Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, what's to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire? Kidding of course, but you get what I mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself, but it wouldn't make sense any other way ;-)
You have to be logged in. And I think info is sent via Google servers, so unless someone steals your Google account, I think you should be safe.
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (Chrome extension, Android application and application server) are open source, so what prevents anyone from developing another extension that uses the Google cloud service to communicate with Android?
ludo218 said:
All the components of the extension (Chrome extension, Android application and application server) are open source, so what prevents anyone from developing another extension that uses the Google cloud service to communicate with Android?
All of the messages go through the Google servers
As I understand, the application engine part of the extension (which runs on Google App Engine) registers itself to "the cloud" using the Google API. Anyone should be able to use these APIs, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrome2Phone" asks for root access is the day it should be removed from your phone. Until then the most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
That is true, but if I recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
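The safeguards posters describe in this thread (pushed links only open the browser or maps, an optional notify-first setting, and phone numbers landing in the dialer rather than being called) can be modelled as a receiver-side policy. This is an added example, not Chrome to Phone's code: `decide`, `Decision` and the validation rules are assumptions, and only the two Android action names are real constants.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Real Android intent actions. VIEW opens a handler (browser, maps);
# DIAL only pre-fills the dialer, the user still has to press call.
ACTION_VIEW = "android.intent.action.VIEW"
ACTION_DIAL = "android.intent.action.DIAL"

MAX_LEN = 2048  # assumed upper bound for a pushed link
GEO_RE = re.compile(r"-?\d{1,3}(\.\d+)?,-?\d{1,3}(\.\d+)?(\?[\w=&.,+%-]*)?")
TEL_RE = re.compile(r"\+?\d{3,15}")  # plain numbers only


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    action: Optional[str] = None
    target: Optional[str] = None
    confirm: bool = True  # must the user approve before anything opens?


def _deny(reason: str) -> Decision:
    return Decision(False, reason)


def decide(payload: str, notify_first: bool = True) -> Decision:
    """Map a pushed string to at most one low-privilege action."""
    if not payload or len(payload) > MAX_LEN:
        return _deny("empty or oversized payload")
    # Reject spaces, tabs, newlines and other control characters outright
    # instead of trying to normalise them away.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in payload):
        return _deny("whitespace or control character in payload")

    scheme, sep, rest = payload.partition(":")
    if not sep:
        return _deny("no scheme")
    scheme = scheme.lower()

    if scheme in ("http", "https"):
        try:
            parts = urlsplit(payload)
            host = parts.hostname
            _ = parts.port  # raises ValueError on a malformed port
        except ValueError:
            return _deny("malformed URL")
        if not host:
            return _deny("URL has no host")
        if parts.username is not None or parts.password is not None:
            return _deny("userinfo in URL can disguise the real host")
        return Decision(True, "web link", ACTION_VIEW, payload, notify_first)

    if scheme == "geo":
        if not GEO_RE.fullmatch(rest):
            return _deny("malformed geo URI")
        return Decision(True, "map location", ACTION_VIEW, payload, notify_first)

    if scheme == "tel":
        if not TEL_RE.fullmatch(rest):
            return _deny("not a plain phone number")
        # Never auto-call: the dialer is shown and the user decides.
        return Decision(True, "phone number", ACTION_DIAL, "tel:" + rest, True)

    return _deny("scheme %r not on allowlist" % scheme)


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for sample in ("https://example.com/a", "geo:37.42,-122.08",
                   "tel:+15551230000", "market://details?id=com.example.app"):
        print(sample, "->", decide(sample))
```

Anything not on the allowlist is dropped before an intent is ever built, which is the property the thread relies on when it says the worst case is an app doing something it was already allowed to do.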
Actually this could be a pretty nifty security feature. If the phone gets stolen, how great would it be to be able to enable the GPS, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.
How's your battery status after the last facebook update?
From what I'm seeing facebook is holding a partial wakelock for the whole time
Is this happening in any situation?
Removing the facebook account from the phone fixes the problem... but would like to keep it in...
now I'm trying with the notifications disabled...
FB has the highest partial wakelock use on mine, but it's not massive, it's bar is about 1/5 full.
but the timing is embarrassing compared to other apps :/
to me it looked that the android system wakelock were very high too...
i'm trying to see if the notifications disabled it lowers down...
How can I check this?
*#*#4636#*#*
then select "battery history"
Or use Anycut to create a shortcut to the 'Testing' app.
same here.. uninstalled.
No problems here.
41 seconds total.
Although I would LOVE to be able to turn off the Facebook push notifications. Despite having disabled everything inside the FB app, they still get pushed to my phone, which drives me ****ing crazy.
I suspect having everything turned off would be why you have a very low wakelock?
Mine is very low. I set facebook to never check for updates since the last release added push notifications. I don't think polling for updates is necessary anymore. No clue why it even has the option still.
Sent from my Nexus One using XDA App
hexix said:
Mine is very low. I set facebook to never check for updates since the last release added push notifications. I don't think polling for updates is necessary anymore. No clue why it even has the option still.
Sent from my Nexus One using XDA App
Facebook developers suck balls, that's why.
JCopernicus said:
Facebook developers suck balls, that's why.
Status updates aren't pushed, I'm guessing that it'd fry the servers. So if you want your synced contacts to display their status in the contact popup you have to poll them.
Somehow the iPhone and Blackberry apps are able to use push notifications properly without frying anyone's servers. Email and SMS notifications can also be sent out instantly. I'm pretty certain there is no technical reason why the Android app can't work right.
pfmiller said:
Somehow the iPhone and Blackberry apps are able to use push notifications properly without frying anyone's servers. Email and SMS notifications can also be sent out instantly. I'm pretty certain there is no technical reason why the Android app can't work right.
Sure there is, facebook developers suck balls.
pfmiller said:
Somehow the iPhone and Blackberry apps are able to use push notifications properly without frying anyone's servers. Email and SMS notifications can also be sent out instantly. I'm pretty certain there is no technical reason why the Android app can't work right.
The news feed updates don't get "pushed" to either of those devices. The polling frequency is for updating the news feed which you would want when using the facebook widget.
I'm not interested in wall updates getting pushed. Notifications get pushed to those devices, and that's all I expect from the Android app.
Newbie question, what is a wake lock and how does it drain battery?
killing the facebook app solved my problem (not only was facebook being very "active"... but also the "android system" was kept constantly awake!!)
in the usage history the system was basically never sleeping... running the whole time :/
as for now I started facebook again... and disabled the notification thing... let's see what happens...
I can confirm that disabling the notifications "fixed" the problem... no more continuous wakelock when app is started...
dunno if push is really working... (don't appear so... will see in the next days :/)
Rusty! said:
I suspect having everything turned off would be why you have a very low wakelock?
Yeah, probably.
The Facebook app is just atrocious. I hate it with a fiery passion. Basically the ONLY 2 reasons I have it installed are 1) Facebook/Contact picture sync and 2) Upload from gallery to FB.
so since apple released whatever 'iMessage' for all apple products and its exclusive and what not, and all blackberry devices have BBM, how much do you gander android will release its own form of IM within the coming months before the release of icecream sandwich?
revamp of G-Talk... maybe? LOL that thing seriously need a big overhaul anyway.
a penny for your thoughts?
I personally like the idea of GTalk how it is now. They could just make sure it's installed on every phone and maybe even put it on the first screen.
I like having it cross-platform and even available on the desktop.
Most of my friends have Android now, so more and more people are moving to GTalk.
I wish they would come out with a better desktop client though that'll do video rather than relying on the web one.
I think GTalk should be a feature they advertise more. It's already available on every Android phone, uses push for 2.2+ and works really well.
It would be cool
I would like to see google sync google talk across devices. Not sure if it could kill off SMS like everyone thinks though.
ethridgt said:
I would like to see google sync google talk across devices. Not sure if it could kill off SMS like everyone thinks though.
The nice thing is that it uses Jabber, so there's lots of clients out there that will support it...all with their own feature sets. So it's easily cross-platform, just not always the official app.
I think iMessage is going to be hugely popular as it looks like it's built right into the normal SMS messaging application in iOS and is going to be automatically used any time you are sending a message to another iPhone user. Once people get used to using the combined messaging app, it's going to be nearly impossible to convince iPhone users to install a 3rd party chat app.
I now think it makes sense for RIM to open up BBM to other platforms, as they have the best chance of getting people to install their app, and if they are going to lose customers to iPhones and Androids (which is clearly happening), it would be in their best interest to at least keep them as BBM users.
Frankly, Google really dropped the ball by not seeing what a big problem all of these proprietary chatting protocols are going to be for alternative mobile platforms. Many people in places like Canada (where blackberry and BBM are very popular) fear switching from blackberry as it means giving up all of your BBM contacts, and it's going to be the same thing for iPhone users soon. We needed an open spec protocol like XMPP to be the dominant protocol so that anyone can make a client for any device, but there are parts of Google Talk that just don't meet what people are looking for.
Google Talk needs at least the following, in my opinion:
- Remove the ability to log out
- Delivery (and maybe read) status for messages
- Improved group chat (currently the implementation is clumsy and inconsistent)
- Improved media transfers (photos and videos, but also contacts and locations)
- Combine SMS and Google Talk applications into one messaging super app, like iMessage.
The biggest problem with Google Talk is it's currently not widely available on every Android phone.
Google doesn't need to revamp gtalk. It just needs to make Disco the default messaging program like Apple has done with iMessage. It would need to add MMS and remove the requirement for creating groups before sending messages but I can't imagine either would be too difficult to do before ICS is released.
http://techcrunch.com/2011/05/23/google-disco-2/
Been wishing this was in gtalk since 1.6. I don't think they need to combine it with the SMS app if they keep the green circle next to the contact's name when they are signed on in Gtalk.
If they updated the BB and IOS apps to work with the new Gtalk apps it could dominate. But like google maps with navigation, they reserve group chats and video chatting to the web client and android users.
http://www.cultofmac.com/androids-going-to-help-apples-imessage-kill-off-sms/99831
PrawnPoBoy said:
I think iMessage is going to be hugely popular as it looks like it's built right into the normal SMS messaging application in iOS and is going to be automatically used any time you are sending a message to another iPhone user. Once people get used to using the combined messaging app, it's going to be nearly impossible to convince iPhone users to install a 3rd party chat app.
I now think it makes sense for RIM to open up BBM to other platforms, as they have the best chance of getting people to install their app, and if they are going to lose customers to iPhones and Androids (which is clearly happening), it would be in their best interest to at least keep them as BBM users.
Frankly, Google really dropped the ball by not seeing what a big problem all of these proprietary chatting protocols are going to be for alternative mobile platforms. Many people in places like Canada (where blackberry and BBM are very popular) fear switching from blackberry as it means giving up all of your BBM contacts, and it's going to be the same thing for iPhone users soon. We needed an open spec protocol like XMPP to be the dominant protocol so that anyone can make a client for any device, but there are parts of Google Talk that just don't meet what people are looking for.
Google Talk needs at least the following, in my opinion:
- Remove the ability to log out
- Delivery (and maybe read) status for messages
- Improved group chat (currently the implementation is clumsy and inconsistent)
- Improved media transfers (photos and videos, but also contacts and locations)
- Combine SMS and Google Talk applications into one messaging super app, like iMessage.
+1, I totally agree with you.
It really has to be promoted. I have a lot of friends with Android devices who don't even know that Gtalk exists, it's a real pain. It needs the option to login with a kind of a "PIN" maybe just like RIM has.
VicToR_AC said:
+1, I totally agree with you.
It really has to be promoted. I have a lot of friends with Android devices who don't even know that Gtalk exists, it's a real pain. It needs the option to login with a kind of a "PIN" maybe just like RIM has.
why use a pin though? that just creates more hassle for everyone. why not just tell them to add your gaccount which has everything integrated... your number/whatever you want to share.
FaithCry said:
why use a pin though? that just creates more hassle for everyone. why not just tell them to add your gaccount which has everything integrated... your number/whatever you want to share.
Because as I can see, some of my friends with an Android device don't even use Gmail accounts, and that's when the problem using Gtalk begins!
VicToR_AC said:
Because as I can see, some of my friends with an Android device don't even use Gmail accounts, and that's when the problem using Gtalk begins!
Fair enough...but then are you telling me they aren't downloading any apps from the market then? And thus not optimizing the android system already? Because if they can access the market they should be able to use g chat ...
Sent from my Nexus One using XDA App
For it to work, any message system has to integrate with the default messaging app. Otherwise, it will be a failure. Apple did get iMessage right by integrating it with the sms app and make using it automatic (without any user input to setup).
^wait, so how does the phone know if the receiver is an iOS user and that the receiver has an internet connection? For iPads, there are no phone numbers associated with the devices. So how does iMessage integrate with the SMS app?
Currently you can see if the person is on gtalk in the SMS app by a green dot next to their name. That seems perfectly fine by me.
NexusDro said:
^wait, so how does the phone know if the receiver is an iOS user and that the receiver has an internet connection? For iPads, there are no phone numbers associated with the devices. So how does iMessage integrate with the SMS app?
Actually, even iPad 3G users have a phone number (it just isn't visible to the user). My guess is it will do contact matching (which will check the contact's email against itunes accounts and the phone number). The phone number will probably be automatically registered to your account when you login to your phone with your itunes account. So it isn't hard to do that simple matching.
moelester518 said:
Currently you can see if the person is on gtalk in the SMS app by a green dot next to their name. That seems perfectly fine by me.
Which sms app? I don't see any green dots (or spaces for them) in the default app, or handcent.
I'm on CM7. Is this a feature in stock roms?
bozzykid said:
Actually, even iPad 3G users have a phone number (it just isn't visible to the user). My guess is it will do contact matching (which will check the contact's email against itunes accounts and the phone number). The phone number will probably be automatically registered to your account when you login to your phone with your itunes account. So it isn't hard to do that simple matching.
But what if I switch between iphones and other phones all the time?
J.L.C. said:
Which sms app? I don't see any green dots (or spaces for them) in the default app, or handcent.
I'm on CM7. Is this a feature in stock roms?
You can see who's online on Gtalk on the stock contact list.
NexusDro said:
You can see who's online on Gtalk on the stock contact list.
Yep, you can. But the contact list isn't an sms app
Just upgraded my device to OTA 4.4 and Exchange services crashed every time I opened Email (I kept getting a message "Unfortunately Exchange Services stopped" repeatedly).
After deleting both the email account and the user certificate (we use certificate-based email authentication), I am unable to re-add the Exchange account back (after defining all credentials and parameters, I get a popup that says "Couldn't finish. Can't connect to server."). Additionally, I see a white triangle with an exclamation point inside in the notification bar. When I pull the bar down, the exclamation bar has a caption of "Network may be monitored by an unknown third party". When I click on that caption, I get a new pop-up saying "Network monitoring. A third party is capable of monitoring your network activity, including emails, apps and secure web sites. A trusted credential installed on your device is making this possible". There is a button underneath called "Check trusted credentials" and clicking on that takes me to a "user" portion of the trusted credentials store, where I see my corporate CA certificates.
In general, the issue of certificates issued by a non-public CA generating a "Network may be monitored" message has already been documented in several forums and there is an issue #62076 created for it. However, I suspect that "security features" introduced in KitKat are somehow preventing my device from using my certificate for email authentication (because device does not trust it). I knew I could count on Google to break the most used feature of my phone (email) and thus render it useless. Another win for the history books.
had the same issue after updating to 4.4. in short, i had to re-push both OA and CA certificates to re-establish the authentication system for work
aldouse said:
had the same issue after updating to 4.4. in short, i had to re-push both OA and CA certificates to re-establish the authentication system for work
I already tried that twice. No joy.
The most annoying part is that I also have a Nexus 10 tablet and it had ZERO problems after upgrading to KitKat (aside from the annoying "your network is being monitored" notification). This means Motorola yet again mucked with the stock Android install and broke it.
Any other ideas? I'd hate to go through a pain of reverting back to 4.3.
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.
Sent from my XT1060 using Tapatalk
So....here is what the issue is: https://code.google.com/p/android/issues/detail?id=61785
Looks like quite a lot of people are affected by this. I can't believe how sloppy Google's QA is if something as major as this was pushed out of the door.
Now I need to wait for Motorola to incorporate this fix into their build of Android, then for Verizon to "test" it and roll it out via another OTA update. In the meantime, my Moto X is as good as a brick because I can't get my corporate email/contacts/calendar on it.
Ridiculous!
Use another client
Touchdown is my client of choice and it works great with kit Kat
Sent from my XT1058 using Tapatalk
mj0528 said:
Use another client
Touchdown is my client of choice and it works great with kit Kat
Sent from my XT1058 using Tapatalk
+1 for touchdown... Worth the money if you rely on exchange email.
Sent from my XT1053 using Tapatalk
Network security warning cleared also
1ManWolfePack said:
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.
Can you clarify 'work' - I assume this means it is sync'ing - do you still have the security warning about the certificate, or did this get cleared in your reboot/re-install cycles ?
Thanks
Just wanted to update everyone - Google has stated that the issue is fixed "in a future release". One "minor" problem - there is zero information as to which release, as well as when it is going to be rolled out.
So....as of now thousands of people using private certs on Kitkat devices are still screwed and this number is growing by the day. In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
ek001 said:
In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
Strange, I have Exchange email set up on my Moto X 4.4 and synching without issues.
After the pop-up, I accepted or ok'd. We're running a 2010 Exchange Server.
SYNSYNACKACK said:
Strange, I have Exchange email set up on my Moto X 4.4 and synching without issues.
After the pop-up, I accepted or ok'd. We're running a 2010 Exchange Server.
Are you using a certificate issued by a private CA for ActiveSync authentication?
ek001 said:
Are you using a certificate issued by a private CA for ActiveSync authentication?
Under Exchange settings, Port is 443, Security type is SSL/TLS, client certificate is None.
Strange, I thought it pushed a CA though when I completed the set up.
SYNSYNACKACK said:
Under Exchange settings, Port is 443, Security type is SSL/TLS, client certificate is None.
Strange, I thought it pushed a CA though when I completed the set up.
That's the point. This issue only affects users that are using certificates issued by private CAs for ActiveSync authentication. If you are not using certificates, you would not be affected.
ek001 said:
That's the point. This issue only affects users that are using certificates issued by private CAs for ActiveSync authentication. If you are not using certificates, you would not be affected.
Not necessarily true. I use exchange email for work and although I can set up my account I cannot receive emails. I can send sometimes. But never receive.
via my slapped KIT KAT moto X
lowvolt1 said:
Not necessarily true. I use exchange email for work and although I can set up my account I cannot receive emails. I can send sometimes. But never receive.
via my slapped KIT KAT moto X
What you are experiencing is a separate issue, so please open a separate thread for it.
The issue being discussed here is a situation where an attempt to use private certificates for authentication while adding an Exchange Activesync account to a device running 4.4 results in a bogus "Couldn't finish. Can't connect to server." error message (while the device does not even attempt to go out and establish a connection).
binary visions said:
If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
There are several reasons the thread should have remained open:
1. While Google is taking their sweet time to roll out a fix, someone may find a workaround for the issue. A workaround is certainly better than a phone with no email/contacts/calendar (and no, nobody wants to pay for and use those crappy 3rd party email clients).
2. Having 10,000+ people star a thread gives a great indication of how widespread the issue is, hopefully giving Google developers a hint that it needs to be prioritized and rolled out ASAP (as opposed to incorporating it into the next general patch release).
3. Since most handset vendors customize their Android build, the issue may not exist on every handset made by every manufacturer. Someone may report that a particular device is not suffering from this issue, thus making it safe to buy.
4. If and when the fixed version of Android is finally rolled out and the "fix" does not work, users have no way to report it, other than opening a brand new thread and wasting more resources.
https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each-other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in omnirom?
SHAWDAH said:
https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each-other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in omnirom?
Hmm.
1) All of it would have to get reviewed for security. I know pulser has looked at some of CM's other solutions and found vulnerabilities.
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
TextSecure definitely looked interesting until seeing that it requires gapps.
wkwkwk said:
TextSecure definitely looked interesting until seeing that it requires gapps.
Yeah, it's stupid, he partially justifies it here https://github.com/WhisperSystems/TextSecure/issues/127
He also said this
"If you want alternatives to things like GCM, you have to either build them or help the people that are. I would love to use a different push service, but they don't exist.
Likewise, if we want an alternative to Play, we have to build it. What exists now (f-droid) has a centralized trust model, so we're building something else."
Entropy512 said:
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
palpitations said:
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
I got myself a tinfoil wide-brim to match my duster...
I'll have to get a 4.4 capable phone in the future so I can get Omni.
Entropy512 said:
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Once again, a solution has been made, which is smart, has good features, but is crippled in the security area, due to making things "easy to use".
The specific issue is that, from what I can see, at least right now, there is no way to tell if a message is going to be sent encrypted or unencrypted. It's no good knowing AFTER the fact - you need to know before it is sent how it will be sent.
Additionally, if you are using encryption, from what I can see, the message is actually sent over the internet. This means there is a central repository of users stored on a server somewhere. That is centralisation, centralisation is bad... As I raised back at the time, there are side-information risks.
While the new implementation may well eliminate some of these, I am not convinced this system provides the level of anonymity that some may desire. My worry is that since the original idea was conceived, where a user's phone number being available to CM was not seen as a concern, that any solution has been architected without considering every aspect of security.
Securing correspondence via SMS would be very nice to have done properly. But this is simply a "hook", that takes what you *think* is an SMS, and sends it over the internet. There are plenty of people in the world (particularly developing nations), where they have poor, or limited, access to the internet. SMS can be a lifeline for them.
There are also many places (some incredibly large), which regularly and routinely block internet services they disagree with (not at all looking at China here...) - it is important that any system works worldwide, and is resistant to easy "blocking".
I would personally prefer to see the actual messages sent over SMS... That means if you have no internet connection, you can still send the SMS. And you can do so ENCRYPTED, rather than unencrypted.
At the end of the day though, until you can tell 100% whether something will be sent encrypted or unencrypted, you can't trust a system. The server operator may also gain useful metadata in this case (though not ideal, your carrier already gets metadata for SMS).
TL;DR, it looks nice, but we need to look at everything here, and consider that not everyone has internet access all the time. After key-exchange is complete (I would like offline key exchange via NFC and QR code (on the screen) as well, for in-person identity verification), we need to ensure that a user can securely communicate without internet connectivity.
Until then, this is just a smaller rival to iMessage. And hey, maybe that's a good thing... But for my money, it's not a secure SMS system...
Thoughts welcomed.
pulser_g2 said:
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
slashslashslash said:
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
The thing is, since everything is sent via the Internet, there are plenty of other existing ways to send encrypted messages over the Internet where *you can be sure the message is encrypted*.
Pulser touched on my initial concern (which I held off on voicing until he chipped in) - To determine whether to send a cleartext SMS or send the SMS via an Internet message, the app needs to know whether the recipient is "enabled" with this service. There are two ways to do this:
1) The sender explicitly configures the app to say that recipient Y is capable of receiving encrypted SMS
2) The app does some form of peer-to-peer negotiation
3) The app sends data associating your phone number with an account on another service to a centralized server. This appears to be what CM's solution is doing. Which is kind of silly - This is an app for extremely privacy-conscious people, that is enabling widespread data collection of mappings between a user's phone number and other accounts.
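Added example (not part of any post in this thread, and not code from the app under discussion): a sketch of option 1 combined with the "know before it is sent" requirement raised earlier, where the transport is decided from local, user-pinned state and the send is refused if it no longer matches what the compose screen showed. The `Sender` class, its fields and the phone numbers are constructed for illustration; encryption and radio/network I/O are assumed to happen elsewhere.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Transport(Enum):
    ENCRYPTED_SMS = "Encrypted, over SMS"
    ENCRYPTED_DATA = "Encrypted, over the internet"
    CLEARTEXT_SMS = "NOT encrypted, plain SMS"


class PlanChanged(Exception):
    """The transport the user was shown is no longer the one that would be used."""


@dataclass
class Sender:
    # Option 1: capability is local state set by the user, so no lookup
    # against a central server is needed (hypothetical key store:
    # phone number -> key the user pinned for that contact).
    pinned_keys: Dict[str, bytes]
    online: bool = False
    prefer_sms: bool = True

    def plan(self, number: str) -> Transport:
        """Decide how a message would travel, before anything is sent."""
        if number not in self.pinned_keys:
            return Transport.CLEARTEXT_SMS
        if self.prefer_sms or not self.online:
            return Transport.ENCRYPTED_SMS  # still works with no data connection
        return Transport.ENCRYPTED_DATA

    def send(self, number: str, body: str, shown: Transport) -> Transport:
        """Proceed only if the plan still matches what the compose screen showed."""
        current = self.plan(number)
        if current is not shown:
            # Fail closed: never switch transport silently between compose and send.
            raise PlanChanged(f"shown {shown.name}, would now use {current.name}")
        # Assumption: encryption and transmission of `body` are done by other code.
        return current


def demo() -> list:
    s = Sender(pinned_keys={"+15550100": b"constructed-key"})  # constructed data
    results = [s.plan("+15550100"), s.plan("+15550199")]
    shown = s.plan("+15550100")      # compose screen shows "Encrypted, over SMS"
    del s.pinned_keys["+15550100"]   # key disappears before send is pressed
    try:
        s.send("+15550100", "hi", shown)
    except PlanChanged:
        results.append("refused")    # no silent downgrade to cleartext
    return results
```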
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate the identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using TextSecure will be recorded in centralized Google/NSA database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted home (Google/NSA). Stay away and look for alternatives. I am checking Tinfoil sms app.
optimumpro said:
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate the identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using TextSecure will be recorded in centralized Google/NSA database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted home (Google/NSA). Stay away and look for alternatives. I am checking Tinfoil sms app.
Stop spreading your uninformed opinion everywhere.
I answered each and every one of your "arguments" in your original thread:
http://forum.xda-developers.com/showpost.php?p=51818980&postcount=10