Monday, December 9, 2013

On "Free" Security Apps...

I came across a new smartphone security app the other day which caught my eye. It promised...
  • Free and secure phone calls.
  • Send self-destructing messages.
  • Recall or remotely wipe sent messages.
  • Safely share private photos and videos.
  • Photo vault to hide photos and videos.
  • Hide text messages, contacts, call logs.
  • Private vault for documents, notes and diary.
Just load the app on your phone (and the people you want to communicate with), and you're good to go. It sounded like something which my readers would like to know about. I downloaded it with the thought of giving it a try. But then, I thought again.

In my mind, I could hear my father saying, "there is no free lunch, if it looks too good to be true..." The years have always proven him correct.

The app's web site had a foreign country URL. Not a big issue. Perhaps it was the only place where the site's name was available. A little more digging and I came up with a company address here in the United States; a residential address. Again, not a big issue. The company is just over a year old, they have no other products, and software development from home is common. Both the Chairman and CEO of the company have names normally associated with a foreign country. I am still not fazed. The United States is the world's melting pot.

A question on their FAQ page was the first red flag. "Why do you need my cell phone number to activate the service?" The answer, "we need the number so we can send you the activation code." My question is, why does a free encryption product need an activation code? It sounds like a ploy to identify users. Apparently, enough people felt this was an invasion of their privacy. The next part of the company's answer was that the code would no longer be needed after version x.xx.

The next FAQ was, "Why do you upload my contact book to your servers?" The answer smelled like more dung. Apparently, everything the app does goes through their servers.

On to the fine print. 

The product is specifically not guaranteed: not the encryption, not the self-destruction of the messages, photos or videos, nothing. They accept no liability. They are held harmless in the event transmissions are decrypted, deleted, copied, hacked, or intercepted.

Apps cost money to develop. Even allowing for ads, as these folks do, that is not enough money to justify an app this fancy (assuming it fulfills all its claims). There must be another payoff. What's worth money here? 

Information. 

People who use encryption are a select group; easy to target. For whatever reason, they feel their information is valuable. Hummm, a free security app could be a great espionage tool. Let's see what information the company admits to collecting...

"We have the right to monitor..." Boom! What!?!? 

And, they collect: IP addresses, email addresses, phone numbers, address books, mobile device ID numbers, device names, OS names and versions. They can know who you are, where you are, and information about everyone you know. Even if you never use this app, if you are in the address book of someone who does, you're now coin of their realm.

"Photos and videos are cached on servers..." and you can't delete them. They claim they will do this for you after, "a period of time."

Throughout all of this, the user's fire-of-fear is doused with, don't worry, it's all encrypted, no one but you can see it, trust me. Right... how about a little trust, but verify. Other security software companies allow vetting. I saw no claims that their code was independently vetted for bugs, back doors, or spyware. And, what about that "We have the right to monitor..." clause? How is that accomplished without a back door?

They "may collect statistics about the behavior of users and transmit it to employees, contractors and affiliated organizations outside your home country." Yikes. Who are you affiliated with anyway? Please don't tell me, "if I tell you, I will have to kill you."

Here's another kicker. If they sell the company, "user information is one of the assets which would be transferred or acquired by the third party."

This may be a perfectly legitimate app. Maybe I'm paranoid. But, money, power, politics, espionage and blackmail all come to mind. Any government intelligence service, business espionage agent, or organized crime boss could have come up with this as a ruse. 

Which brings me to the moral of this story...

Before you trust any security service, vet it thoroughly. 
If your OTHBD needle starts to tremble, don't rationalize, move on. ~Kevin