TextSecure is an open source messaging app with strong security features
The past days have been filled with news about new email or text messaging services that promise better privacy and security than traditional email and messaging applications.
TextSecure ticks all the right boxes and offers features that most comparable solutions don't. First of all, it is completely open source which means that you can download and build the app from source, or audit the source to make sure it is secure and there is nothing fishy going on.
That is not the only difference from applications such as WhatsApp, however. The newest version of the app uses end-to-end encryption that supports message-level forward secrecy and deniability guarantees.
What does that mean? It would go too far to go into details here, so only this much: instead of always using the same public key to encrypt data, peers in a conversation negotiate secrets that are used in its place. These are ephemeral, so that recording the exchanged traffic won't help listeners compromise the data in the future.
Deniability, on the other hand, means that recipients can verify that a message was sent from a particular contact, but that they cannot prove that to anyone else.
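The two properties described above can be sketched in a few lines. This is an added example, not TextSecure's code or protocol: it assumes a toy Diffie-Hellman group and an HMAC tag, all function names are made up for illustration, and it leaves out the identity-key authentication a real messenger needs.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, chosen for this example only (an assumption);
# real protocols use vetted elliptic-curve groups.
P = 2**255 - 19
G = 2

def ephemeral_keypair():
    """Fresh private/public pair, used for one exchange and then discarded."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    """Both peers compute the same secret from their own private value."""
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hashlib.sha256(b"example-mac-key" + shared).digest()

def negotiate():
    """Return (alice_key, bob_key); private values go out of scope here."""
    a_priv, a_pub = ephemeral_keypair()
    b_priv, b_pub = ephemeral_keypair()
    return derive_key(a_priv, b_pub), derive_key(b_priv, a_pub)

def tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, mac):
    return hmac.compare_digest(tag(key, message), mac)

def demo():
    alice1, bob1 = negotiate()          # first exchange
    alice2, bob2 = negotiate()          # later exchange, new ephemeral values
    sent = b"meet at noon"              # constructed sample message
    mac = tag(alice1, sent)
    forged = b"meet at midnight"        # written by Bob, not Alice
    return {
        "peers_agree": alice1 == bob1 and alice2 == bob2,
        "new_secret_each_time": alice1 != alice2,
        "bob_accepts_alice": verify(bob1, sent, mac),
        # Bob holds the same key, so his own tag is indistinguishable from
        # Alice's: a transcript proves nothing to a third party.
        "bob_can_forge": verify(bob1, forged, tag(bob1, forged)),
        "old_mac_fails_later": not verify(bob2, sent, mac),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```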
Protection does not end here though. All messages that are sent or received with TextSecure are stored in an encrypted database.
The application uses a mixed mode of operation by default. What this means is that it will use end-to-end encryption automatically if sender and recipient are using the TextSecure app.
If the recipient does not, a push message is sent instead, but only if you have verified your phone number at one point in time. Push messages offer better privacy and you are not billed for sending those messages. If push is not available for whatever reason, the app falls back to standard SMS instead.
This can be disabled in the options, so that only end-to-end encryption is used and nothing else.
The messaging application supports one-on-one conversations and group chats, which use the same level of encryption.
Secure messages are indicated by a padlock icon in the conversation window. Here you can also distinguish easily between secure messages that you have sent -- padlock icon again -- and regular messages that show a message icon instead.
It is furthermore possible to verify keys while you are in a secure conversation. Just select Secure Session Options > Verify Recipient Identity to do so. If you are in the same physical location, you can use QR code scanning to speed up the verification process.
The first time you run TextSecure you are asked to create a password. This password is used to encrypt all secret information, and it is recommended to select a strong one here. You can configure the app to remember the password for as long as it is running, or only for a select period of time. This password cannot be recovered if it is lost.
The password is also used to encrypt all text messages on the local device. The only message part that is not encrypted is the destination information.
Messages can be backed up and imported on another device, and also quickly deleted if you so desire.
TextSecure Private Messenger is already available for Android devices, while a compatible iOS version will be released in the near future.
Closing Words
TextSecure ticks all the right boxes. It is open source and thus fully verifiable. It offers end-to-end encryption, encrypts all messages, uses advanced encryption and security concepts for improved privacy and security, and can fall back to regular messaging if that is desired.
While it is currently only available for Android, it will soon be available for iOS devices and desktop systems.
I have been using this for a while now. It’s not bad. I use Red Phone as its voice complement. These drive the commies nuts in China and Russia. They keep knocking on my hotel room door or calling my room to see if I’m in. But my electronics are all securely electrified when I leave the room :)
Oh, and Martin, there is a problem posting comments via an Android phone. I always get a Please Complete All Fields error.
Dante thanks, it is fixed now.
I’ll try it out. Looks very good.