User:Asr/SMSSecure

SMSSecure is a fork of TextSecure, both advanced free and open-source encrypted messaging applications for Android which use the TextSecure encryption protocol. This protocol enables the secure transmission of SMS and MMS messages to other SMSSecure users. Users can independently verify the identity of their correspondents by comparing key fingerprints out-of-band or by scanning QR codes in person. The Android application can function as a drop-in replacement for Android's native messaging application. The local message database can be encrypted with a passphrase.

SMSSecure implements TextSecure's encryption protocol, but with no instant messaging features, and therefore can not be used for instant messaging with TextSecure, WhisperPush, or Signal users. SMSSecure is developed by Carey Metcalfe and Bastien Le Querrec, who are not affiliated with Open Whisper Systems.



Whisper Systems and Twitter (2010–2011)
TextSecure started as an application for sending and receiving encrypted SMS messages. Its beta version was first launched in May 2010 by Whisper Systems, a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson. In addition to launching TextSecure, Whisper Systems produced a firewall, tools for encrypting other forms of data, and RedPhone, an application that provides encrypted voice calls. All of these were proprietary enterprise mobile security software.

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company. The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011. RedPhone was also released under the same license in July 2012. Marlinspike later left Twitter and founded Open Whisper Systems as a collaborative Open Source project for the continued development of TextSecure and RedPhone.

Open Whisper Systems (2013–2015)
Open Whisper Systems' website was launched in January 2013. Open Whisper Systems started working to bring TextSecure to iOS in March 2013.

In February 2014, Open Whisper Systems updated their protocol to version 2, adding group chat and push messaging capabilities. Toward the end of July 2014, Open Whisper Systems announced plans to unify its RedPhone and TextSecure applications as Signal. This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client. Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.

In March 2015, Open Whisper Systems released Signal 2.0 with support for TextSecure private messaging on iOS. Later that month, Open Whisper Systems ended support for sending and receiving encrypted SMS/MMS messages on Android. As of version 2.7.0, TextSecure only supports sending and receiving encrypted messages via the data channel. Reasons for this included:
 * Complications with the SMS encryption procedure: Users needed to manually initiate a "key exchange", which required a full round trip before any messages could be exchanged. In addition to this, users could not always be sure whether the receiver could receive encrypted SMS/MMS messages or not.
 * Compatibility issues with iOS: Not possible to send or receive encrypted SMS/MMS messages on iOS due to the lack of APIs.
 * The large amounts of metadata that inevitably arise and are uncontrollable when using SMS/MMS for the transportation of messages.
 * Focus on software development: Maintaining SMS/MMS encryption and dealing with edge cases took up valuable resources and inhibited the development of the software.

Forking to SMSSecure
Open Whisper Systems' abandonment of SMS/MMS encryption, added to the dependency on Google Cloud Messaging (GCM) and the unavailability from F-Droid, prompted some users to create SMSSecure as a fork.

Features
SMSSecure allows users to send encrypted text messages to other SMSSecure users with smartphones running Android. SMSSecure also allows users to exchange unencrypted SMS and MMS messages with people who do not have SMSSecure.

Management of regular SMS/MMS
Messages sent with SMSSecure may be encrypted as soon as the user sends a private session request. This feature differs from the regular use of TextSecure protocol V2 in TextSecure, WhisperPush and Signal, which centralizes the users in federated directory servers, and therefore is able to automatically start ciphered sessions via GCM or WhisperPush, without requesting it from the user.

Encryption of SMS
When a private session is started in SMSSecure, any sent messages are automatically end-to-end encrypted, which means that they can only be read by the intended recipients. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled. In the user interface, encrypted messages are denoted by a lock icon.

According to the Slovakian website Cypersec.sk, with the abandonment of SMS/MMS encryption by TextSecure, SMSSecure is now the only one from their tests to provide this feature.

Key verification
SMSSecure has a built-in function for verifying that the user is communicating with the right person and that no man-in-the-middle attack has occurred. This verification can be done by comparing key fingerprints out-of-band. Users can also scan each other's personal QR codes.

Non-dependency on GCM
TextSecure relies on GCM for a wakeup event in order to deliver messages over the data channel. According to Carey Metcalfe and Bastien Le Querrec, their goal is to build an app which is independant from Google Services, which is not be TextSecure because of this GCM dependancy.

Stagefright
On July 27, 2015, an Android bug called Stagefright was publicly announced, which lead users to audit their MMS/SMS applications. Accoring to Yemen-Press.com, SMSSecure's default settings can be modified so that it is not vulnerable to this attack vector.

Licensing
The complete source code of SMSSecure is available on GitHub under a free software license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copy of the application and compare it with the version that is distributed by SMSSecure.

Reception
In April 2015, SMSSecure was included in a list of "The best 9 apps for Android" by the Dutch website Android Planet.

Distribution
SMSSecure is available through Google Play, F-Droid and Amazon Apps.