A “backdoor” is code designed to provide unofficial or unauthorized access to a computer or piece of software. Many malware variants are designed to create backdoors, and software and hardware manufacturers sometimes put backdoors in their systems to support maintenance after deployment.
Backdoors always pose a threat to a system’s security. Even if a backdoor is designed to be secret, information about it may be leaked or cyberattackers may discover it.
This is why secure messaging applications should never have backdoors. Ciphr is committed to providing a secure messaging platform, which means that Ciphr software does not contain backdoors.
Inside a Secure Messaging App’s Backdoor
A backdoor is anything that can allow unauthorized access to a messaging application. Some examples of potential backdoors include:
● Hardcoded Credentials: Software manufacturers may build default accounts with set passwords into their applications. This makes it possible for the manufacturer to access the application if necessary (e.g., for maintenance).
● Authentication Bypass: Applications may also contain bypasses for authentication mechanisms. For example, calling (or triggering) a particular function may allow access to the software without logging into a user account.
● Server-Side Password Storage: Secure messaging applications commonly back up encrypted user messages on their servers (Ciphr does not back up messages, but you can back up Contacts). If the manufacturer also has access to the user’s encryption keys, then they could gain access to the user’s data without needing access to the application itself.
All of these features could provide the app developer with access to a user’s app and/or the messages that it contains.
End-to-end encryption means that messages are encrypted between two apps but decrypted by the apps themselves (so that you can read them). Remote access to an app may therefore give an attacker access to the messages themselves.
How Backdoors Get into Software
Backdoors are designed to provide access, and they can be inserted into software in multiple ways. Some examples include:
● Manufacturer Access: In some cases, a manufacturer may include a “maintenance mode” within an application. While this may be installed with good intentions, it is still a backdoor and carries the potential for unintended consequences.
● Malicious Implants: Attackers may be able to implant malicious code within a legitimate application. The recent SolarWinds hack, in which the attackers injected malicious code into the company’s Orion product updates, is an example of this.
● Vulnerability Exploits: Vulnerabilities in application code may allow remote access or code execution. This makes these vulnerabilities potential unintentional backdoors within an application.
Any backdoor within an application places it at risk. For this reason, secure messaging app developers should do everything possible to prevent backdoors within their systems. This includes not only avoiding the use of intentional backdoors in apps but also implementing secure development practices to decrease the probability of implant injection or exploitable vulnerabilities.
Ciphr Provides Backdoor-Free Secure Messaging
It is impossible to provide a truly secure messaging experience with an app that contains backdoors. Ciphr has implemented a number of features to help protect our users against backdoors, including:
● No Backdoors: Ciphr apps don’t have backdoors and we have taken all possible steps to secure our systems.
● User-Controlled Keys: All messages (including images and voice notes) sent using Ciphr are encrypted with keys that never leave a user’s device. There is no way for messages to be decrypted until they reach the intended recipient. This means that Ciphr can’t identify which messages belong to which users, nor decrypt and read messages. Messages are also only kept on Ciphr’s servers long enough for them to be sent, and Ciphr doesn’t keep any copies.
● Composite Keys: Composite Key is a feature unique to Ciphr that protects data from both online and offline attacks. Part of an encryption key is stored on Ciphr’s servers, and the other half is derived from the user’s password. This makes it impossible to decrypt data in-app without access to Ciphr’s servers, protecting against attacks on the app.
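A minimal sketch of the composite-key idea described above, as an added example and not Ciphr’s implementation. The PBKDF2 and HMAC-SHA256 construction, the iteration count, and all function names are assumptions chosen for illustration; it shows that a copied device record plus the correct password still fails to unlock without the server-held half.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def password_half(password: str, salt: bytes) -> bytes:
    """Half of the key derived on the device from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def composite_key(server_half: bytes, pw_half: bytes) -> bytes:
    """Mix both halves; neither half alone determines the result."""
    return hmac.new(server_half, b"composite-key-demo" + pw_half,
                    hashlib.sha256).digest()


def key_check(key: bytes) -> bytes:
    """Tag stored on the device so unlock() can recognise the right key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def enroll(password: str):
    """Return (device_record, server_half) for a new user."""
    salt = secrets.token_bytes(16)
    server_half = secrets.token_bytes(32)  # kept only on the server
    key = composite_key(server_half, password_half(password, salt))
    return {"salt": salt, "check": key_check(key)}, server_half


def unlock(password: str, device_record: dict, server_half: bytes):
    """Return the data key, or None if password or server half is wrong."""
    pw_half = password_half(password, device_record["salt"])
    key = composite_key(server_half, pw_half)
    if hmac.compare_digest(key_check(key), device_record["check"]):
        return key
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    device, server_half = enroll(pw)
    print("right password + server half:", unlock(pw, device, server_half) is not None)
    print("wrong password:", unlock("guess", device, server_half) is not None)
    # Device record copied, server half unknown: the right password is not enough.
    print("no server half:", unlock(pw, device, bytes(32)) is not None)
```

Because the check tag depends on the server-held half, someone holding only the device record has nothing to test password guesses against offline.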
It’s important to thoroughly research any communication apps you are using or plan to use. Having a backdoor is not a sign of a truly secure and private messaging app, which is why Ciphr does not have a backdoor.