London-based startup Qredo has announced the beta launch of an app encryption development platform hosted in the cloud, in an effort to make it easier for firms of all types to add high-level security to their apps.
The company claims to be the first to combine strong end-to-end encryption with cloud-based app development from the ground up, and describes the Qredo SDK as the next step in app security.
"If you want to embed end-to-end features in your app currently it's quite difficult and there is no toolkit in particular to do it. The problem is compounded when you want to use cloud services," Justin Megawarne, lead developer at Qredo, told V3.
The toolkit lets developers create a range of professional applications spanning social media, secure messaging, protected bitcoin wallets and even gaming. The kit is currently in beta for iOS and Android, and will be expanded to Windows and Web SDK in the full release.
Qredo's approach is different because it is founded on encryption. "Our servers have no idea what your app is storing or how it is communicating. Only the devices know what's going on," he said.
"The cloud infrastructure in the middle that relays the message has absolutely no idea who is communicating or what they are talking about. Of all the security measures out there, cryptography is the champion. The net result is that if someone breaches our infrastructure they see nothing but encrypted data."
Many popular software applications boast strong encryption, including Snapchat, Dropbox and messaging service Kik, but the way in which these apps manage encryption keys leaves them vulnerable to attack, according to Megawarne.
"The way [Dropbox] works is they claim to encrypt the data, but actually they hold the keys to the encryption so they can decrypt the data any time they feel like it. Consequently, someone who hacks their infrastructure can also decrypt that data and see what's going on," he said.
"If they had built it on top of Qredo the only person that would have access to the data would be the end user."
A Dropbox spokesperson told V3 the firm uses "industry leading" security standards and manages encryption keys "to remove complexity", yet stressed keys are held to strict industry standards.
Open source security
Qredo's architecture is open source and the code and security standards can be openly scrutinised by others. Megawarne told V3 that this will make the final product more secure.
"If you are serious about security, leaving the source code open for everyone to analyse means that problems are found much earlier and you benefit from the entire security community, not just your close-knit [development] group," he said.
"There are a lot of products out there that are not open source. They claim to encrypt things on the device but actually there is no way to know without reverse engineering the software, which in some jurisdictions is illegal.
"You don't have to take our word for it; the security community at large will be able to attest to what [the platform] does."
The beta release comes as strong end-to-end encryption is being openly debated around the world.
The UK government, for example, has been criticised by major technology firms including Facebook, Google and Twitter for its stance on cryptography following the publication of the Draft Investigatory Powers Bill, or so-called Snoopers' Charter.
The bill aims to increase the surveillance powers open to the government, police and intelligence agencies, and includes proposals to legalise bulk equipment interference, or ‘hacking'.
However, Megawarne told V3 that security specialists in the government are well aware that strong encryption is needed to protect citizens online.
"People like David Cameron are coming out and saying we can't have strong encryption, but the technical experts in government, in the Civil Service and particularly in places like GCHQ, know that strong encryption is absolutely vital for the country's national security," he said.
"In terms of legislation, the clarification they have made to us is that the government is not so much interested in the right to compromise the product from the outset or by asking a company to build in a backdoor, they are much more interested in the right to peek.
"So, if they have their own hackers who try to interfere with network equipment they want that to be legal. Basically the ability to attempt a hack on a server, for example. It's not hobbyist hackers any more, it's hostile nation states and large criminal organisations that are trying to breach data. Weak encryption will weaken everybody."
Qredo aims to make its application development platform accessible and easy to use while still providing a foundation of security.
"The issue at the moment is not that there aren't encryption or security products out there, but that they are too damn hard to use," Megawarne said.
"What we are trying to do is make them easy to use. It's very easy to make something convenient and compromise security and we don't want to do that.
"We are currently in an early access programme. We have been in development for a long time because it's a security product. It's one of those things you don't want to release too early. You have got to get it right."
Darktrace pushes machine learning to take some of the pressure off of IT and security teams
Google also gets its hands on HTC's IP in a non-exclusive deal
Microsoft, Google and Samsung all targeted as Avast admits to the scale of the CCleaner compromise
Not all loose ends tied yet, admits Bain backer SK Hynix