> The attacker and the victim must know each other and must have engaged in previous conversation on the IM app, which is a requirement for both the attack and the preparatory work.
> If the attackers perform enough tests to formulate an extensive dataset against a target, they could infer their position among a set of given possible locations in a city, like “home”, “office”, “gym”, etc., based on nothing else but the delivery notification delay
This feels like one of those "well duh" conclusions. If you care about privacy and don't want anyone to know who or where you are, you should be piping your traffic through TOR.
I still like Session as a private/privacy respecting messenger despite its shitcoin blockchain architecture, in part because it has mitigations for this very attack baked into the design. It does some basic onion routing for you as a matter of course without needing to teach non-technical users everything about VPNs, TOR or preventing data leakage. But I'm concerned about its longer-term prospects (who pays for all of the ponzicoin transactions, when will that money run out, is that network going to be around for a while, etc.). It would be nice to see Matrix or another more widely used messenger adopt some of the better features Session offers if S. doesn't manage to reach a critical mass of users, preferably without the niche blockchain backend.