Confide, a messaging app used inside the White House and touted for its ability to allow staffers to privately leak to the press, isn’t as secure as the company claims.
The multi-platform app, which first broke onto the security scene three years ago but only recently made headlines for its use across the Trump administration, claims that nobody can intercept and read messages that disappear after they are read.
But two separate research teams have poured cold water on those claims.
An analysis of the app’s code by security researchers at Quarkslab found a string of design flaws in the company’s iPhone and iPad apps, which could allow the company to read user messages. The researchers say that the app’s security features, such as message deletion and screenshot prevention, “can be defeated.”
The researchers made a number of modifications to the client to analyze the Confide protocol.
“The end-to-end encryption used in Confide is far from reaching the state of the art,” say the researchers. “Building a secure instant messaging app is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning.”
Confide is just one of many security-focused apps that have been built in the aftermath of the Edward Snowden revelations, which lit a fire under many tech companies to properly implement encryption and secure messaging in their products and services.
The app came to prominence when BuzzFeed reported that senior White House staff, including press secretary Sean Spicer and director of strategic communications Hope Hicks, were using Confide.
It has also been reported that Irish politicians are using Confide.
But with popularity also comes increased criticism from the security community.
In a statement, Confide co-founder Jon Brod said: “The researchers intentionally undermined the security of their own system to bypass several layers of Confide’s protection, including application signatures, code obfuscation, and certificate pinning. The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place.
“Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app,” he said.
Kenneth White, a security researcher, added context.
“The part about modifying the executable to disable TLS verification was completely reasonable for testing, but (on that specific point) unfair as a criticism,” he said. “If an app binary can be modified by an attacker, it’s not the app any more,” he added.
But White emphasized that in the case of Confide, the “entire design is flawed” because it assumes that Confide’s central server isn’t malicious.
“It’s ‘Pinky Promise as a Service’. And in that way, similar to much of the criticism directed towards Telegram,” he added, referring to a similar messaging app that rose to infamy after fighters of the so-called Islamic State were found to use the app, which was littered with vulnerabilities.
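White's point that the design stands or falls on the honesty of the central server can be shown with a small simulation. The following is an added example, not Confide's protocol or code: a toy Diffie-Hellman exchange over a key directory that the provider operates, where the directory can substitute its own public key for the recipient's, and where an out-of-band fingerprint comparison (a "safety number") is the check that detects the substitution. The group parameters, party names and directory API are all constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy DH group: a Mersenne prime small enough to run instantly.
# NOT a real-world parameter set; production apps use curves such as X25519.
P = 2**127 - 1
G = 3

class Party:
    """A chat user holding a long-term DH key pair."""
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_secret(self, peer_pub):
        """Derive the symmetric key this party would encrypt messages under."""
        return hashlib.sha256(pow(peer_pub, self.priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub):
    """Short safety number a user could read out to the peer over a phone call."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

class KeyDirectory:
    """The provider's key server (hypothetical). A dishonest one answers
    lookups with its own public key so that it sits in the middle."""
    def __init__(self, honest=True):
        self.keys = {}
        self.honest = honest
        self.mitm = Party("server")

    def publish(self, party):
        self.keys[party.name] = party.pub

    def lookup(self, name):
        return self.keys[name] if self.honest else self.mitm.pub

def server_can_read(honest):
    """True if the key the sender derives is one the server also knows."""
    alice, bob = Party("alice"), Party("bob")
    directory = KeyDirectory(honest)
    directory.publish(alice)
    directory.publish(bob)
    alice_key = alice.shared_secret(directory.lookup("bob"))
    return alice_key == directory.mitm.shared_secret(alice.pub)

def verified_out_of_band(honest):
    """Detection: compare the fingerprint the directory served with Bob's own."""
    bob = Party("bob")
    directory = KeyDirectory(honest)
    directory.publish(bob)
    return fingerprint(directory.lookup("bob")) == fingerprint(bob.pub)
```

With an honest directory the server learns nothing; with a dishonest one it holds the sender's key, and only the out-of-band fingerprint check, which a design that trusts its own server never asks users to perform, reveals the swap.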
Quarkslab is not the only security firm to raise red flags about Confide.
Seattle-based IOActive found “multiple critical vulnerabilities” after a recent audit of the Windows, Mac, and Android apps, at least one of which leaks decrypted messages to attackers.
IOActive also found that the Confide website returned incorrect passwords to the browser, which could help an attacker gain access to an account.
Another flaw in the app “allowed an attacker to enumerate all Confide user accounts, including real names, email addresses, and phone numbers,” said IOActive. “The application failed to adequately prevent brute-force attacks on user account passwords.”
Confide also came under scrutiny for not employing cryptographers or security experts, and using terminology, such as “military grade,” which in security circles is known to be a marketing term that has zero practical and technical meaning.
Or as White said, “in many cases, ironically, it can actually be an indicator of a poorly designed, over-hyped, insecure product.”
It’s no secret that not all encrypted messaging apps are created equally, but some have earned more praise than others. Security experts overwhelmingly agree that Signal, an open-source ephemeral messaging app, is the gold standard among the sea of “secure” apps.
Other messaging systems, including Apple’s own encrypted iMessage service, are, like Confide, more vulnerable to server manipulation.
While “it is theoretically possible that we could man-in-the-middle attack ourselves,” Brod said, “obviously, we would never do this.”
When asked, Brod confirmed that Confide was considering issuing a transparency report going forward, adding that the company had “never received” any legal request from any government.
For now, we only have the company’s word on that.