Confide app used by White House staff not as secure as claimed, report suggests

The phone numbers of two high-level White House officials — press secretary Sean Spicer, and director of strategic communications Hope Hicks — were discovered through a feature in the app that lets people find friends who have already joined, BuzzFeed News said. Spicer in fact confirmed his use of Confide in a call with BuzzFeed, calling their story "an invasion of my privacy." He insisted however that he only sent one message several months ago at the request of a reporter, and uses a separate phone for official White House business.

The number listed for Hicks was unreachable, but a source within Confide suggested that she could have deleted the app months ago. The company's policy is to keep users listed even after they delete an account, the source said.

A security expert told BuzzFeed that while read messages are deleted immediately on a person's device, they're kept up to a week on Confide's servers, and the company is also saving metadata. If exposed legally or otherwise, this could at least be used to identify how often a person is sending messages and to whom.

Another issue is that Confide doesn't make its code public or identify which brand of encryption it uses. A researcher with Kudelski Security, Jean-Philippe Aumasson, indicated that the app relies on the OpenSSL library, some versions of which are known to be vulnerable to hacking.

The Washington Post recently said that White House staff are using Confide to avoid being blamed for a stream of leaks to the media, something allegedly being scrutinized in an investigation ordered by U.S. President Donald Trump.

Other reports said that the app is popular with journalists at the White House, as well as a number of people in the Republican Party worried they could fall prey to the same sort of hacking that victimized the Democrats during last year's election campaign.