Mobile
3/5/2014
09:45 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Cryptocat Wins Apple Approval

NSA surveillance and other worldwide events drive interest in secure messaging, and iOS users now have a new option.

Privacy? There's an app for that, and more are on their way. Cryptocat, an open-source app for encrypted online chat sessions, is now available for free through Apple's iOS App Store, after initially being rejected several months ago.

The Electronic Frontier Foundation, through its Coders' Rights Project, provided advice to Crypocat's developers that helped convince Apple to change its mind about the app. EFF attorney Kurt Opsahl in an email declined to provide details about the privileged counsel it provided. "However we are very pleased that Apple included the program in the App Store," he said.

Cryptocat is already available as a web app and an OS X app, and its mobile debut comes as ongoing revelations about the scope of NSA surveillance drive people's desire for countermeasures and dreams of entrepreneurship.

[Make sure to protect all your personal data. See LinkedIn Privacy: 5 Safety Tips.]

Wickr, which aspires to be a more secure version of Snapcat, on Monday said it had closed a deal for $9 million in venture funding. Silent Circle has just begun taking orders for its $629 Blackphone, a privacy-focused smartphone that features a customized version of Android called PrivatOS and a suite of secure communications apps. Last week, Whisper Systems released TextSecure, a free private instant messaging app for Android. The company also makes the RedPhone app for secure calls. Other secure communications software includes SafeSlinger and Off-the-Record Messaging.

It's not just blowback from the NSA documents leaked by Edward Snowden. It's also timing: Among the recent RSA Conference, TrustyCon (organized as a protest to RSA), and RightsCon Silicon Valley, there are a lot of security and privacy events at this time of year.

Nadim Kobeissi, lead developer of Cryptocat, said in an email that past criticism of Cryptocat has been addressed. He emphasized that Cryptocat relies on open, transparent code reviews in conjunction with professional audits.

"We published our codebase three months before the app's release, so that the code could be reviewed by independent enthusiasts and auditors," Kobeissi said. "No product is perfect, but we take every step to make our methodology, protocols, and cryptographic research verifiable by anyone who cares to look, months before the software is out there."

The absence of perfect security was underscored on Tuesday by reports of a cryptography processing flaw in the open-source GnuTLS library that renders hundreds of open-source packages vulnerable. Ars Technica suggested the bug may go back to 2005.

A year ago, Matthew Green, a cryptographer and research professor at Johns Hopkins University, published a blog post that highlighted some of the limits of encryption apps, including Cryptocat. While he found things to admire in each of the apps, he didn't consider any of them secure enough to employ in fighting an oppressive regime. And given what's going on in Ukraine at the moment, that's not a hypothetical use-case.

"The real issue is that they each run on a vulnerable, networked platform," Green wrote. "If I really had to trust my life to a piece of software, I would probably use something much less flashy -- GnuPG, maybe, running on an isolated computer locked in a basement. Then I would probably stay locked in the basement with it."

For truly secure electronic communication, it appears that the only way to win is not to play. Or did you think that a free app could thwart intelligence agencies with budgets in the billions and legal regimes that bend to accommodate their hunger for data? And if it did, torture tends to defeat even the strongest encryption. Risk comes with the territory.

Yet Green backs away from this depressing conclusion, noting that smartphones have already changed the way people interact with government and that encryption apps might just lead the way to truly private communication.

If that were ever to happen, if software flaws and government subversion of encryption standards were eliminated, we'd soon have laws requiring a backdoor.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
3/6/2014 | 12:17:25 AM
Good thing for Apple
This is a good thing for Apple - it can put in a plug for the new Cryptocat on iOS. The secure messaging and the also mobile security as a whole is a big concern from end user communities. The approval of Cryptocat will definitely help to boost the strength of iOS in this area.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

CVE-2014-2966
Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.