The encrypted chat app Cryptocat has made it to iPhone and iPad, adding itself to the growing list of privacy-conscious mobile messaging apps.
"Easily have group conversations with your friends without fearing monitoring or interception," reads the app's description in Apple's iTunes Store. "Cryptocat is free, open chat that aims to provide an open accessible Open Messaging environment with a transparent layer of encryption that's easy to use."
Unlike other secure messaging apps — such as Wickr, TextSecure or SilentText — Cryptocat doesn't require fixed usernames or accounts. Instead, users can create a disposable username and then start a new conversation or join an existing one.
"There are no buddy lists or account activity or account history to link back to the user," lead Cryptocat developer Nadim Kobeissi wrote on the Cryptocat blog. "This way, Cryptocat offers a unique ephemerality that makes setting up encrypted conversations immediate and without any lasting history that can be traced back to users."
Cryptocat apps already exist for several Web browsers, including Apple Safari, Google Chrome, Mozilla Firefox and Opera. There's also a stand-alone client for Mac OS X. The iOS mobile app can interact with any other Crytocat build.
Asked whether Cryptocat was planning an Android version as well, Kobeissi told Tom's Guide, "Yes!"
Asked whether he planned to ever make money off Cryptocat, Kobeissi, a recent college graduate based in Montreal, said, "No!"
Cryptocat uses the Off-the-Record Messaging (OTR) protocol to encrypt its messages, but its developers warn that it's not perfect, and it certainly isn't safe from prying by the National Security Agency or other intelligence or police services.
"Cryptocat is not a magic bullet," the Cryptocat Chrome app warns users. "You should never trust any piece of software with your life. Cryptocat can't protect you against untrustworthy people or key loggers, and does not anonymize your connection" as Tor would. (An anonymizing Tor plugin for several chat applications is in the works.)
Jonathan Zdziarski, a Boston-based expert on forensic extraction of data from iOS devices, stressed the Cryptocat iOS app's limitations in a review he posted on the iTunes Store page.
"The app leaves behind a treasure trove of forensic artifacts that can be lifted from your device if it is ever stolen, hacked or seized by law enforcement," Zdziarski wrote. "All your past typing is logged into Apple's keyboard cache ... The app also intentionally stores the user’s private key, room name, nick[name], buddies and other identifying information in the configuration file."
"If I could figure this out in just a couple of minutes," Zdziarski added, "I'm sure bad guys/feds/etc. are figuring it out too."
Kobeissi told Tom's Guide that Zdziarski was aiming at the wrong target.
"His comments ignore the threat model," Kobeissi said in an email message. "If you seize any iPhone, surely you can get some data via forensics. Cryptocat's security goals are protecting data from interception, not protecting your phone from forensics."
Last year, serious flaws in Cryptocat encryption were discovered and patched.
"Every time there has been a security issue with Cryptocat, we have been fully transparent, fully accountable and have taken full responsibility for our mistakes," Kobeissi wrote on the Cryptocat blog following the patch.