Encrypted chat app Signal suggested in a blog post published on Wednesday that products sold to law enforcement from Israeli surveillance provider Cellebrite can easily be sabotaged.
Cellebrite DI Ltd, which specializes in helping law enforcement and intelligence agencies copy call logs, texts, photos and other data off of smartphones, has repeatedly come under fire for past sales to authoritarian governments, including Russia and China.
Signal, a privacy-focused app eager to show the lengths it goes to protect users' conversations, clashed with Cellebrite last year when the Israeli company said its equipment was upgraded to allow law enforcement to scoop up Signal messages from devices in their possession.
Signal creator and CEO Moxie Marlinspike said in his blog post on Wednesday he had come into possession of a bag of Cellebrite equipment and examined the gear inside.
He was "surprised to find that very little care seems to have been given to Cellebrite's own software security," Marlinspike said, noting it would be easy to add a specially crafted file onto a phone that would derail Cellebrite's functionality.
In a statement, Cellebrite did not directly address Marlinspike's claim but said that the company's employees "continually audit and update our software in order to equip our customers with the best digital intelligence solutions available."
Elsewhere in his blog post, Marlinspike alleged he had found snippets of code from Apple Inc inside Cellebrite's software, something he said "might present a legal risk for Cellebrite and its users" if it was done without authorization.
Apple did not immediately respond to a request for comment.
Signal's allegations come as Cellebrite prepares to go public through a merger with a blank-check firm, valuing the equity of the combined company at around $2.4 billion.
(Reporting by Raphael Satter; Editing by Richard Chang and Edwina Gibbs)