Learn About the Powerful Network Security Features of SKY ECC

When it comes to secure phones, network security is one of the most important considerations. Yes, everyone is aware of end-to-end encryption (E2EE) at this point, but that is just one aspect of a much bigger picture. For true privacy and security, E2EE is the minimum requirement from any decent messaging app, but few apps add the network security features needed for real security.

SKY ECC was built with secure network features which go far beyond anything offered by WhatsApp, Signal, or Wickr. These features include:

  • App and OS settings
  • Connection protections
  • Server configuration and storage

Each of these network security features within SKY ECC is a part of our zero-trust philosophy. We make sure that if any part of the system were compromised, there are fail-safes in place, so that your security is never put at risk.

Network security features: App and OS settings

There are a number of features built into our app to secure all network connections, as well as operating system settings which we’ve leveraged for security. Here’s a colour-coded diagram with an overview of the system:

Let’s look at those steps now:

  1. The very first task the SKY ECC app performs after you enter your password is a security task: checking if the network is secure.
  2. If the network connection is not secure you cannot use SKY ECC. 
  3. All of this occurs after you enter your password, but before key exchanges and authentication.
  4. Absolutely no connection is allowed over insecure networks.

When the first step of your app, not even the network, is to check for a secure connection, you know you’re getting a product far beyond what any free app is offering.

Knowing that the network is secure is an incredible advantage, but we have taken extra precautions with our end-to-end encryption:

  • Private keys are generated randomly using your own device touches. These keys are stored on your device alone, never on a server.
  • 2048-bit SSL VPN or 256-bit SSL encrypted connections are used on every connection to our secure, anonymizing gateway and firewall.
  • Headers and metadata are encrypted using 256-bit AES encryption. This step is often overlooked by other apps, exposing your most basic data to hackers.
  • 521-bit elliptic-curve cryptography with Diffie-Hellman key exchange protects all messages. This is magnitudes more secure than that used by even the NSA for their Top Secret messages, which use 384-bit ECC.

The first vulnerability for any network connection is the key exchange and authentication. Preventing the app from performing that function on an insecure network prevents issues long before they can happen. Next is encrypting everything sent over the connection, and SKY ECC handles that with levels of encryption you won’t see from WhatsApp, Signal, Wickr, or even most secure government communications tools.

Network security features: Connection

Above you saw all of the secure features which we send over connections, but we also take steps to secure those connections further. There are two separate ways we do this:

  1. Cell data: This is when you are using the cellular network of your phone provider. It is separate from Wi-Fi connections, but must be secured all the same, especially considering how easy it is to hack the cellular network. We secure this using APN settings which encrypt and protect the connection against SS7 attacks. Even though newer 4G (LTE) and 5G connections are better protected than 3G, we still encrypt and protect the connection.
  2. Wi-Fi data: Connecting to the local coffee shop’s Wi-Fi is a standard practice, but is terribly insecure for a wide variety of reasons. It could be an Evil Twin hack set up by a hacker to steal data, or, more commonly, it could just be a crappy network with no encryption that anyone could tap into and steal data from. SKY ECC secures all Wi-Fi connections with VPN encryption protocols so that you’re protected before you transmit any data. 

Most people don’t even think about mobile data security, believing that the phone company is keeping them secure.

They aren’t completely secure. At all.

How bad is it? The SS7 hack has been going on since the late 1970s. Let’s dig deeper into this network security issue:

  • SS7 is a core signaling system used by all cellular networks.
  • Traffic sent over it is not encrypted, and the system can’t tell the difference between real or malicious commands.
  • Encryption and signal separation weren’t required as nothing useful was sent over this signal until…
  • 2000 was the first year when processing SS7 commands over IP began. This risks exposing the SS7 layer to hackers and other people who wish to access it.
  • Poor regulations on licenses to connect to a node have led to “Connection-as-a-service” hubs where people pay to access this data whenever they want.

None of this is just a theory that you could be hacked; it’s an actual fact, as an SS7 hack has recently happened. Wait, you think you live in a tech-savvy country that has fixed this? Try again, here’s a map detailing SS7 risks globally:

[Image: global SS7 hack risk map]

This isn’t even getting into IMEI catchers which are fake cell towers set up by hackers (tech stolen from the police’s arsenal) to steal any unencrypted data sent to their fake cell tower. Sky protects you from all forms of these attacks with the combination of our APN settings and always-on network encryption.

Other apps don’t secure their network this thoroughly. Most do the absolute minimum to get by and placate the average user. If you’re above average, and have a need for true security, then you need a tool as powerful as SKY ECC.

Not convinced that it’s essential to secure against the SS7 hack, and others like it, still? Watch this video to see that it’s not all that difficult to do:

This is one of many reasons why we worked so hard to properly secure SKY ECC against a multitude of attacks.

Other connection strategies used by Sky

For even greater network security, our connections only send SIM and IMEI data in the clear. This is the absolute minimum amount needed to make a message go from your phone to that of another SKY ECC user. Your SIM number and IMEI are required to connect to cell towers to send any kind of data at all. 

The SIMs we sell with our devices are registered to, and owned by, Sky, with no personally identifiable data linked to the user. All of this means that even if, in some impossible way, an attacker got hold of the SIM of a user over SS7, they still couldn’t find out who is actually using the SIM. This is zero-trust security in action.

Network security for servers

The servers that messages are sent through, and stored on, form a vital aspect of network infrastructure. Communications servers are a prime target for hacking because they often store vast quantities of data, like usernames, phone numbers, message logs, and sometimes the messages themselves. Most of the time this data is protected and encrypted, but all too often we find out sensitive data is stored unprotected and unencrypted.

SKY ECC has the following network security measures in place for our servers:

  • Restrictions can be placed on the app limiting connections to only our secure server network. This network is also protected to only allow whitelisted devices and IPs on it.
  • All messages are routed through Sky’s secure global network of servers.
  • Headers and metadata are encrypted using AES 256 bit encryption to and from the Sky servers.
  • All our servers are protected with layers of firewalls and gateways following our whitelist only connection policy.
  • All servers undergo audits by both internal and external personnel to be sure that they adhere to best practices.

The above strategies are all digital security concerns. The Sky server network also has more physical considerations put in place as well:

  • These servers are placed in countries which have strong data privacy protections in place.
  • You can’t look up or discover ECC IDs through the app. You have to know someone’s ECC ID to add them: the unique 6-digit hexadecimal number created for each account has to be manually shared between people.
  • All public, session, and initial encryption keys are encrypted on the user’s device before they ever reach the server, further lowering the physical risk of the servers being compromised.
  • No messages are stored* on the Sky servers, they simply pass through the secure gateway from one phone to another.
  • The * above refers to undeliverable messages: when the recipient is offline, messages are stored on Sky servers for 48 hours. During that time they are encrypted with Sky’s 521-bit ECC encryption, which could protect these messages indefinitely, but to protect users even more they are deleted after 48 hours so that no Sky server ever becomes a target… there’s nothing on them worth stealing.
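
The pass-through and 48-hour rule from the last two points, as an added Python example (not Sky's server code). `Relay`, its method names and the injectable clock are assumptions made for illustration; the relay only ever handles opaque ciphertext that was produced on the device.

```python
import time

RETENTION_SECONDS = 48 * 60 * 60  # undeliverable messages are kept for 48 hours


class Relay:
    """Hypothetical store-and-forward relay that never sees plaintext."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the expiry rule can be tested
        self._online = set()     # recipients currently connected
        self._pending = {}       # recipient -> [(expires_at, ciphertext), ...]

    def set_online(self, recipient, online):
        if online:
            self._online.add(recipient)
        else:
            self._online.discard(recipient)

    def submit(self, recipient, ciphertext):
        """Pass straight through when possible; otherwise queue with a deadline."""
        self.purge()
        if recipient in self._online:
            return "delivered"   # nothing is retained on the relay
        deadline = self._clock() + RETENTION_SECONDS
        self._pending.setdefault(recipient, []).append((deadline, ciphertext))
        return "queued"

    def purge(self):
        """Delete every queued message whose deadline has passed; return the count."""
        now = self._clock()
        removed = 0
        for recipient in list(self._pending):
            kept = [(exp, ct) for exp, ct in self._pending[recipient] if exp > now]
            removed += len(self._pending[recipient]) - len(kept)
            if kept:
                self._pending[recipient] = kept
            else:
                del self._pending[recipient]
        return removed

    def collect(self, recipient):
        """Recipient reconnects: hand over unexpired ciphertext and forget it."""
        self.purge()
        self._online.add(recipient)
        return [ct for _, ct in self._pending.pop(recipient, [])]

    def stored_count(self):
        return sum(len(items) for items in self._pending.values())
```

Running `purge()` on every submit and collect, and not only on a timer, means an expired message cannot be handed out even if a scheduled cleanup is late.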

Having secure servers is one thing, but how about data access? Our carrier partners ensure (nearly) wherever you are in the world, SKY ECC is available. We have data coverage everywhere from Afghanistan to Zimbabwe, or to put it visually:

Are you covered? I hope so! If you live in one of these countries, contact us to see if you can help expand our coverage by becoming a reseller of SKY ECC.

Bonus server security: push notifications

We all know how convenient push notifications are as they tell us when a message has been delivered to our phones without us having to open the app and look. As it is with all conveniences, there is a cost. The major cost here is that push notifications have to go through another set of servers, separate from the message, in order to be displayed on your phone.

Push notifications are handled by two server owners you’ve probably heard of before: Apple and Google. Which ones your messages go through depends on whether you’re using an Android or iOS device (and what devices your contacts are using).

Push notifications posed a major challenge for developing a secure solution. If you want push notifications, the only (practical and sensible) options are the ones from Google and Apple. So how do you push sensitive info to secure devices without compromising the message or information about anyone in the conversation?

The answer is twofold:

  • Send only the bare minimum of information to notification servers
  • When displaying notifications on screen, limit the message to “you have something new”.

Apps which display text snippets risk someone looking at your phone, and risk sending that data to the notification server.

To put it in simple English:

  1. When a new device is set up, two random tokens are created. One is on the device and one is on the notification server. Think of them like a lock and key that have to match up for the notification to be sent to the right person.
  2. When you send a message to someone and it gets to our servers, the recipient(s) are matched with their device tokens.
  3. The absolute minimal amount of data is sent out to the notification servers—which is the device token(s) for recipients.
  4. Firebase/Apple’s server reads the device token and matches it with the server token and passes the push notification along.
  5. A push notification reading “You have a new SKY ECC message.” shows up on the receiving device.

Unlike other apps, we do not allow a snippet of the message to be shown within the push notification. This is because the simplest hack of all for stealing data is looking over someone’s shoulder when a message comes in or picking up their phone while they’re gone. Not sending this data to the notification servers also keeps it from being a vulnerable point of attack.
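
The notification flow above, modelled from the relay's side as an added Python example (not SKY ECC's code). `PushRelay`, the field names `device_token` and `alert`, and the sample message are assumptions made for illustration, and a single per-device token stands in for the token pair the steps describe; `leaked_fields` is a check that reports any message value that reaches the outgoing request.

```python
import json
import secrets

GENERIC_ALERT = "You have a new SKY ECC message."

# Constructed sample message; the IDs and ciphertext are made up.
SAMPLE_MESSAGE = {
    "sender": "A1B2C3",
    "recipients": ["D4E5F6"],
    "ciphertext": "c2FtcGxlLWNpcGhlcnRleHQ=",
}


class PushRelay:
    """Hypothetical relay that maps account IDs to opaque device tokens."""

    def __init__(self):
        self._tokens = {}  # account id -> list of device tokens

    def register_device(self, account_id):
        # Random token created at device setup; it encodes nothing about the user.
        token = secrets.token_hex(32)
        self._tokens.setdefault(account_id, []).append(token)
        return token

    def build_push_requests(self, message):
        # Only the recipient's device token and a fixed alert leave the relay.
        requests = []
        for recipient in message["recipients"]:
            for token in self._tokens.get(recipient, []):
                requests.append({"device_token": token, "alert": GENERIC_ALERT})
        return requests


def leaked_fields(message, push_request):
    """Return the names of message fields whose values appear in the request."""
    wire = json.dumps(push_request)
    leaks = []
    for name, value in message.items():
        values = value if isinstance(value, list) else [value]
        if any(str(v) in wire for v in values):
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    relay = PushRelay()
    relay.register_device("D4E5F6")
    for request in relay.build_push_requests(SAMPLE_MESSAGE):
        print(request["alert"], leaked_fields(SAMPLE_MESSAGE, request))
```

A check like `leaked_fields` fits in a unit test around whatever code builds the push request, so that adding a sender name or message snippet to the payload fails the build.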

Network security and SKY ECC

Our zero-trust philosophy has pushed us to create multiple layers of network security so that our users aren’t just protected by E2EE but by a number of other fail-safes:

  • App and operating system settings which use all available tools to protect messages.
  • Connection settings which protect against both Wi-Fi and cellular data network hacks.
  • A network of secure servers with global data coverage controlled by Sky.

Other apps don’t secure their network this thoroughly. Most do the absolute minimum to get by and placate the average user. If you’re above average, and have a need for true security, then you need a tool as powerful as SKY ECC.