Cryptocat, the popular open source application that enables users to chat online easily and securely, is now available for iPhone users (on Apple’s App Store), as well.
Cryptocat initially took the form of a web app for Mac OS X and browser extensions for Chrome, Firefox, Safari, and Opera, but last December the team behind it publicly released the source code for Cryptocat for iPhone and Android and invited the security community to review it and help find security bugs.
“Our mission has always been on making encrypted chat fun and easy to use, first and foremost,” commented Cryptocat creator Nadim Kobeissi in a blog post announcing Cryptocat for iPhone.
The iPhone version is a native application – it uses iOS’ APIs instead of web cryptography.
“Cryptocat for iPhone uses the OTR protocol for private conversations, and our solidly maturing multiparty protocol for group conversations. With our current research into mpOTR, we hope to soon offer an upgraded global standard that brings Cryptocat’s encryption system to other platforms as well,” Kobeissi added.
The app works smoothly with the computer-based Cryptocat clients, so it’s not required that all parties in a conversation use the iPhone app. The functioning and look remained the same.
Kobeissi noted that they welcome feedback from users and has enumerated some future improvements they are working on.
The app release has already been criticized by well-known iPhone forensics expert Jonathan Zdziarski, who claims that Cryptocat’s touted user history ephemerality is absent from the app.
“I was really excited to see this app hit the app store, but unfortunately the iOS version does not appear to have been written with privacy/security in mind,” he warned in a review of the app.
“The app leaves behind a treasure trove of forensic artifacts that can be lifted from your device if it is ever stolen, hacked, or seized by law enforcement. The most notable of which is that all your past typing is logged into Apple’s keyboard cache, so that previous conversations, including word counts, can be extracted from the device. Cryptocat could have prevented this by turning off auto-correct or writing their own.”
“The app also intentionally stores the user’s private key, room name, nick, buddies, and other identifying information in the configuration file,” he added. “This can all be used to identify you, past conference rooms, and other information that could expose you. And sadly, if I could figure this out in just a couple of minutes, I’m sure bad guys/feds/etc. are figuring it out too. This can be recovered forensically from most commercial forensic tools on devices of any model.”