In a previous post I referenced the EFF’s Secure Messaging Scorecard, which evaluates the security and privacy measures built into several messaging applications across Windows, OS X, Linux, and Android. In this post, I outline my favourite app on this card: TextSecure, the secure text messaging application for Android from Open WhisperSystems.
TextSecure is the type of app I’d like to see more frequently: free and freely available; open source so that users, developers, and auditors can review the code; built with powerful security measures enabled by default; and simple enough to use that it immediately becomes invisible to even the least tech-savvy user. The developers are also honest about the compromises they’ve had to make in bringing the app to its current state: their support articles note that they have had to choose between reliable message transport and integration with Google Play Services, and they include references to the discussion around that decision and the steps they plan to take to mitigate that compromise in the future.
The functionality TextSecure offers is essentially a set of tiered security levels to protect its users’ privacy:
Level one: when configured with a passphrase (an optional password entered on the device before the app can be used), all text messages – whether encrypted in transit or not – are encrypted on the device’s storage.
Level two: when messaging between two users that both have TextSecure installed, but in circumstances where using push/data is not possible, messages are encrypted in transit but are sent over mobile carriers’ networks via SMS.
Level three: when push is available, messages are encrypted in transit and never pass over SMS networks.
Essentially, each level offers another set of protections. First, your messages are protected if anyone has physical access to your device; second, the contents of your messages are protected from interception by your mobile carrier (but metadata such as the from and to numbers is still captured); third, all data and metadata circumvent the carrier channels. All of this is invisible to most users.
The list of people and organizations that might want to read, or might already be reading, your text messages and metadata is as long as a grown person’s arm, so the reason an individual would or should use TextSecure or a similar app is pretty close to self-evident. The fact that TextSecure is so easy to implement, share, and use makes switching to it a really easy decision.
Full technical documentation, including the source code for the app, is available at the Open WhisperSystems website.