TextSecure Review

Let us start our review of TextSecure by looking at why we all need an encrypted text service in our day-to-day lives. As many of you probably know, text messages that we send from our phones are not secure. Smartphones send non-voice communication (text, video, audio, etc.) using both SMS (Short Message Service) and MMS (Multimedia Messaging Service). SMS is used for messages of at most 160 characters. MMS is used for messages larger than this, with the maximum set by the carrier, and includes text, photographs, video and audio files.

TextSecure Messenger

Generally, these messages on Android devices are sent using subpar encryption or just plain text and can be read by anyone who has access to them. These messages are usually sent to a carrier messenger center and then sent to the recipient if he uses the same carrier. If the recipient does not use the same carrier as the sender, they are sent over the Internet to the recipient’s carrier, who then forwards them to the recipient. Sometimes these messages are stored for later delivery if the recipient is not available.

As you can see, there is ample opportunity for someone to intercept any text sent from your mobile device.   SMS and MMS have always had problems with spamming and spoofing because no identity authentication is required to send and receive them.  Additionally, these messages are stored in plain text on your device so that anyone who has access to your phone can read them.   TextSecure can help solve many of these problems.

All of these problems existed even before it was revealed that the NSA was spying on you. So, as you can see, if you want to keep your texts with co-workers, friends, or family private, you need to encrypt the data and be able to authenticate the recipient. This is exactly why Whisper Systems was founded: to provide private, secure texting for everyone.

Whisper Systems was a small security start-up co-founded by Moxie Marlinspike (pseudonym) and Stuart Anderson in 2010. It released a text messaging application called TextSecure Private Messenger for sending and receiving encrypted text messages in May 2010. In November 2011, Whisper Systems and its two talented founders were acquired by Twitter to reinforce its security team. Consequently, TextSecure was taken offline. In December 2011, Twitter released TextSecure as a free and open-source app under the General Public License version 3 (GPLv3).

Signal/RedPhone EFF Checklist

In June 2014, the Secure Messaging Scorecard, a project of the Electronic Frontier Foundation (EFF), gave the TextSecure for Android mobile app from Open Whisper Systems 7 out of 7 checks. It received checks for being encrypted in transit, being encrypted so that the provider could not read it, providing a way to verify contacts’ identities, having forward secrecy of past communications if the keys are compromised, having its code open to independent review, having the security design properly documented, and having its code audited recently. The TextSecure app is free and fully open source.

Visit TextSecure

Secure Text with TextSecure for Android

Now let us begin our review of the TextSecure mobile app from Open Whisper Systems. TextSecure has been integrated into the popular alternative Android OS CyanogenMod. Android devices with CyanogenMod installed on them are all compatible with the TextSecure app. CyanogenMod users can use any SMS app and still benefit from the additional security and privacy afforded by TextSecure. CyanogenMod has a confirmed user base of 10 million, with as many as 20 million estimated users in the wild (users are not required to register the OS). TextSecure has also been implemented in Facebook’s WhatsApp, but in such a way that it is not compatible with TextSecure users, and the encryption cannot be verified because the code is closed-source.

TextSecure is a free and open-source encrypted messaging application for Android published under the GPLv3 license. TextSecure allows users to send end-to-end encrypted text messages, audio messages, photos, videos, contact information, and a wide selection of emoticons over a data connection between TextSecure users. TextSecure messages are also compatible with those sent from Signal for iOS. This lets those with TextSecure on Android exchange securely encrypted messages with users running the Signal app on their iOS smartphones and tablets. TextSecure can also be used to send and receive unencrypted SMS and MMS with users who do not have the TextSecure or Signal app installed. It uses end-to-end encryption and provides forward secrecy, future secrecy, and deniable authentication to secure all instant messages to TextSecure and Signal users. It also allows you to use a passphrase to encrypt the messages on your device. TextSecure is not currently compatible with Android tablets.

The TextSecure encrypted messaging protocol is an end-to-end encrypted protocol with deniability guarantees and message-level forward secrecy, similar to Off-the-Record (OTR) messaging. It uses ephemeral Curve25519 keys, AES-256 encryption, and HMAC-SHA256 authentication as its low-level cryptographic primitives. The TextSecure protocol is a derivative of OTR whose major difference is that it uses elliptic curve cryptography (ECC) keys. The OTR protocol uses DSA keys, which are National Institute of Standards and Technology (NIST) approved. There has been some controversy about the NSA having backdoors to NIST keys, but it has yet to be definitively proven. Key management is handled by Axolotl, a cryptographic ratchet that was developed by Moxie Marlinspike and Trevor Perrin. This provides a degree of “future secrecy” for your messages. Version 2 of TextSecure uses a no-header-keys variation of the Axolotl ratchet and protobuf records.
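
The message-level forward secrecy described above, as an added example that is not TextSecure's or Axolotl's own code: a simplified HMAC-SHA256 hash-chain ratchet in which every message gets its own key and the chain key is overwritten after each step. The Curve25519 exchange and AES-256 encryption are left out (payloads are treated as opaque ciphertext), and the labels, class and function names are assumptions of this sketch.

```python
import hashlib
import hmac

MSG_KEY_LABEL, CHAIN_KEY_LABEL = b"\x01", b"\x02"  # assumed labels (not from the page)

def kdf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()  # HMAC-SHA256

class ChainRatchet:
    """One direction of a simplified symmetric (hash-chain) ratchet."""
    def __init__(self, chain_key):
        self.chain_key, self.counter = chain_key, 0

    def step(self):
        n, message_key = self.counter, kdf(self.chain_key, MSG_KEY_LABEL)
        # The old chain key is overwritten; HMAC cannot be run backwards.
        self.chain_key = kdf(self.chain_key, CHAIN_KEY_LABEL)
        self.counter += 1
        return n, message_key

def mac(message_key, n, ciphertext):
    data = n.to_bytes(4, "big") + ciphertext  # bind the tag to the counter
    return hmac.new(message_key, data, hashlib.sha256).digest()

def send(ratchet, ciphertext):
    n, message_key = ratchet.step()
    return n, ciphertext, mac(message_key, n, ciphertext)

def receive(ratchet, packet):
    n, ciphertext, tag = packet
    if n != ratchet.counter:
        return None  # replayed or out of order; no skipped-key store here
    message_key = kdf(ratchet.chain_key, MSG_KEY_LABEL)
    if not hmac.compare_digest(tag, mac(message_key, n, ciphertext)):
        return None  # tampered: reject without advancing the ratchet
    ratchet.step()
    return ciphertext

def demo():
    shared = hashlib.sha256(b"constructed shared secret").digest()  # sample
    alice, bob = ChainRatchet(shared), ChainRatchet(shared)
    p0, p1 = send(alice, b"ct-0"), send(alice, b"ct-1")
    out = {"first": receive(bob, p0), "replay": receive(bob, p0),
           "tampered": receive(bob, (p1[0], b"ct-X", p1[2])),
           "second": receive(bob, p1)}
    # A copy of Bob's current state can only walk the chain forward.
    thief, old_key = ChainRatchet(bob.chain_key), kdf(shared, MSG_KEY_LABEL)
    out["old_key_found"] = any(thief.step()[1] == old_key for _ in range(1000))
    return out
```

This hash chain only covers keys that were already used; the "future secrecy" property comes from mixing fresh ephemeral key exchanges into the chain, which this sketch does not model.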

Installing TextSecure app on your Android phone is easy:

  • Step 1 – Download the TextSecure app from the Google Play store and install it
    • Tap “Install” and accept the Terms of Service (app permissions) by selecting “Accept.”
    • The app will download and install automatically.
    • Note – If you do not agree to the app permissions the installation will cancel.
  • Step 2 – Configuration and initial setup
    • Register your phone – enter your country (where the SIM card was purchased) and phone number and press register (optional)
      • You will receive an SMS message with a 6-digit code to verify your registration
      • If no SMS is received, you can choose to hear an automated 6-digit voice code.
      • Verify your registration
  • Import current SMS messages into the encrypted database
  • Make TextSecure your default messaging app
  • Create a passphrase to encrypt your local data
    • This encrypts your data locally on your device, as well as in transit.
    • Note – If you skip this step, your messages will still be encrypted in transit but not on your local device
    • Have TextSecure automatically lock after a period of inactivity that you set

Below are a few screenshots of the TextSecure app in action.  The last screenshot shows the creation of a group using the app.

TextSecure Private Messenger

You can now begin securely messaging your friends and family by selecting them from your contact list. If both you and your friend are using TextSecure for Android or Signal for iOS, then the messages will automatically be sent encrypted over the Internet. Otherwise, if your recipient does not have TextSecure or Signal, the message will be sent unencrypted over SMS. TextSecure messages sent securely over the Internet have a blue background and those sent over SMS have a green background. Pressing and holding the blue send button will bring up an options screen that lets you choose how to send your message. TextSecure 2.7.0 and above will only support encryption through the TextSecure transport or plaintext SMS/MMS. The Open Whisper Systems servers never have access to your messages, as the keys are kept locally on your machine and they do not store your data.

Among the other features of the app is the ability to create groups from your contacts to send group messages. As with individual messages, if anyone in your group does not have TextSecure or Signal, the message will be sent using MMS. Otherwise, the message is sent to all group members encrypted over the Internet. TextSecure allows you to send images, video and audio files to your contacts. Finally, you can verify your recipient's identity using their fingerprint technology.

TextSecure Review:  Conclusion

Open Whisper Systems is a community volunteer and privately funded project that has grown out of the need for secure, easy-to-use privacy apps for the masses. One of the projects that it currently supports is TextSecure Private Messenger for Android. This program gives Android users a way to ensure that all of their text messages are private and secure. It allows TextSecure users to send encrypted messages to either other TextSecure for Android users or Signal for iOS users. It also lets them authenticate the identity of the message recipient using its fingerprint technology. So anyone who has either of the aforementioned apps can send secure, encrypted text messages, pictures, videos, or audio files using Wi-Fi or data over the Internet to others who also use the apps. This allows them to save money because they avoid possible SMS and MMS charges.

The TextSecure app is integrated seamlessly with Android’s contact list so that anyone can easily use it. All text messages between those who have either of the aforementioned apps are encrypted by default before being sent to their intended recipient. Since this encryption occurs on the local device, even the Open Whisper Systems servers cannot see the message, and they do not store your data, so you can be sure your communication is private and secure. If the recipient does not have one of the above-mentioned apps installed, then the message will be sent using unencrypted SMS or MMS. This makes it suitable as a replacement for Android’s regular messaging app. TextSecure is free and open-source under the General Public License version 3 (GPLv3). Open Whisper Systems is currently working to develop a TextSecure browser extension. If you have an Android phone, we recommend that you try the app for yourself and recover the privacy you once had when texting with family and friends.
