Upstart encryption app walks back privacy claims, pulls from stores after probe

2023-05-17 06:30

A new-ish messaging service that claims to put users' privacy first has changed its tune - and the end-to-end encryption claims on its website - as well as pulling its app from both the Apple and Google app stores after being called out online.

Converso - a comms app launched in September 2022 - billed itself as a "Next-generation messaging app that keeps your conversations completely private." This, according to the developer's website, included "Proprietary state-of-the-art end-to-end encryption technology," no storage of messages on servers, and "Absolutely no use of user data." It claimed it could stand up to the likes of Signal and WhatsApp in the security stakes.

"Dissecting Converso was in large part a learn-as-you-go exercise for me, as I don't have prior experience reverse engineering mobile apps," Crnković told The Register.

Crnković published an article about these findings on May 10, and The Register contacted Converso on May 12 for its response.

The messaging service had "Already rebuilt the app authentication flow before any potential issues were exposed. Any secrets that are leaked on the client side are from an older version of the app, and anyone who is on the latest updates is no longer using the identities generated on the previous version," he added.

The app has been "Temporarily taken off" of the App Store and Google Play "While we address and improve any remaining potential vulnerabilities."

News URL

https://go.theregister.com/feed/www.theregister.com/2023/05/17/converso_e2ee_app/

#encryption #privacy