Dubious Claims Cloud John McAfee's Chadder Message App
Add another private messaging smartphone app to the growing list: "Chadder" has just been released for Android and Windows Phone, with an iOS version on the way. Chadder claims to let users send and receive encrypted messages that can only be read by the intended recipient.
However, Chadder's developers, who include John McAfee, the eccentric millionaire who founded the McAfee antivirus software company in 1987, have so far been vague about exactly how the app works. The information they have released about Chadder doesn't seem to support their claims of impenetrability.
The app was co-developed by NYC-based start up Etransfr and McAfee's own Future Tense Systems (FTC). Details on Chadder are light: A press release announcing Chadder says the app uses key server encryption, which the press release claims makes messages sent through the Chadder server so secure that even the server operators can't read them.
However, in an explanatory YouTube video about Chadder posted by Etransfr, the creators say the encryption process involves sending a message to a remote company-owned server to be encrypted. From that server, the message is then sent on to the intended recipient.
This implies that a plaintext (i.e. not encrypted) version of the message exists on the company's servers before it is encrypted. The server would presumably also have a record of which key was used to encrypt a given message, and who the sender and receiver were. In other words, Chadder doesn't sound very secure at all.
If you're looking for a secure Android or iOS messaging app, try Wickr, which is free, or Silent Text, which costs $10 per month. iPhone and iPad users already have a strongly encrypted messaging app in the form of iMessage. For secure text messaging over cellular voice channels instead of the Internet, Android users can use the free TextSecure app.
Update: Future Tense Systems contacted us with more detail about how Chadder works:
"Chadder encrypts the user's messages on the client-side, before messages are transmitted. There is never an instance where your message is in plaintext or otherwise human-readable format. A decryption key is also generated client side, and stored on our servers. The keys, messages, and identifier info (sender, recipient, date, etc) are not stored together or in an otherwise easily-correlatable fashion.
"Messages and keys (encrypted, no plaintext) are received by our servers and stored as applicable; the approach we've taken in storing the data ensures that even if we wanted to read your messages (which we don't), we'd have no way of doing so."