Secure messaging app found to contain vulnerability
6 November 2014
A mobile app claiming to provide encrypted, secure messaging has been found to have a vulnerability which potentially allows messages to be accessed by another person.
There are many products available on the internet that claim to provide ‘secure’ features. Mobile apps, in particular, may make assertions about their security credentials which, in many cases, have not been tested or validated.
You should be cautious about using apps which claim to secure your messages or other information unless they have been independently verified.
The vulnerable app, singled out by recent research, is a ‘secure messaging’ app called TextSecure Private Messenger. It is available on the Google Play store. The research found that the encryption used was mostly secure, but an attack was possible against the app’s messaging system.
Despite its claims of secure messaging, it was possible for messages to be forwarded to another person without the sender’s knowledge. The developers of TextSecure have been notified and are working to fix the issue.
The research also noted that no other major vulnerabilities were found in this app.
Security of information in apps
Securing information properly is a growing issue for mobile apps. A large number of apps claim to offer high levels of security, although few of these claims have been independently verified.
Because of this, you should be careful about what information you provide and share on apps, particularly if they claim to offer ‘secure’ features.
Currently, there is no formal, reliable and consistent method for ensuring the information stored and sent by apps is encrypted or secure.
If you do need a highly secure messaging app, you should seek technical advice before choosing a product.
A full technical description of the security testing and the attack can be found in the released paper.
Stay Smart Online contains more information on securing your mobile phone and other devices.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.