The zero-trust philosophyOur entire platform was built on the premise that everything, and we mean everything, is already compromised. We then built Sky ECC from that philosophy to protect the app and your messages. Click the bullet points below to see how we have taken steps to secure the:
- Device, or hardware, that Sky ECC is on.
- Operating system that Sky ECC is installed on.
- Connections made by the device and app.
- Application features we built.
- Trust in our app with verification.
1: Zero-trust for devicesThe first step in building any sort of secure mobile device is to use equipment which has built-in tamper resistant chips. This is when they come straight from the factory with security assurances which prevent any sort of tampering with the device.We did our research on which devices met this high standard, and currently install Sky ECC on:
- iPhone 7
- iPhone 8
- iPhone X
- iPhone SE
- BlackBerry KEY2 LE
- BlackBerry KEYone
- BlackBerry Motion
- Google Pixel 3
2: Zero-trust for operating systemsHow we make sure that the operating system is performing in its most secure possible setting is by:
- Using all available security features for each OS. You can learn about these features by reading the whitepapers from Apple iOS, Android, and BlackBerry UEM.
- Using the newest settings for limiting USB connections. Weaponized hardware is a security threat beyond most people’s understanding of security, but it can be as simple as one bad USB drive or charging cable with malware loaded onto it.
- Preventing brute force passcode attacks. The most common ‘hacks’ aren’t hacks at all. They are simple tools which guess passcodes until the right one is guessed. We limit the number of guesses to limit opportunities for this exploit. We put this protection both on the device and the app itself.
- Enabling kernel and rollback protection. These prevent hackers from loading an older OS with known security flaws onto a phone and then exploiting those flaws. If a kernel problem is detected, the device is disabled and cannot be used to launch Sky ECC.
Disabled featuresPart of our assessment was looking at features available on every OS and disabling those which can be exploited. Here’s a look at the most commonly disabled features on all Sky ECC devices:
- App installs: You are protected from malware apps—even ones found on official app stores.
- Screenshots and screen recording: These two features compromise the security of your chats, as well as the chats of others. Why create an image, which is another vulnerable point of attack for your conversations, when you can store it in the secure Sky ECC Vault behind another password?
- Voice assistants: The issue with voice assistants, such as Siri, is that they can be told to display information by people who aren’t you or be tricked into allowing access to your device. They’re convenient, but the price of convenience is always security.
- AirDrop & iCloud: Disabling Airdrop and iCloud protects you from having files uploaded to your machine from someone using AirDrop (or a similar tool on other devices) maliciously for a number of reasons, all of them horrible or illegal. The reason for disabling iCloud is how insecure things are once they go to someone else’s servers, so instead you can keep all of these files in your Sky ECC Vault on your phone.
- Downloaded media: There are innumerable instances of media–music, TV, and movies–containing malicious code and malware that compromise devices. If it can’t get on your phone, it can’t compromise your phone.
Zero-trust for biometrics as security toolsUsing your fingerprint or face to unlock your device feels futuristic and sci-fi…until simple hacks compromise your device. Hackers have shown that a single photograph of your hand can compromise your fingerprint as a secure piece of information. It simply isn’t secure enough, nor is Face ID:Ok, so your child could pick up your phone and access your data. That’s embarrassing. What if hackers really want access to highly valuable information on someone’s phone which they have stolen? $150 spent on some 3D printing can do the trick:Every OS which uses biometrics has had this disabled in the OS to keep you secure against threats you may have never heard of. Not only are biometrics not foolproof, they are also easily fooled. You can not build the most secure phone with these features enabled. Sky ECC’s zero-trust philosophy protects you with this security feature of ours. Once your biometrics have been compromised, there is no going back. You can’t get a new face or fingerprint.
3: Zero-trust for connectionsUsing Wi-Fi as an attack vector is an easy task for the average hacker. A simple Man-in-the-Middle attack can intercept unencrypted traffic to steal passwords, login details, and payment card data. We simply could not allow that to happen as end-to-end encryption is a standard for any secure messaging app.How do you prepare for zero-trust from a communication standpoint? You build a secure server network which covers the globe. That’s the only way to do it, so we did it. We have secure servers in:
- North America
- South America
Encrypting your connection on Wi-Fi and mobileWe didn’t think that this was enough protection for your connection. Our next step in building layers of security was to encrypt your connection over both Wi-Fi and mobile data. Here’s what happens when you connect to Wi-Fi:
- All network traffic is encrypted.
- The traffic is sent through our secure servers.
- Only approved devices are allowed on our network, keeping bad actors far away from your device.
- The app won’t allow you to connect over an insecure connection.
4: Zero-trust features in the appOur app is where our main security features are found. We have thought through every step of the security needs of someone sending messages in a way that no one else has. Here’s a detailed accounting of features built behind the scenes and how they protect you:
- Environment checks: Our app is designed to check itself for security risks. If your device has been compromised, a very unlikely scenario, you are prevented from logging in.
- Secure container: We built the Sky ECC app within a secure container. This means that we have separated the app from the rest of the phone with a layer of encryption around it.
- Scrubbing push notifications: Apple and Google’s push notification servers are another vulnerable point. We scrub your data before it gets there.
- Metadata encryption: The lack of metadata encryption is a major issue with most ‘secure’ messaging apps. Metadata can reveal where you are, who you talk to, and when you talk to them (see our post on metadata for more details). Our solution is to use AES-256 encryption on all metadata, which is a higher security standard than some of our competitors use on the messages themselves, never mind the metadata.
- 521-bit ECC encryption: Your messages and files are the most important aspect of any chatting app. We encrypt all of your messages and files using 521-bit ECC (elliptic-curve cryptography, now you know where the name comes from), which is magnitudes more secure than the 128-bit ECC used by most of our competitors.
- Brute force prevention: We limit the number of password attempts to stop the most basic ‘hacking’ right in its tracks, which is using software which guesses your password over and over and over. The maximum is 10 wrong password attempts, but it can be set lower if you wish. There is also a CAPTCHA on the second-last password attempt. Set for 10 attempts? You’ll get a CAPTCHA on nine. After the last failed attempt, the app is programmed to reset and delete everything on it.
- Separate passwords: Your Sky ECC device will have a section for messages and a section for files and photos. These two sections are kept separate with different passwords for each one. Layers on top of layers is how you stay secure, and this is a perfect example.
- Message deletion: There are several aspects to this. First, all messages are deleted 7 days after they are read. This prevents too much data from ever being on your phone. You also can control how long your messages stay on other people’s devices, with 7 days as the default but 2 hours after reading being the quickest. Not fast enough? Send a flash message which self-destructs 30 seconds after being read.
- Full deletion: Did you lose your phone? It can be erased remotely so that no one can touch your data. Are you being forced to hand your phone over? Use your emergency password to erase all the data within the app—just like our brute-force protections. Don’t ever let your data fall into the wrong hands with these two powerful features.
5: Trust…but verifyBecause we set out to prove that we have the most secure phone available, we didn’t even trust ourselves. We took our phone to the people at BlackBerry to allow them to test two of our phones–a Google Pixel 2 and a BlackBerry KEYone.What was discovered by BlackBerry’s dedicated penetration testing team in Bedfordshire, UK was nothing less than perfection. Absolutely no flaws were found after three days of exhaustive testing by the BlackBerry team. If you don’t believe us, click this link to view the PDF which BlackBerry sent to us with their results.Here are the results which mattered the most:
“All test cases were assessed against, and the application was found to be secure and correctly prevented unauthorised and unauthenticated access to the application, user data and the service. BlackBerry Cybersecurity Services have therefore assessed the overall risk posed to Sky Global by the ECC Android mobile application to be…”As you can see, we are considered low risk. This is the best possible score that is given by BlackBerry as this is a summary of all the issues they found:You are reading that correct; they did not find any. BlackBerry went on to further elaborate on how long it would take to correct any of the errors they found. They summarised it here:You are reading that correctly; it will take no time to fix issues with our app or devices because there are no issues to fix. We took our zero-trust philosophy so far that we didn’t even trust ourselves. Bringing BlackBerry themselves in to do testing all ties into this philosophy. You should never trust someone who isn’t willing to put their money where their mouth is. We have done the testing, opened ourselves up to criticism by experts, and found that we built the most secure phone we could without any vulnerabilities.Here is one last parting shot from BlackBerry before we move on:
“Test case assessments against the application and devices identified that it is not possible to bypass the application’s authentication and authorisation processes. Therefore, BlackBerry can confirm it is not possible to access the chat messages, contact lists, or protected data from the devices or Sky server without providing valid authorisation credentials to the ECC application.”Testing done by BlackBerry has proven that we have the most secure phone possible. What you need is proof, not marketing jargon, and that is what we are showing you.
Bonus: Zero-trust in usageThe most secure phone in the world is useless if users need a long instruction manual just to send a message. Here is a screenshot of one of our devices:How complicated does that look? I’m sure that it looks like any messaging app you have used in the past, except for the fact that our app uses all of the zero-trust philosophies we have been looking at.
We didn’t trust that you were a security expert, so we built you something that is easy to use.Our recent comparison of WhatsApp vs. Signal and Sky ECC revealed the real difference is in security, and not usability, where all three are basically the same as you can easily send and receive messages.We have heard the complaints, time and again, of people purchasing secure smartphones and then not using them because they’re too complicated. That is not a secure smartphone, that is just another headache. Our secure phone has everything built simply. Here is a look at the vault feature where you can store images, notes, and chats:A simple place to store your most valuable files, chats, and pictures. All the security features in the world are useless if the average person cannot use them. Those of us here at Sky have advanced knowledge of cryptography, encryption, and online security–we have no problem with being secure. We put our decades of knowledge and expertise on device, OS, and connection security within the Sky ECC app in a simple to use package which makes it the easiest to use secure phone available.
Making the most secure phone possible–Sky ECCThere are many ways to build a phone which is secure. We believe that there is only one way to build the most secure smartphone–with zero-trust that everything is as secure as it’s supposed to be. We set out to secure all outside factors so that Sky ECC is protected against its hardware, OS, connections, and even the app itself. We did this with:
- Hardware: Starting off with the most secure phones available. Not only are they secure, but they are also so popular that people are always checking them to make sure that there are no security holes. When phones get old, and they aren’t supported with the latest OS updates, we no longer support them.
- Operating system: Enabling all security features for each OS, including kernel and rollback protections. Preventing brute force attacks against passcodes, disabling OS features which could be attack vectors (like Bluetooth and NFC), and using the newest settings for USB connection authorization.
- Connections: We encrypt all connections all the time, send you through our secure servers, and keep bad actors off our network entirely by only allowing known devices on it.
- App: The 521-bit encryption used by our app is powerful, but we went the extra step by securing the app in a container, having the app check itself for problems, stopping brute force attacks, and allowing for multiple options for automatic message deletion and revocation.