Thailand infosecurity consultancy ACIS has published a paper detailing the security failings of Naver’s LINE instant messaging app. Researchers confirmed that LINE turned off encryption when on cellular data and went further to list all the information they could pick up from looking at the intercepted data stream.
Voice messages were uploaded via plain http in an unencrypted m4a format that could easily be reconstructed by a man-in-the-middle. LINE status updates, timeline posts, comments to those posts and user IDs were all clearly visible in plain text, in addition to the chat messages and server login tokens as revealed last week by TelecomAsia.
LINE is one of the world’s most popular OTT IM apps with over 230 million users worldwide and 18 million in Thailand alone.
The paper also looked at rivals Whatsapp and WeChat. Both those programs remained encrypted when on 3G as well as on Wi-Fi.
Naver was sent a copy of the research paper and asked to comment but has so far refused to provide any feedback on any of the reports.
ACIS founder and CEO Prinya Hom-Anek refused to be drawn into any conspiracy theories of mass surveillance and said that lack of security was probably simply a very bad design choice to improve performance. LINE has ambitious goals of soon attracting 400 million users. Adding encryption would have significantly increased costs and slowed response time.
However, Prinya did say that Naver should come clean about what has happened and simply update the app, enabling SSL.
“If I were LINE, I’d tell the facts and confess, not apologise, but tell users that this platform is insecure by design and built only for performance,” he said.