Repository logo

Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications

Published version

Repository DOI

Change log


jats:titleAbstract</jats:title>jats:pThreat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real‐world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end‐to‐end‐encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short‐lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.</jats:p>


Publication status: Published

Funder: REPHRAIN: Research Centre on Privacy, Harm Reduction and Adversarial Influence Online; Grant(s): EPSRC: EP/V011189/1


46 Information and Computing Sciences, 4604 Cybersecurity and Privacy

Journal Title

Software: Practice and Experience

Conference Name

Journal ISSN


Volume Title