Updated 25 April 2018.
Copyright: European Union Public License, version 1.2 (EUPL-1.2).
SID is a messenger that allegedly uses End to End encryption. Our findings showed that all traffic between users went straight to Madrid where Sid servers are based rather than between countries where our consultants were testing from.
Disclaimer: We are not affiliated in any way to any of these Companies, this article is 100% our findings. There is no affiliate marketing in place through the links provided below, they’re for your convenience.
How we write our reviews: To ensure an unbiased and thorough review all apps are tested:
• In real time, i.e. we use it on real projects.
• By different team members located in different countries.
• With different devices and operating systems.
• For a minimum of two weeks, four on average.
• Article is peer reviewed by other team members then sent to the app’s publisher for final review.
Contents of this article.
- What is SID?
- Criteria used for testing.
• Zero knowledge.
• End to end encryption.
• Encryption implementation.
• Peer to peer file transfer.
• Sid address.
• Open source.
• Resistance to state sponsored criminals.
Have you ever wondered if that encrypted app you’re using is truly secure, encrypted and does not store your data? In light of the various revelations that the big tech companies store and use our data as they wish, it is imperative that we ensure our privacy and security when using apps, be it for personal or business use.
How do we verify claims that an app is secure? How do we ensure an app does what it says it does and is not a decoy put out by fraudulent people? We took the time to research some encrypted apps, thoroughly reviewing them and putting them through various tests on different devices; one such app is SID. Our findings came as a shock. Before I delve into the details, let’s take a quick look at the app:
1. What is SID?
SID is a messenger that allegedly uses End to End encryption. It makes communication within teams simple, more efficient and secure. You can communicate with your team using group chats or one-on-one chats, and you can also securely send files between team members without fear of data compromise. For every new team member that comes on board, the team contacts are exchanged automatically. You can create dedicated channels to structure and organize your communication with your team, customizing and editing them on the go as it suits you.
The unique selling point of SID is security and privacy. It was purportedly structured and designed to meet these criteria. Their philosophy is that your private messages are for the user’s eyes only and that messages between communication partners shouldn’t be intercepted by state sponsored criminals.
- Website: http://sid.co/
• SID is free to use.
• Stream encryption for SID cannot be turned off and is always in place.
• Fast file transfer of any size makes it convenient to send large files, especially on local networks. (See Criteria used for testing: peer to peer transfer).
• No personal information about the user is entered on SID. (See Criteria used for testing: Zero knowledge).
• The app is good for individuals and businesses who cherish data security and privacy.
• The app is compatible with the major devices in the market: iOS, Android, Linux and desktop. (See Criteria used for testing: Multiplatform).
• You can create and edit/customize groups and multiple chatrooms on SID.
• When you’re through with a group you can leave the group.
• You can add various members to a group chat as you wish.
• SID uses the BitTorrent protocol, with a central server for offline chat; there is no central point of failure.
• When you install SID on a new device, it will prompt you to enter your ID; you then confirm the new device from another active device, which receives a notification. It’s simple, with no need for a login/password. Note that when you add a new device you won’t see the previous conversations: all the chat rooms are there, but they will be empty. (See Criteria used for testing: Sid address).
• No voice/video chat possible.
• Documents are not synchronized and updated in a peer to peer fashion; only you have access to the files sent to you. There’s no file harmonization and synchronization of the kind Resilio and SyncThing offer. This is a major disadvantage, especially for teams, companies and organizations that want to collaborate on files securely.
• There’s no panel within the app to contact support.
• The code for SID has not been published as of the time of writing this article, so it’s not open source. (See Criteria used for testing: Open source).
• Images used as thumbnails for chat rooms have to be of a specific size; if they’re too small they won’t upload.
• Messages do not sync across devices uniformly, i.e. if a message is read on one device, e.g. a PC, it does not sync to mobile immediately. It starts syncing when you open the app there, and it shows as an unread message.
• There’s no seen notification to confirm whether your messages have been read by the recipient.
• You can’t quote messages on Sid, which makes it harder for the recipient to follow your train of thought.
• Their servers are located in Madrid, in a country which is part of the 9 eyes. (See Criteria used for testing: Resistance to state sponsored criminals).
• For offline use, messages are stored on their server; though encrypted, they can still be intercepted by state sponsored criminals. (See Criteria used for testing: Resistance to state sponsored criminals).
• Deleting selected messages during chats only removes them from the sender’s end and does not delete them from the receiver’s end.
• No ephemeral (self-destructing) messages.
• All files sent and received on Sid can be retrieved from the installation folder. This negates the security feature of the app: if the hard drive is not encrypted, data can be breached by state sponsored criminals.
Note: For more details, please refer to the detailed explanations on the Criteria used for testing below.
We comprehensively tested the app Sid with different consultants in different countries, using different devices running different operating systems; we also used Wireshark to verify their peer to peer encryption. Our findings showed that all traffic between users went straight to Madrid, where Sid’s servers are based, rather than between the countries our consultants were testing from. This shows that Sid stores messages on a central server, contradicting their claim that they do not store users’ data.
Another con is the fact that the app’s source code is not open, hence we can verify neither their claim about end to end encryption nor their zero knowledge. Most importantly, their servers are located in Madrid, in a country that’s part of the 9 eyes. A neutral country, one that has no relationship with the US and EU, would’ve been the ideal location for their servers. After our research, we sent this article to Sid support for review; as of the time of publishing, we haven’t received their feedback.
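The Wireshark check described above boils down to one question: does the chat traffic leaving a tester’s machine terminate at the other tester, or at a third host? The script below is an added example (not code from the review or from Sid); it applies that check to constructed conversation records in the form you would read from Wireshark’s Conversations view, using documentation-range placeholder addresses.

```python
"""Classify captured chat traffic as direct peer-to-peer or relayed via a server.

Added example, not part of the original review. Input records are
(src_ip, dst_ip, bytes) tuples, the shape of a row in Wireshark's
"Statistics > Conversations > IPv4" view. All addresses are constructed
RFC 5737 documentation placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: tester A (192.0.2.10) chats with tester B
# (198.51.100.7). Almost all payload goes to a third host instead.
SAMPLE_CONVERSATIONS = [
    ("192.0.2.10", "203.0.113.5", 48_120),   # tester A -> unknown host
    ("203.0.113.5", "192.0.2.10", 2_200),    # unknown host -> tester A
    ("192.0.2.10", "198.51.100.7", 0),       # direct attempt, no payload
    ("192.0.2.10", "203.0.113.5", 9_300),
]


def classify(conversations, local_ip, peer_ip):
    """Return (direct_bytes, {remote_host: bytes}) for the local tester.

    'direct' counts bytes whose other endpoint is the chat partner;
    everything else is attributed to the remote host that carried it.
    """
    local = ipaddress.ip_address(local_ip)
    peer = ipaddress.ip_address(peer_ip)
    direct = 0
    relayed = defaultdict(int)
    for src, dst, nbytes in conversations:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if local not in (s, d):
            continue  # background traffic from other hosts, ignore
        other = d if s == local else s
        if other == peer:
            direct += nbytes
        else:
            relayed[str(other)] += nbytes
    return direct, dict(relayed)


def is_end_to_end_direct(conversations, local_ip, peer_ip, threshold=0.9):
    """True if at least `threshold` of the payload went straight to the peer."""
    direct, relayed = classify(conversations, local_ip, peer_ip)
    total = direct + sum(relayed.values())
    return total > 0 and direct / total >= threshold
```

A relayed verdict says where the bytes went, not whether they were readable in transit; the review’s point is that a central server holding the messages for offline delivery is itself a risk, which this check makes visible.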
6. Criteria used for testing.
• Zero knowledge: The sender and receiver are the only ones that have access to their data. In situations where data is stored on their offline servers either for back up purposes or for offline delivery, the data is encrypted and can only be decrypted by those who have the keys on their devices i.e. the sender and receiver of the information. The sent data is not altered, read or analyzed for any purpose whatsoever.
• End-to-End encryption: according to SID messenger, they use trusted strong encryption that fully encodes the complete transfer chain, unlike HTTPS (Hypertext Transfer Protocol Secure), the secure web server solution that is commonly used. For people using HTTPS, this means that only the connection from your device to the server is encrypted. The problem with this is that the transferred data is available in clear text on the server side, which means your service provider or anybody else who can access the cloud system can read your data.
• Encryption implementation: one of the major downsides of other secure messengers is encryption that relies on weak random number generators. SID counters this by using its own random number generator based on the Whirlpool512 hash with a 4096 bit entropy pool. Your device generates and stores your secret keys. These keys are used to authenticate your contacts, so only data whose signature matches is accepted, ensuring you’re communicating with a secure contact without interception.
• Peer to peer file transfer: You can send files such as documents, videos and photos of any size on SID. If you send a file to another contact on SID, it is sent directly to the receiver’s device; if you send to a group on SID, all the devices act as senders to compensate for network availability. If you send files over a local network, e.g. in an office, school or organization, they are sent at the fastest speeds, avoiding problems of internet connectivity.
• SID address: when signing up for SID you do not need to provide any personal data. Sign-up steps such as email, phone number and address are not needed on SID, as SID has its own address system. It uses a username appended with an asterisk (*) and a 5 digit unique number. This way you can always use your preferred username and decide who you wish to make contact with. It is a good preventive measure against spam.
• Open source: as of the time of writing this article, SID’s source code is not open to the public yet, but according to them, they plan on publishing their source code and the technology that powers SID for auditing and review in the near future. Should you wish to review their source code, you can write to them at email@example.com.
• Multiplatform: SID is available on desktop, Windows, Mac, Linux, iOS and Android.
• Resistance to state sponsored criminals: These are police, prosecutors etc. Their crimes are considered legal since the state institutions have been corrupted and there’s no one to put them in check. They are the most dangerous sort of criminals, whether to an individual or to a country. If they’ve done something illegal, they can cover it up whatever way they like. They can intercept and read IMAP, POP3, TLS, and SSL. They can also spoof your email provider’s SSL certificate. They can access your SMS and emails, meaning an account recovery option is often an easy form of attack for them. That’s why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate in.
- Download.com. (2018). Sid. [online] Available at: http://download.cnet.com/Sid/3000-2654_4-76641095.html [Accessed 28 Mar. 2018].
- Sid. (2018). Sid | End-to-End Secure Team Communication. [online] Available at: https://sid.co/en/security-by-design [Accessed 28 Mar. 2018].