Viral communications app Plague changes its name – sort of

When Lithuanian developer Deep Sea Marketing launched its app Plague last year, there was a fair bit of confusion over its app and a popular game by Ndemic Creations called Plague Inc. Now Ndemic has asked Deep Sea to change the app’s name, and Deep Sea is kind of obliging. The new name of the app will be “Plag**” with the two asterisks representing blacked out letters in its logo.

Yes, Deep Sea is being cute, but the company has always had a rather twisted sense of humor. After all, it named an app designed to facilitate communications between people in disparate parts of the world after a global biological catastrophe. For those of you who haven’t tried out Plag**, it doesn’t use social networking principles to spread its content. Rather, it distributes content like a disease, infecting users of nearby smartphones who further infect new users they come in contact with.

To be fair, Plague Inc. is pretty twisted as well, though highly addictive. In the game you control a pathogen, and your goal is to infect and wipe out the entire world’s population before the globe’s scientific community can research a cure. My favorite level is “Neurax Worm,” a parasitic organism that burrows into its host’s brain.

Deep Sea is launching a new website as well, and while Deep Sea may not be thrilled it needs to undergo a semi-rebranding as it’s just gaining international attention – it reported 150,000 users in January two months after launch – the move will hopefully prevent some confusion. Web and app store searches for “Plague” intermix results for both apps, and they both use many of the same epidemic-related terms in their marketing.

Researchers slam Telegram app’s “visual fingerprint” security

Security researchers Alex Rad and Juliano Rizzo claim to have discovered significant weaknesses in the Telegram secure messaging app, mainly to do with the “visual fingerprint” that correspondents must use to ensure the security of an end-to-end encrypted conversation.

Telegram chats are not end-to-end secure by default, and when users want to set up a fully secure chat they need to compare these visual fingerprints — derived from the shared secret key for the conversation — to check that they see the same thing, so the shared key has not been tampered with.

Telegram visual fingerprint

The biggest problem they highlighted in a Friday blog post was a simple one: As users don’t tend to be standing next to one another, the easiest thing for them to do is share screenshots of the fingerprint through the not-yet-properly-secret conversation – which a man-in-the-middle (MITM) attacker could “auto-replace.” Sharing them via MMS could also cause problems, due to the vulnerability of that channel.
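An added illustration (not from the article, the researchers' post or Telegram's code) of why a fingerprint compared over the chat it is meant to verify proves nothing, while the same comparison over an independent channel exposes mismatched keys. The `fingerprint` derivation (truncated SHA-256), the `Relay` class and every name here are assumptions made for this sketch, and the keys are random values constructed for it.

```python
import hashlib
import os


def fingerprint(shared_key: bytes) -> str:
    """Hypothetical derivation: truncated SHA-256 of the chat key (assumption)."""
    return hashlib.sha256(shared_key).hexdigest()[:32]


class Relay:
    """The path the chat takes. An intercepting relay has negotiated a
    different key with each user and can rewrite anything sent through it."""

    def __init__(self, intercepting: bool):
        self.intercepting = intercepting
        self.alice_key = os.urandom(32)  # constructed sample key
        # Honest relay: both ends share one key. Intercepted: two distinct keys.
        self.bob_key = os.urandom(32) if intercepting else self.alice_key

    def deliver_to_bob(self, value_from_alice: str) -> str:
        # In-band delivery: the relay decides what Bob actually receives.
        if self.intercepting:
            return fingerprint(self.bob_key)  # matches Bob's own screen
        return value_from_alice


def compare_in_band(relay: Relay) -> bool:
    """Alice sends her fingerprint through the chat being verified."""
    received = relay.deliver_to_bob(fingerprint(relay.alice_key))
    return received == fingerprint(relay.bob_key)


def compare_out_of_band(relay: Relay) -> bool:
    """Bob sees Alice's real value via a channel the relay cannot alter."""
    return fingerprint(relay.alice_key) == fingerprint(relay.bob_key)


def run() -> dict:
    results = {}
    for label, intercepting in (("honest", False), ("intercepted", True)):
        relay = Relay(intercepting)
        results[label] = (compare_in_band(relay), compare_out_of_band(relay))
    return results


if __name__ == "__main__":
    # (in-band says match, out-of-band says match) for each scenario
    print(run())
```

The in-band check reports a match in both scenarios, so it carries no information; only the out-of-band comparison distinguishes the intercepted chat from the honest one.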

Even if the users don’t make such mistakes, the researchers argued, a very well-resourced “super villain” – as in, one with tens of millions of dollars to spend, or a botnet or supercomputer under its control — might be able to spoof the visual fingerprint. However, Telegram responded on Twitter to say they got their numbers wrong, and this would be prohibitively expensive…

… and also argued that the researchers were wrong to say that social engineering would be able to make the calculation of the fingerprint more manageable.

Rizzo shot back:

Rad and Rizzo also criticized Telegram for using SMS as a user authentication mechanism, as “SMS can be sniffed and cracked, targets can be connected to false base stations, and carriers can be compromised.” This would obviously also affect those using MMS mechanisms to compare visual fingerprints.

The researchers called on Telegram to make all chats end-to-end encrypted by default, switch from per-chat authentication to proper public key cryptography (as used by the likes of OTR, Threema and TextSecure), and introduce a new user authentication scheme.

“Finally, to honor privacy, Telegram must enable communications decoupled from the requirement for address books and a phone number so that people can use Telegram anonymously, which is not currently possible,” they added.

Berlin-based Telegram sent me a statement in response to the blog post, noting in response to the “super villain” attack theory that — on top of the $1 trillion issue — “people usually contact support if a secret chat takes more than a few seconds to be created — and here it would have to take 30 days”. The statement continued:

In terms of comparing key visualizations, pretty much any way of remote identity verification (like sending screenshots) poses similar problems, including public keys suggested in the post. A secure independent channel is required — personal communication being, naturally, the only truly secure option.

As for the possible login SMS interception — it does not affect secret chats. For additional protection of cloud chats, we’ve been working for the last two months on introducing cloud passwords for users who are concerned about the safety of their SIM — that work is nearing conclusion.

On the whole, we’re glad that Telegram’s open structure, code and documentation makes it possible for researchers to contribute and suggest solutions. We’re grateful for each comment of this kind, regardless of whether it describes a realistic attack or not.

This article was updated at 5am PT to note that the insecure channel for sharing visual fingerprints would be MMS, not SMS, and again at 5.30am PT to note Telegram’s statement. It was also amended at 11.40pm PT to remove my erroneous assertion that TextSecure is known as Signal on iOS — the apps are made by the same people and the idea is for TextSecure-compatible messaging to be added to Signal, but for now Signal is only a secure voice app, equivalent to Redphone on Android.

Has Snapchat peaked? Comscore numbers suggest flat growth in 2014

Snapchat’s user growth seems to have stalled toward the end of 2014, according to new Comscore numbers I obtained on Friday. As you can see from the below graph, Snapchat hit a peak around March 2014 and has slowly declined in unique visitors since then. I’ve reached out to Snapchat for comment and will update this if I hear back.

One caveat: Comscore only reports numbers from the 18 and over user group for legal reasons. Companies like Snapchat and Kik have big teen bases, so the Comscore numbers aren’t 100 percent representative. At the same time, given that Snapchat has saturated the teen audience at this point, the slow growth from the 18+ demographic is troubling.

The trend graph comes from a Comscore Mobile Metrix report that charts the number of monthly active users aged 18 and over in the United States. It looked at five messaging applications from October 2013 to October 2014 — Snapchat, Kik, WhatsApp, Line, and WeChat. It tracked “total unique app visitors,” but Comscore confirmed to me that’s the same as MAUs.

Comscore’s numbers are notoriously fickle and publishers frequently report more traffic than Comscore says they have, but in terms of overall growth trends the company is usually pretty accurate.

Comscore’s Mobile Media Matrix (shows growth 2013-2014)

It’s not just Snapchat that has flatlined. Other messaging apps are seeing similar stagnation, with Kik hovering near the 15 to 16 million mark since April, WhatsApp at 7 million since March, and Line around 4 million since August. WeChat has been below 1 million since January.

So have we hit peak messaging app overload?

The Comscore graph also shows us where the most popular apps stack up against each other in the U.S. market. Snapchat is in the clear lead, despite flatlining. Kik is a not too distant second, which might surprise some. We also get a sense of WhatsApp’s American user base. The company hasn’t shared its U.S. metrics before, which led many to believe they were low.

But the fact that WhatsApp’s US monthly active users are this low — near Japan-based Line — is new information.


This story has been updated since publishing to highlight the 18+ caveat higher in the post.

With 1M downloads, Between shows the promise of couples apps

The latest rage in mobile social apps is private networks built for couples. But are lovers eager to commit their lives to each other through an app? Between, a couples app, thinks so. It just hit the 1 million download mark after launching in November.