CyanogenMod adds encryption to SMS: Is regular text messaging finally secure?


Digital privacy is perhaps the biggest issue of 2013, and this is likely to extend far beyond the new year. With whistleblowers leaking information that government agencies are spying on our conversations, who would not be paranoid? And if it’s not government, it’s the multitude of service providers that use our personal information — brand preferences, online habits, geo-location, demographics — as means to target their advertising message.

We earlier discussed a few apps that could help in improving privacy in conversations, and these include the likes of Telegram and Silent Circle, which employ peer-to-peer encryption to ensure messages are safe from prying eyes. However, there are limitations to using add-on apps for secure messaging. First, there is the added effort of having to install an app just for secure messaging. Secondly, your correspondents would be limited to those also using those apps. Third, some apps are not free — Silent Circle, for one charges a monthly fee for each user.

Granted, you will likely want to have private and secure conversations with a limited set of people, wouldn’t it be good if all your chats and text messages were secure in the first place? iOS users seem to have this luxury, at least with iMessage. Apple claims that the service has unbreakable encryption, and the company does not turn over data to authorities. Now, security researchers have challenged this claim, but the fact remains that Mac, iPhone, iPad and iPod touch users already have a built-in app for secure messaging. The limitation here, again, is that you can only message securely with other iMessage users. SMS fallback (sending to a non-iMessage user) will still be insecure.

For Android users, Google does not exactly offer a default messaging app aside from the stock SMS and Hangouts. The onus is upon the user to choose an alternative messaging app, even — that’s the beauty of Android. But an effort from the developers of CyanogenMod might lead to more secure SMS in the future.

CyanogenMod and WhisperPush

For CyanogenMod, encrypted messaging comes in the form of WhisperPush, based on the open-source TextSecure protocol. The Cyanogen team is already baking this functionality into nightly 10.2 builds, and promises to include it in version 11 onward. “Your messages to other CM or TextSecure users (regardless of iOS or Android) will automatically be encrypted and secured,” developers have written. And if the intended recipient does not have TextSecure, then the message sending will fall back into unsecured SMS.

In summary, WhisperPush will encrypt messages sent through SMS, for as long as both sender and recipient are compatible with the platform. With the technology, encrypted messaging can be extended to any SMS application, which includes either the stock SMS app that comes with the device, or the multitude of replacement apps on Google Play.

TextSecure uses end-to-end encryption with local-generated keys, and the technology likewise employes forward secrecy. Meta data might be vulnerable to snooping, however. But with TextSecure being open source, developers and users alike are free to scrutinize the code to check for potential vulnerabilities.

The technology is designed to be unobtrusive, although there are still potential loopholes. For one, the “silent” and automatic fallback is found to be an issue for some, because it nullifies the security offered by encryption. This might be a minor hurdle that can be fixed in a final release.

What’s exciting here is that secure cross-platform messaging may actually be possible without the need to install separate sets of apps for each need. TextSecure is meant to run in the background, and users are free to simply send SMS as they normally would, but can expect an additional layer of privacy and security on top of SMS.

There is, of course, the limitation that only CyanogenMod offers this functionality as an included feature, at this point. But what’s stopping developers from integrating TextSecure into Android, iOS or any other mobile platform?