[liberationtech] Encrypted SMS

Jen Savage savagejen at gmail.com
Thu Oct 7 11:23:09 PDT 2010


I am still seeking encryption solutions for the iPhone. Any app at all
that can send an encrypted photo or text message.

-Jen

On Thu, Oct 7, 2010 at 1:17 PM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
>
>> I've not been able to find any serious review of CryptoSMS, or any
>> other implementation of secure SMS messaging.  Would any of you
>> helpful people be able to point me the right way, or share your
>> thoughts?
>
> As Danny mentioned, I work on an encrypted SMS client for Android, so
> I've looked into a few other solutions along the way.
>
> - CryptoSMS -- Last I checked this was J2ME only.  When I glanced at
> their protocol, my recollection was that it isn't forward secure and
> that the local encryption protocol is broken (or at least not IND-CPA
> secure).
>
> - Parandroid -- This is a fork of the stock Android messaging app with
> some crypto tacked on.  The authors have done an impressive job of
> maintaining the appropriate merges across all the different messaging
> versions for the various Android versions, but this appears to be their
> first foray into secure communication.  When I glanced at their
> on-the-wire protocol, it had vulnerabilities for secrecy,
> integrity, and authenticity.  My recollection was that the local storage
> protocol had the same problems.  I contacted them about it probably four
> or five months ago, and to my knowledge they haven't made any
> announcements or changed anything since.
>
> - CryptoPhone -- There's an encrypted SMS app for CryptoPhone.  My
> recollection is that it's forward secure.  Haven't looked at the source.
> If I recall, though, they don't use ECC and so it uses a lot of SMS
> messages? Could be mistaken.
>
> - TextSecure -- This is the app that I work on (bias stated).  It uses
> ECC and has a protocol derivative of OTR, so you get forward security
> and deniability.  We also support encrypted MMS messages.  We've cloned
> most of the stock messaging features and added some more.  It's a beta,
> though, so while it's becoming pretty stable and I'm gaining confidence
> in its security with each release, no guarantees.  It's free for
> individual use, so give it a try.  We'll be making the source available
> (not under an OSS license) once it comes out of beta.
>
>> You might also want to look at TextSecure,
>> http://www.whispersys.com/, which is based on OTR, but with some
>> protocol changes to fit with SMS's limited size. I've cc:'d the
>> author of TextSecure here Moxie Marlinspike, though I suspect he may
>> be onlist anyway.
>
> I'm not on the list, thanks for the CC though.
>
> - moxie
>
> --
> http://www.thoughtcrime.org