Privacy and data security have quickly become one of the world's hottest topics, and companies constantly appear that attempt to fill the privacy niche desired by consumers.
What's more, with Bitcoin hitting all-time highs, more and more people are choosing to invest in cryptocurrencies – and those consumers have a desire for secure wallet integration they can enjoy on their mobile devices.
Status.im has noticed the gap in the market and is hoping to hook privacy advocates into using its service by providing private browsing, messaging, and a place to hold altcoins – all under one hood.
Overview
Launched in 2020, Status.im is the result of a project involving developers from all around the globe. Despite the collaborative nature of the project, Status is officially based in Switzerland – a location that is considered favorable in terms of privacy.
The Status app is available for both iOS and Android devices. It provides a peer-to-peer instant messenger, a crypto wallet, and a Web3 browser. The app makes use of a fork of the Whisper protocol called Waku – to enable encrypted P2P communications. According to its developers, this custom fork of the Ethereum P2P protocol makes it less resource-intensive and better suited to mobile devices.
The Status App is open-source and available on GitHub, which means that its source code can be verified by third-party cryptography experts. However, the app is still in its infancy and it could potentially harbor vulnerabilities that have yet to be exposed via audits of this kind.
The good news is that the company has paid for third-party auditing on two occasions. The first was performed by Deja vu Security in Seattle ahead of Status' beta release in 2018. and another audit was carried out by Trail of Bits ahead of the production v1 release. Thus, the company has sought to verify its work as much as possible.
Those audits uncovered issues that have since been patched, which is great. Of course, more vulnerabilities could exist, but there is no doubt that Status is working hard to open source everything and engage with professional auditors to check that everything is as watertight as possible.
Decentralized
What's interesting about Status, is that it provides completely decentralized messaging. When it is fully up and running (it isn't yet), it will not need to rely on any central servers to pass messages from user to user (though it is using servers of this nature for the time being).
Instead, it connects users Peer-to-Peer in such a way that there should be no central point of failure – or place for government snoops to go in search of data. And, because of this decentralized nature, even if Status as a company (in its current form) disappeared – the service could theoretically still continue being used.
Pricing
Status is a free app that you can download and start using without paying a dime. In fact, as a member of the community who deploys a Status node, you become a stakeholder and can earn SNT tokens (an ERC-20 token used to access and power decentralized services in the Status Network and application). That means you could actually earn coin by using the service.
Later in the article, we have included some use cases for the SNT token. However, please bear in mind that some of these features (Tribute to Talk and Node Incentivization) are still a work in progress and not yet available to users. Thus, they are currently just part of Status' road map of objectives. Despite this, they are very interesting features and well worth taking a closer look at.
The SNT token creates incentivization for members of the network and encourages users to deploy network nodes that will be available should the Status-hosted cluster go down. Users who do so are paid for storing encrypted messages and forwarding them to the intended recipient once they come back online.
In addition, users can engage in the creation and purchase/sale of originally designed stickers. These stickers can be used to interact within messages and create another way for the generation and circulation of SNT tokens.
Features
- Peer-to-peer messaging that removes the potential for snooping by third parties.
- End-to-end encryption for messages by default with Perfect Forward Secrecy (leverages the double ratchet algorithm).
- The potential for completely decentralized message delivery without the need for company-run servers.
- The ability to send private chats, group chats, or public channels for communicating with a community of Status users.
- Cryptographic keys as account identifiers to enhance privacy and enable pseudonymity.
- The ability to send payments worldwide within the app (avoiding exchange rates, fees, and facilitating rapid value liquidity across borders).
- Send and earn SNT tokens by creating stickers or deploying a node.
- Completely private account creation with no need to provide a name, email address, phone number, or payment information.
- A data-agnostic network that is resilient to censorship by design.
- A completely open-source platform that can be audited by anybody.
- A non-custodial crypto wallet that can be used to securely send and store all ERC20 tokens (including ETH, SNT, DAI) and ERC721 tokens; collectibles and non-fungible tokens (NFTs).
Spam filtering by design
Another useful purpose for the SNT token is the way in which it reduces the potential for spam messaging by design. In a traditional electronic messaging environment, spammers are incentivized by the fact that messaging is free and provides an opportunity to contact huge numbers of people in such a way that message recipients can be tricked or scammed in some way.
In this traditional messaging model, a spammer's efforts can be rewarded simply by playing the numbers game. Status turns this potential on its head by permitting users to demand an SNT payment to receive a message from someone outside of their network.
By requiring users to make a payment in order to send a message, Status creates value by ensuring that those who send messages have an actual rationale for sending that message to that user. This not only stands to make spamming economically unviable, but it allows network users to earn SNT through the process of receiving messages.
Imagine a world where people only message each other when there is a genuine need to, and where people can set a barrier to entry for communication based on their importance to the community – and you start to understand the benefits of this economics-based messaging model.
This feature is not yet available, but is part of the road map ahead.
Status Token
One benefit of Status is the ERC20 Status Token itself. This will allow people who contribute to the network by acting as nodes to be rewarded and creates the potential for spam prevention by design.
In theory, this allows each user to get paid for participating, and it increases the potential for the P2P network to have longevity by theoretically permitting it to become decentralized.
However, for this to materialize, the value of Status Token when exchanged for another asset (such as Fiat currencies) must be enough to make doing those tasks worthwhile. If the value of the token is not high enough, the exchange of the token will not provide the value needed to support the ecosystem.
Whether the platform attracts enough users to make the token appreciate in value in such a way that it can legitimately be exchanged for these purposes remains to be seen.
SNT is also used for governance within the decentralized autonomous organization (DAO), by allowing users to pay SNT to make decisions on proposals for the future development of the platform.
Perhaps the only potential frustration that users might encounter with regard to SNT and Status, is that if they want to pick their own user name (rather than use the random one provided by Status) they will need to change some Fiat or crypto funds into SNT to get their custom ENS User Name.
This is a minor quibble, but it may annoy some users who do want a custom name – but don't want to exchange to SNT. A custom ENS costs 10 SNT. After a year, you can either continue with the name or release the contract and get those funds back. Thus, you do not actually lose anything by using SNT to get a custom identity for Status messenger.
As previously mentioned, some of these use cases for SNT (Tribute to Talk and Node Incentivization) have not been rolled out yet. Thus, they are still part of the road map ahead, and you will need to keep your eye on the messenger to see when those features are eventually rolled out.
Ease of Use
Getting hold of Status on your Android or iOS device is super easy. Simply head over to its website where it will link you to the app to download from the Apple of Google Play store. With the app installed, you are prompted to "get your keys". To do so, tap the button that says Generate keys. This takes a few seconds.
One of the Keys that is created is for chats, and this requires you to choose a chat name. Unfortunately, you can't pick this chat name yourself. Instead, you are offered five choices.
As you can see, ours were Floralwhite Quirky Goldenmantledgroundsquirrel, Square Smoggy Brownbutterfly, Orderly Quick Herring, Even Shy Adouri, and Guilty Oily Kangaroo.
Next, you will need to pick a password this protects your keys and is needed to unlock Status. Following that simply choose your notification settings and launch the app. This process took around 2 minutes, which definitely makes setting up Status both quick and easy.
Your pre-defined chat name is attached to a Chat key, which is a code you can send to fellow users in order to begin a chat. This is the public key part for the E2EE encryption that uses public-key (asymmetric) cryptography.
To start a chat, you can share your public key by clicking on Profile in the bottom nav of the app and then your name at the top.
open up the share screen and then click Share link. this can be sent out via email, via another messenger, social media, cloud storage services, or even using airdrop. You can also save it locally as a test file for sharing at a later date.
Opening the wallet for the first time reveals to you your signing phrase. This is a three-word combination that allows you to verify everything is secure before signing each transaction. Status reminds you to check this three-word verification code before signing a transaction, and if you see a different combination – cancel the transaction and sign out.
From that point on you gain access to your Ethereum wallet, which comes with an Ethereum address you can share to receive Ether, SNT, or any other ERC20 tokens. You can add secondary accounts for receiving funds as and when you like.
For a moment, the availability of this built-in wallet might seem like witchcraft to those who have been storing their coins in other hardware, software, and paper wallets over the years. It is certainly easy to see why this instant accessibility (alongside a secure messenger) is interesting.
The wallet intelligently shows you not just how much ETH and SNT you have stored, but also its total value in USD, which is useful. We used the wallet address to transfer a nominal amount of ETH into the wallet to ensure it all works as it should. As you can see, the balance of our account updated correctly and without issue:
We also like that the wallet lets you check on your collectibles by connecting to a third-party wallet. Authorizing a DApp allows it to retrieve your wallet address and enables Web3 (a collection of JavaScript libraries that permit you to interact with an Ethereum node using HTTP, IPC, or WebSocket).
If you have collectibles you want to track from inside Status, you will need to enable these permissions. Remember, the third-party wallet will still store your digital collectibles and other altcoins, you can simply track them from the Status wallet.
In addition to storing and sharing crypto assets and chatting directly with friends, you can join public forums to start chats and meet new people. To join one of these chats, simply click on the hashtag that piques your interest and start chatting with the other hilariously (automatically named) users.
Security
Status is an open-source project that publishes its code on Github. This means that anybody can audit the platform to ensure it is working securely. That said, Status has not yet been audited by independent, professional third-party auditing firms – so it is hard to guarantee that the platform is 100% secure.
That said, the cryptographic primitives from which the messaging platform is derived are open-source and considered highly robust. This should mean that end-to-end encryption implemented by Status messenger can be trusted – despite the fact that it is still a relatively new service.
How does the Peer-to-Peer messaging network actually work?
For transport privacy, Status leverages a fork of the Ethereum Whisper protocol called Waku. Waku is a protocol developed by Status that enables better usability on resource-restricted devices like smartphones.
Below, we have included a list of the cryptographic primitives used by Status.im Messenger:
Whisper
- AES-256-GCM
- KECCAK-256
X3DH
- Elliptic curve Diffie-Hellman key exchange (secp256k1)
- KECCAK-256
- ECDSA
- ECIES
Double Ratchet
- HMAC-SHA-256 as MAC
- Elliptic curve Diffie-Hellman key exchange (Curve25519)
- AES-256-CTR with HMAC-SHA-256 and IV derived alongside an encryption key
- Key derivation is done using HKDF
These cryptographic primitives are fundamentally sound, and the E2EE appears to be extremely robust – as well as future proof – thanks to the implementation of the Double Ratchet method for Perfect Forward Secrecy.
While this is fantastic at face value, it is impossible for us to 100% vouch for Status' implementation of its encryption without seeing a full third-party audit of the Waku protocol itself. Thus, despite appearing to be secure from what we have seen from the white paper, Status is still new and relatively unproven in terms of reliability (much like WireGuard when it first came on the scene for VPNs a few years back).
What is unique about Status (when compared to messengers like Signal or WhatsApp) is that it is designed for decentralized Peer-to-Peer connections that don't require the client to communicate with central, company-controlled servers to pass messages along to the recipient. Instead, Status can make use of a network of nodes provided by users to send messages to fellow users (in a securely encrypted state) Peer to Peer.
Until it has the user base to support this framework, Status is providing servers in place of nodes – to ensure that users can always send messages to one another without the need for these user-provided nodes.
Over time, however, (as long as the project sees uptake from the public) the need for those company-owned servers will vanish. This means that even if the company were to disappear, users could still theoretically continue to use the service to send secure P2P messages via the community of decentralized nodes.
Seed Phrase
After installing and setting up a Status.im account, you will notice that you have a notification in the privacy section of the app. This reminder asks you to make a note of and store a seed phrase comprising 12 different words.
This seed phrase can be used at any time to prove that the crypto-wallet is yours, and it gives you a way to recover your funds if you lose access to your phone or need to reinstall the app for some reason.
It is vital to remember that you will only see this seed phrase once, so you must write it down and store it somewhere extremely safe, or you will not be able to access your wallet funds in the event of a problem.
Once you have stored your seed phrase, Status will ask you to enter a few of the words to ensure that you know them correctly. Following that, this step is complete.
Signing phrase
In addition to needing to remember the Seed Phrase, you must also remember a three word signing phrase. These three words will appear each and every time you send funds using your Status wallet.
As a user, all you need to to is remember these three words to ensure that they are correct at the time of making transaction. This is designed to prevent phishing attacks, so always look for the signing phrase and if the words are unfamiliar (or there is no signing phrase at all) log out of Status at once and report the security issue to Status.
Remember that Status will never ask you for your password or seed phrase, and that it will always show you your signing phrase at the time of sending a transaction.
Privacy
End-to-End Encryption
When you make a Status account, it generates a cryptographic key pair to encrypt your messages. This key pair is stored locally on your device.
When you add a messaging contact in Status, you exchange public keys so that you can exchange messages securely over the network. Thus, Status uses normal asymmetric encryption methods that are commonplace in this kind of messenger.
That asymmetric encryption implemented by status includes Perfect Forward Secrecy (PFS) for all messages. This ensures that the security of messages is future proof, by providing a mechanism that prevents anybody from being able to read messages in the future, even if they compromise the public key.
Status implements PFS using the X3DH and Double Ratchet specifications developed by Open Whisper Systems (the company that made Signal). However, it builds on those specifications to suit Status' decentralized message exchange system.
Privacy Policy
As is always the case when we review products and services, we looked at the privacy policy to ensure that nothing stood out as problematic.
The policy reveals that data such as the user's IP address are collected automatically when the user visits the website. The company uses this data for analytical purposes. Status.im also informs users that their email address and any details they voluntarily provide on the site will also be collected.
The policy also states that the website also uses tracking cookies to provide its services. It also advises that Status does work with third-party service providers for various reasons (including Shopify for which a separate privacy policy applies).
These third-parties, which include technical service providers, mail carriers, hosting providers, IT companies, communications agencies, for example. The policy explains that these third parties may both receive and provide information about website visitors to Status. None of this is particularly unusual.
In addition, the policy provides clear definitions regarding the legal basis for data collection, and it provides information about filing data requests and exercising the right to erasure. Thus, the policy is GDPR compliant, which is good.
Where the service itself is contained, users can sign up without providing their details and they retain control over their assets and the keys to their messages and assets themselves, which means that no sensitive data is ever accessible to Status.
Conclusion
Status messenger is extremely interesting, brings innovation to the forefront of its service, and provides a lot of benefits for its users. And it stands to create a private messaging ecosystem that is completely unstoppable and removed of the potential for government intervention.
The concept of a P2P messenger with robust E2EE is always going to be a winner, and integrating a ETH wallet is really cool. The SNT token, which will reward users for acting as nodes in the network, is innovative not only because of how it can provide benefits such as spam deterrence, but because it incentivizes users to pick this messenger over others.
That said, it seems fair to say that this service is still in its infancy and still has a relatively tiny user base. Thus, until more people get on board and the community grows, it is hard to judge just how successful the open-source project might be.
Overall, however, we really enjoyed using the app which makes sending and receiving encrypted messages and storing and transacting crypto funds very easy for both Android and iOS users.
From what we have seen, the fundamentals used for providing security and privacy on the platform are sound, and it will be interesting to see how the wider community reacts to the platform when gains some momentum.
All-in-all, we give Status messenger a thumbs up. An extremely interesting app that is definitely worth keeping an eye on.