Monday, December 09, 2013

In coming update, CyanogenMod text messaging to be encrypted by default

CyanogenMod (CM), the world's most installed custom Android ROM, is about to make the text messages its end users send more secure, by default. The company announced on Monday that it has teamed with Open Whisper Systems to incorporate its TextSecure secure messaging app into its ROMs.

This means that messages that are sent from CM users to other CM users, or to those using the TextSecure app from the Google Play Store, will be automatically be encrypted. Those using the service that will be built into the update to CM 10.2 can use any SMS client they wish.

Cyanogen says has 10 million known users, but that number is lower than the actual figure as it gives users the option to not be counted. Kirt McMaster, CEO of Cyanogen, said that these hidden users could boost the actual installed base to as many as 30 million.

Notably, there is some fragmentation here, as Android users are used to. The secure messaging update will first be rolled out to the newly released CyanogenMod 10.2 version, which has been installed by about 668,000 users, and then to earlier versions.

How does TextSecure compare with Apple's iMessage? Apple has claimed that iMessage texts cannot be decrypted, even by the company itself. However, security experts disagree; they have shown that Apple could swap out users’ keys to ones that it controls if it wished to decrypt user data.

Meanwhile, TextSecure uses a feature known as “perfect forward secrecy” that modifies a user’s encryption key with every message, meaning that even if the key for one message is broken, no other messages can be read. TextSecure, additionally, has received positive reviews from security researchers who have audited its open-source code.

In a blog post, security researcher Moxie Marlinspike, CTO and co-founder of Open Whisper Systems, said:
Cyanogen deserves enormous praise for their substantial commitment of time and resources to this development effort. Their genuine resolve to protect their users from large-scale dragnet surveillance is truly remarkable in a world where most companies are instead angling to collect as much information about their users as possible. They’ve set the bar high for themselves, but I think we can expect more great things from them in the future.
Certainly, 10 million or even 30 million users is small considering that Samsung sold over 40 million GS4s alone in six months.

Still, perhaps this will gain enough attention for Google to consider adding TextSecure to its SMS middleware layer, as Cyanogen did.

No comments: