It turns out that even communication apps that are considered encrypted and safe to use may reveal the user’s exact location, according to a study published by a group of researchers from universities in Germany, the United States and the United Arab Emirates. The researchers developed a method that was found to be effective in 80% of cases for locating users on WhatsApp, Signal, and even Threema – a relatively expensive application for encrypted communication intended for businesses.
The method relies on confirmation of receipt of the message, which is sent by the application upon its arrival to the recipient, and even before he has read it. The time that passes between sending the message and receiving it can be measured using software for monitoring network traffic with a high level of accuracy, and then using previous information to calculate the user’s location through the time it takes for the message to arrive.
A number of ‘calibration’ messages sent to the user while the attacker knows his exact location are sufficient to locate him later. The method, then, will not be useful in locating the location of random users, but for targets at risk it is quite possible that this is a tool that may reveal them to intelligence organizations with resources.
The researchers recommend that the application developers incorporate a mechanism that adds an element of randomness to the confirmation of receiving the messages – a random delay of a few seconds, which will not fundamentally change the user experience but will completely disrupt the method described for locating the user’s location. Threema has already responded that they are looking into such a possibility.
In the meantime, you can simply turn off the confirmation of receiving the message through the application settings, or use a VPN that also disrupts the measurement of the delivery time.