Mobile messaging services have gained a large share in global telecommunications. Unlike conventional services like phone calls, text messages or email, they do not feature a standardized environment enabling a federated and potentially local service architecture. We present an extensive and large-scale analysis of communication patterns for four popular mobile messaging services between 28 countries and analyze the locality of communication and the resulting impact on user privacy. We show that server architectures for mobile messaging services are highly centralized in single countries. This forces messages to drastically deviate from a direct communication path, enabling hosting and transfer countries to potentially intercept and censor traffic. To conduct this work, we developed a measurement framework to analyze traffic of such mobile messaging services. It allows automated experiments to be conducted with mobile messaging applications, is transparent to those applications and does not require any modifications to the applications.
Introduction
Mobile messaging services like WeChat or WhatsApp see a steady increase in both active users and messages sent, with a particular success in emerging markets like China, Brazil or Malaysia [18,30]. Some researchers predict a shift in communication paradigms with mobile messaging services eradicating classical forms of electronic communication like email or text messages. As an example, the number of text messages sent in Germany shrank by 62% from 2012 to 2014 [5], after it had been growing exponentially for over a decade.
Mobile messaging services and their design strongly differ from classic Internet communication services: established means of communication (like email, internet telephony or instant messaging) often rely on federated or decentralized architectures, with operators providing services to their customers and from within their domain.
Mobile messaging services tend to abandon established principles of openness and federation: messaging services are often realized in a closed, non-federated, cloud-centric environment built upon proprietary communication and security protocols neither standardized nor disclosed to the public.
This paradigm shift puts at risk the user's freedom and access to secure, confidential and privacy-preserving communication. With such services, the user (relating to her social network through such applications) strongly depends on the service provider to not modify or restrict the service. The user's privacy also depends on the legislation the operating company is subject to: governments are often interested in controlling Internet services [13,31] and accessing messages [8] as well as metadata. The matters of security and privacy move along the same lines and generally involve full trust in a closed system, a misleading assumption as we saw with WhatsApp's announced end-to-end encryption, which is supported on Android, but not Apple devices [1], without giving feedback on encryption status to the user.
First attempts to analyze the security p...