TextSecure
Original author(s) | Moxie Marlinspike, Stuart Anderson (Whisper Systems) |
---|---|
Developer(s) | Open WhisperSystems |
Initial release | May 2010[1] |
Written in | Java (client and server) |
Operating system | Android, CyanogenMod |
Size | 3.9 MB |
Available in | 32 languages[2] |
Type | Encrypted instant and text messaging |
License | GPLv3 (client),[3] AGPLv3 (server)[4] |
Website | TextSecure on GitHub Open WhisperSystems |
TextSecure is an instant messaging and text messaging application for Android. It is intended to be used in place of the standard text messaging application.[5][3] TextSecure can be used to send and receive text messages, media and attachments.[6] TextSecure encrypts both the message database on the user's device and all messages that are sent to other TextSecure users.[5][7][8]
TextSecure is developed by Open WhisperSystems and is released under the GPLv3 license.[3] It is supported, developed on, and recommended by the Guardian Project.[9]
History
Security researcher Moxie Marlinspike and roboticist Stuart Anderson co-founded Whisper Systems in 2010.[10][11] In addition to launching TextSecure in May 2010, Whisper Systems produced RedPhone, an application that provides encrypted voice calls.[1] They also developed a firewall and tools for encrypting other forms of data.[10] RedPhone and TextSecure played a role in protester communications during the Arab Spring uprisings.[12]
On 28 November 2011, Twitter announced that it had acquired Whisper Systems for an undisclosed amount.[13] Shortly after the acquisition, Whisper Systems' RedPhone service was made unavailable,[14] though it was later released as free and open source software in July 2012. Some have criticized this removal, arguing that it was "specifically targeted [to help] people under repressive regimes" and that it left people like the Egyptians in "a dangerous position" during the events of the 2011 Egyptian revolution.[15]
Whisper Systems' TextSecure software was released as free and open source software about a month after the acquisition by Twitter.[10][16] The software has since been under open development by the community and has seen a number of new releases based on that open development. The project for this continued work was named Open WhisperSystems.[17]
Open WhisperSystems has been working to bring TextSecure to iOS since March 2013.[6][18][19]
In September 2013, it was announced that the TextSecure protocol had successfully been integrated into CyanogenMod, growing its user base to ten million.[20][21][22]
In his keynote speech at SXSW 2014, NSA leaker Edward Snowden praised Open WhisperSystems' applications for their ease-of-use.[23][24]
Features

TextSecure allows users to send text messages, documents, photos, videos, contact information, and group messages over Wi-Fi, 3G or LTE to other TextSecure users, thus providing an alternative to text messaging for users with smartphones running Android 2.3 or later.
By default, TextSecure will send the messages over the user's data connection if possible.[7][8] This means that if the user sends a message to another registered TextSecure user, there is no SMS charge associated with the message. It is merely treated as an additional data transfer. If the data connection is unavailable, the application will fall back to using SMS/MMS to transport the message.[7][25]
TextSecure can use SMS/MMS to communicate with non-TextSecure users. The app can therefore be used to replace the default SMS/MMS application. Messages that have been sent via SMS/MMS and messages that have been sent via the user's data connection can be distinguished by color. Green text bubbles indicate SMS-based communication and blue text bubbles indicate communication over a data connection.
The application will automatically encrypt all conversations held with other registered TextSecure users. In the user interface, encrypted messages are denoted by a lock icon. Media attachments are encrypted in the same way as other messages.
Regardless of whether the messages were sent to another TextSecure user or not, TextSecure can store the messages in an encrypted database on the user's device if the user has a passphrase enabled.[1]
TextSecure also allows users to chat with more than one person at a time. Group chats are automatically encrypted and held over an available data connection if all participants are registered TextSecure users.[6]
Open WhisperSystems does not have access to the contents of any messages sent by TextSecure users. Additionally, the complete source code for the TextSecure clients and the TextSecure server is available on GitHub. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by Open WhisperSystems.[26]
Architecture
Encryption
For the encryption of messages sent to other TextSecure users, Open WhisperSystems took the Off the Record (OTR) protocol and made some improvements to the deniability and forward secrecy aspects, and added a mechanism to allow the ephemeral key negotiation to work asynchronously.[27][28][29]
TextSecure uses Curve25519, AES-256, and HMAC-SHA256. The security of these algorithms has been tested over many years of use in hundreds of different applications. Messages sent via TextSecure are end-to-end encrypted, which means that they can only be read by the intended recipients. TextSecure makes it easy for its users to verify that they are communicating with the right people and that no MITM attack has occurred. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled.[6][26]
The Axolotl ratchet in TextSecure is the most advanced cryptographic ratchet available (as of March 2014). Axolotl ensures that new AES keys are used for every single message, and it provides TextSecure with both forward secrecy and future secrecy properties.[29][30] The TextSecure protocol also features enhanced deniability properties that improve on those provided by OTR, and unlike OTR, all of these features work well in an asynchronous mobile environment.[26][27][28]
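The per-message keying described above can be illustrated with a simplified HMAC-SHA256 key chain. This is an added example, not TextSecure's code and not the full Axolotl ratchet; the derivation labels, the all-zero starting key, and the random value standing in for a new Curve25519 agreement are assumptions.

```python
import hashlib
import hmac
import os

# Labels are constructed for this illustration, not taken from TextSecure.
MSG_LABEL = b"\x01"      # input that derives the per-message key
CHAIN_LABEL = b"\x02"    # input that derives the next chain key
REKEY_LABEL = b"rekey"   # input prefix when a fresh secret is mixed in


def step(chain_key):
    """Advance the chain once; return (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, MSG_LABEL, hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, CHAIN_LABEL, hashlib.sha256).digest()
    return message_key, next_chain


class Chain:
    """Keeps only the current chain key; each step overwrites the last."""

    def __init__(self, key):
        self.key = key

    def next_message_key(self):
        message_key, self.key = step(self.key)
        return message_key

    def rekey(self, fresh_secret):
        # Assumption: fresh_secret stands in for a new Curve25519 agreement.
        data = REKEY_LABEL + fresh_secret
        self.key = hmac.new(self.key, data, hashlib.sha256).digest()


def demo():
    alice = Chain(bytes(32))          # constructed all-zero starting key
    sent = [alice.next_message_key() for _ in range(3)]
    thief = Chain(alice.key)          # state copied after the third message
    # The copied state can follow the chain forward to the next message.
    follows = thief.next_message_key() == alice.next_message_key()
    # A fresh secret the thief never saw moves Alice onto a new chain.
    alice.rekey(os.urandom(32))
    after = alice.next_message_key()
    later = [thief.next_message_key() for _ in range(100)]
    return {
        "distinct_keys": len(set(sent)) == 3,
        "thief_reads_next": follows,
        "thief_recovers_old": any(k in sent for k in later),
        "thief_reads_after_rekey": after in later,
    }
```

Stepping the copied state forward never reproduces an earlier message key (forward secrecy rests on HMAC being one-way), and the copied state stops tracking the conversation once a secret it does not hold is mixed in (future secrecy).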
Servers
The software that handles message routing for the TextSecure data channel is called TextSecure-Server. The complete source code of the TextSecure server is available on GitHub under the AGPLv3 license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the software and compare them with the software that is used by Open WhisperSystems and others.[4]
Client-server communication is protected by TLS/SSL. Communication is handled by a REST API and push messaging (both Google Cloud Messaging (GCM) and Apple Push Notification Service (APN)).[4] Support for WebSocket has been added.[31]
Open WhisperSystems pays its hosting fees out of the donations it receives. The server-side architecture is federated. The developers hope this will help spread the cost over time. The developers of CyanogenMod already host the servers that handle the traffic for their users. As Open WhisperSystems launches more clients, it hopes that other stakeholders will take on hosting as well.[32]
Distribution
Following an incident in August 2012, Open WhisperSystems has declined requests to distribute the application through third-party sources, such as F-Droid.[33] They have defended this position with the following arguments:
1. Users who install the application outside of the Play Store do not receive timely software updates. The ability to provide users with rapid fixes for any vulnerabilities that are found is extremely important to the security of our software. Alternative app catalogs like F-Droid rely on a centralized trust model and necessitate allowing the installation of apps from unknown sources which harms Android's security for average users. Open WhisperSystems is developing an update framework that will allow distribution outside of the Play Store to happen in a responsible and secure fashion.
2. Outside of Google's GCM, the fact is that there are no alternative push messaging frameworks for Android that can scale to the millions of users that TextSecure has. GCM requires Google Play. As a solution, Open WhisperSystems has added WebSocket support to the open source TextSecure server. This won't work as well as push messages that are sent via GCM, but it will provide a way for TextSecure to work outside of Google's GCM push messaging framework once support has been added to the client.
— Open WhisperSystems, Why do I need Google Play installed to use TextSecure on Android?
Open WhisperSystems has acknowledged that this is an important issue for some of TextSecure's users, and has given assurances that it is working on it. It has, however, chosen to focus first on serving the millions of users who have Google Cloud Messaging (GCM) capabilities. It has invited the community to help add WebSocket support to TextSecure for Android.[31]
See also
- Comparison of instant messaging clients
- Cryptocat
- Freedom of information
- GNU Project
- Internet privacy
References
- ^ a b c Andy Greenberg (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28.
- ^ "List of languages supported by TextSecure". Retrieved 15 March 2014.
- ^ a b c "TextSecure on GitHub". Retrieved 26 February 2014.
- ^ a b c "TextSecure-Server on GitHub". Retrieved 2 March 2014.
- ^ a b Molly Wood (19 February 2014). "Privacy Please: Tools to Shield Your Smartphone". The New York Times. Retrieved 26 February 2014.
- ^ a b c d DJ Pangburn (3 March 2014). "TextSecure Is the Easiest Encryption App To Use (So Far)". Motherboard. Retrieved 14 March 2014.
- ^ a b c Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open WhisperSystems. Retrieved 26 February 2014.
- ^ a b Martin Brinkmann (24 February 2014). "TextSecure is an open source messaging app with strong security features". Ghacks Technology News. Retrieved 26 February 2014.
- ^ The Guardian Project. "Secure Mobile Apps". GuardianProject.info. Retrieved 26 February 2014.
- ^ a b c Garling, Caleb (2011-12-20). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired.com. Retrieved 2011-12-21.
- ^ "Company Overview of Whisper Systems Inc". Bloomberg Businessweek. Retrieved 2014-3-4.
- ^ Robert Lemos (2011-02-15). "An App for Dissidents". MIT Technology Review. Retrieved 2014-03-07.
- ^ Tom Cheredar (November 28, 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21.
- ^ Andy Greenberg (2011-11-28). "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved 2011-12-21.
- ^ Garling, Caleb (2011-11-28). "Twitter Buys Some Middle East Moxie | Wired Enterprise". Wired.com. Retrieved 2011-12-21.
- ^ Pete Pachal (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01.
- ^ "A New Home". Open WhisperSystems. 2013-01-21. Retrieved 2014-03-01.
- ^ Brian Donohue (Feb 24, 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 2014-03-01.
- ^ Christine Corbett (Mar 27, 2013). "Sure!". Open WhisperSystems. Retrieved 2014-03-16.
- ^ Andy Greenberg (2013-12-09). "Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default". Forbes. Retrieved 2014-02-28.
- ^ Seth Schoen (2013-12-28). "2013 in Review: Encrypting the Web Takes A Huge Leap Forward". Electronic Frontier Foundation. Retrieved 2014-03-01.
- ^ Moxie Marlinspike (2013-12-09). "TextSecure, Now With 10 Million More Users". Open WhisperSystems. Retrieved 2014-02-28.
- ^ Max Eddy (Mar 11, 2014). "Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff". PC Magazine: SecurityWatch. Retrieved 2014-03-16.
- ^ Hanno Böck (Mar 11, 2014). "Snowden empfiehlt Textsecure und Redphone" (in German). Golem.de. Retrieved 2014-03-16.
- ^ Dean Takahashi (July 29, 2010). "How to hide yourself from Google and cell phone carriers". VentureBeat. Retrieved 2014-02-28.
- ^ a b c Open WhisperSystems. "Is it secure? Can I trust it?". Retrieved 2014-03-13.
- ^ a b Moxie Marlinspike (July 27, 2013). "Simplifying OTR Deniability". Open WhisperSystems. Retrieved 2014-03-01.
- ^ a b Moxie Marlinspike (Aug 22, 2013). "Forward Secrecy for Asynchronous Messages". Open WhisperSystems. Retrieved 2014-03-01.
- ^ a b Moxie Marlinspike (Nov 26, 2013). "Advanced Cryptographic Ratcheting". Open WhisperSystems. Retrieved 2014-03-01.
- ^ "The Axolotl Ratchet Wiki on GitHub". Retrieved 2014-03-14.
- ^ a b Open WhisperSystems. "Why do I need Google Play installed to use TextSecure on Android?". Retrieved 2014-03-13.
- ^ Moxie Marlinspike (Mar 11, 2014). "How is openwhispersystems paying for the its server costs?". Open WhisperSystems. Retrieved 16 March 2014.
- ^ "Issue #127 on GitHub". Retrieved 2014-03-14.