User:Asr/SMSSecure

From Wikipedia, the free encyclopedia
Asr/SMSSecure
Original author(s): Moxie Marlinspike and Stuart Anderson (Whisper Systems)
Developer(s): Carey Metcalfe and Bastien Le Querrec
Initial release: March 2015
Stable release: 0.10.1 (July 16, 2015)
Written in: Java
Operating system: Android
Size: 6.7 MB
Type: Encrypted SMS/MMS messaging
License: GPLv3
Website: smssecure.org

SMSSecure is a fork of TextSecure, both advanced free and open-source encrypted messaging applications for Android which use the TextSecure encryption protocol. This protocol enables the secure transmission of SMS and MMS messages to other SMSSecure users. Users can independently verify the identity of their correspondents by comparing key fingerprints out-of-band or by scanning QR codes in person. The Android application can function as a drop-in replacement for Android's native messaging application. The local message database can be encrypted with a passphrase.

SMSSecure implements TextSecure's encryption protocol, but with no instant messaging features,[1] and therefore cannot be used for instant messaging with TextSecure, WhisperPush, or Signal users. SMSSecure is developed by Carey Metcalfe and Bastien Le Querrec, who are not affiliated with Open Whisper Systems.

Screenshots from the application on a smartphone

History

TextSecure

Whisper Systems and Twitter (2010–2011)

TextSecure started as an application for sending and receiving encrypted SMS messages.[2] Its beta version was first launched in May 2010 by Whisper Systems,[3] a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.[4][5] In addition to launching TextSecure, Whisper Systems produced a firewall, tools for encrypting other forms of data, and RedPhone, an application that provides encrypted voice calls.[4][6] All of these were proprietary enterprise mobile security software.

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company.[7] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[8]

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.[4][9][10][11] RedPhone was also released under the same license in July 2012.[12] Marlinspike later left Twitter and founded Open Whisper Systems[13] as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[14]

Open Whisper Systems (2013–2015)

Open Whisper Systems' website was launched in January 2013.[14] Open Whisper Systems started working to bring TextSecure to iOS in March 2013.[15][16]

In February 2014, Open Whisper Systems updated their protocol to version 2, adding group chat and push messaging capabilities.[15][17] Toward the end of July 2014, Open Whisper Systems announced plans to unify its RedPhone and TextSecure applications as Signal.[18] This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client.[19] Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.[13][20]

In March 2015, Open Whisper Systems released Signal 2.0 with support for TextSecure private messaging on iOS.[21][22] Later that month, Open Whisper Systems ended support for sending and receiving encrypted SMS/MMS messages on Android. As of version 2.7.0, TextSecure only supports sending and receiving encrypted messages via the data channel. Reasons for this included:[2]

  • Complications with the SMS encryption procedure: Users needed to manually initiate a "key exchange", which required a full round trip before any messages could be exchanged. In addition to this, users could not always be sure whether the receiver could receive encrypted SMS/MMS messages or not.
  • Compatibility issues with iOS: Not possible to send or receive encrypted SMS/MMS messages on iOS due to the lack of APIs.
  • The large amounts of metadata that inevitably arise and are uncontrollable when using SMS/MMS for the transportation of messages.
  • Focus on software development: Maintaining SMS/MMS encryption and dealing with edge cases took up valuable resources and inhibited the development of the software.

Forking to SMSSecure

Open Whisper Systems' abandonment of SMS/MMS encryption,[1] together with TextSecure's dependency on Google Cloud Messaging (GCM) and its unavailability on F-Droid,[1] prompted some users to create SMSSecure as a fork.[1][23][24]

Features

SMSSecure allows users to send encrypted text messages to other SMSSecure users with smartphones running Android. SMSSecure also allows users to exchange unencrypted SMS and MMS messages with people who do not have SMSSecure.

Management of regular SMS/MMS

Messages sent with SMSSecure may be encrypted as soon as the user sends a private session request. This differs from the regular use of TextSecure protocol V2 in TextSecure, WhisperPush and Signal, which centralize users in federated directory servers and can therefore start encrypted sessions automatically via GCM or WhisperPush, without the user having to request one.[25]

Encryption of SMS

When a private session is started in SMSSecure, any sent messages are automatically end-to-end encrypted, which means that they can only be read by the intended recipients. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled. In the user interface, encrypted messages are denoted by a lock icon.

According to the Slovakian website Cybersec.sk, now that TextSecure has abandoned SMS/MMS encryption, SMSSecure is the only application among those it tested that provides this feature.[26]

Key verification

SMSSecure has a built-in function for verifying that the user is communicating with the right person and that no man-in-the-middle attack has occurred. This verification can be done by comparing key fingerprints out-of-band. Users can also scan each other's personal QR codes.

Non-dependency on GCM

TextSecure relies on GCM for a wakeup event in order to deliver messages over the data channel.[2] According to Carey Metcalfe and Bastien Le Querrec, their goal is to build an app which is independent of Google services,[27] which TextSecure is not, because of this GCM dependency.[28]

Stagefright

On July 27, 2015, an Android bug called Stagefright was publicly announced,[29] which led users to audit their MMS/SMS applications. According to Yemen-Press.com, SMSSecure's default settings can be modified so that it is not vulnerable to this attack vector.[30]

Licensing

The complete source code of SMSSecure is available on GitHub under a free software license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copy of the application and compare it with the version that is distributed by SMSSecure.

Reception

In April 2015, SMSSecure was included in a list of "The best 9 apps for Android" by the Dutch website Android Planet.[31]

Distribution

SMSSecure is available through Google Play, F-Droid and Amazon Apps.

References

  1. ^ a b c d "TextSecure-Fork bringt SMS-Verschlüsselung zurück". Heise (in German). 2 April 2015. Retrieved 29 July 2015.
  2. ^ a b c Open Whisper Systems (6 March 2015). "Saying goodbye to encrypted SMS/MMS". Retrieved 22 March 2015.
  3. ^ "Announcing the public beta". Whisper Systems. 25 May 2010. Archived from the original on 30 May 2010. Retrieved 22 January 2015.
  4. ^ a b c Garling, Caleb (2011-12-20). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired. Retrieved 2011-12-21.
  5. ^ "Company Overview of Whisper Systems Inc". Bloomberg Businessweek. Retrieved 2014-03-04.
  6. ^ Andy Greenberg (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28.
  7. ^ Tom Cheredar (November 28, 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21.
  8. ^ Yadron, Danny (9 July 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Retrieved 10 July 2015.
  9. ^ Chris Aniszczyk (20 December 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on 24 October 2014. Retrieved 22 January 2015.
  10. ^ "TextSecure is now Open Source!". Whisper Systems. 20 December 2011. Archived from the original on 6 January 2012. Retrieved 22 January 2015.
  11. ^ Pete Pachal (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01.
  12. ^ "RedPhone is now Open Source!". Whisper Systems. 18 July 2012. Archived from the original on 31 July 2012. Retrieved 22 January 2015.
  13. ^ a b Andy Greenberg (29 July 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved 18 January 2015.
  14. ^ a b "A New Home". Open Whisper Systems. 21 January 2013. Retrieved 23 January 2015.
  15. ^ a b Brian Donohue (Feb 24, 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 2014-03-01.
  16. ^ Christine Corbett (27 March 2013). "Sure!". Open Whisper Systems. Retrieved 2014-03-16.
  17. ^ Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open Whisper Systems. Retrieved 26 February 2014.
  18. ^ "Free, Worldwide, Encrypted Phone Calls for iPhone". Open Whisper Systems. 29 July 2014.
  19. ^ Michael Mimoso (29 July 2014). "New Signal App Brings Encrypted Calling to iPhone". Threatpost.
  20. ^ Jon Evans (29 July 2014). "Talk Private To Me: Free, Worldwide, Encrypted Voice Calls With Signal For iPhone". TechCrunch. AOL.
  21. ^ Micah Lee (2015-03-02). "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone". The Intercept. Retrieved 2015-03-03.
  22. ^ Megan Geuss (2015-03-03). "Now you can easily send (free!) encrypted messages between Android, iOS". Ars Technica. Retrieved 2015-03-03.
  23. ^ https://www.security.nl/posting/422674/Versleuteld+sms%27en+met+Android-app+SMSSecure
  24. ^ http://derstandard.at/2000013841576/SMSSecure-TextSecure-Abspaltung-belebt-SMS-Verschluesselung-wieder
  25. ^ LinuxFr : SMSSecure - Les sms et mms chiffrés sur Android, ce n'est pas fini
  26. ^ http://www.cybersec.sk/navody-a-programy/navody/ako-si-ochranit-komunikaciu-predovsetkym-na-androide/ (via Google translate) SMSsecure The only exception among the selected applications, which replaces the built-in Messenger Android. After you install it, use the SMS if only this application, including received messages. The authors have chosen this solution, especially for greater security - SMS messages are also encrypted locally in the phone memory. Note, however, that after uninstalling lose all SMS messages that have been received by it. The indisputable advantage of the application and its unique is that it does not require a data connection. If the application uses only one party sends unencrypted traditional SMS. If you have applications installed both, sender and recipient, it is possible to exchange messages in encrypted mode. Enough to exchange encryption keys (one-touch). This is a very intuitive application that the operator should not cause more trouble even inexperienced users.
  27. ^ SMSSecure focuses on SMS and MMS. This fork aims to: Keep SMS/MMS encryption ; Drop Google services dependencies (push messages are not available in SMSSecure). SMSSecure/README.md
  28. ^ SMSSecure is free software (under the GPL license), does not depend on any third-party server, does not rely on Google's APIs and services, and uses 256-bit encryption. Korben : crypter sms et mms (in French)
  29. ^ http://www.zdnet.fr/actualites/stagefright-un-simple-mms-pour-controler-95-des-smartphones-android-39822978.htm
  30. ^ https://yemen-press.com/news52022.html
  31. ^ http://www.androidplanet.nl/apps/de-9-beste-android-apps-in-google-play-van-week-15-2015/