Talk:TextSecure/Archive 1

Latest comment: 10 years ago by 194.100.27.29 in topic Phone number

Features

Information not yet included in the Features section:

  • Available themes: Light and dark.
  • Opt-in feature: "Timeout passphrase: Forget passphrase from memory after some interval"
  • Opt-in feature: "Delete old messages: Automatically delete older messages once a conversation thread exceeds a specified length"
  • Opt-in feature: "SMS delivery reports: Request a delivery report for each SMS message you send"
  • Possibly upcoming features (need secondary sources):
      • A browser extension that would allow conversations to remain in sync across multiple devices.[1] "The TextSecure protocol supports a mechanism for keeping conversations in sync across all registered devices, without sacrificing forward secrecy, deniability, an asynchronous orientation, and without trusting any third party."[2]
      • Email address based registration.
      • RedPhone integration.[3][4]


TextSecure can be used with The Guardian Project's Orbot to hide the user's IP address. The phone has to be rooted, though. I am a bit hesitant to say that this should be in the Features section, because it is not an inherent feature of the app. It could be in the future, if its developers decide to add proxy support like in the DuckDuckGo, Firefox, and Twitter apps. --Nullnullthree (talk) 09:39, 27 March 2014 (UTC)

Distribution

The author of TextSecure, Moxie Marlinspike, discourages any distribution of the application apart from the Google Play Store, or any other app store that provides similar levels of spying on the users.[5] This has led to friction with the F-Droid open-source app repository maintainers, and finally resulted in Moxie requesting removal of TextSecure from that repository, which was carried out.[6]

The above was added by an unknown editor (101.221.82.251) a few hours ago. It has multiple issues and should be reviewed before adding to the article.[7] The answer given in issue #281 is by no means complete and refers to issue #127.[8] --Dodi 8238 (talk) 05:20, 13 March 2014 (UTC)

The incident was a matter of a temporary security vulnerability. Open WhisperSystems requested the app's removal for multiple reasons not stated in the referenced F-Droid notice.[9][10] Apropos, the first sentence contradicts itself. It should read: "...or any other app store that does not provide similar levels..." --Nullnullthree (talk) 09:46, 27 March 2014 (UTC)

I would suggest the following version be added as a new subsection ("Distribution") to the security section. This version omits the last part about F-Droid. The word friction is quite loaded and out of context. Open WhisperSystems requested F-Droid to remove the app from their repository and they complied. --Nullnullthree (talk) 10:53, 13 March 2014 (UTC)

The F-Droid incident is probably significant enough to be mentioned. Otherwise our unknown contributor might not have written about it. I have taken the liberty of adding a one-line mention of it in your suggestion. --Dodi 8238 (talk) 16:14, 13 March 2014 (UTC)

Following an incident in August 2012, Open WhisperSystems has declined requests to distribute the application through 3rd party sources, such as F-Droid.[11] They have defended this position with the following arguments:

1. Users who install the application outside of the Play Store do not receive timely software updates. The ability to provide users with rapid fixes for any vulnerabilities that are found is extremely important to the security of our software. Alternative app catalogs like F-Droid rely on a centralized trust model and necessitate allowing the installation of apps from unknown sources which harms Android's security for average users. Open WhisperSystems is developing an update framework that will allow distribution outside of the Play Store to happen in a responsible and secure fashion.
2. Outside of Google's GCM, the fact is that there are no alternative push messaging frameworks for Android that can scale to the millions of users that TextSecure has. GCM requires Google Play. As a solution, Open WhisperSystems has added WebSocket support to the open source TextSecure server. This won't work as well as push messages that are sent via GCM, but it will provide a way for TextSecure to work outside of Google's GCM push messaging framework once support has been added to the client. (Open WhisperSystems Support)

Open WhisperSystems has acknowledged that this is an important issue for some of TextSecure's users, and has assured that they are working on it. They have, however, chosen to focus on serving the millions of users who have Google Cloud Messaging (GCM) capabilities before turning their attention to the small number of users who refuse to install GCM. They have invited the community to help them add WebSocket support to TextSecure for Android.[12]

Phone number

The Server tracks all IPs that appeared in combination with your phone number. It can be better to use another service that does not know about your phone number at all.

The above was added by an unknown editor (88.215.114.126). The allegation in the first sentence should meet Wikipedia's verifiability standards before it can be added to the article. Also, what is meant by tracking? The second sentence does not sound like it's up to par with Wikipedia's neutral point of view standards. Check out the five pillars of Wikipedia. --Dodi 8238 (talk) 21:12, 14 March 2014 (UTC)

I think our unknown contributor meant that the mobile network operators are able to track everything that has to do with the SIM card of the device, such as location and call/messaging activity. This is something that would be possible regardless of whether or not TextSecure is installed on the device. To my knowledge, the developers have never claimed that TextSecure fixes this issue. --Nullnullthree (talk) 12:10, 15 March 2014 (UTC)

I agree. Anyway, TextSecure can be used with Orbot to hide the user's IP address. TextSecure-Server only stores the user's (hashed) phone number, auth token, and GCM ID.[13] Because the number is hashed, one could argue that the server does not know the user's phone number. Hashing, however, has no real privacy value.[14] --Dodi 8238 (talk) 18:40, 16 March 2014 (UTC)

In other words, the app only asks for the user's phone number so that it can generate a hash that it can then compare to hashes on a server. --194.100.27.29 (talk) 14:49, 9 July 2014 (UTC)

Servers

Information about the registration process could be included in the Servers section.[15][16] --Dodi 8238 (talk) 09:17, 20 March 2014 (UTC)

I've now added a line or two about what information is sent to the servers. --Dodi 8238 (talk) 22:43, 25 March 2014 (UTC)