Feb 16, 2017

Confide defends messaging app's security
Confide, an ephemeral messaging app, has become popular among government operatives, as Axios reported last week. But now the app's encryption—how it keeps messages from being read by outsiders—is under question.

While the company claims that its app offers "military-grade encryption," some experts aren't so sure that it's as secure as it sounds.

What Confide says: According to co-founder Jon Brod, "Confide's message encryption is based on the PGP standard" and uses "recommended best practices to ensure the security of network connections, such as using TLS 1.2 with certificate pinning to prevent against [man-in-the-middle] attacks."

For each platform on which it's available, the company has selected different encryption tools—the latest version of OpenSSL for iOS and Spongy Castle for Android. Brod added that the company plans to upgrade to the newest version of OpenSSL in its app's next update. OpenSSL, in particular, raised concerns among security experts because it has had a number of security vulnerabilities over the years, including the Heartbleed bug, which wreaked havoc on the Internet in 2014. Brod says that Confide's Android app uses OpenSSL for a single function, and that it's not one impacted by Heartbleed or any other published vulnerability.

Questions remain: With that said, it's still difficult to be fully certain of Confide's security, as the company's software is proprietary and hasn't been reviewed by a third party.

"This one's a tough call. The application doesn't smell fully kosher, but at least it uses some standard encryption routines, which many other applications fail to do," computer forensics expert Jonathan Zdziarski wrote in a blog post after taking a look at the app. "Ultimately, the application warrants a cryptographic review before I could endorse its use in the White House," he wrote, adding that since OpenSSL isn't FIPS 140-2 compliant (a government encryption standard), it shouldn't be used by government workers.

And as one security expert told Axios, it all depends on how well all of Confide's precautions have been implemented—a sloppy or faulty job could mean the app is far from secure.

What to watch: With reports of staffers using encrypted chat apps, some Congresspeople are already asking for investigations into whether their use violates federal record-keeping laws. On Tuesday, House Republicans Darin LaHood and Lamar Smith sent a letter to the EPA's independent watchdog following news that some employees have been using another app, Signal.