Warning about TextSecure App: Possible Compromised Development

4th March 2014, 04:15 AM   |  #1
optimumpro (OP)
Some of us use TextSecure as a replacement for the stock SMS app. TextSecure provides encryption for your SMS. However, my recommendation is: stay away, or at least don't update to the 2.x versions.

The developer has introduced Google Cloud Messaging, which means that even if your SMS are secure, the fact that you are using the app will be recorded in Google's centralized database. In addition, he removed the ability of the user to regenerate a new identity key. In the last couple of releases, he forced the user to allow the app to contact the internet (otherwise, the app would crash). That is even if you compile the app from sources, which I did a couple of hours ago. If you download the app from the Store, you can't even use it without a Google account and GSF; the latter will record your every keystroke, including the password used to encrypt the messages. Further, the app is only available through Google Play and the developer is actively resisting third-party distribution. If that is not enough, you should know that Whisper Systems is owned by Twitter, which is a red flag in and of itself. The code is growing larger and is more difficult to examine for back doors.

My advice: stay away from this development, which in my view is compromised...

Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on TextSecure and it is published under Whisper, which is Twitter. About the same time, all the things described above started to happen. Also interesting is that the developer was put on a federal watch list and was continuously harassed by various agencies when flying. So, I wouldn't be surprised to learn that his new employer is the previous harasser...

All the more reason to stay away from this app.
Last edited by optimumpro; 4th March 2014 at 10:44 PM. Reason: More info
14th March 2014, 10:38 PM   |  #2
optimumpro (OP)
Quote:
Originally Posted by optimumpro

Some of us use TextSecure as a replacement for the stock SMS app. TextSecure provides encryption for your SMS. However, my recommendation is: stay away, or at least don't update to the 2.x versions.

The developer has introduced Google Cloud Messaging, which means that even if your SMS are secure, the fact that you are using the app will be recorded in Google's centralized database. In addition, he removed the ability of the user to regenerate a new identity key. In the last couple of releases, he forced the user to allow the app to contact the internet (otherwise, the app would crash). That is even if you compile the app from sources, which I did a couple of hours ago. If you download the app from the Store, you can't even use it without a Google account and GSF; the latter will record your every keystroke, including the password used to encrypt the messages. Further, the app is only available through Google Play and the developer is actively resisting third-party distribution. If that is not enough, you should know that Whisper Systems is owned by Twitter, which is a red flag in and of itself. The code is growing larger and is more difficult to examine for back doors.

My advice: stay away from this development, which in my view is compromised...

Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on TextSecure and it is published under Whisper, which is Twitter. About the same time, all the things described above started to happen. Also interesting is that the developer was put on a federal watch list and was continuously harassed by various agencies when flying. So, I wouldn't be surprised to learn that his new employer is the previous harasser...

All the more reason to stay away from this app.

And here is some more fresh evidence. Today I posted this info on the Cyanogen site, related to TextSecure push for CM.

http://www.cyanogenmod.org/blog/whis...ng-integration

The site says it is neither censored nor monitored. Within 5 minutes, the post had disappeared. So, stay away from this app, as the development has been compromised. In my view, of course...
16th March 2014, 12:38 PM   |  #3
Corndude
You have no clue what you're talking about.
17th March 2014, 02:39 AM   |  #4
optimumpro (OP)
Quote:
Originally Posted by Corndude

You have no clue what you're talking about.

Thanks, pal... for a very, very thorough, thoughtful and factual argument.

Edit: by the way, what does the no gapps project have to do with TextSecure being compromised?
Last edited by optimumpro; 17th March 2014 at 02:44 AM.
20th March 2014, 01:20 PM   |  #5
abdelazeez
Thanks for the heads up. Something is really amiss, and I don't want to directly experience it. I'm staying away from TextSecure for sure.
20th March 2014, 01:55 PM   |  #6
wpkwolfseye
Quote:
Originally Posted by abdelazeez

Thanks for the heads up. Something is really amiss, and I don't want to directly experience it. I'm staying away from TextSecure for sure.

Most messenger apps today work with Google push notifications, and that seems to be no problem for people there. Funny that it is here. As for SMS, I would never use that through another app. Besides, the phone carrier companies probably save those too; what's so different from what you said? TextSecure is a very nice app, I think. Right now people on iOS don't have that app yet, which makes it hard to establish in mixed-system user bases. But I hope that will change.

Besides, most people here probably use Twitter. Funny to complain about something that might be related to Twitter then, isn't it?

Wolfseye
21st March 2014, 08:26 PM   |  #7
optimumpro (OP)
Quote:
Originally Posted by wpkwolfseye

Most messenger apps today work with Google push notifications, and that seems to be no problem for people there. Funny that it is here. As for SMS, I would never use that through another app. Besides, the phone carrier companies probably save those too; what's so different from what you said? TextSecure is a very nice app, I think. Right now people on iOS don't have that app yet, which makes it hard to establish in mixed-system user bases. But I hope that will change.

Besides, most people here probably use Twitter. Funny to complain about something that might be related to Twitter then, isn't it?

Wolfseye

The difference is that TextSecure/WhisperPush/CM push tell you your SMS are encrypted. If they are indeed encrypted and there are no backdoors, your carrier (and others) can only get encrypted SMS (good luck to them trying to decipher them). All other SMS apps send plain text. In my view, earlier versions of TextSecure are indeed secure. Starting from version 2.x, we no longer know that, considering all the facts I mentioned in the OP.
5th April 2014, 04:25 AM   |  #8
lindworm
You should really get your facts straight. Twitter bought Whisper Systems in 2011, mainly to get Moxie and the other Whisper Systems folks to work for them.
Moxie went on to lead Twitter's security team. Twitter allowed them, a month or so after they acquired Whisper Systems, to open source their apps TextSecure and RedPhone. In January 2013 Moxie left Twitter and started Open Whisper Systems with a few others. They took the newly open sourced apps and developed them further.
This is also covered in their FAQ.
You can see all of their code on GitHub.
And if you don't have GAPPS installed, you will simply get a message that you won't be able to use push messages, and that's it. Several friends of mine use it for SMS only, with XPrivacy restricting the internet access. It doesn't crash or anything.
If you experience this, you may either have a problem with your build or it's a bug specific to your device/Android version.
Moxie also wrote exactly why he doesn't want TextSecure to be released via F-Droid: for security reasons. They use central signing, which may very well compromise the update channel.
The whole discussion can be found in the most infamous thread in their GitHub: #127
6th April 2014, 08:35 AM   |  #9
optimumpro (OP)
Quote:
Originally Posted by lindworm

You should really get your facts straight. Twitter bought Whisper Systems in 2011, mainly to get Moxie and the other Whisper Systems folks to work for them.
Moxie went on to lead Twitter's security team. Twitter allowed them, a month or so after they acquired Whisper Systems, to open source their apps TextSecure and RedPhone. In January 2013 Moxie left Twitter and started Open Whisper Systems with a few others. They took the newly open sourced apps and developed them further.
This is also covered in their FAQ.
You can see all of their code on GitHub.
And if you don't have GAPPS installed, you will simply get a message that you won't be able to use push messages, and that's it. Several friends of mine use it for SMS only, with XPrivacy restricting the internet access. It doesn't crash or anything.
If you experience this, you may either have a problem with your build or it's a bug specific to your device/Android version.
Moxie also wrote exactly why he doesn't want TextSecure to be released via F-Droid: for security reasons. They use central signing, which may very well compromise the update channel.
The whole discussion can be found in the most infamous thread in their GitHub: #127

Which fact did I not get straight? You can't get the app anywhere other than from Google Play, and for Google Play you need GSF, which records your every keystroke. And by the way, try to restrict getNetworkInfo in the internet settings in XPrivacy and the app will crash as soon as you try to open a conversation (checked on several devices). And why was it necessary to prevent users from generating a new identity key? Why not have an app available on Whisper's GitHub, as many devs do? And by the way, I asked the same questions on the GitHub and F-Droid threads and in response got a suggestion to build an equivalent of Google's GCM, so that Moxie would stop using Google.
Last edited by optimumpro; 8th April 2014 at 05:02 PM.
11th April 2014, 01:59 PM   |  #10
lindworm
Quote:
Originally Posted by optimumpro

Which fact did I not get straight? You can't get the app anywhere other than from Google Play, and for Google Play you need GSF, which records your every keystroke. And by the way, try to restrict getNetworkInfo in the internet settings in XPrivacy and the app will crash as soon as you try to open a conversation (checked on several devices). And why was it necessary to prevent users from generating a new identity key? Why not have an app available on Whisper's GitHub, as many devs do? And by the way, I asked the same questions on the GitHub and F-Droid threads and in response got a suggestion to build an equivalent of Google's GCM, so that Moxie would stop using Google.

You are not even trying to learn/understand why things are done the way they are done, but instead chose to blast an open source project by a security expert who has spoken at DEF CON various times and who is on a national security list and gets severely hassled by the TSA every time he tries to travel because of his involvement with secure communication projects.

You don't show the slightest form of objectiveness either. The truth content of what you are writing varies between "flat out wrong" and "there is a reason why they do it that way, which you either didn't care to research or willingly ignored".

1. You can sideload the APK either from http://apps.evozi.com/apk-downloader/ or any of the dozens of sites that mirror packages from the app store.
They do not provide APKs because it is a security risk: there is no automated upgrade channel from which a user can get a new version which may fix serious security flaws.
Everybody who is able to compile from source, however, should understand the importance of updating regularly and can do so on his/her own.
Moxie stated all of that in the GitHub ticket I linked to.

2. GSF doesn't record your keystrokes.

3. If you had bothered to look it up, getNetworkInfo returns whether a certain interface (like Wi-Fi) is used for internet.
This leaks no interesting information whatsoever. And it especially doesn't mean that TextSecure doesn't work without internet, because this permission does not give an app internet access. XPrivacy actually expects this behaviour by apps; that's why those fields are by default not restricted even if you restrict internet access of an app.

The program crashes without this, because it expects to get a needed value returned, which you chose to block. This is not something they willingly built in, to stop you from using it without Google Play.

If you can't manage the complexity of the permissions, you should use a simple firewall like AFwall+ to restrict internet access.

4. This was probably removed because it doesn't add any significant security and adds clutter to the user interface, because average users have no idea what it's for. The identity keys you are talking about are long term identity keys. TextSecure uses different keys in every message and actually uses the most secure protocol I know of. It has excellent forward secrecy, future secrecy and deniability. More so than OTR, which it is derived from.

You can learn more about that in their blog:
https://whispersystems.org/blog/simp...r-deniability/
https://whispersystems.org/blog/asynchronous-security/
https://whispersystems.org/blog/advanced-ratcheting/

5. You asked them to not use the only free worldwide push network that has contracts with all major providers to not kill idle TCP connections.
Moxie always answered that they would love to use something else, but none exists, and that they don't have the resources to build a push network themselves.
This is all in the comments to https://whispersystems.org/blog/the-new-textsecure/ and on ycombinator:
https://pay.reddit.com/r/Android/com...fxhm?context=3
https://pay.reddit.com/r/Android/com...frv0?context=3

They are however working on using emails as identifiers and websockets as an alternative to GCM. Websockets are already implemented on the server side and people are working on the client side.

Right now you can use encrypted SMS without GCM, no problem at all. If you want to use it over the internet, you can help to speed up the websocket development:
https://github.com/WhisperSystems/Te...re/issues/1000

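Point 1 above is about sideloading from mirrors versus the update channel. What follows is an added example (not TextSecure's code, and not from anyone in this thread) of the one check that makes a mirrored APK tolerable: pull the signer certificate out of the v1 JAR signature block and compare its SHA-256 fingerprint with the one you already trust, for instance taken from a copy installed through Play. It assumes the APK carries a META-INF/*.RSA (or .DSA/.EC) PKCS#7 block with single-byte DER tags, and it parses only the certificate out of that block. The demo APK and the certificate inside it are constructed placeholders, not real signatures.

```python
"""Pin the APK signing certificate before trusting a sideloaded package.

Added example, not Open Whisper Systems code. Reads the v1 JAR signature
block (META-INF/*.RSA|DSA|EC), extracts the first X.509 certificate from the
PKCS#7 SignedData and compares its SHA-256 fingerprint with a pinned value.
It does NOT verify the signature over the package contents (the Android
package installer does that); it only answers "is this the signer I expect?".
Assumes single-byte DER tags, which holds for PKCS#7/X.509 at these levels.
"""
import hashlib
import io
import zipfile


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end). Single-byte tags only."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into (tag, raw_tlv_bytes, inner_value) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, end = der_tlv(value, pos)
        out.append((tag, value[pos:end], inner))
        pos = end
    return out


def der(tag, value):
    """Encode one DER TLV (used here only to build the constructed demo input)."""
    if len(value) < 0x80:
        length = bytes([len(value)])
    else:
        lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def signing_cert_from_pkcs7(blob):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData.

    ContentInfo ::= SEQ { contentType OID, [0] EXPLICIT SignedData }
    SignedData  ::= SEQ { version, digestAlgorithms, contentInfo,
                          certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    """
    tag, content_info, _ = der_tlv(blob)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _oid, explicit0 = der_children(content_info)[:2]
    if explicit0[0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    signed_data = der_children(explicit0[2])[0]
    for child_tag, _raw, inner in der_children(signed_data[2])[3:]:
        if child_tag == 0xA0:              # certificates [0] IMPLICIT
            return der_children(inner)[0][1]
    raise ValueError("SignedData carries no certificates")


def sha256_fingerprint(cert_der):
    """keytool-style fingerprint: upper-case hex, colon separated."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def apk_signer_fingerprints(apk):
    """Map each v1 signature block in the APK to its signer's SHA-256 fingerprint."""
    if isinstance(apk, (bytes, bytearray)):
        apk = io.BytesIO(apk)
    with zipfile.ZipFile(apk) as z:
        names = [n for n in z.namelist()
                 if n.upper().startswith("META-INF/")
                 and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return {n: sha256_fingerprint(signing_cert_from_pkcs7(z.read(n))) for n in names}


def matches_pin(apk, pinned_fingerprint):
    """True only if the APK is signed and every signature block is from the pinned signer."""
    fps = apk_signer_fingerprints(apk)
    return bool(fps) and all(fp == pinned_fingerprint.upper() for fp in fps.values())


# Constructed demo input: a placeholder "certificate" (just a DER SEQUENCE),
# long enough to exercise the long-form length encoding. Not a real X.509 cert.
DEMO_CERT_DER = der(0x30, der(0x30, der(0x02, b"\x02"))
                    + der(0x04, b"placeholder, not a real X.509 certificate" * 4))


def build_demo_apk(cert_der=DEMO_CERT_DER):
    """Minimal in-memory zip laid out like a v1-signed APK, with a skeleton PKCS#7 block."""
    signed_data = der(0x30,
        der(0x02, b"\x01")                                           # version
        + der(0x31, b"")                                             # digestAlgorithms (empty)
        + der(0x30, der(0x06, bytes.fromhex("2A864886F70D010701")))  # contentInfo: id-data
        + der(0xA0, cert_der)                                        # certificates [0]
        + der(0x31, b""))                                            # signerInfos (empty)
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010702")) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    pin = sha256_fingerprint(DEMO_CERT_DER)   # in practice: the fingerprint of the copy you trust
    print(apk_signer_fingerprints(build_demo_apk()))
    print("matches pin:", matches_pin(build_demo_apk(), pin))
```

Swap `build_demo_apk()` for a path to the mirrored APK and the pin for the fingerprint you recorded from a trusted install. A different fingerprint on an update means a different signer, which is precisely the central-signing concern raised in #8, and is reason to stop rather than install.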
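Point 4 above argues that removing "regenerate identity key" costs little because the long-term identity key is not what protects individual messages. The following is an added illustration, not Open Whisper Systems code and not the Axolotl ratchet as deployed: a standard-library-only hash ratchet showing that the identity key's job ends with the initial key agreement (its output, the root key, is stood in for by random bytes here), that every message is protected under a key used exactly once, and that a captured snapshot of the chain state yields only later keys, never earlier ones. The cipher inside is a toy (SHA-256 keystream plus HMAC tag) chosen only so that the file runs without dependencies; the names and labels are this example's own.

```python
"""Hash-ratchet illustration of forward secrecy (added example, not TextSecure code).

The root key stands in for the output of the authenticated key agreement, which
is the only place the long-term identity key is involved. After that, each
message key is derived from the current chain key, the chain key is advanced
with a one-way function, and the old state is discarded. The cipher is a toy.
"""
import hashlib
import hmac
import os


def kdf(key, label):
    """One-way derivation step. From the output you cannot recover `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SymmetricRatchet:
    """Both parties start from the same root key and advance in lockstep."""

    def __init__(self, root_key):
        self.chain_key = root_key
        self.index = 0

    def next_message_key(self):
        """Return (index, message_key) and advance; the old chain key is gone."""
        index, message_key = self.index, kdf(self.chain_key, b"message key")
        self.chain_key = kdf(self.chain_key, b"chain key")
        self.index += 1
        return index, message_key


def _keystream(enc_key, length):
    blocks = (hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(message_key, index, plaintext):
    """Toy AEAD: header | ciphertext | HMAC tag, all bound to one message key."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    header = index.to_bytes(4, "big")
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(message_key, blob):
    """Check the tag before touching the ciphertext; reject on mismatch."""
    header, ciphertext, tag = blob[:4], blob[4:-32], blob[-32:]
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def exchange(root_key, plaintexts):
    """Alice seals each message under a fresh key; Bob ratchets in lockstep and unseals.
    Returns (message_keys, sealed_blobs, recovered_plaintexts, alice_chain_key_after)."""
    alice, bob = SymmetricRatchet(root_key), SymmetricRatchet(root_key)
    keys, blobs, recovered = [], [], []
    for pt in plaintexts:
        index, mk = alice.next_message_key()
        keys.append(mk)
        blobs.append(seal(mk, index, pt))
    for blob in blobs:
        _, mk = bob.next_message_key()
        recovered.append(unseal(mk, blob))
    return keys, blobs, recovered, alice.chain_key


def keys_from_stolen_state(stolen_chain_key, n):
    """What a device compromise yields: the NEXT n message keys, never earlier ones,
    because kdf() cannot be run backwards. This forward-only leak is the gap that
    mixing in fresh Diffie-Hellman output (the DH ratchet) closes."""
    clone = SymmetricRatchet(stolen_chain_key)
    return [clone.next_message_key()[1] for _ in range(n)]


def tamper_detected(message_key, blob):
    """True when a one-bit flip in the tag is caught by unseal()."""
    forged = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        unseal(message_key, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = os.urandom(32)   # stands in for the authenticated key agreement's output
    keys, blobs, recovered, state = exchange(root, [b"hi", b"second message"])
    print("decrypted:", recovered)
    print("distinct message keys:", len(set(keys)) == len(keys))
    print("stolen state reveals an earlier key:",
          any(k in keys_from_stolen_state(state, 5) for k in keys))
```

The stolen-state function also shows the limit of a purely symmetric ratchet: future keys stay predictable until fresh Diffie-Hellman material is mixed in, which is the "advanced ratcheting" step the linked blog post covers and the source of the future secrecy lindworm mentions. Regenerating the long-term identity key changes none of this, since it never appears in the chain.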