Confide is the secure messaging app used by President Donald Trump’s staffers for their secret communication. The official website of the application defines the encryption implemented by the mobile application with this statement:
“Confide uses military-grade end-to-end encryption to keep your messages safe and to ensure they can only be read by the intended recipients.” states the website.
The app allows users to send encrypted messages that self-destruct implementing end-to-end encryption.
News of the day is that two separate studies revealed that Confide app is not secure as previously thought.
The experts at the security firm IOActive discovered multiple critical flaws in the Confide app while auditing the version 1.4.2 for Windows, Mac OS X, and Android. The researchers ethically reported them to the Confide development team that quickly resolved the issue.
According to IOActive, the confide flaws could be exploited for the following purposes:
According to the research paper published by IOActive, the researchers gained access to more than 7,000 account records created between February 22 and 24, out of a database containing between 800,000 and 1 Million records.
During their 2-day test, the team was able to find a Donald Trump associate and several employees from the Department of Homeland Security (DHS) who downloaded the Confide app.
Below the Timeline disclosed by IOActive:
As anticipated, a separate team of experts from Quarkslab also reviewed the code of the iOS app and demonstrated Confide exploits.
According to the experts, a series of design vulnerabilities in the Confide for iOS app could allow the company to read user messages, adding that the app didn’t notify users when encryption keys were changed.
“Confide server can read your messages by performing a man-in-the-middle attack” “The end-to-end encryption used in Confide is far from reaching the state of the art. Building a secure instant messaging is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning.” reads the analysis of Quarkslab.
“The confidentiality of the exchanged messages depends on the robustness of TLS. Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass.”
Confide is not just an encrypted messenger. It provides other interesting security features:
The Quarkslab researchers explained that Confide server could generate its own key pair and transmit the public key to a client when requesting the public key of a recipient.
“This client then unknowingly encrypts a message that can be decrypted by the server,” the researchers added. “Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient.”
Which is reply of the company?
In response to the analysis conducted by Quarkslab, Confide co-founder and president Jon Brod explained that the researchers have intentionally undermined the security of their own system to bypass several layers of Confide’s protection.
“The researchers intentionally undermined the security of their own system to bypass several layers of Confide’s protection, including application signatures, code obfuscation, and certificate pinning. The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place. Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app.” said Brod.
Confide has released a version that fixes the critical vulnerabilities discovered by the researchers. According to the company, there is no evidence for their exploitation by attackers in the wild.
(Security Affairs – Confide app, hacking)