to note that program users' password lengths overlap with today's secure password criteria, and also that a notable number of users had lengths not meeting these criteria.


Regarding the use of the application in the July 15 coup attempt:

  • It has been established that it is not technically possible for the program to have been used in the July 15 coup attempt, because the application server was unavailable after March 2016.

In the framework of all these data, it has been observed that the Bylock application is a global application, that the data at hand give no technical support to the claim that Bylock is an organizational and secret program, and that the claims are not satisfactory and cannot scientifically go beyond a hypothesis.

[1] http://www.hurriyet.com.tr/fetocu-degil-masonum-40274540
    https://www.sadecehaber.com/o-disisleri-bakani-yuklememi-tavsiye-etti

[2] http://www.yenicaggazetesi.com.tr/milletvekilleri-de-bylock-kullaniyormus-146765h.htm
    http://www.hurriyet.com.tr/bylockta-geriye-tarama-40233476
    http://www.viratrabzon.com/haber/mecliste-125-vekil-bylock-sisteminde-30237.html

[3] http://www.dilekhaber.com/haber/iste-bylock-kullanan-akp-milletvekilleri-340/

[4] http://www.huffingtonpost.com/2013/04/04/dea-imessage-memo_n_3015464.html
    https://www.cnet.com/news/apples-imessage-encryption-trips-up-feds-surveillance/

[5] http://fortune.com/2016/04/20/fbi-san-bernardino-iphone/
    http://www.usatoday.com/story/news/nation/2016/03/28/apple-justice-department-farook/82354040/
    http://www.vox.com/2016/3/29/11325134/apple-iphone-fbi-san-bernardino-case-ends
    http://www.latimes.com/local/lanow/la-me-ln-fbi-drops-fight-to-force-apple-to-unlock-san-bernardino-terrorist-iphone-20160328-story.html

[6] https://en.wikipedia.org/wiki/End-to-end_encryption

[7] https://www.eff.org/secure-messaging-scorecard
    https://www.eff.org/tr/secure-messaging-scorecard
    https://www.eff.org/node/82654

[8] https://twitter.com/EmreErcis1/status/823475006273372160

[9] https://tr.wikipedia.org/wiki/MD5

[10] https://en.wikipedia.org/wiki/Hash_function

[11] NIST is an independent organization responsible for developing the standards and procedures, including those required to ensure information security, for all US agencies, processes and assets. NIST standards and procedures have gained worldwide recognition.

[12] NIST Special Publication 800-57 Part 1 Revision 4; Recommendation for Key Management Part 1: General; page 66.

[13] NIST Special Publication 800-57 Part 1 Revision 4; Recommendation for Key Management Part 1: General; page 55.

[14] https://www.eff.org/

[15] https://www.eff.org/tr/secure-messaging-scorecard

[16] Two acceptable methods are mentioned:

  • An interface through which users can personally verify, by viewing their own or their contacts' key fingerprints (hashes)
  • A key exchange protocol such as the Socialist Millionaire protocol, as used in short authentication strings

[17] https://en.wikipedia.org/wiki/Forward_secrecy

[18] https://en.wikipedia.org/wiki/Transport_Layer_Security

[19] https://www.eff.org/tr/secure-messaging-scorecard
    https://support.skype.com/en/faq/fa31/does-skype-use-encryption

[20] http://www.makeuseof.com/tag/6-secure-ios-messaging-apps-take-privacy-seriously/
    “Average mobile phone user” here means not a user with expertise in mobile technology, but an ordinary user who uses a cell phone for communication.

[21] https://www.appannie.com/apps/ios/app/bylock/app-ranking/#type=best-ranks

[22] http://www.appbrain.com/app/bylock%3A-secure-chat-talk/net.client.by.lock

[23] http://www.yeniakit.com.tr/haber/orgut-irtibati-kriptolu-programlarla-sagliyor-52106.html

[24] https://www.technopat.net/sosyal/konu/ios-icin-bylock-kurulumu.279723/
    http://www.iphoneyardim.net/topic/123054-bylock/

[25] http://www.cs.umd.edu/faq/Passwords.shtml
    https://www.google.com/accounts/PasswordHelp
    http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
    http://www.microsoft.com/protect/yourself/password/create.mspx
    https://pages.nist.gov/800-63-3/sp800-63b.html

[26] https://identitysafe.norton.com/password-generator/
    https://lastpass.com/generatepassword.php
    https://www.dashlane.com/password-generator

3 thoughts on “The Bylock Report”

  1. We are indebted to you as the victims of this so-called app. It is really a detailed report, but I have a kind request. While we need to use this report so as to make ourselves understood by the judicial authority here in Turkey, I really need this same report with an official signature by you. Is it also possible to send this report as a PDF file to my email? Another question: I really wonder where the so-called figures noted in the text are.

  2. I have a really important question for you. Do you believe whether a certain technique is available to detect and resolve between the real users of this application and the unreal ones that are mistaken because of being available in the same common Wi-Fi network? That is a really vital question in this case existing in Turkey.

    1. I sent you an e-mail Ayse from a different e-mail. I’ve also updated the document. This is a difficult situation so please understand if I can’t respond to everyone’s comments. I am reading them.
