Entrust Privacy to a Free App, and You’ll Get What You Pay For
After years of headlines about data breaches and hacks, it’s unsurprising today that free communication platforms emphasize the lengths they go to in order to provide privacy. Free apps like Signal and WhatsApp highlight their “end-to-end encryption” in a bid to increase trust in their products.
Of course, issues like encrypted phone communication wouldn’t be in the headlines so much if there weren’t so many entities trying to undermine it. A company from Israel called Cellebrite, which specializes in “digital forensics,” launched an online feud with Signal after it claimed it had found a decryption key allowing it to access Signal messages on Android devices.
In response, Signal founder Moxie Marlinspike then hacked Cellebrite to prove that the forensics company could have installed files onto a user’s phone to plant fake evidence. Heated arguments like this make for compelling news articles, but what are the implications of this fallout for privacy?
Did Cellebrite actually undermine Signal’s encryption, and is that the only question here that matters?
“They Could Have Just Opened the App to Look at the Messages”
Originally, Cellebrite claimed to have found a decryption key granting access to Signal messages stored in a database. To hear their side, it was as if the vulnerability lay in Signal’s key feature — encryption, or at least parsing data for forensics.
Marlinspike then claimed that the supposedly “advanced techniques” used to decode a Signal message on an unlocked Android device were more like “amateur hour.”
Marlinspike explains why Cellebrite’s claim was not what it seemed. It was not the equivalent of finding clues in Signal’s open-source code to breach the database. “They could have just opened the app to look at the messages.” In other words, Cellebrite didn’t decrypt Signal’s encryption.
It was more like a privacy breach caused by stealing a phone and accessing private communications by simply opening an app and looking at them. The opening was not caused by an encryption weakness.
But the end goal of a smartphone home security system is privacy, and preventing decryption is just a means towards that end. What does it say that Marlinspike readily conceded that if a Signal user’s phone were stolen, there’d be nothing to safeguard their communications?
Secondary Security Measures to Complement Encryption
ChatMail offers military-grade encryption, but there is also a suite of security features that protects all information on the phone in case it gets misplaced or stolen. The underlying principle is simple: it should be impossible for anyone to obtain the information on your phone, even if they have it in their hands.
Multiple layers of protection prevent your sensitive information from getting out. For example, the Tamper Proof feature lets users create their own duress password. Then, if an unauthorized user tries to enter the wrong password too many times, the phone instantly and automatically deletes all sensitive information before it falls into the wrong hands.
Self-destructing messages let users control the lifespan of sensitive material and prevent it from circulating. Such messages can’t be forwarded, favorited, or saved, and when they’re deleted, they’re erased from both devices, even if there’s no data connection. Pictures and Notes can also be set to self-destruct.
The auto-wipe feature eliminates all texts after seven days. The notebook lock screen lets users make a custom pin for two-factor security. Even the camera and photos are encrypted, as sometimes pictures can contain information as sensitive as any text message.
In short, ChatMail phones sidestep the security risks of third-party applications, even in the situation in which Marlinspike assumed a phone using Signal would be vulnerable. Our goal is not merely to create “end-to-end encryption” that cannot be decrypted; it’s to make sure that your sensitive information remains confidential no matter what happens.
If you lost your ChatMail phone and Marlinspike himself was holding it in his hands, you could wipe the data remotely, and this expert in encryption would never be able to read a single message.
Ease of Use
Just like software is designed to be easy to use for people who don’t know the first thing about coding, you can enjoy cutting-edge security without knowing how encryption works. One-touch access to apps like notes, contacts, voice, picture messages and groups makes important features easy to navigate.
Adding contacts used to be an annoying and time-consuming process, but now you can add them without requiring notaries or manual verification of keys.
What good is security technology, if in practice, it is too cumbersome or complicated to keep up with the rapid pace of modern life? Our proprietary approach to security works without the user’s awareness.
For example, ChatMail is the first PGP email solution that supports end-to-end encryption, rather than just text messages. On the back end, the system is designed to protect your communications without you having to do anything. We never store your sent or received messages, so there’s nothing to delete.
Our parsing algorithm eliminates all the unnecessary bits of text related to PGP encryption and converts messages into readable texts. You’ll always have the encryption key because it stays with the device, and new ones can be generated with one click.
Encryption doesn’t have to be hard for non-tech specialists to use or ugly to look at.
After Cellebrite claimed Signal had weaknesses, Marlinspike decided to look for weaknesses in their system, and he found that “industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”
Cellebrite had to notify customers of a security update shortly afterwards, and while the company insisted that it was precautionary and that the timing was coincidental, even their own customers were included among the skeptics.
The weakness found in Cellebrite’s systems was enough to make a human rights lawyer urge the Israeli government to stop using the technology until it could be fully audited.
Everyday phone users want to steer clear of these issues altogether. If you rely on free apps to safeguard your communications, you won’t get the level of security you find when you partner with a security specialist like ChatMail.