



CyanogenMod Integrates Text Message Encryption 118
sfcrazy writes "People are now more concerned regarding their privacy after discovering about efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, just like the name of the method, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with built in encryption system for text messages."
Whisper System has integrated their TextSecure protocol into the SMS/MMS provider, so even third party sms apps benefit. Better yet, it's Free Software, licensed under the GPLv3+. Support will debut in Cyanogenmod 11, but you can grab a 10.2 nightly build to try it out now.
Key exchange (Score:5, Interesting)
The most important part of any crypto communication system is key exchange. Looks like this protocol uses automated SMS key exchange, and implementations should store keys similar to SSH. It's trivial to MITM, but it's a high risk attack because people can simply meet in person to compare keys.
Hard to take CM privacy concerns seriously (Score:4, Interesting)
Even before the buyout, the CM team refused patches to basically integrate pdroid into the mod, for fear of "angering developers." So even if something like this works, all the bad guys have to do is hit up the app market for the data it's sucking up anyway.
Spy vs Spy (Score:5, Interesting)
Re:Spy vs Spy (Score:2, Interesting)
You show...good but not total understanding. In current systems this works.
In past systems this has been handled.
See mixmaster, remailers, etc.
If whisper does this right, what people know is "35 messages go into mixmaster3 at time t" and "15 messages go out of mixmaster3 to mixmasters 1..n at time t+1" and "16 go out to realworld addresses A1...Ai"
A good enough tumbler chain crushes most metadata analysis for short messages, provided you'll live with limited message loss, and a bit of latency that makes real time not highly practical.
It could work given enough volume.
Other problems (not MITM but end-to-end) (Score:5, Interesting)
It's trivial to MITM, but it's a high risk attack because people can simply meet in person to compare keys.
Avoiding MITM has been successfully solved using the Socialist Milionaire [wikipedia.org] problem.
At most, 2 contacts need to call (voice) each other and compare a bunch of keywords. From that point onward, their communication can be trusted.
I see another problem:
The best (and nearest-to-perfect) secure solution requires end-to-end encryption. (the absolute first and last application on the chain to the encryption / decryption. Encryption is done on the first ever software getting the message, decryption is done on the last software drawin the message on the screen)
But CyanogenMod's implementation isn't end-to-end. They instead have integrated crypto in the SMS messaging service of the OS. ... These 3rd party app could actually be spying.
The intention is noble: You're not forced to use CyanogenMod's SMS App. You could use Skype or Facebook chat app (as long as the app supports handling SMS in addition to other communication)...
The main problem is easy to spot:
RTOS on the chip that controls wireless, etc. (Score:3, Interesting)
Re:I personally find this very important... (Score:5, Interesting)
How do you feel about the private contractor that's doing the snooping knowing what you've had for dinner and that your wife has breast cancer and selling that information to companies who can now try to sell you miracle cancer cures? How comfortable are you with prospective employers knowing your child has autism and needs extra attention, which might possibly mean more absences from work?
Remember, most of the data collection and first-level analysis is not done by "the government" but by a private company that works for the government. And, that private company has corporate clients besides the government. How comfortable are you knowing that anyone who can afford to pay having access to all your personal communications?
And what happens that day you disagree with what the government is doing? How comfortable are you knowing that you're planning to go to a political demonstration? How comfortable are you with your boss or potential employer knowing?
How comfortable are you with a techie with anti-social tendencies having access with all your family's communication? Your wife's, your daughter's? Because who do you think is working for that private contractor who's working for the government?