French government releases in-house IM app to replace WhatsApp and Telegram use

French government open-sources in-house-made end-to-end encryption IM app named Tchap.

Au revoir WhatsApp! The French government launches in-house IM app French government open-sources in-house-made end-to-end encryption IM app named Tchap.

The French government has developed its own end-to-end encrypted instant messenger (IM) app to replace government employee use of Telegram, WhatsApp, and other third-party IM clients.

The app, named Tchap, was launched yesterday, April 18, and is available on the official iOS and Android app stores. A web dashboard is also in the works.

Only official French government employees can sign-up for an account; however, the French government also open-sourced Tchap's source code on GitHub so other organizations can roll out their own versions of Tchap for internal use as well.

Tchap is based on Riot

Work on the app started in July 2018, and the app itself is based on Riot, a well-known open-source, self-hostable, and secure instant messaging client-server package.

The app was officially developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), under the supervision of ANSSI, France's National Cybersecurity Agency.

The French government plans to enforce Tchap use for any informal communications between government employees, agencies, and some (carefully selected) non-government entities and civilians.

The general idea is to keep government communications flowing through internal servers, and away from third-party services, like Telegram, Signal, WhatsApp, Wickr, or other encrypted IM clients, which may be vulnerable to attacks or under the surveillance of foreign intelligence agencies.

Security flaw found hours after release

But despite the French government's plans, the app's launch didn't go as planned. On the same day it was released, French security researcher Baptiste Robert found a security flaw in Tchap that would have allowed anyone to register an account and spy on the French government's internal communications.

The researcher found that by adding a government email domain on top of his regular email, like so name@domain.com@french-government-domain.com, he could register on the app, even when not being authorized to do so.

tchap-hacked.jpg

Image: Baptiste Robert

Matrix, the company behind the Riot client fixed the issue on the same day, and the patch is expected to reach Tchap users in the coming days.

Tchap was named after French scientists Claude Chappe, the inventor of the Chappe optical telegraphy system that was once deployed across France between 1792 and the 1850s, until it was replaced by a more sturdy electrical telegraph system.

Just like its US counterpart, the NSA, the French cyber-security agency has a habit of open-sourcing some of its cyber-security projects. Last October, ANSSI open-sourced CLIP OS, a secure Linux-based operating system that its engineers also developed for internal governmental use. ANSSI also released ADTimeline, a tool for Active Directory forensics investigations.

More cybersecurity coverage: