
Threatpost - Confide Updates App After Critical Security Issues Are Raised

The makers of the popular messaging app Confide said Wednesday that they have patched multiple security vulnerabilities that could have allowed attackers to intercept messages sent over its end-to-end encrypted messaging platform.

The flaws were identified in two separate reports, both released Wednesday, by security firms IOActive and Quarkslab. Both report critical security vulnerabilities in versions of Confide’s encrypted messaging app, including version 4.0.4 for Android and 1.4.2 for Windows and OS X.

The security of Confide’s platform has taken center stage ever since reports surfaced last month that senior White House staff, including press secretary Sean Spicer, were using the app. Confide claims to offer “battle tested, military grade encryption.” According to Google Play, the Android app has been installed between 100,000 and 500,000 times.

Researchers with IOActive said Confide suffered from a bevy of security vulnerabilities, including:

  • Confide’s notification system did not require a valid SSL server certificate to communicate, therefore opening the door for an attacker to perform a man-in-the-middle attack.
  • The app lacked sufficient notifications when unencrypted messages were sent and received.
  • The application failed to have adequate protections to prevent brute-force attacks on user account passwords.
  • Confide’s website was vulnerable to an arbitrary URL redirection, which could facilitate social engineering attacks against its users.

IOActive also raised issues with Confide’s handling of public keys.

“Confide failed to provide a participant fingerprint authentication mechanism, allowing Confide to conduct man-in-the-middle attacks on encrypted messages by changing the public keys sent to parties of a conversation,” wrote IOActive researchers Mike Davis, Ryan O’Horo and Nick Achatz, who co-authored the report.

Quarkslab also took issue with some of the security vulnerabilities highlighted by IOActive, and singled out the way Confide handled public and private encryption keys.

“The most obvious problem… is linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” wrote Jean-Baptiste Bédrune, security researcher with Quarkslab.

“The Confide server could generate its own key pair and transmit the public part to a client when the latter requests the public key of a recipient (we only note that Confide is able to do so, not that it does so). This client then unknowingly encrypts a message that can be decrypted by the server. Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient,” Bédrune wrote.

Similar public key concerns were raised earlier this year when researchers commented on how WhatsApp and earlier versions of iMessage handled key change notifications. In February, Jonathan Zdziarski, an independent security researcher and forensics expert, wrote about Confide’s key exchange approach.

“What seems different about (Confide) encryption is that it appears to regenerate the public key under certain circumstances. It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function. Key exchange is always the most difficult part of good encryption routines. Depending on whether or not Confide is able to detect this and warn the user, it’s possible (although not confirmed) that the application could be susceptible to the same types of man-in-the-middle attacks that we’ve seen theorized in WhatsApp (if you leave the alerts off) and iMessage,” Zdziarski wrote.

Bédrune said the confidentiality of the exchanged messages depends on the robustness of TLS.

“Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” he said.
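The attack Bédrune describes above (the key directory hands out its own public key, decrypts, then re-encrypts for the real recipient) and the key-change alerting Zdziarski contrasts it with are easy to see in code. The following is an added example written for this page; it is not Confide's, IOActive's or Quarkslab's code and does not reproduce Confide's actual protocol. It assumes an ECIES-style scheme (fresh ephemeral Diffie-Hellman key per message, encrypted to the recipient's long-term public key), a toy 127-bit DH group and an HMAC-based stream cipher so that it runs with only the Python standard library; none of those choices is safe for real use. The `Directory`, `PinningClient` and `KeyChanged` names and the sample message are constructed for the demo.

```python
"""Key substitution by an untrusted key directory, and the pin/fingerprint
check that catches it.  Added example; not Confide code.  The DH group and
cipher below are deliberately tiny stand-ins (assumption: demo only)."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime; far too small for real use (demo assumption)
G = 5
KEY_BYTES = 16       # enough to hold any element of the toy group


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short SHA-256 fingerprint of a public key: what users compare out of band."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def derive(priv, peer_pub):
    """Symmetric key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"demo-kdf" + shared.to_bytes(KEY_BYTES, "big")).digest()


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Toy encrypt-then-MAC (a real client would use an AEAD)."""
    nonce = secrets.token_bytes(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def encrypt_to(recipient_pub, plaintext):
    """ECIES-style envelope: (ephemeral public key, ciphertext)."""
    eph_priv, eph_pub = keygen()
    return eph_pub, seal(derive(eph_priv, recipient_pub), plaintext)


def decrypt_with(priv, envelope):
    eph_pub, blob = envelope
    return unseal(derive(priv, eph_pub), blob)


class Directory:
    """The key server plus relay.  Honest until `mitm` is set, then it answers
    every lookup with its own key and re-encrypts for the real recipient."""
    def __init__(self):
        self.keys, self.mitm, self.read_by_server = {}, False, []
        self.mitm_priv, self.mitm_pub = keygen()

    def register(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        return self.mitm_pub if self.mitm else self.keys[name]

    def relay(self, to, envelope):
        if self.mitm:
            plaintext = decrypt_with(self.mitm_priv, envelope)  # server reads it
            self.read_by_server.append(plaintext)
            envelope = encrypt_to(self.keys[to], plaintext)     # recipient sees nothing odd
        return envelope


class KeyChanged(Exception):
    pass


class PinningClient:
    """Trust-on-first-use pin, plus an optional out-of-band fingerprint check;
    a changed key is an alert (as in Signal/WhatsApp), not a silent update."""
    def __init__(self, directory):
        self.directory, self.pinned = directory, {}

    def public_key_for(self, name, expected_fp=None):
        pub = self.directory.lookup(name)
        if expected_fp is not None and fingerprint(pub) != expected_fp:
            raise KeyChanged(f"{name}: fingerprint mismatch against verified value")
        if name in self.pinned and self.pinned[name] != pub:
            raise KeyChanged(f"{name}: public key changed since first use")
        self.pinned[name] = pub
        return pub


MESSAGE = b"the memo goes out at nine"   # constructed sample message


def naive_scenario():
    """Client trusts whatever key the server returns: server reads the message,
    Bob still decrypts it fine.  Returns (what the server read, what Bob read)."""
    d, (bob_priv, bob_pub) = Directory(), keygen()
    d.register("bob", bob_pub)
    d.mitm = True
    delivered = d.relay("bob", encrypt_to(d.lookup("bob"), MESSAGE))
    return d.read_by_server[0], decrypt_with(bob_priv, delivered)


def pinned_scenario():
    """Alice verified Bob's fingerprint while the server was honest; the later
    swap is rejected before anything is encrypted.  Returns (status, leaked)."""
    d, (bob_priv, bob_pub) = Directory(), keygen()
    d.register("bob", bob_pub)
    alice = PinningClient(d)
    alice.public_key_for("bob", expected_fp=fingerprint(bob_pub))
    d.mitm = True
    try:
        alice.public_key_for("bob")
    except KeyChanged:
        return "blocked", d.read_by_server
    return "sent", d.read_by_server
```

In the naive run both tuple entries are the plaintext: the server decrypted the message and Bob received a valid ciphertext, which is exactly the "we only note that Confide is able to do so" point. The pinned run only helps because the fingerprint was checked (or the key pinned) before the server misbehaved; a client that pins whatever it is first given by an already-hostile server is no better off, so the out-of-band comparison is the part that actually provides end-to-end security.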

Quarkslab also claims that security features in the Android, iOS and desktop apps, such as message deletion and screenshot prevention, can be easily circumvented.

For its part, Confide co-founder Jon Brod told Threatpost via email Wednesday the company was able to fix the issues quickly.

“We were able to detect anomalous behavior and remediate many of the issues during IOActive’s testing in real time starting on February 24. We were able to quickly address the remaining issues after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. We do acknowledge the findings, but believe that the firm is overstating the severity level of some of them.”

IOActive says it privately disclosed its research to Confide in February and that Confide fixed the issues and updated the app on March 3, 2017.

Brod did not address the security concerns raised by Quarkslab.

“All the issues have been reported to Confide, and they are working on fixing them. In the meantime, do not consider your conversations to be so well concealed,” Bédrune wrote.



Mobile security company Zimperium said Tuesday that it will start buying exploits, but in a departure from most other programs, it will not be buying zero-days.

The company’s N-Days Exploit Acquisition Program will pay researchers from a pool of $1.5 million for exploits targeting vulnerabilities in Android and iOS that have already been patched.

Zuk Avraham, founder of Zimperium, said the program will not only serve to train the company’s core internal Z9 machine learning engine, but also encourage and reward exploit writers to develop proof-of-concept exploits that could nudge carriers and handset makers to improve patch delivery to devices.

“We are not an exploit acquisition company; we don’t do offensive stuff. We get the same value from our perspective working on N-days,” Avraham said. “Right now N-days are worth zero. We are going to help create value for vulnerabilities that sell for zero and make them worth more than that.”

Avraham said exploits for iOS 8 and later, and Android 4.0 and later, will be eligible for the program. Exploits from the program will be first delivered to Zimperium partners and members of its Zimperium Handset Alliance, which includes some large mobile manufacturers such as Samsung and BlackBerry. Within three months, the exploits will be publicly released. Members of Zimperium’s Zlabs research team will evaluate submissions and determine payouts on a case-by-case basis.

“These things need to be shared in order for the community to get better and safer,” Avraham said, pointing to other exploit acquisition programs that do not share exploits publicly. “We have to change that; that’s what triggered creation of this program.”

Having a working proof-of-concept exploit, Avraham said, should add urgency, especially on the Android side of the equation, for handset makers and carriers to deliver patches and improve the overall security of the ecosystem. Exploits coming out of the program, for example, put more PoCs in the hands of industry, some of which could be hesitant to deliver timely patches without working public exploits, Avraham said.

“Android got better, and much safer if you’re on the latest version, but only 0.5 percent are on the latest version unfortunately,” Avraham said.

One glance at the monthly Android Security Bulletins will show you the multitude of vulnerabilities Google regularly assesses and remediates for the mobile operating system. And while Google patches its Nexus phones in over-the-air updates, that process represents only a percentage of the mobile market running devices at current patch levels.

The Android ecosystem still lags overall on comprehensive patching, and it is not alone: while Apple regularly pushes updates to its devices, it still relies on users to download and install them.

“We are not there yet, and we can get better,” Avraham said, conceding the improvements made since the initiation of the monthly Android patch releases from Google in particular and the number of critical bugs in Mediaserver and Stagefright that have been found and patched. “It’s gotten better, but it’s still very challenging work.”

Avraham said the program is scheduled to run at least one year, but depending on whether it’s successful, it could be extended.

“With this program, we thought we would get creative, support the community and do something different for once,” Avraham said.
