White House staff members are using a 'secure' app that's really not so secure

The insider, who spoke to BuzzFeed on condition of anonymity out of fears of retaliation, said that the primary purpose of the app was to be a social messaging platform, and that the security features were secondary. As such, it kept the numbers of any person who had downloaded it, even if they immediately deleted the app or never used it.

The expert said it was concerning that senior White House staff would use the app, and that it should not be trusted. While messages are deleted immediately from the phone, the company stores them for upwards of a week before manually deleting them. The expert also said that the company stores the metadata of all its users, meaning that while the content of the messages would not be available, it would be possible to see how often a user was sending messages, and to whom.

Confide did not respond to a request for comment from BuzzFeed News asking that they confirm the details of the app, or answer questions about the type of encryption they currently use to ensure the security of their users.

Confide is one of dozens of messaging apps gaining popularity in recent years, as users turn to apps touting end-to-end encryption as a way of protecting messages and calls. Cybersecurity experts, however, say that many of these apps make false or overly confident claims. Confide, they added, does not make its code public or offer details on the type of encryption it uses, making it difficult for independent researchers to fact-check its claims. Other apps, including the Signal app, which is widely supported by privacy experts, is open-source, meaning that it makes its code public so that researchers can see for themselves the type of encryption and protective measures it is taking.

In an interview with CyberScoop earlier this week, Alan Woodward, a professor at the University of Surrey, called the Confide app "a triumph of marketing over substance." The app relies on the software library Open SSL, according to a review by Jean-Philippe Aumasson, a researcher at the cybersecurity company Kudelski Security. Certain versions of OpenSSL have been shown to be vulnerable to bugs and malware, though it is unclear which version Confide uses.

"It always worries me when someone starts by saying they use 'military-grade encryption.' That immediately makes me start to look for the snake oil," Woodward told CyberScoop. "It sounds like sales puff over substance."

An independent cybersecurity researcher, who spoke to BuzzFeed News Wednesday, said he was part of a team of researchers who were currently investigating the app and had found "a number of problems… we would not recommend this app to someone looking for secure messaging."

He refused, however, to detail those problems, as he said his team was still in the midst of researching the app.

The problems, he added, are not limited to Confide. Cybersecurity researchers have recently found gaping vulnerabilities in the Telegram app, widely used by US government workers, as well as supporters of the ISIS militant group.

During a meeting in Washington, DC, earlier this year, two US intelligence officers shared that they had recently seen a spike in government officials, including members of Congress, national security staff, and White House staff, using encrypted messaging apps. The officers expressed concern over the apps government officials were using to share potentially sensitive information.

"On the one hand, it's better than sending something sensitive over an open platform," said one officer. "I'm glad they are not Facebook messaging each other sensitive information. But the apps give a false sense of security and, depending on what they have downloaded, they may be putting themselves, and their communications, at greater risk."

CNBC

Get the latest news delivered to your inbox

Follow us on social media networks