A British start-up has launched a fully encrypted communications platform for mobile devices that aims to challenge established apps such as FaceTime and Skype, and even heavily touted privacy-engineered devices like the BlackPhone.
Pryvate from Criptyque offers encrypted email, voice and video calls as well as secure instant messaging.
Initially available on Apple and Google Play stores, the service provides security by generating unique encryption keys on the devices of both users who communicate via the application.
Once a key is used, a new key is created for every subsequent interaction and renewed for every call, IM, message or other communications session.
Keys are never known, even to Pryvate. Once a key is created it expires and a new key is used for every subsequent interaction, according to Criptyque. Pryvate only establishes the communication signalling and authorises the connections (user verification/authentication); then Pryvate’s servers step out. These keys are generated and destroyed within the app, which is fully sandboxed away from users’ device operating systems.
Criptyque execs told El Reg that the firm has no access to encryption keys, which are held on users’ devices. The firm reckons its Jersey, Channel Islands base offers a more privacy-friendly regime than if it operated on the UK mainland. Providers of end-to-end encryption have chosen countries with privacy-friendly regulations such as Iceland and Switzerland as a bulwark against government surveillance requests, as Criptyque explains:
Criptyque is incorporated in Jersey in the Channel Islands because Jersey has its own independent government and legislature placing it outside the jurisdiction of the United Kingdom. This eradicates any possible request to have a backdoor built into the application and therefore provides our users with the utmost confidence in our independence from any government interference.
The engine underpinning Pryvate makes use of 4096-bit encryption, with AES 256-bit key management and Diffie-Hellman key exchange. Criptyque’s blurb refers to this as “military grade” and “government grade” encryption, as if either term inspires confidence in the post-Snowden era.
But we digress.
Criptyque’s technology also bundles compression, to aid lower latency, and sandboxing, as a defence against the possibility that mobile malware somehow introduced to a device might make it possible to steal encryption keys.
Jan Vekemans, technical director at Criptyque, told El Reg that physical threats rather than malware were the main limitations to the privacy offered by its technology.
“The limitations are not with the app but, as always with security, it is with human error,” Vekemans explained. “What Pryvate secures is users’ communications in transit rather than the phone itself. For instance, Pryvate can’t stop your phone being stolen or someone putting a bug on your person to listen into your calls.
“These responsibilities need to be taken on board by the individual as no technology can stop user errors of this nature. What Pryvate does is make security simple/efficient and shield users from the element of security. This means there is less reluctance to use it and there is less danger employees will find an alternative (non-safe) way of doing things. It also allows Pryvate to proactively update obsolete algorithms or counter threats safely, without any user intervention, should any unforeseen event occur,” he added.
Other players in the secure communications space, such as Silent Circle, openly state that mobile security is compromised in cases where a device is contaminated with malware, so El Reg’s security desk is not altogether convinced on this point. Sandboxing is a worthwhile security approach but it’s not always bulletproof, as evidenced by recent problems with Adobe’s sandboxing tech.
Criptyque’s service has been certified by application security firm Zion Security, which is in the process of achieving industry accreditation for the app. All core components are also open source and open to public scrutiny, we’re told.
The Pryvate suite consists of three subscription products: Pryvate, a mobile app that offers secure communications; Pryvate Premium, which also includes added storage and account management controls; and Pryvate Enterprise, which also adds desktop functionality and products. All three products default to the free-to-use Pryvate Lite, which offers users secure free phone calls of up to one minute.
Available for a free 30-day trial, Pryvate Consumer costs £4.49 / $5.99 per month or £44.99 / $54.99 a year, Pryvate Premium costs £5.99 / $7.99 per month, and Pryvate Enterprise costs £9.99 / $13.99 per month.
Pryvate Enterprise offers a secure desktop IP video phone, a separate hardware-based device. Individual users can plug in the preconfigured phone, which offers the advantage of protection against eavesdropping on communications and other forms of snooping.