back to top
World

White House Staff Are Using A "Secure" App That’s Really Not So Secure

Some senior officials are using a new messaging app that may not be as secure as it claims. “We would not recommend this app to someone looking for secure messaging,” one expert told BuzzFeed News.

Posted on

SAN FRANCISCO — A number of senior White House officials, including press secretary Sean Spicer, have at one point downloaded the Confide messaging app that touts "military-grade encryption," allowing users to secretly and securely message one another. But it may be a great deal less secure than they think.

Cybersecurity experts warn that the Confide app, which boasts a feature that deletes messages as soon as they are read, is rife with security concerns. It also raises questions about whether senior members of the White House should be using an app that purposely deletes their conversations, potentially flouting rules requiring that they keep an accurate record of communications within the White House. The use of the app by government officials was first reported by Axios.

BuzzFeed News found the phone numbers of Spicer, along with Hope Hicks, the director of strategic communications, via a feature that allows users to see friends who have already joined.

In a phone call with BuzzFeed News, Spicer confirmed that he used the app, but said that he had done so only once, when asked to by a reporter “months ago." He offered to show a BuzzFeed News reporter his phone as proof.

“I downloaded it, but I'm glad to show anyone my phone and that I've literally sent one message on Confide,” said Spicer. “These are personal phones... I also have iTunes on my personal phone, Solitaire, and other apps. Frankly I think the idea that you guys are writing a story, the idea of what apps I use on my phone, is an invasion of my privacy.”

Spicer added that he kept a separate device for White House business, and that he used his personal phone for personal matters.

Hicks' cell number, which at first appeared on the Confide app, was no longer there when a BuzzFeed News reporter checked several hours later. A company insider said that it was possible she had deleted the app months ago, but that the company policy was to keep users listed even once the account was deleted.

The insider, who spoke to BuzzFeed News on condition of anonymity out of fears of retaliation, said that the primary purpose of the app was to be a social messaging platform, and that the security features were secondary. As such, it kept the numbers of any person who had downloaded it, even if they immediately deleted the app or never used it.

The expert said it was concerning that senior White House staff would use the app, and that it should not be trusted. While messages are deleted immediately from the phone, the company stores them for upwards of a week before manually deleting them. The expert also said that the company stores the metadata of all its users, meaning that while the content of the messages would not be available, it would be possible to see how often a user was sending messages, and to whom.

Confide did not respond to a request for comment from BuzzFeed News asking that they confirm the details of the app, or answer questions about the type of encryption they currently use to ensure the security of their users.

Confide is one of dozens of messaging apps gaining popularity in recent years, as users turn to apps touting end-to-end encryption as a way of protecting messages and calls. Cybersecurity experts, however, say that many of these apps make false or overly confident claims. Confide, they added, does not make its code public or offer details on the type of encryption it uses, making it difficult for independent researchers to fact-check its claims. Other apps, including the Signal app, which is widely supported by privacy experts, is open-source, meaning that it makes its code public so that researchers can see for themselves the type of encryption and protective measures it is taking.

In an interview with CyberScoop earlier this week, Alan Woodward, a professor at the University of Surrey, called the Confide app “a triumph of marketing over substance.” The app relies on the software library Open SSL, according to a review by Jean-Philippe Aumasson, a researcher at the cybersecurity company Kudelski Security. Certain versions of OpenSSL have been shown to be vulnerable to bugs and malware, though it is unclear which version Confide uses.

“It always worries me when someone starts by saying they use ‘military-grade encryption.’ That immediately makes me start to look for the snake oil,” Woodward told CyberScoop. “It sounds like sales puff over substance.”

An independent cybersecurity researcher, who spoke to BuzzFeed News Wednesday, said he was part of a team of researchers who were currently investigating the app and had found “a number of problems... we would not recommend this app to someone looking for secure messaging.”

He refused, however, to detail those problems, as he said his team was still in the midst of researching the app.

The problems, he added, are not limited to Confide. Cybersecurity researchers have recently found gaping vulnerabilities in the Telegram app, widely used by US government workers, as well as supporters of the ISIS militant group.

During a meeting in Washington, DC, earlier this year, two US intelligence officers shared that they had recently seen a spike in government officials, including members of Congress, national security staff, and White House staff, using encrypted messaging apps. The officers expressed concern over the apps government officials were using to share potentially sensitive information.

“On the one hand, it’s better than sending something sensitive over an open platform," said one officer. "I’m glad they are not Facebook messaging each other sensitive information. But the apps give a false sense of security and, depending on what they have downloaded, they may be putting themselves, and their communications, at greater risk.”

Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F

Contact Sheera Frenkel at sheera.frenkel@buzzfeed.com.

Got a confidential tip? Submit it here.

Promoted