A few things we should be looking at very critically in secure messaging apps are:
1. How are keys generated? PseudoRandomGenerator() used? What sort? This is one of the key break-in areas into a crypto framework.
2. Software-based crypto used? It's prone to channel attacks where another app may be inspecting the memory.
3. How are keys shared?
4. How are keys stored?
"Security" would just be an illusion, a flawed insurance policy, if these aspects are not properly catered for. There's a reason why hardware crypto exists.
The weakest link in any security system is the "key". Does not matter how strong the crypto algorithm is as long as key management is not rock solid.