Updated: Feb 25
One of the most neglected aspects of a secure communications app is the contact list. Your contact list reveals a lot of information about someone. It shows who you’re connected to and who you communicate with, either of which can be exploited in a number of ways to undermine your privacy or security. This article shows you all the ways SecureCrypt secures your contact list by looking at:
SecureCrypt ECC ID practices
Managing your contact list
Changing contact names
Contact list storage
Explore these points to learn how and why we’ve secured them, and see how they fit into the larger ecosystem needed for a truly secure phone.

SecureCrypt ECC IDs: First layer of defense

How SecureCrypt ECC IDs, the usernames of SecureCrypt ECC users, are created is the first step in how your contacts, and you, are secured. They work like this:
Every SecureCrypt ID is a randomly generated, unique 5-character identifier.
No personally identifiable information is ever associated with any SecureCrypt ECC ID. Absolutely nothing about it, or connected to it, will reveal who the user is.
These two facts are the first steps in how anyone can use SecureCrypt anonymously if they want to. There are no phone numbers, names, or any other information to compromise the identity of any user via their user ID, or any other records kept by SecureCrypt—because we keep no records with personally identifiable information.

Why SecureCrypt doesn’t use phone numbers

Many “secure” messaging apps get this part wrong. The worst case is that they allow users to search for people based on contacts in other apps or in your phone’s contact list. This is very convenient, but it doesn’t help you, or the people you talk to, remain private. Why is this really a problem? Several reasons:
People can see your chat and definitively link your phone number to you. You can use an alias all you want on an app like Signal, but it’s been proven to not be a secure way of protecting your identity. Your phone number is displayed everywhere and it will get traced to you, right State Rep. Matt Shea? (reference: https://www.theguardian.com/world/2019/nov/08/matt-shea-republican-far-right-leaked-chats-washington-state)
Those who don’t know you can find your number and add you to group chats. This seems harmless until someone adds you to a group chat without your consent, you ignore it, but there’s your identity on a group about criminal acts.
Being in a group chat with a bunch of people you don’t know exposes you to personal attacks. Your phone number, when registered with your phone company, is connected to a lot of information—like your address. A less nefarious issue is finding your number on spam call lists or, much worse, being contacted directly by a stalker.
These issues make any chat app insecure right away. SecureCrypt was built so that we don’t know the phone numbers connected to the dedicated SecureCrypt devices our users are using.

How your contact list is managed

Managing your contact list properly is next to impossible with so many chat apps using phone numbers as the way that users are identified. SecureCrypt uses a few tactics to help you manage contacts properly:
Users directly control who can message them before a message is sent. Every SecureCrypt user must authorize each contact request sent to them before any message can be sent. See a request from someone you don’t know, or don’t trust? Manage your contact list by not approving that user. You cannot be discovered on any SecureCrypt server through your SecureCrypt ECC ID. Your name isn’t associated with your ECC ID anywhere. This means that no one can go searching for your ECC ID and find you to send unsolicited messages. This is vastly different from directly linking your account to your contact list.
The only way to contact another user is to get their ID from another user who already knows it, or for you to give it to them personally. This one-to-one sharing vastly minimizes spam.
Those are the basics of how you build your contact list, but here’s how you protect it:
Any contact on your approved list can be deleted, or deleted and blocked. This has to be a standard feature of any decent messaging app, and SecureCrypt certainly has it.
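To make the contact-management rules above concrete, here is an added model (not SecureCrypt’s own code, which this article does not show) of the approval-before-delivery gate, the delete-and-block action, and random ID generation. The ID alphabet of uppercase letters and digits is an assumption; the article only says the IDs are 5 characters long.

```python
import secrets
import string

# Assumed alphabet: the article says only "5-character", so uppercase
# letters plus digits is a constructed assumption, not SecureCrypt's spec.
ID_ALPHABET = string.ascii_uppercase + string.digits
ID_LENGTH = 5


def new_ecc_id(existing: set) -> str:
    """Draw a random ID from a CSPRNG, retrying until it is unique."""
    while True:
        candidate = "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))
        if candidate not in existing:
            existing.add(candidate)
            return candidate


class ContactList:
    """Per-device contact state keyed only by opaque IDs: no names,
    no phone numbers, nothing a server could search by identity."""

    def __init__(self) -> None:
        self.approved: set = set()
        self.pending: set = set()
        self.blocked: set = set()

    def receive_request(self, sender_id: str) -> str:
        # Requests from blocked IDs are dropped; everyone else waits for approval.
        if sender_id in self.blocked:
            return "dropped"
        if sender_id in self.approved:
            return "already-approved"
        self.pending.add(sender_id)
        return "pending"

    def approve(self, sender_id: str) -> bool:
        # Only a pending request can be approved; unknown IDs are refused.
        if sender_id not in self.pending:
            return False
        self.pending.discard(sender_id)
        self.approved.add(sender_id)
        return True

    def delete(self, sender_id: str, block: bool = False) -> None:
        # "Delete" removes the contact; "delete and block" also bars future requests.
        self.approved.discard(sender_id)
        self.pending.discard(sender_id)
        if block:
            self.blocked.add(sender_id)

    def can_deliver(self, sender_id: str) -> bool:
        # The gate the article describes: no approval, no message delivery.
        return sender_id in self.approved
```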
Proper management of a contact list is about blocking and restricting as much as it’s about building. There are celebrities with tens of thousands of fans who would love to get their ECC ID somehow and contact them, but if they have restricted their network those fans can’t contact them, even if they somehow obtained the ECC ID rather than a phone number.

Self-Destructing Messages

Having chats stored forever can be a contact list issue. Chat services with backups stored indefinitely on a cloud server (WhatsApp, Signal, Threema, Telegram, etc.) can make it possible for chats you’ve deleted, and people you’ve disassociated yourself from, to remain a part of your network:
You add someone to your contact list and chat with them.
During the conversation you come across information about this person which prompts you to not want to associate with them any further.
You delete and block them from your contacts.
If you’re on SecureCrypt that’s the end of it. The chat is deleted from your phone, it’s not on a server, and that person is no longer on your contact list. With apps that store chat backups in the cloud (like every free encrypted messaging app in existence, besides SecureCrypt) that person is forever associated with you as someone who was on your contact list and whom you interacted with.

Custom contact names

One of the easiest hacks in the world for discovering contacts is looking over someone’s shoulder when they have their phone out, or taking their phone out of their hand while it’s unlocked. The only way you should operate is by changing your contacts’ names to something only you will recognize. These names make it much more difficult to figure out who I have on my contact list, but I know exactly who they are. Someone who takes my phone would have a much harder time figuring out who each contact is, while someone looking over my shoulder (with a camera, perhaps) isn’t going to get any information useful to them. Securing a contact list is about more than securing the numbers; it’s about securing every single aspect of how the data is stored, even locally on your phone, and names are part of it. If the real names of the people on my contact list were displayed at all times it would be much easier for an attacker to know who to target; think of it as superhero secret identities for your phone.

SecureCrypt and directory servers

SecureCrypt does not use a searchable directory server. This means that no data about you is stored on our, or any other, server in a searchable manner. This data is yours, so you manage it yourself with your device; we don’t manage it for you on a server in a way that could lead to data compromises. This has the benefits of:
There is no way for someone with access to a server to find your ID to contact you. This is both for your own privacy from those you don’t want to talk to, and to protect you from outright spam.
If we used a directory server based on the old model of phone numbers, anyone who has ever had your phone number could be notified of you being on a new communications platform. They could contact you before you could block them. No one is notified of you joining SecureCrypt because we’re not built that way. (Signal and WhatsApp are built without these protections in place.)
Directory servers filled with contact information are another one of those things which are really convenient for users, and are also really convenient for hackers to steal data from. With privacy and security in a zero-trust model being the most important aspects of SecureCrypt we knew that we couldn’t use a directory server the same way as other apps. This is a very real issue as over 419 million phone numbers were exposed in September 2019 thanks to a bad directory server Facebook owned. This dwarfed what was thought to be a terrible breach of 49 million Instagram (owned by Facebook) users back in May 2019. Having your phone number leaked by a directory server has worse consequences than getting spam or harassing phone calls as it can also lead to spoofing phone numbers for two-factor authentication, and can be used in SIM jacking attacks. Not using a directory server may seem like a small thing, but it has major consequences—so we don’t do it. Absolutely everything on a SecureCrypt server is encrypted by verified 512-bit ECC, including the contact lists.
This is in stark contrast to Facebook’s practice above of storing personal data on a server with no password protections, which is completely unacceptable. Our strategy of ever-increasing layers of security keeps your contact list—and therefore you—private and secure.

You deserve secure and controlled contact lists

Securing a contact list is often the last consideration for “secure” communication apps you’ll find on the app stores of the world. This is because they want to do everything they can to get you talking on their networks with people you already know on the network. They do this because:
Creating open contact lists on their directory servers allows you to search for contacts already on the app, while also providing you with a backup if you switch devices.
This is convenient for both you and the app provider, but it is awful for privacy and security.
Anyone trying to minimize these two issues is doing you a disservice if you truly value security and privacy at the uppermost levels.

How SecureCrypt manages contact lists

We created SecureCrypt knowing that we had to do better, and we did by taking these precautions with building and managing contact lists:
SecureCrypt ECC IDs are randomly generated and not attached to your personal information, making it impossible for people to message you without them personally being given your ID number.
You control your contact list.
All chats disappear, which is another aspect of contact management.
You can create custom contact names to fend against direct observation tactics which steal contact list information.
Contact lists are not stored on searchable directory servers.

Doing one, or a few, of these would vastly increase the contact list security of every major free app out there, but SecureCrypt does them all. This is another aspect of our secure phone ecosystem, and we hope you’ll contact us today to learn how SecureCrypt can help you and your organization.