A man in Michigan has sued Confide, a secure messaging app that is reportedly used by Republicans in the Trump White House, over allegations that the app isn’t nearly as secure when run on a desktop computer, as opposed to a mobile device.
While the app does prevent screenshots on mobile devices, the new lawsuit, which was filed in federal court in New York on Thursday, notes that the app fails to block screenshots on Windows. Similarly, the macOS and Windows versions both allow for entire messages to be read all at once, rather than line-by-line, as the mobile app does. The two desktop platforms also lack a key feature—notification of a screenshot.
“By failing to offer the protections it advertised, Confide not only fails to maintain the confidentiality of messages sent or received by desktop App users, but its entire user base,” lawyers for the plaintiff, Jeremy Auman, wrote in their civil complaint.
“Though a consumer may use the App for iOS, which effectively blocks screenshots, the consumer might be sending a message to a user reading the message on the Windows App, through which they can freely screenshot the message for later use.”
Auman also notes that had he known the app had these flaws, he would not have paid the $7 a month for premium services.
When Ars e-mailed Confide for comment on Thursday, we received a reply from Jon Brod, one of the company’s co-founders.
“We have not yet received the complaint and have no comment at this time,” he wrote. “Additionally, it is the company’s policy not to comment on pending litigation, particularly when the company has not yet been served with process.”
However, a few hours later, he sent an updated comment.
“We have now received the complaint and had an opportunity to review it,” he wrote. “Not surprisingly, the accusations set forth in the complaint are unfounded and without merit. We look forward to responding to this frivolous complaint and seeing this case swiftly thrown out of court.”
Since the app emerged within recent months, in the wake of other more well-established apps, including Signal, WhatsApp, Wickr and others, Confide has raised the eyebrows of various security experts, including Jonathan Zdziarski, a mobile forensics consultant who now works for Apple.
“What seems different about this encryption is that it appears to regenerate the public key under certain circumstances,” he wrote in February 2017. “It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function. Key exchange is always the most difficult part of good encryption routines.”
Zdziarski concluded: “The app at least attempts to do what it says it does, and I don’t see any obviously gaping holes. That doesn’t mean it’s perfect, and obviously has at least a few disagreeable functions (such as retaining undelivered messages). On the whole, it may be fine for personal conversation, but I would recommend a more proven technology, such as Signal, if I were to have my pick of the litter.”
Source: https://arstechnica.com