Zenhack.net

The Trouble With TextSecure

19 Jul 2015

Since the Snowden leaks, I’ve observed people being generally more security and privacy conscious with respect to their computers. When talking to people about setting up encryption (whether it’s OTR, PGP, or something else), I don’t usually need to convince people of the utility of these tools. The “I have nothing to hide” argument is getting rarer. Maybe I’m bubbling myself, and seeing a more dramatic change than is really there (this seems likely), but I think there is a real positive shift going on in that regard.

I’m also seeing people willing to put up with some quirks, and with tools that they need some hand-holding to set up, such as GPG. GPG has some serious usability problems, there are some deeper problems with the standard, and there are some very fundamental problems with trying to secure email as a communications mechanism at all. That said, it’s better than nothing, and many people think it’s important enough to fumble through.

There are lots of other tools I end up hearing about. Some are good, some are a bit more half baked or wrongheaded, but it’s encouraging to me that people are really starting to care.

There’s one tool that I see a lot of people getting excited about that, while it has some good points, also has some problems that I feel the need to point out: TextSecure.

What Is It?

TextSecure is a mobile app for sending and receiving encrypted text messages. These days it doesn’t use SMS at all for encrypted messages; it sends them over the data connection, but will seamlessly fall back to SMS for unencrypted messages, so from the user’s standpoint (as long as they have working data) it looks exactly the same as a normal texting app. It used to be the case that TextSecure did send encrypted messages over SMS, but support for that has been dropped, for reasons explained here.

Good Stuff

TextSecure is very easy to use. Once you’ve installed it and done the initial setup, it doesn’t look very different from a standard text messaging app, and you can pretty much keep going as you have been, but with some added security.

This is incredibly unusual for privacy/cryptography tools, and the developers deserve a lot of credit for doing an outstanding job.

I’m also told the implementation is very clean. Especially in a security-related tool like TextSecure where correctness is critical, this does a lot to inspire confidence. And of course it’s free and open source software.

Problems

Most of this section is specific to the Android version. There’s an iPhone version as well, but simply using an iPhone means you have similar problems (and then some) with every app on your phone.

The chief problem with TextSecure, as I see it, is over-centralization. On an implementation level, TextSecure uses Google Cloud Messaging, which has the unfortunate consequence that TextSecure is not usable without being signed in to Google.

On a more social level, the developers have made it clear that they feel very strongly that they should be informed about how many people are using their software, what versions people are running and so on. Because of this they’ve insisted on distributing builds of the app through the Google Play store only. There have been some heated arguments between the TextSecure developers and the F-Droid developers where the TextSecure developers have actually asked the F-Droid developers to stop distributing TextSecure. I won’t link to those discussions here, if you’re curious you should be able to find them easily enough.

To be clear, the developers’ reasons for wanting all of those analytics are perfectly benign and sensible. It’s useful feedback for improving the application, and lets them know if there’s a problem where large numbers of users are running out-of-date, possibly vulnerable versions of the software. However, it should be the users’ choice to opt in or out of this. Even Debian has its popularity-contest package, but it doesn’t get activated unless the user is okay with it.

For me, this is all really troubling, and has caused me to stay away from the app. While the encryption is nice, having to be constantly connected to systems run by a company whose business model revolves around targeted advertising makes me deeply uncomfortable. I don’t sign into Google on my phone, and have in the past been running non-stock Android ROMs that don’t even have the Google Play store installed.

For users who for one reason or another have chosen to be persistently connected to Google (or for iPhone users, where they have so little control over their device already), TextSecure is probably a big win. However, I’m always wary of tools that increase centralization around an already powerful corporate interest, and every user an app like this gets makes it harder for people to use something else.

Alternatives

When TextSecure dropped support for sending encrypted messages over SMS, some folks started a fork of the project called SMSSecure. It’s available via F-Droid (as well as Google Play). As near as I can tell it doesn’t support using the data connection as a transport at all. The drawbacks which caused the TextSecure developers to drop support for encrypted SMS are entirely real, and they’re fair criticisms. There are some rough edges that would be really hard to fix while using SMS as a transport. It’s also probably the case that it leaks more metadata to more organizations (I haven’t looked all that closely at the implementation of TextSecure, but from what I know about SMS I’m inclined to take their word for it), which is a serious drawback. That probably isn’t solvable while using SMS as a transport either.

Even so, it’s one of the nicer encryption tools I’ve used, and it addresses the concerns I’ve raised above. For the most part it looks and (from the user’s perspective) operates pretty similarly to TextSecure, although there are a few minor rough edges due to the use of SMS as a transport. From where I stand it’s a really good trade-off.

Conclusion

While the increased interest in encryption tools I’ve seen lately is encouraging, I’m wary of tools that try to fill this role while using centralized services, especially from entities that may be less than trustworthy in a privacy context. I don’t necessarily think that there’s no argument for making that tradeoff in favor of usability, but I don’t think it should be done lightly, and in the case of TextSecure I think it’s the wrong tradeoff. I’d encourage people to try out SMSSecure.