Cyanogenmod adds encrypted SMS from WhisperSystems


#1

[Permalink]


#2

Even exchanging SMS messages with someone who doesn’t use TextSecure, there is some benefit - you still get locally encrypted storage of all SMS messages on your phone. That means (as long as you have set your passphrase timeout appropriately and such) that if your phone is seized by police / your nosy sibling, they will not have access to all your stored conversations.


#3

Good point, though if the police want your SMS messages, they’ll just ask your carrier for them (yep, they’re stored for quite a while).


#4

In the event your receiving party isn’t on CM or using TextSecure, the implementation will silently fall back to a normal SMS message (unencrypted).

This of course opens the question of whether it’s possible for a third party to make it look like the recipient isn’t using encryption, to remove the benefit by forcing the fallback.


#5

Piggy-backing on the FreeBSD post: Does it use a hardware based random number generator?


#6

Absolutely right - it’s some protection, but not strong.

In at least some jurisdictions, arresting officers can look through a cellphone without a warrant, if there’s no password lock on it. Where the arrestee has taken some measures to protect their privacy, that needs a warrant, the same as requesting texts from the carrier (again - depending on jurisdiction"

So, in this case, it might raise the protection to the level of requiring a warrant.


#7

Once you’ve established encrypted communication, I don’t think it is possible to force a fallback without the sender’s approval.


#8

I think it’s smarter than you give it credit for… but it almost doesn’t matter at this stage. Consumer crypto fails because it’s really hard to get people to use it, not because advanced attackers subvert it. If the defaults are too weak they can be adjusted later… but if this app doesn’t fail silently, it will be a hassle to use and I will disable it.


#9

They’ll give you fifteen years if you don’t fork over the password here, like.


#10

I’m not quite sure what you mean - I’ve used the app for over a year; it’s not hard to use and only gotten better with time.

Also, what do you mean by “smarter than you give it credit for”? If an attacker can force the app to send plaintext when the sender means to encrypt, there’s no way of spinning that as “smart”.


#11

This is already doable with 3rd party apps across all platforms.

https://guardianproject.info/apps/chatsecure/

★ WORKS ON EVERY PLATFORM: Android with ChatSecure, iPhone with ChatSecure, Mac with Adium, Linux with Jitsi, Windows with Pidgin, and more!
https://play.google.com/store/apps/details?id=info.guardianproject.otr.app.im

If you run it with Orbot (android tor proxy) you’re as anonymised as you can be.
https://play.google.com/store/apps/details?id=org.torproject.android&hl=en


#12

This topic was automatically closed after 5 days. New replies are no longer allowed.