Henry Dalziel | Pentesting Tools, Product Reviews, Resources and Tutorials | October 22, 2013
This blog post is to complement another post we wrote not that long ago, titled “Bitmessage: The world’s most secure messaging platform”, which received a lot of interest.
Here’s the deal: for what seems to be completely (99.99%) secure email messaging – use Bitmessage. For what seems to be completely (99.99%) secure text messaging – use surespot!
What is surespot?
The folks behind surespot sum it up perfectly on their website, namely: ‘only the person you send the message to can read it. Period.’ That seems to be exactly what it does, and it does it very well. As a brief overview, think of surespot (which we believe should be written all in lowercase) as a secure mobile messaging application that uses exceptional end-to-end encryption for all text, shared files, and images. An amazing and smart feature of this app is that the sender is able to delete a message they have sent to the receiver – now that is just plain cool.
How does surespot work?
We couldn’t do a better job of explaining how it works than the developers – so go and hit up the explanation here, but if you want a real quick layman’s summary, think of it like this: surespot solves prying and snooping problems by using strict end-to-end encryption. Whilst SSL does a good job of encrypting data sent from a client to a server, there is still a gap: the data can be read outside of the designated hops that SSL protects. For those that don’t know, a ‘hop’ in computer networking refers to a portion of the path between source and destination. Data sent through the Internet travels in packets that pass through routers and gateways on the way. Each time packets, or in this case a text message, are passed to the next device, a hop occurs. It is possible to calculate how many hops are used from sender to recipient by using a ping or traceroute/tracepath command (nmap is good for this).
surespot comes hot on the heels of a memorable and frankly brilliant Hacker Hotshot web show with the creator of CreepyDOL. CreepyDOL very accurately shows how much data our Android devices are leaking, and it is a staggering amount. Coupled with the NSA revelations and a greater overall awareness of personal information, it is hardly surprising that surespot has been getting the coverage it has.
One of the downsides to surespot, which actually affects most messaging apps, is that it is only useful if your friends and contacts are using it too. However, as ‘negatives’ go, this downside is hardly a bad thing: just tell your friends to accept and download the app.
We have had a lot of Android-related security events this year; examples include “Android: One Root To Own Them All” with Jeff Forristal and “Status of App (in)Security: A look at common risky behaviors in the top 400 iOS and Android apps” with Domingo Guerra. Of our past events, you should take a look at Jeff Forristal’s research and presentation, since he demonstrates how insecure Android was until the release of a patch for the Android Master-Key Vulnerability. If you connect this Android vulnerability with the evidence of the vast amount of data we leak through our mobile devices (see the CreepyDOL talk), it is no wonder we are compelled to use surespot!
Do you use surespot? We’d love to hear from you and your thoughts regarding the app.