‘Secret Chat’ Messages Aren’t So Secret After All

The universal truth about secrets? They almost always tend to get leaked. This was the case for a cross-platform messaging app, which flaunted the privacy offered by a “Secret Chats” messaging feature.

This messaging app describes itself as a privacy-oriented app, intended for sending encrypted personal or business secrets without storing them to memory. However, as one security researcher discovered, this could not be further from the truth.

The secret chat feature was designed to be a one-on-one chat where all messages sent back and forth were encrypted with a key known only by the chat’s participants. Theoretically, no third parties could access or unencrypt the content without first obtaining one of the chat participant’s devices.

Upon closer inspection, it can be seen that these supposedly “secret” messages are copied and stored in plain text on a cache database on the device. So, anyone with access to the device could easily read them from the phone’s memory.

What’s even scarier is that it was also found that any deleted messages from the chat were in fact not actually deleted from the app’s memory. Although a message may appear to be deleted from the conversation, it is not truly gone and still lives on in the cached files.

The lesson to learn here? While encryption is a wonderful thing, there is a right and wrong way to approach it. Only encrypting one element of an app does little for security’s sake. Complete end-to-end encryption is needed to ensure that your messages are safe from prying eyes.

While mobile messaging apps work to implement stronger security practices, there are a few steps you can take to ensure the protection of sensitive, personal information:

  • Be wary of the secrets you share with mobile messaging apps. Thanks to their various security flaws, mobile messaging apps all too often spill the beans when it comes to sensitive information. For this reason, it’s a good idea not to even put that information in their hands in the first place.
  • Install comprehensive security software on your mobile device. Every device you own should have safety precautions installed on it. McAfee® Mobile Security is available for both Android and iOS, and offers a variety of protections to help keep unwanted people out of your devices.
  • Keep your passwords secure and change them often. Hackers love when you use the same password for each account, as it makes them that much easier to guess. So, assign a different password to each account or device and keep each one personal and private. To help you deal with the hassle of creating multiple complex passwords and managing them all, leverage a password management app, such as True Key™ by Intel Security.
  • Upgrading to a new device? Wipe the old one. Make sure your old phone is restored to factory defaults and all personal information has been completely wiped – before you sell back the device. This way when someone buys your mobile phone, they won’t also be getting all of your personal information for free.

As always, to keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.

lianne-caetano

Leave a Comment

two + 4 =