Vysk EP1 review: 'The anti-NSA' iPhone case delivers more privacy questions than answers

  • Editors' rating
    3.4 Poor
  • $119.99

Pros

  • "Privacy-mode" rear and front-facing camera shutter to prevent remote viewing

  • Rugged, durable, rubberized design and feel, making it easy to hold

  • Case does not add considerable weight to the iPhone, though still bulky in size

  • Micro-USB connection for charging and data transfers

  • Includes external battery for 120 percent extra charge

Cons

  • "Privacy-mode" slider is difficult to lock into place with just your finger

  • Case is so thick it requires a headphone extender cable

  • Doubts over privacy and security — despite claims it increases protection

  • Both apps, for messaging and photos, are thin on features

  • Easy to put on the case, but not so easy to take it off

Vysk EP1 case with camera shutter Image: ZDNet/CBS Interactive

In the wake of the Edward Snowden revelations on mass surveillance by the National Security Agency, everyone has a right to be a little on edge.

One company, which already has one widely lauded product designed to encrypt phone calls and block out your phone's microphone, aims to succeed in the "everyday privacy" space. In offering both a hardware case and a software-based set of services, the smartphone case maker Vysk aims to protect your data from prying eyes.

However, Vysk's encrypted photo gallery and messaging app for iPhones comes with a number of red flags that reflect poorly on the company.

Privacy-focused case with integrated external battery


The Vysk EP1 smartphone case is a durable and strong case that clips around the bottom and the upper-half of the iPhone.

Compatible phones -- currently the iPhone 5 or 5s -- slot into the Lightning port in the bottom portion of the case, and can be charged through a bottom-edged micro-USB connection.

The back of the case is rubberized, making the phone and case easier to grip in your hand.

The case's build quality is excellent for the price. It's made out of strong plastic, and has separate buttons along the side to correspond to the iPhone's volume and mute switches. Also, there are two speaker grills to prevent any muffling of the phone's loudspeaker.

The case adds a modest 3 ounces weight to the iPhone 5s. With the case on, your iPhone 5s becomes almost exactly the same dimensions as an iPhone 6, although twice as thick. It's comfortable to hold in your hand, but it feels bulky in your pocket.

Along the top edge of the case close to the power button is the EP1's flagship feature: a camera shutter allows the iPhone owner to cover the rear and front-facing cameras. The aim: to prevent prying eyes, such as those of hackers and NSA officials alike. The feature may sound basic, but it lands less than a year after the Snowden revelations pointed to the U.S. spy agency being able to view people's webcams, while its U.K. counterpart had programs (named after "The Smurfs") able to remotely listen to an iPhone's microphone -- even if it's turned off.

In testing, the camera shutter was easy enough to operate -- a small rectangular slider protrudes slightly from the case -- but moving the locking mechanism from open to closed required a fingernail rather than a fingertip to avoid mild discomfort. It's the flagship feature, yet in some cases it hurts to operate. The more you use it the easier it becomes.

The external 2,200mAh battery included in the case's design is said to offer 120 percent more battery life. A light-up indicator on the back of the phone displays how much additional battery power remains.

However, one disadvantage for music or video watchers is that the case may require the use of a headphone extender, which is included in the box. Apple's Earpods are difficult to plug in without the extender.

The case is available in black, blue, gold, and red. A case designed for the iPhone 6 and Samsung Galaxy S5 will land late this year, or early next year.

'Secure' photo, messages app: Bare bones, concerning

Vysk's new text message and photo gallery software may well be the next-best thing since sliced bread. The two apps, called "Private Text" and "Gallery," could be secure, privacy-minded, and a perfect solution to prevent prying eyes -- from either hackers, or government agencies.

Here's the problem: We don't actually know how secure it is.


"What we have here is a product we know little to nothing about, can't look at, and nobody can really vouch for," independent cryptographer Justin Troutman said in an email to ZDNet.

The photo app, with barebones functionality, does offer a few standout features. Users can choose up to two photo galleries to store photos, protected by two different (or the same) four-digit passcodes.

The encryption scheme is said to be a "standard implementation of AES-256," according to Vysk, using a key that is derived from the passcode. Data that is stored in Apple's iCloud is encrypted using a different key, allegedly adding a new layer of security.

A "self-destruct" passcode can be set, allowing someone under duress to enter a passcode that wipes the entire storage of the user's photo galleries.

Although there are few features to sing or dance about, there's potential for improvement over time. But the photo gallery app suffers a similar fate as the messaging app.

How can one be assured that a product in development for less than two years delivers apps that can be trusted? Some cryptographic standards have been in development for decades, and after years of extreme scrutiny, are now considered good enough for mainstream use.

Like the photos app, the messaging service is basic and bare-bones, which, emulating Apple's homebrew photos app, keeps it light and easy to use -- which many want in a messaging app. There is a settings page filled with options, allowing you to time out your session and set a returning passcode. You can also activate "screen snoop protection" for a Snapchat-like warning when a recipient takes a screenshot of your message thread.

Sending and receiving messages has the same responsiveness you might expect with similar, popular, native messaging services, like Apple's iMessage. In our testing with two iPhones, your messages are delivered in an instant.

For Android users, the Private Text app will be available in the first quarter of 2015, and will be fully compatible with the iOS app, Vysk chief executive and co-founder Victor Cocchia said.

There's a caveat, however. Messages are sent asynchronously, meaning they are sent to Vysk's servers to be later delivered. It takes a similar approach to Apple, which also temporarily stores messages in an encrypted form.

Another warning flag: In order to use Vysk's messaging app, a user must upload their entire contact list to the company's servers. This action is required in order to match users on the service to each other. Despite Vysk's in-app warning that this must happen, it feels nonetheless defeating knowing full well that your personal contacts must leave your device.

Controversy stirred last year when Twitter and other notable app makers quietly uploaded contact list data without warning, forcing Apple's hand to implement a barrier between apps and user data.

The code isn't public, and it's not open for scrutiny. Publishing an iPhone or iPad app doesn't mean it can't be open-source. For products and services that rely on encryption -- for their success and future development -- they must be open for inspection. Or, at very least, they should use a standard that has been tried and tested and proven over time.

Vysk did exactly this with its QS1 smartphone case, which comes with a microphone blocker and encrypted voice software. It runs a modified, proprietary version of AES-256 dubbed "Orbital AES."

This modified version of AES-256 aims to fix a number of weaknesses in its key schedules. AES-256 is not perfect, and can be improved, as recent research has shown. Employing Orbital AES is said to protect the contents of the user's calls before the data is transmitted.

However, Vysk's software products are at the mercy of the alterations it makes to the standard. Not knowing what those revisions are makes it difficult -- or impossible -- for the security community to ensure that a product is in fact secure and does what it says it does.

The QS1 was to be launched before the December holiday season, but will now arrive in early 2015.

While only the QS1 uses Orbital AES, the wider concerns cast a shadow over the security of the EP1 messaging and photo apps.

Vysk explained the EP1 runs an "out-of-the-box" version of AES-256. It uses elliptic curve Diffie-Hellman (ECDH) for the key exchange. This alone isn't a problem. What caused further concern was Vysk's co-founder Dr. Michael Fiske, a cryptographer, who explained on the phone that, "you can't trust U.S. cryptography right now" in the wake of the Snowden disclosures.

He added: "What we're doing is we're using key generators, where the key is not static." That process, he said, is under peer review by a group whose name was not disclosed on-the-record.

"If you're worried that AES-256 isn't good enough, there are far better alternatives than a modified version of AES," Troutman explained.

Vysk's Cocchia said an Italian cryptographer tested the apps for a few months and "couldn't find any vulnerabilities." The co-founders declined to reveal the cryptographer's name. The work of the cryptographer or their credentials could not be verified at the time of publication.

One of the reasons Vysk has not published the code in its entirety, as other cryptographic standards have been, was in order to "protect our intellectual property," Cocchia said. "In regards to the Gallery App and our Text App we have entertained requests for the source and we are in the process of making the source available in a public location."
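For comparison, the arrangement described above (stock AES-256, an ECDH key exchange, and messages held on a relay server until delivery) can be written entirely with published, reviewable primitives. This is an added example using Node's built-in `crypto` module, not Vysk's code; the curve, the HKDF step, the labels and the message layout are assumptions, since the page gives none of them.

```javascript
// Added example: ECDH + HKDF + AES-256-GCM with Node's built-in crypto.
// Not Vysk's code; curve, KDF, labels and message layout are assumptions.
const crypto = require('crypto');

const CURVE = 'prime256v1';                     // NIST P-256 (assumed)
const INFO = Buffer.from('example-msg-key-v1'); // HKDF context label (constructed)

function newParty() {
  const ecdh = crypto.createECDH(CURVE);
  const publicKey = ecdh.generateKeys();
  return { ecdh, publicKey };
}

// Each side runs this with its own private key and the peer's public key.
function deriveKey(party, peerPublicKey, salt) {
  const shared = party.ecdh.computeSecret(peerPublicKey);
  // The raw ECDH output is not used as a key directly; HKDF derives 32 bytes.
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, INFO, 32));
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);            // fresh 96-bit nonce per message
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws if modified
}

// Store-and-forward: the relay holds only salt, sender public key, iv, ct and tag.
function demo() {
  const alice = newParty(), bob = newParty();
  const salt = crypto.randomBytes(16);
  const stored = { salt, from: alice.publicKey,
    ...seal(deriveKey(alice, bob.publicKey, salt), 'constructed test message') };
  const bobKey = deriveKey(bob, stored.from, stored.salt);
  const delivered = unseal(bobKey, stored);
  const tampered = { ...stored, ct: Buffer.from(stored.ct) };
  tampered.ct[0] ^= 1;                          // simulate modification in storage
  let rejected = false;
  try { unseal(bobKey, tampered); } catch { rejected = true; }
  return { delivered, rejected, keyBits: bobKey.length * 8 };
}
```

The public keys here are exchanged without authentication, so a deployment would also need a way for users to verify each other's keys; that step is where an independent review of a closed implementation would look first.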

Verdict: Strong hardware, but unproven app security

The secure case idea is good for those wanting a crypto-phone without having to compromise on style and elegance of the smartphone you want and pay for. Although the case has a hardware privacy option and comes with a battery extender, one has to wonder if that justifies the $119.99 price tag -- especially when cheaper battery extenders are out on the market, and for newer devices.

The accompanying software, however, has too many question marks hovering over it.

Without knowing what powers the nuts-and-bolts on the inside, the wider security community cannot scrutinize it. Without that, for all you know you could be using a product that -- despite Vysk's best intentions -- may have vulnerabilities or even backdoors.

"It's a sensitive process and it takes time," Troutman said, detailing the process behind designing cryptographic algorithms. "If you rush it, you probably won't achieve that profile."

"You publish, you have people analyze it, you publish those results, and so on; it's a process that you alter and analyze over a period of time, and with any luck, you might find that the end result achieves the security you intended when you made those changes."

The bottom line is trust. Like it or not, in this day and age, those who require secure communications have to be -- and to a degree are right to be -- paranoid.

Do I trust these apps to securely transmit my messages and store my photos? I don't. A lot of it boils down to gut feeling, made worse by a lack of substantial evidence to counter that and the knowledge that the product has been scrutinized only by an unknown person with unknown credentials.

What I can't tell you, after this week of testing, is that the apps in question are insecure, or fall foul of privacy standards. We don't know enough to prove that. However, these apps have not been proven secure either, which is reflected in our final rating.
