Decoding the Spin on Fake News in the Private Phone Industry
Business leaders need to take the chaos out of their everyday decision-making. To simplify this process, they look for experts to help them prioritize what they need and expect their advisors to be brutally honest to arm them in the fight against misinformation.
When it comes to encrypted mobile solutions, Myntex® is on a mission to ensure the facts are front and centre. We are always clarifying the hollow promises made by some companies in our industry vertical. This article aims to set the record straight on the latest round of confounding “features” we’ve seen advertised by private phone companies, which don’t live up to real-world expectations.
Why Do You Need A Private Phone?
Before you can make an informed decision about which end-to-end encrypted offering is right for your business, you need to understand the risks of using the shiny new cellphones available today. Cybersecurity expert Adam Levin used this analogy to explain the problem. “Smartphones are the digital equivalent of a zoologist’s tracking tag. On our person each and every day allowing service providers and device manufacturers alike to compile enormous amounts of data on nearly every aspect of our lives.”
Therefore, executives are wisely seeking guarantees their corporate communications are protected, Encrypted calling and messaging is an excellent cybersecurity tactic, but privacy apps alone won’t do. Third-party apps can be gateways to malware, spyware, or other threats.
Beyond the risks these pose, you want to prevent someone from being able to hack your phone if it was lost or stolen. Device hardening prevents prying eyes from accessing your confidential information if your phone gets into the hands of a threat actor.
No Safety In Numbers
While millions of people use free apps like Telegram, Wickr or WhatsApp, these are known for data breaches or delivering payloads, like Pegasus.
The sheer volume of third-party apps available makes it impossible to properly expect these are not going to be harmful. When Google recently replaced its App Permissions List with a Data Safety Section supplied by app developers, alarm bells rightfully went off in the cybersecurity space. Hoping the makers will properly articulate how they collect user data from the apps they publish and what they do with this intel has been likened to “the fox guarding the hen house.”
Read Between The Lines
Don’t assume the encrypted device you’re shopping for will secure your private communications. Some company’s make bold statements that sound like they have a superior product, but they don’t prove it. This leaves the onus on you to be an informed consumer. You want to see their encryption protocols stated to know what tools they use to protect you.
Some companies still use old and unsafe methods of encryption that can leave you prone to attack. If a company is saying messages cannot be sent to offline contacts, it is likely using a very old style of messaging called off-the record. OTR did not work when it was offline, it had to be online.
Another clue they may be using outdated systems is if they indicate any warning that their architecture requires more energy to run, informing you that your phone battery life will last longer if you use a WI-FI connection instead of GSM data.
Myntex CEO Geoff Green explains, “They are using a polling style instead of push technology. This drains your battery fast. This is several years old, like Android 6 or 7. Using email as an example – your phone would reach out to the server looking for email. They set it to do that every minute, to get regular updates. But push technology today uses 15-minute intervals. This means any company still using that method doesn’t know how push technology works. And your battery won’t last.”
If a company claims it provides immunity against Pegasus or BeethoveN, and yet the product still allows you to download third-party apps—that’s a blatant lie and would be impossible to secure. Many encrypted phone companies do this. We recently saw one company admit that it can’t protect users against remote attacks with apps installed on their product, citing malware and backdoors introduced by apps. It therefore only allows a couple of extra apps to be added to the phone, noting a browser shouldn’t be added. That’s not protection. That proves it’s vulnerable.
The worst part of this scenario is if one user’s phone gets spyware, say from adding WhatsApp, and they communicate with another user of the same product, thinking they’re protected, they can unwittingly also become victimized. Once on your phone, Pegasus can spy on you, taking over your GPS, camera, and microphone, collecting passwords, data, keystrokes, and your browsing history.
You don’t have to click on a link to get it on your phone (hence the term zero-click attack). Simply missing a WhatsApp call can introduce the spyware. Apple users were exposed to a zero-click vulnerability affecting iPhones, iPads, and event Apple watches. The company released a patch to fix it in mid-September, but exploits were found by the University of Toronto’s Citizen Lab to have been successfully exploited.
Selling Standard GSM Encryption As A Strength
Global System for Mobile communications is the most used standard for cell phones. There are a few companies in the US that still use CDMA, which is Code Division Multiple Access. If a phone has a feature that highlights GSM encryption, you need to know that this is standard in most cellphones around the world. Nothing special. If the company says it lets you make secure GSM phone calls with military grade AES encryption, don’t believe it. It’s regular phone calling.
What They’re Not Saying Says Something
Often, inadequate privacy and security solutions masquerade as something they’re not. These companies are exploiting the fact you lack knowledge on the topic.
For example, a company may say they protect against Man-in-the-middle attacks, which are interceptions by cybercriminals. If they don’t explain how they do it, you can’t believe them. Saying something obscure like their product is immune across every communication layer is not an answer. What does that even mean? They should be able to describe their process.
With ChatMail™, when we do a client presentation, we explain how we use PGP to prevent MitM attacks. Our authentication process uses SAS Rendering. SAS stands for Sharing a Secret, and we use it with the PGP word list to convert strings of code into simple phrases used for encrypted calling.
If a product warns you the encryption doesn’t work in roaming, that’s a big red flag. Even more problematic is if a company says it has a solution to the problem, but they won’t implement unless you’re purchasing in bulk. There is a company advertising this on their website. Be sure to read the promotional material on their website or ask for a customer brochure before deciding.
Be cautious of a product that charges you one time and then you can use it for free. However, if they are not continuing to monetize your use, how are they sustaining their business? Additionally, will they continue to support, upgrade, or even fix bugs for their product and continue to provide you with a reliable service in the future? Perhaps they are storing your data on their service and marketing it to third parties?
It is essential to know how your messages are sent and if they are being stored. If the service provider relies on third-party servers, there is a security risk. Remember, even if the company says it is using the cloud, it’s a server. One of the essential aspects of a secure phone is knowing your communications are not being stored on a server, which makes it vulnerable to breaches if it is not encrypted at rest.
Competitors can’t compare with our solution. ChatMail. Engineered for Security. Designed for Privacy.