Upstart encryption app walks back privacy claims, pulls from stores after probe

A new-ish messaging service that claims to put users' privacy first has changed its tune – and the end-to-end encryption claims on its website – as well as pulling its app from both the Apple and Google app stores after being called out online.

Converso – a comms app launched in September 2022 – billed itself as a "next-generation messaging app that keeps your conversations completely private." This, according to the developer's website, included "proprietary state-of-the-art end-to-end encryption technology," no storage of messages on servers, and "absolutely no use of user data." It claimed it could stand up to the likes of Signal and WhatsApp in the security stakes.

A blogger who goes by Crnković and has an interest in encryption protocols heard about Converso from an ad on a podcast and decided to poke around to see if the software lived up to the hype.

To this end, he downloaded the APK and said he'd found Converso's code, among other issues, contained a Google Analytics tracker – which is frowned upon in data privacy circles. The app also appeared to use RSA and a drop-in software development kit from Seald for encryption and public key authentication.

"Dissecting Converso was largely a learn-as-you-go exercise for me, as I don't have prior experience reverse engineering mobile apps," Crnković told The Register. "I was shocked at each exponentially worse mistake."

Crnković published an article about these findings on May 10, and The Register contacted Converso on May 12 for its response. By May 13, much of the wording on the website – including the "proprietary" E2EE claims – had disappeared or been watered down quite a bit.

Converso CEO and founder Tanner Haas, in a lengthy email to The Register, said his startup "takes issues with privacy very seriously, and when we were informed of vulnerabilities we immediately worked to patch them as quickly as possible."

"Any information related to users, phone numbers, and data is protected and not accessible to attackers," Haas continued. He declined to answer a question about the Google Analytics tracker.

Converso is "in talks" and "going to work directly with Seald," according to Haas. When asked what encryption protocol(s) Converso uses, Haas directed The Register to the Seald website.

We also asked Haas if Converso uses Seald as the app's only certificate authority for mapping identities to public keys, as Crnković noted in the blog.

"Although Seald is used as a third party certificate authority, there are additional authentication steps that are designed to prevent anyone from reading other users' protected messages," Haas wrote in the email. "This includes preventing users from accessing cipher texts that aren't meant for them."

The messaging service had "already rebuilt the app authentication flow before any potential issues were uncovered. Any secrets that are leaked on the client side are from an older version of the app, and anyone who's on the latest updates is no longer using the identities generated on the previous version," he added.

Haas encouraged Crnković to retest Converso in 60 days "with the same enthusiasm" as the original blog. He also reiterated "we never have and never will have commercial use of user data."

Additionally, the app has been "temporarily taken off" of the App Store and Google Play "while we address and improve any remaining potential vulnerabilities."

Let the countdown begin. ®