Washington Elites Use Secure Messaging Apps To Keep Or Leak Secrets

mobile security, endpoint security

Two secure messaging apps that discourage snooping – Confide and Signal – are doing the rounds in Washington

The buzz in official Washington these days is all about a smartphone app called Confide. This is an app that provides secure messaging and it works on Android and iOS devices as well as on Windows and Macintosh computers.

Confide is designed to make messages disappear as soon as they’re read. It also limits how much of a message or photo is visible at any time and it prevents message forwarding and screenshot sending.

The features have made Confide the darling of the White House. Staffers there use it to make sure their conversations are private. However, government employees in other areas of government are using Confide to develop plans to frustrate the administration in its efforts to make changes or reduce the power of some agencies.

This means that Confide has a major role in sending out leaks, whether it’s to the news media or to congressional investigators.

In case you were wondering how the seemingly endless flow of leaks was getting out of the White House without anyone finding the source, the answer is that the White House staffers involved are using Confide.

text message ©Shutterstock, Inc

Confide vs Signal

But there’s another secure messaging app that’s also making the rounds in Washington, although more quietly. That app is called Signal and it’s favored by security cognoscenti, the intelligence community and by members of the Washington media who really need to keep their communications secure.

Signal isn’t as flashy as Confide, but it does more because it can provide security for written messages, voice calls and video calls. It provides a means of confirming that the call hasn’t been intercepted.

Signal, from Open Whisper Systems only runs on iOS and Android devices. But unlike Confide, Open Whisper Systems uses a team of cryptographers; it allows its code to be inspected; and it follows industry standards for very strong encryption. So just to see how both of these apps work, I downloaded them to my iPhone and tried them out.

Confide is available as a free download, with a more advanced version available as in in-app purchase. When you use Confide, it certainly looks secure. You can’t see messages except as a line at a time when you run your finger down the screen. Images are handled the same way, only displaying a portion of each image as you slide your finger across it.

You can’t send screen shots with Confide and you can’t forward messages. Each message vanishes after you’ve looked at it. That means even if someone gets your phone and gains access to it, they can’t read your messages if they were sent using Confide. This may be why those new Republican staffers like it so much.

However there are serious questions about just how good the encryption methods used for Confide really are. One security expert was heard suggesting that he didn’t want to do anything to discourage the White House from using Confide. That wasn’t meant as a compliment.

It’s worth noting that people in Washington who are more aware of security tend to prefer Signal. Open Whisper Systems provides Signal as a free download as well. However, the complete product is free and is supported by donations. There are no in-app purchases. Signal is constantly updated, recently providing secure voice communications and it will soon to enable video communications, a features that’s available now in beta.

Messages in Signal looks just like messages in iMessage on the iPhone. There’s an icon at the top of the screen that lets you make a voice call. When you call someone, there’s a pass phrase that appears on the screen that you can use with whomever you’re calling to confirm that there’s no man-in-the-middle interception going on.

I used Confide to send text messages to people I know, as well as a couple of people in the administration. Reading a message while sliding your finger down the screen a line at a time is a little cumbersome, but it’s not a show stopper. Looking at a photo in the same way is secure from shoulder surfers, but you can’t see the whole photo at the same time.

I made several attempts to do screen shots, which it turns out can’t be sent. The recipient gets a gray box instead of a screen shot.

I used Signal to communicate with a different set of people. In this case they were members of the Washington media community and a couple of people who work with three-letter agencies. I was able to discern a slight latency in the text messages, which I presume was a byproduct of the encryption process. Voice calls were very clear and any latency was no greater than what’s already present in digital cell phone calls.

It’s worth noting that a number of cryptographic experts have been critical of the encryption used by Confide, which is an implementation of Open SSL. The company also says it uses TLS for some communications. However, the folks at Confide haven’t made their code available for review.
Both of these secure communications apps have their uses. Confide is a little easier to set up and it’s certainly strong enough to keep most people at most companies from reading your messages. But there remain questions about how effective the encryption may be.

Signal is the choice I’d pick if I were trying to protect messages that matter. This may be why so many really experienced people use that, although like most reporters here I’d never discourage White House leakers from passing along their secrets to me via Confide. What this means, White House staff, is that if you feel the need to pass along your boss’ secrets, I’m here for you.

Originally published on eWeek