Pssst. Can I tell you something? Something private? In complete confidence?
This is Zendo, my new favorite messaging app.
Now you might well ask who needs (yet) another way to ping, poke, prod or otherwise pester their friends? The answer is simple: anyone who cares about privacy.
If you don’t think privacy is important, ask yourself whether you’d be happy to share your online banking password with strangers. Or your social security number. Or your medical history. Or your physical address. Or, ehem, some of those personal/intimate photos you have on your phone…
There are lots of types of data that most people care about safeguarding. And even the other stuff you might not think is so sensitive — where you go, what you like, who you talk to, what you buy, and so on — is being systematically collated and data-mined by mainstream social media services to build an increasingly detailed profile of you and your life to sell to advertisers.
Being stalked around the Internet by adverts for mortgages or baby products or hair loss cream is pretty tedious — as well as a visible privacy invasion. But pervasive, passive surveillance is the price of free services, isn’t it?
For sure, it’s one business model. And a dominant business model if you’re using communications products like Gmail and Facebook whose makers’ businesses are all about profiling users to sell intel to advertisers. Messaging products with an alternative philosophy do exist (e.g. Wickr, Threema, TextSecure, Silent Circle’s Silent Message app).
So how does a new secure messaging app stand out in such a crowded space? By making something that’s super easy to use, given that security can still be synonymous with tedious complexity. And also by using a type of encryption that technically cannot be cracked.
Something that’s impervious to man-in-the-middle attacks. Yet which has been overlooked by cryptographers for decades.
One-time pads ride again
“This is the first consumer implementation of One-time pads which is the only unbreakable form of encryption,” says Zendo co-founder Jack DeNeut, who it should be noted is something of an old friend of TC, having helped organize our PragueCrunch meet ups in recent years. You’ll also find some of his old posts on TC (like this one). Formerly an investment banker, DeNeut quit Wall Street to chase the original Internet boom back in the 90s, taking the plunge with ecommerce startups. Followed by travel guide site Nelso.com (his Nelso apps have racked up some 4 million downloads).
His Zendo co-founder and long-time friend plus business partner across various other startups, Tom Newbold, is also an American based in Prague who hails from a banking background. The pair came up with the concept for Zendo at the start of last year, while they were kicking around ideas to ride the messaging app boom — and Newbold, who was reading Neal Stephenson’s Cryptonomicon, joked about using One-time pads to secure a messaging app.
They both laughed.
One-time pads, for those not up on their cryptographic history, are the stuff of old school spy sagas. Burner books of random numbers (or letters) used to encode messages, with each page (pad) used only once before being destroyed. By burning it. Or eating it, for spooks in a matchless bind. So long as the pads are kept away from prying eyes and used only once their randomness ensures an uncrackable code. Only the person with the corresponding pad pair can decode the message. This is known as ‘perfect forward secrecy’ in the trade.
The problem with One-time pads is they’re not very practical. You have to get together with your fellow spook periodically to share pads to encode future missives, and agree on which pad will be used for each specific message. Plus pads run out, given you’re destroying them after usage. All of which explains why other types of encryption — that involve managing the remote exchange of secret keys in various ways — have become the standard for online security. (That and a whole crypto industry growing up to service this need.) And why One-time pads are mostly a historical footnote.
One-time pads are the unicorns of cryptography. Everyone knows they’re unbreakable, they’re perfectly secure, but historically they’ve been so hard to use that only spies and diplomats ever used them…
But after initially laughing at the notion of implementing One-time pads in a consumer app, DeNeut gave it more thought, and decided modern smartphones were the perfect vehicle for removing the barriers to bringing this type of encryption to the average consumer — given on-board processing power, ample storage, secure transfer technologies, built in camera, and so on. All that ubiquitous tech could suddenly make One-time pad transfer and management practical.
“One-time pads are the unicorns of cryptography. Everyone knows they’re unbreakable, they’re perfectly secure, but historically they’ve been so hard to use that only spies and diplomats ever used them. And so it became common knowledge that it was so impractical that a consumer could never use it,” DeNeut tells TechCrunch.
“The last time that anyone looked at this was the 1990s. When laptops barely existed. So the idea was you’d bring your PC over to my house, we’d connect them and we’d exchange key pad material and then you’d take your computer home and then we could securely message each other. But of course now everyone has powerful computers in their pocket, which have huge amounts of memory, secure storage, can generate large amounts of random data.”
Why hasn’t someone thought of combining One-time pads and smartphone before? “A lot of things in technology are like that,” he responds. “Simply somebody just thinks about it and goes ‘no wait; that old constrain doesn’t actually exist anymore. There’s no reason why we can’t do this’.”
The only requirement for using Zendo’s One-time pad encryption is users meet in person to exchange pads. And while that’s certainly a limitation it can also be seen as a benefit in some ways. A USP. This is an app for communicating in ‘perfect secrecy’ with people you are close enough to have actually spent time with at some point. Such as your close friends and your significant other. It’s also a welcome contrast from the communication overload that increasingly defines online social spaces these days, where an apparently limitless supply of strangers (who may or may not be human) hurl contextless missives in each others’ general direction while others stand on the sidelines commenting and taking notes. Zendo is the opposite. It’s necessarily selective, and thus the app can becomes a filter for substance; for conversational importance; for the people and topics that require your special attention.
You also can’t be spammed via Zendo (as you can by iMessage) — unless you are close friends with spammers. And if you’re a parent worried about who your kids are communicating with online, the app could be a way to ringfence messaging to school friends and family members. The co-location pad exchange requirement is also an excuse (not that you should need one) for people to meet up with their friends, catch up and top up their pads. While celebrities tired of having to change their phone numbers and messaging IDs every few weeks to stay ahead of contact information leaks might well appreciate the benefit of a physical pad exchange. So Zendo’s sales pitch can be about fostering intimacy, as well as protecting privacy.
There’s also an obvious appeal for businesses wrestling with the ongoing challenge posed to corporate security by the BYOD trend. And while Zendo is initially being positioned as a consumer app, and is free to download and use, Newbold suggests one avenue for future monetization could come by licensing the software to businesses who want to use it and also run their own server, rather than relying on Zendo’s servers (thus affording enterprises even greater control).
In-app purchasing for premium features could be another monetization route. But they’re in no hurry. They have plenty of runway for the startup thanks to a seven-digit investment from a Prague-based angel investor so are fully focused on acquiring users first, before nailing down a business model.
How Zendo works
After you download the app and get together with whoever it is you want to message, either one of you selects the in-app option to display a QR code and the other person scans it within Zendo. That initiates the one-time pad exchange — which takes place over Multipeer (if you’re using iOS) or Wi-Fi Direct on Android. You need to do this exchange with every person you want to message via Zendo’s One-time pad encryption so there’s certainly an on-boarding barrier as people will need to gradually add their friends as they meet up with them IRL.
“The first step is always optical, and that is an exchange of an AES 256bit key, plus an authentication key, and so those are the keys to encrypt the One-time pad as it’s being transferred wirelessly via Multipeer [or Wi-Fi Direct]… with a symmetrical AES key that was exchanged optically. So even if somebody was listening to every single packet, even trying to sniff on Wi-Fi Direct or Multipeer, the data that they would get would be meaningless because it would be encrypted with the optically exchanged keys,” says Newbold.
“The first step is always that optical scan, which doesn’t involve any packets going over any radio waves. So you can’t packet sniff it. If somebody wanted to get in the middle of that they would literally have to be looking over your shoulder with the camera to capture that code,” he adds.
The process takes a few seconds for 0.5MB of pad to be exchanged — which is enough for “thousands” of messages between the two users. More than 3,000 based on a conservative estimate of average text message length, according to Newbold. You can also exchange multiple pads to stockpile more megabytes for even more future missives. (To be clear, if users run out of pad, the app defaults to AES encryption so messages are never sent unencrypted — it just steps down to industry standard levels of security.)
Pictures can also be sent via Zendo, and those are encrypted with a single use AES 256bit key and an HMAC key (for authentication), which are then sent using One-time pad encryption, so the photos are secured via OTP without needing to use up too much of the pad to send them. The same method will be used to encrypt and send videos, audio and documents/attachments — file transfer features which will be coming in future updates to the app.
Another thing to note is that usage of Zendo is entirely anonymous. They are taking no sign up data (no email, no phone numbers etc). Users are merely assigned random identifiers. “What we see is unbreakably encrypted stuff attached to some random name” is how DeNeut sums up their view of the data flowing through their servers.
They do see IP addresses but he notes they don’t log or store these. “We’re throwing away all the logs… so we don’t have to not turn them over. We don’t have them to turn over,” he continues. “We think it’s very possible we’ll get requests from law enforcement. But that they’ll learn their lesson pretty quickly.”
“We are assuming it’ll be banned in China almost instantly,” he adds. “I’ll be psyched if it lasts a couple of days without getting blocked by the Great Firewall.”
One neat feature allows users of the app to send an encrypted Zendo message via another messaging app. So after composing the message in Zendo there’s an option that allows the user to select a different messaging app to carry the message — say iMessage (such as in the below example) — and then the encrypted message appears as a Zendo link in that other app. When the recipient clicks on it they are automatically transferred to the Zendo app where they can now view the unencrypted message.
This feature could be useful, says Newbold, if Zendo’s own servers are subject to attack — as a workaround for users getting messages out. Point being: once you have exchanged pad, the encrypted messages can be conveyed in a variety of ways — they could even be posted to Twitter or published in the classified section of a newspaper if you want to get really old school spooky — and all the recipient has to do is copy/paste the encrypted text into Zendo to convert the cypher back to plain text.
How secure is secure?
Zendo is not currently open source, so they are asking users to trust their claims as it stands, given there’s no option for community code review. But they have opened the source code to an independent security reviewer for audit (Geoffroy Couprie) — who they describe as being generally happy with it, making only a few suggestions for changes.
“I did not find many [problematic] things in there because the design of the app — the protocol — is quite straightforward,” says Couprie when I contact him for comment. “Basically a lot of messaging apps… suffer from the remote trust problem. Which is that at some point if you want to communicate securely with someone you have to establish a safe channel and it cannot be done to an extent. And what Zendo provided is that you meet in person, you do the exchange, and then you have a safe channel so there’s much less risk than another [messaging] app.”
“One-time pad is simple, and the key exchange is simple, that’s what makes it easy to audit and easy to use,” he adds.
“It’s trivial for anyone to packet sniff their device while they use it and see that we don’t have key servers, we don’t have registration servers that have your email address or anything like this, so it’s trivial to do a key exchange and just sniff the packets while you use the app and see that the keys don’t get sent,” adds DeNeut.
“What the app does internally is one thing but the biggest problem with all the other systems that have men in the middle is that they have to exchange the keys over the network. And any researcher can just do packet sniffing and see what the devices send to each other.”
What about the fact that creating truly random numbers is nigh on impossible? Does that weaken the robustness associated with One-time pads? That’s really a theoretical constraint, argues DeNeut. “If there is some flaw in the randomness you would need to collect billions of messages on our system to even maybe take a crack at determining some flaw in our random number generator,” he says.
Newbold also makes the point that the general brevity of most mobile messaging likely adds to the challenge of identifying exploitable patterns in the randomness — given there isn’t going to be a whole lot of source material for would be crackers to get their teeth into, at least not initially.
You could also raise concerns about the security of QR codes — given the potential to inject malicious code into the barcode and that then be an avenue for compromising the security of the app at the point of optical exchange. However you’re still scanning a QR code from a person you know well enough to meet in person and want to swap pads with, so presumably you trust them. Ergo that human trust layer helps shrink the associated risk.
The bigger question is whether the online chattering classes can be convinced to add another messaging app to their phone’s homescreen — especially one with such an esoteric twist. Take away the OTP feature and Zendo is a minimalist messaging app which is either uncluttered or feature-lite, depending on your preference. Buzzy broadcasting app du jour, Meerkat, this is not.
And while One-time pads are cool if you’re into espionage genre fiction, the mainstream are likely to be nonplussed as to the cryptographic advantages (although the team has made a cutesy video to get their message across in as plain a way as possible).
“Who are our competitors? Basically everybody. I don’t imagine for a second that the One-time pad thing is so unusual that it means that we have no competitors. Wickr, Threema, TextSecure, iMessage to a certain extent, Silent Circle,” says DeNeut, listing multiple pro-privacy rivals, before once again pointing to Zendo’s OTP USP. “None of those that we know of have an in person key exchange process.”
Albeit Threema, which uses asymmetric cryptography so requires public keys and has a public key directory, does actually offer a QR code scanning option for an in-person exchange, although this does not involve the exchange of actual encryption keys (rather it’s a public key confirmation step for validation). Plus, given it’s not One-time pad encryption Threema can’t lay claims to any ‘cryptographic unicorns’.
“They all suffer from this man-in-the-middle risk,” adds Newbolt. “For us one thing is the optical component, the QR code, for us that’s a really important part of the process but a lot of users think that’s the whole thing. They think ‘oh you’ve exchanged the keys now’… But the really cool thing is the One-time pad stuff that happens invisibly in the background to negotiate between the two devices where we’re really exchanging the encryption keys in person.”
One more thing: Zendo is not claiming it’s created an ‘NSA proof’ messaging app. They are not even officially claiming perfect forward secrecy. Insecurity risks undoubtedly remain. “I don’t know what renegade software you’ve installed on your iPhone,” says DeNeut, pointing out one threat vector, and adding that “no sober person” should claim to have made a digital service that’s ‘NSA proof’.
User-added malware is not the only issue either. There’s also the cellular hardware itself. Baseband chipsets remain an unknown in the (in)security equation, given they run proprietary software meaning it’s not possible to lift the lid and peer inside to do a sweep for built-in backdoors.
But where security is concerned, there are ever caveats. I ask a privacy expert for his opinion on One-time pads and he responds with: “pretty NSA unhackable, for friends/family & politics”, adding that OTP running on a mobile handset might also be a “good idea” if implemented very cautiously — e.g. “on a hackerspace manufactured air-gap primitive Blackberry device with keyboard & LCD, and NO CPU (discrete logic gates)”. However his concise verdict on OTP on mainstream smartphone hardware is not positive. “Bugatti into skateboard is wrong,” he says — pointing to baseband backdoor risks, and also the potential of generated randomness not being random enough.
So One-time pad’s perfect, paper-based secrecy is one thing. But it does not necessarily translate into perfect security in a technology context. It comes down to how you implement it. And mainstream smartphones are certainly convenient but they are not perfectly secure. So Zendo entails (yet) another security vs convenience balancing act.
Who is Zendo for?
Even so, the app remains compelling as an easy to use tool for selectively shrinking passive surveillance — whether that’s web companies doing ad profiling, or casual hackers trying to get access to your passwords, or even dragnet digital state surveillance that’s indiscriminately tapping the Internet’s backbone to harvest haystacks of data — given that an offline key exchange for One-time pads does offer a more robust security guarantee for protecting messages in transit. (“When you reduce the attack surface and you make it near to you, you’ve seen it’s constrained and you can do less stuff, but it’s [better for] security,” is how Couprie puts it.)
“If you are the active target of an investigation then it gets harder for me to guarantee your security,” adds DeNeut.
We think the app’s for everybody. Because you don’t need to use a single messaging app in your life.
So people on the NSA’s watchlist won’t find much in Zendo to reassure them. Nor should they. That’s not the aim. This is a messaging app for average web users who are tired of all their digital movements being ceaselessly snooped on for others’ financial gain and want a channel that’s harder for dragnets to trawl. And maybe also for those who feel social noise on mainstream digital services is diluting the signals they do really want to hear. Who are looking for a way to have a more intimate conversation, that doesn’t necessitate shouting to be heard over the branded hubbub.
“We think the app’s for everybody. Because you don’t need to use a single messaging app in your life,” says DeNeut. “It’s very easy to have two or three or four, you get a notification, you tap on the notification, you go to that, it opens that app and you respond or whatever. So it’s trivially easy to use multiple apps.”
“Everybody probably has someone they want to communicate with privately,” he adds. “Significant others, business partners, people that you want to send passwords to occasionally, or you want to send them the door code for the apartment building or whatever. And then close friends and things. Since you meet them in person anyway it’s no trouble to exchange keys. So if you want to send them something that’s not going to be added to your profile at Facebook or whatever.”
“Millennials are super sensitive about their entire lives having been documented in social media from the moment that they were born,” adds Newbold. “And they are more and more aware of alternatives to the GooglePlex services where you’re giving up all of your data for services. Snapchat is ephemeral messaging but it’s definitely people who don’t want to have all of their private moments become part of their permanent record.”
Digital communications are already fragmented across scores of messaging apps and services. And that’s no accident. It’s absolutely about user preference. The digital medium is the message. So with that in mind, Zendo’s pro-privacy, pro-intimacy message feels novel enough to find an appreciative audience. I for one welcome this cryptographic unicorn.