Mobile Messaging is pretty hot right now. You could easily spend an entire afternoon installing the myriad WhatsApps and Kiks and WeChats of the world. You should already be preparing yourself to tune out the endless series of imminent TechCrunch interviews and “Show HN” posts that are inevitable when a wave of forty identical proprietary messaging apps are soft-launched at SXSW this year. And who can blame developers for jumping on the bandwagon when prominent analytics companies are effusively proclaiming that mobile usage is being “Propelled by Messaging Apps”?
But what if you care about privacy in a post-DISHFIRE world and would like to securely communicate with your friends and family? What if you have an iOS phone but some of your friends are on Android (or vice-versa)? What if you want something that works as well as standard SMS or, perish the thought, even better? Sadly, things are currently quite bleak. But there are a few options out there, and some of them are getting tantalizingly close to making your dreams come true.
The ideal client would:
It seems more than appropriate on The Day We Fight Back to take a look at the various options that are available right now:
The Guardian Project recently rebranded their Gibberbot client as ChatSecure in order to match Chris Ballinger’s iOS client of the same name. The move was not without controversy. But, hey, ChatSecure uses OTR and everyone loves OTR! It’s a proven solution, and as a nice side-benefit ChatSecure is able to work with all of the various desktop applications that support XMPP.
The bad news is that maintaining a persistent connection to an XMPP server on a mobile device doesn’t perform very well. It sort of works on Android, but frequent server disconnects, dropped messages, and reduced battery life make it a frustrating experience. It’s not even possible on iOS. The iOS version of ChatSecure can only run in the background for ten minutes before it gets shut down by the operating system. This is annoying enough that the sole question in the ChatSecure FAQ is one that addresses the issue.
When it’s running, ChatSecure works incredibly well; messages arrive instantly and OTR protects their contents. The Guardian Project also deserves special recognition for the ancillary tools like KeySync that they are developing alongside ChatSecure. KeySync makes it possible to transfer your desktop OTR keys and fingerprints to the Android client so that you can seamlessly communicate with existing contacts while leveraging the trust database that you’ve already established.
But the iOS situation makes regularly using ChatSecure completely, heartbreakingly, untenable—even if you have a very patient friend. You can try to let the iOS client initiate all of the conversations and condition yourself to reply really, really quickly. Or perhaps the Android side could send an SMS to the iOS side saying “Relaunch ChatSecure so we can talk” and then wait patiently, ready to pounce? God help you if you are both on iOS because then ten minutes becomes a best-case scenario.
The Android and iOS clients both fail to provide adequate warnings when a conversation is not encrypted. If you install a program called ChatSecure whose description proudly (and repeatedly) touts its built-in cryptographic prowess, security should be enforced. Bogging users down in the mundanity of manually-triggered OTR handshakes and miniscule on/off switches is the wrong approach, and it is potentially very dangerous if it leads to people speaking freely in accidental plaintext (which has almost certainly occurred). A warning message that says something like “A conversation with this user is not possible because their client does not support OTR encryption” would be dramatically better than falling back to no encryption whatsoever. Users should have to dig deep in an Advanced Settings menu and dismiss several prominent warning dialogs before they are allowed to communicate in plaintext.
If you talk to someone who is extremely tech-savvy at exactly the same time every day for around ten minutes, ChatSecure is perfect! Otherwise it’s not even remotely close to a cross-platform replacement for SMS. Fortunately, The Guardian Project and Chris Ballinger appear to be aware of this and are working on a solution that uses push notifications, though the last commit happened almost four months ago.
Nice summary! We have some new plans for solving push on iOS. I’m sorry we haven’t finished it sooner.
This is excellent news. No apology is necessary!
Many of the limitations you pointed out are based on support for XMPP interop, which we are committed to. All the other systems you reviewed (save for Cryptocat), roll their own servers and protocols, which is great, but different. Also, supporting Tor/anonymity means push is not really viable for all. Ultimately, we have made life hard for ourselves!
Also, it was a conscious choice not to require OTR always, and not something we are ashamed of by any means. Along the same lines, TextSecure using SMS is a bad choice from a privacy perspective, but logical for practical reasons.
These are great points, and I have taken them into account by adding two new bullets in the Pros category for ChatSecure. I still think it is worth asking whether or not the convenience of allowing plaintext conversations to happen by default is worth the potential downsides. I remain convinced that the answer in this case is “no” but I can see how the argument is more nuanced than I originally thought.
It’s only possible on Android, but ChatSecure’s ability to combine OTR with a self-hosted server that can be anonymously accessed via Tor is damn impressive. I have an enormous amount of respect for the ChatSecure team and for The Guardian Project as an organization. Their feedback is sincerely appreciated and I am eager to see what else they have in store.
Cryptocat has gone from an upstart that people viewed with bemused skepticism (and sometimes outright disdain) to a relatively well-respected open source project that has an admirable record of transparency. There have been some extremely serious vulnerabilities in the past, but they have always been addressed quickly. The project has recently been placing a larger emphasis on security than ever before, even going so far as to commission several outside audits of its codebase by paid consultants. The most recent analyses were conducted by Least Authority and iSEC Partners.
Cryptocat’s efforts to prioritize usability and simplicity, thereby making encrypted messaging more accessible to mere mortals, is an example that more projects should follow. In contrast with ChatSecure, for instance, it’s not possible to accidentally have a plaintext chat using Cryptocat. Encryption is an implementation detail that is largely obscured from users. This is a good thing.
The Android and iOS versions were announced on December 5th and the source code for the projects is available for review on GitHub. A public release of both clients should happen soon. Unfortunately it looks like Cryptocat is going to suffer from many of the same issues as ChatSecure. A cursory review of the source code does not reveal any push notification support at the moment, for either platform, which means that users will need to have the application open in order to communicate or else they will run into the dreaded 10-minute time limit on iOS. This is a huge step backwards compared to SMS in terms of usability.
Normal users always choose convenience over security and Cryptocat Mobile is unlikely to win any new converts. But it will significantly improve the lives of existing users. Even if it may not immediately be the secure messaging replacement that we all want right now, the world will be better off with a mobile Cryptocat. I look forward to seeing how it develops over the coming months.
Update: Cryptocat for iOS is now available. As expected, it cannot run in the background and does not support extended sessions. A notification appears just before you get logged out that says “Your chat session will end in a minute if you don’t come back.” But it’s really simple and fast, and it perfectly matches the aesthetic of the browser extension. Cryptocat fans should be pleased. Good work, Thomas!
Heml.is made a big splash last July when their crowdsourcing initiative successfully reached its lofty $100,000 funding goal in only 36 hours. The timing was perfect, coming right on the heels of the initial PRISM outrage. Oh and when you are pursuing an “us against the MAN” narrative, it really helps if your project is the brainchild of Peter Sunde, the co-founder of The Pirate Bay.
The Heml.is team haven’t revealed enough details for me or anyone else to have much of an opinion yet, but I was wildly unimpressed by the passive-aggressive tone in Hemlis update #3 that was posted on August 28, 2013. Is the Heml.is team really so worried about their feelings getting hurt that they have chosen to proceed blindly and begin implementing their protocol without first verifying its design? Meanwhile, cryptographers and security researchers are worried about properly structuring systems so that no one gets tortured and killed. Step it up, Heml.is, or get out of the game. This quote is just pathetic:
Most questions about heml.is is about the encryption we’re going to use. How it’s going to work and details about it. For different reasons, we’ve stayed away from talking too much about the details. It’s not because we’re arrogant, it’s just that dealing with the crypto community is really time consuming. Whatever solution we’ve decided on would be criticized and we aren’t really interested in the flame war that’s inevitable. We’d rather create and get things going. Maybe a small lesson for the crypto geeks out there would be to be supportive instead of negative.
There aren’t enough sighs in the world.
But now they are claiming that their implementation will use libsodium (which is based on the highly-regarded NaCl library from Daniel J. Bernstein, Tanja Lange, and Peter Schwabe). They are also claiming that the clients will be open source. Perhaps there is hope after all? There’s no set release date, but it’s probably only a few months away. I am so skeptical that this will become my messaging platform of choice, but perhaps it won’t be the unmitigated disaster that it was looking like last summer.
Pros and Cons:
The Silent Circle Founders and Leadership page is impressive enough that you almost have to forgive these titans of cryptography for the “Created by Navy SEALs and Silicon Valley cryptography experts” tagline. It’s kitschy and that seems like the wrong order to me, because off the top of my head I don’t know what Navy SEALs have to do with cryptography or digital security. Maybe Silent Circle’s data centers have been thoroughly fortified against rival amphibious assault teams? Maybe their logo is still visible when you are wearing night vision goggles? In all seriousness, over-the-top marketing aside, the Silent Circle suite of products is basically the only available cross-platform option at this point that covers both voice and text communications.
Silent Text, their messaging solution, is impressively calculated in its use of rhetoric. Everything about the application is designed to make you feel like the main character in a Tom Clancy novel. You don’t delete a message, you issue a “Burn Notice,” and instead of verifying fingerprints that are comprised of stodgy old hexadecimal groups you do it using phrases like “Six Romeo India Five.” I think the Android version is pretty ugly overall, like a real-life manifestation of an early 90s CGI sequence, but it gets the job done.
The biggest problem that I have with the package is that Silent Phone and Silent Text both require an active Silent Circle subscription. At $9.95 per month (or $99.95 annually) the prices aren’t unreasonable if you are a business, but there’s essentially no chance that you’ll be able to convince anyone you know that they should spend more than they do on Netflix for an esoteric messaging application that almost no one uses. Silent Phone and Silent Text are also both closed source. Silent Circle appears to be attempting to do some sort of “open core” strategy but this ends up being more confusing than comforting. For example, their Silent Text repo was last updated on March 26, 2013 and refers to version 1.5.0. But the most recent version in the Google Play Store came out on December 17th, 2013 and is version 1.2.0. Are they decrementing version numbers as they move forward, and why is this repo so damn musty and nearly a year removed from its last commit?
Surespot has by far been my favorite encrypted messaging application on Android. I have had fewer problems with it than with anything else that I’ve tried, and it has also universally been the most positively received option among my friends. For the past month or so I have been using it with one friend in particular who is a beta tester for the iOS version and it has performed wonderfully. We might only be a few days away from an open source, cross-platform messaging solution that actually works. The iOS version was submitted to the App Store on January 28th and rejected for a seemingly silly reason ten days later. It has since been resubmitted, and it shouldn’t be long now.
Update: Surespot for iOS is now available.
Surespot is extremely fast, simple, and well-designed. The interface is spartan, yet playful. Messages are sent and received instantly using Socket IO when the app is open. Apple’s APN and Google’s GCM push notification frameworks deliver notifications to iOS and Android devices respectively. It’s free, and there are no ads.
There is a voice messaging feature that is very useful and also a lot of fun. Unlocking the ability to send voice messages requires a $2 in-app purchase, but anyone can listen to them. Users are also able to donate money to the project directly and the Surespot documentation promises that a portion of the proceeds will be shared with the EFF. The in-app voice purchase and donation strategy is a clever way to subsidize the development of the application and so far it seems to be working well. The 2 million message threshold was announced on November 19th and took more than six months to reach. Just over two months later on January 27th, Surespot had delivered over 4 million messages. It looks like it is picking up momentum, and the iOS release will certainly help.
Perhaps the biggest compliment that I can pay to Surespot is that it’s easy to articulate to friends why they should install it. It offers clear advantages over SMS in terms of speed; image quality; support for long messages that won’t be split into pieces first and frequently received in the wrong order; and voice messaging. The fact that the messages are encrypted can be a big deal to you even if it’s not on your friend’s radar.
Smarter people than me have analyzed Telegram to death. I have very little to add. The consensus is that the MTProto protocol is not all that great and is based on puzzlingly obscure techniques and ancient cryptographic primitives like SHA-1 that are eagerly being deprecated by the rest of the world. In the interest of fairness, Telegram’s response to all of this can be found here.
Telegram is growing like crazy and recently has been racking up more than 200,000 new users every day in Spain alone. I was really excited when I first heard about it. I mean, here was an encrypted messaging application that was available for iOS and Android, and it was open source! People are actually using it! But cryptography is hard, and they seem to have done a poor job of it. I’m staying away for now.
If I could pick a single client and magically will it into immediate cross-platform existence, this is the one. Moxie Marlinspike and the rest of the fine individuals at Open Whisper Systems have somehow improved upon OTR’s design in every possible way and managed to do so while solving all of the problems that would typically prevent it from working well in a mobile environment. TextSecure’s V2 protocol, lovingly detailed in a series of blog posts, represents the current state-of-the-art in encrypted messaging.
So far the TextSecure V2 protocol has only been rolled out to Cyanogenmod users as part of its WhisperPush functionality. This is a major accomplishment in its own right because it means that approximately 10 million people will automatically get the benefits of encrypted messaging without any effort on their part. TextSecure is available on Android, of course, and has been for years, but the current version in the Play Store is still using the old protocol. The release of the new Android version that incorporates a brand-new design, push-based data channel messaging (instead of SMS), the Axolotl ratchet, prekeys, Curve25519, and all of the other massive improvements looks to be imminent. I can’t wait.
Update: TextSecure version 2.0 is now available for Android!
The current Android version is tough to recommend to everyday users because the MMS support is so poor. To be clear, I place all of the blame for this on the carriers who developed such an awful standard in the first place. When I try to send a picture to an AT&T user they receive only an obscure message size failure warning even though Verizon, Sprint, and T-mobile subscribers can all receive them just fine. TextSecure has no support for group messaging either, so MMS messages that are sent to multiple people don’t get threaded properly. You used to be able to work around these issues by telling TextSecure not to handle MMS and using the standard messaging application for pictures, videos, and group messages, but this is no longer possible in Android 4.4 KitKat. More than half of the people I convinced to install TextSecure ended up uninstalling it due to the MMS and group messaging issues. The new version will solve this by skipping the SMS/MMS transport layer entirely.
Update: TextSecure version 2.0 fixes most of these issues. Using it as a standalone application that only processes messages from other TextSecure users is once again possible. MMS group messages also work perfectly. Sending images via MMS to AT&T users is still broken for me.
OK, great, it’s already decent on Android if you can deal with some hiccups and is about to get even better. What about iOS? The good news is that it’s already in progress. The bad news is that it’s probably going to be a while. At Whisper System’s recent Spring Break of Code event, Christine Corbett, one of the lead developers of TextSecure for iOS, announced plans to merge TextSecure and RedPhone (Whisper System’s open source encrypted telephony program) into a single unified application. This is a great move because it means that users won’t be fragmented across two different mediums. If someone has Whisper installed you will be able to use your choice of text or voice to communicate with them. Sometime soon, Whisper for iOS will come out with voice support. Text support will come later.
How much later? That’s a good question. My hope is that the RedPhone for iOS team members (who are currently toiling away in a skunkworks non-GitHub repo) will join forces as soon as possible with Christine and Frederic to help them finish the TextSecure functionality so that it can be merged into the nascent iOS application shortly after it is released. Not having to duplicate efforts on contact list management and other shared UI areas should prove to be helpful. At the moment, TextSecure’s V2 protocol is still being fleshed out on iOS and there are several other components that have not been implemented yet. Major progress has been made, but there is still a lot of work to be done. If I had to guess (and I should stress that this is just a hunch) I would say that it’s probably going to be sometime this summer at the earliest before Whisper for iOS supports text messaging functionality.
Update: I’m extremely happy to report that I might be wrong about this. The rate of commits has picked up significantly over the past few days, and Christine Corbett now says that they are “racing the RedPhone iOS team” instead of waiting for them.
When Whisper is released, Silent Circle will finally have a cross-platform competitor that supports voice and text. Unlike Silent Circle, it will be open source (instead of “kinda”) and supported by community donations (instead of mandatory $9.95 subscriptions). Moxie et al. are in their own league entirely, and they have big plans. Whisper will be worth the wait.
Threema hails from the country that brought us no-questions-asked banking and all-purpose knives with scissors and corkscrews, Switzerland! All of its servers are located there for instant marketing cachet, as though any text-based secrets stored therein will be held as sacrosanct as the One Percent’s tax havens. But then they go ahead and make that analogy fall apart because Threema is really easy to use—a messaging application for the 99%, if you will.
It does a lot of things right: Threema is using the excellent NaCL Cryptography Library; the onboarding process for new users is very friendly; it looks great on both iOS and Android; it uses push notifications; and the FAQ does an excellent job of explaining technical concepts in an accessible way. Threema also prominently features three dots (which are the application’s namesake) next to every contact. These dots represent that user’s verification level. One red dot means no verification, two yellow dots mean that the server has verified a user’s identity, and three green dots mean that you have personally scanned and verified that user’s key and ID. This is a smart way to motivate users to practice strong security and avoid MITM attacks.
So far, so good! Except, Threema is closed source. That makes it significantly harder to trust and wipes out many of these benefits. Are they really doing what they claim to be doing? Did they make any mistakes? Does the Swiss NSA (if there even is such a thing) have a secret backdoor?
Threema has introduced a unique validation feature in an attempt to assuage these concerns. The idea is that you can tell the application to log its encrypted payload, and then you can use some open source tools that they provide in order to independently verify that the payload has been encrypted properly using NaCl. This is great, and it’s dramatically better than nothing, but as with any closed source application it’s impossible to fully audit. Perhaps the program logs one strong payload but delivers another that is significantly weaker? Maybe it only does this occasionally (and only when it is on a non-wifi network) to make it more difficult to detect? You can’t really be sure, and that’s a problem when your target demographic is paranoid.
Like skeptical parents who are on the verge of letting you go to the cool sleepover, Threema seems to really want to do the right thing. They can keep their server proprietary because a proper encrypted messenger never trusts the server in the first place, but the clients should be open source. People will still pay for the clients because they are useless without the servers, and access to the servers can be controlled. Come on, Threema! Make it official and you can help continue the proud open source tradition of being a great program with an awkward name.
Android to Android:
iOS to Android (or vice-versa), iOS to iOS:
Android and iOS:
That’s the state of things at this point in time. Perhaps some of you may be wondering where myEnigma, Redact, TigerText, Wickr, and various other options are in the above comparison. Well, if they can’t be bothered to release any source code, fail to provide even basic protocol documentation, and have not posted a threat model analysis, then they are not worthy of your time or your attention. BBM should also be avoided at all costs.
If there is something that I have missed, or if you notice any mistakes, please let me know and I will take care of it immediately. If the developers of any of the above applications would like to respond in detail to any of the points that were raised, I will happily include such comments alongside my writeup.
My sincere thanks to all of the organizations that are fighting to protect our messages from dragnet surveillance. I am optimistic that we will soon have several viable choices for securing the thoughts and hopes and dreams that we share with all of the people who are close to us—a list that does not include the NSA or GCHQ.
SMS is dead, long live privacy.