Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Communications Encryption

Secure Communication Comes To Android 150

An anonymous reader writes "Forbes is reporting that Moxie Marlinspike and Stuart Anderson's startup, Whisper Systems, has released a public beta of two Android applications that provide encrypted call and SMS capabilities for your Android phone. In the wake of recent GSM attacks, it'll be interesting to see if smartphones end up providing a platform that fundamentally changes the security we can expect from mobile communication."
This discussion has been archived. No new comments can be posted.

Secure Communication Comes To Android

Comments Filter:
  • by d1r3lnd ( 1743112 )

    Just like encrypted email! Everyone uses that...

    • Re: (Score:3, Informative)

      by DrSkwid ( 118965 )

      lol, I thought I was about to prove you wrong because I had STARTTLS enabled on our incoming mail server and was surprised to find remote MTAs using it as I'd turned it on to protect our users' outgoing mail authentication.

      $ telnet mx1.hotmail.com 25
      Trying 65.55.37.120...
      Connected to mx1.hotmail.com.
      Escape character is '^]'.
      220 col0-mc4-f34.Col0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti [msn.com]

    • Re:Sure it will (Score:4, Informative)

      by sznupi ( 719324 ) on Tuesday May 25, 2010 @09:12PM (#32344182) Homepage

      Plus we can look at the impact done by availability of Zfone/ZRTP (this new encrypted VoIP standard from Phil Zimmermann) for Symbian smartphones (half of all smartphones)

      Oh, nobody was aware of its availability? Exactly...

      • I was very much aware of it.

        My friends, family, bank manager, solicitor, girlfriend etc just don't care enough to get it.
      • Plus we can look at the impact done by availability of Zfone/ZRTP (this new encrypted VoIP standard from Phil Zimmermann) for Symbian smartphones (half of all smartphones)

        That is also the case with this application.
        The secure voice communication *is* done with ZRTP.
        The secure texting is done with Off-the-record (already widely used in Adium, Pidgin and the likes).

        Oh, nobody was aware of its availability? Exactly...

        The more these (standard) technologies are deployed, the more they will get used.

        As an example, Adium is a rather popular multi-system chat software for Mac OS (based on the same libpurple of pidgin fame) has Off-the-record (the same system as used by this software for SMS), and thus Off-the-record is starting to ge

  • Less useful (Score:4, Informative)

    by Darkness404 ( 1287218 ) on Tuesday May 25, 2010 @05:56PM (#32342716)
    While interesting, these apps aren't that useful because the other caller would have to be using the same software for it to work which limits it to just a few people using Android with these apps.
    • Re:Less useful (Score:5, Interesting)

      by stephanruby ( 542433 ) on Tuesday May 25, 2010 @06:23PM (#32342952)

      While interesting, these apps aren't that useful because the other caller would have to be using the same software for it to work which limits it to just a few people using Android with these apps.

      These apps may not be useful to *you*, but they will certainly be useful to governments, a few companies, and some of the more vigilant/paranoid tin-foil hat wearers among us. In any case, what we need is a free open source solution that does encryption.

      The number of Android users is not that big right now, but Android is coming very fast from behind [gartner.com], and with Google taking 0% of the commissions from their Market/App stores (leaving the entire 30% in perpetuity to the carriers/phone makers), I speculate that Android will really become the #1 dominant platform eventually.

      • As someone considering an Android device soon, that link was pretty interesting. I wonder if the growth will continue at anything close to that rate?

        • by sznupi ( 719324 )

          For most rigorous values of "continue" - of course not ;p

          But long term it will surely be one of few major players (add bada OS to that list - Samsung seems to bet heavily on it, with the goal of having very large part of total sales using bada in a year or two; and just look at this total). I must say I prefer such situation way more from what we have on the desktop.

    • by Civil_Disobedient ( 261825 ) on Tuesday May 25, 2010 @07:14PM (#32343426)

      Uh, so?

      You know, telephones aren't terribly useful, either. Because the person on the other end has to have a phone as well. Completely impractical compared to yelling.

      • Ok, how many people do you know that have Android phones? Heck, most of the people I talk to don't even have smartphones, of those that do only one or two have an Android phone the rest have Windows Mobile or Blackberries.
        • by Imagix ( 695350 )
          At least five of my friends have Android phones. Another one with an iPhone, A couple with Blackberries.
        • by PopeRatzo ( 965947 ) * on Tuesday May 25, 2010 @08:35PM (#32343986) Journal

          Ok, how many people do you know that have Android phones?

          Me, my wife, and my daughter.

          The reed player in my band (the other three players have iPhones or non-smart phones).

          I was at a school board meeting earlier in the month and the soccer mom sitting next to me had a Droid. The kid who lives next door and who has bragged to me that he owns an Xbox, a PS3 and a Wii has an HTC android phone. He says "iPhones are for pussies".

          I passed that last part along for informational purposes only. I do not endorse that sentiment in any way, mostly because I wouldn't want some offended iPhone user to give me such a slap.

        • Ok, how many people do you know that have Android phones?

          http://www.marketwatch.com/story/android-market-share-passes-iphones-npd-data-2010-05-10 [marketwatch.com]

        • by mcvos ( 645701 )

          Ok, how many people do you know that have Android phones?

          About half of my closest co-workers. At my previous job, it was only 20% of my co-workers, while 60% had iPhones (including me at the time). My impression is that among programmers, Android is really big, just like the iPhone was before it.

    • Open standard. (Score:4, Interesting)

      by Ungrounded Lightning ( 62228 ) on Tuesday May 25, 2010 @07:16PM (#32343458) Journal

      ... these apps aren't that useful because the other caller would have to be using the same software for it to work ...

      From TFA:

      Marlinspike says the apps will interface with users' contact lists and other functions on the phone to take the hassle out of making calls and sending texts that can't be eavesdropped by third parties. ...

      RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption. ... [Similarly for the SMS system.]

      Looks to me like the product uses defacto-standard encrypted communication tools and integrates them with the phonebook to make their use automatic when calling a contact with whom you can have an encrypted conversation.

      So it looks to me like your encrypted communications wouldn't be limited to people using the same android app. You could talk to anybody using the same underlying "standard" scheme.

      • In fact, the texting part uses Off-the-record [cypherpunks.ca], which is available on lots of software, including libpurple-based like Pidgin (as a plugin) and Adium (out of the box).

        So if you configured an account able to receive SMS (like a SIMPLE or Skype account [google.com]) on these software, it already works.

        And as the webOS chat module is libpurple-based it might not by that much difficult to bolt OtR on Palm Pre (some hobyist have successfully ported other libpurple plugins [palminfocenter.com] onto the Pre).

    • by AHuxley ( 892839 )
      Yes like with http://zfoneproject.com/ [zfoneproject.com] you have to set both ends up, but after that its all ok.
      This is great news for Android but I feel will make the end users glow. Will the speak want more sneak and peek or demand decryption form the creators.
    • While interesting, these apps aren't that useful because the other caller would have to be using the same software for it to work which limits it to just a few people using Android with these apps.

      Are you this guy [bayareamotorsport.com]?

    • There are several [a-gss.com] encryption programs [securevoicegsm.com] for Nokia's Symbian phones that work over GSM, but they don't look terribly compatible even amongst one another, which has presumably stymied adoption.

      These two Android apps are compatible with Zfone [zfoneproject.com], which is SIP not GSM. So they should work with the commercial Zfone clients for Windows Mobile and Symbian [tivi.com], which covers the vast majority of smartphones outside the U.S.

      I've found no Zfone port for the iPhone or BlackBerry but they're bit players outside the U.S. Maemo

  • However, the site claims "we will be making the source available for download and inspection shortly."
    • Re: (Score:3, Funny)

      Probably removing all the colorful comments :P

    • I'm interested in seeing how the key exchange is handled. After all, you can have a great encryption algorithm but if your implementation sucks, it won't do you any good.

      What I'm more curious about is why there hasn't been (AFAIK) an app that uses an asymmetric public-key encryption method. The solution from TFA takes the combination of the users' keys to generate a password, but couldn't you easily have a private key stored on the handset itself and a public key to interface with others? Granted, the hurd
      • by Ungrounded Lightning ( 62228 ) on Tuesday May 25, 2010 @07:24PM (#32343504) Journal

        What I'm more curious about is why there hasn't been (AFAIK) an app that uses an asymmetric public-key encryption method. The solution from TFA takes the combination of the users' keys to generate a password, ...

        Public key encryption is crunch intensive - even in the good direction. (It's "effectively impossible" in the "bad" direction, which is the whole point.) Too crunch intensive to be practical when encrypting streams, even with current fast processors.

        So it's usually used to generate and exchange a "session key" (and perhaps periodically replace it with a new one) for a symmetric cypher that takes less crunch and is "secure enough" if the amount of material it encrypts is limited.

      • Re: (Score:2, Informative)

        by cool_arrow ( 881921 )
        If I recall correctly zrtp generates ephemeral "one time use" keys via Diffie Hellman key exchange. After the session, the keys are discarded. Also asymmetric encryption is used all the time with PGP/openGPG. I generate a key and encrypt a message to you using relatively speedy symmetric encryption, and then encrypt that key asymmetrically with your public key. I send you the bundled up pgp package. You decrypt the symmetric key with your private key and then decrypt my message. Of course the pgp prot
      • I'm interested in seeing how the key exchange is handled. After all, you can have a great encryption algorithm but if your implementation sucks, it won't do you any good.

        For texting the implementation is Off-the-Record [cypherpunks.ca], which is already used in several other softwares (the libpurple-based Pidgin and Adium, for instance). The details of this are here [cypherpunks.ca].

        Granted, the hurdle there would be things like losing the phone, getting new hardware, etc, but it's still interesting to think about.

        Read OtR's website and their arguments about "Deniability" and "Perfect forward secrecy". Some of the problems are addressed in the way OtR works (as opposed to older encryption system such as pidgin-encryption).

  • Now everybody's mom can call them to dinner without fear of being overheard by certain Three Letter Agencies.
    • by MichaelSmith ( 789609 ) on Tuesday May 25, 2010 @05:58PM (#32342734) Homepage Journal

      Well okay but say you are in Iran or Thailand and you want organize an action against your government. Secure mobile communications would be pretty handy for that.

      • Re: (Score:3, Insightful)

        by alx5000 ( 896642 )

        Well, okay, but say you are the government of Iran or Thailand and you don't want anyone to organize anything against you. Outlawing secure mobile communications would be pretty handy for that.

        Yes, your message is secure, but without some kind of steganographic method, the fact that you're using encryption is not. And neither are you, for that matter.

        • steganographic method

          Thats true. Maybe something which hooks into a picture exchanging site like 4chan. Conceals messages in images so the recipient grabs new images before they go 404.

          • by mcvos ( 645701 )

            Thats true. Maybe something which hooks into a picture exchanging site like 4chan.

            If I was the Iranian government, I'd probably burn people alive for even knowing about 4chan.

            • Thats true. Maybe something which hooks into a picture exchanging site like 4chan.

              If I was the Iranian government, I'd probably burn people alive for even knowing about 4chan.

              Are you the Iranian Government?

              • by mcvos ( 645701 )

                Thats true. Maybe something which hooks into a picture exchanging site like 4chan.

                If I was the Iranian government, I'd probably burn people alive for even knowing about 4chan.

                Are you the Iranian Government?

                Alas, no.

      • I'm guessing that, in the dystopian future, the list of evil governments that would suppress speech but not ban encrypting it will be very short.(for commercial reasons, of course, various sorts of "tame" encryption, useful for keeping criminals out of banking sessions; but transparent to the authorities will be permitted, even encouraged)

        It isn't all that hard to hide exactly what you are up to. It is harder to hide that you are hiding something. Any sufficiently evil regime will just make hiding someth
        • Any sufficiently evil regime will just make hiding something a crime

          Ah yes [telegraph.co.uk]

        • by EdIII ( 1114411 )

          keeping criminals out of banking sessions; but transparent to the authorities will be permitted, even encouraged

          That's demonstrably retarded thinking on behalf of the government. Criminal organizations are always going to be at the forefront of technology in order to achieve their goals.

          Criminals today, not the thugs on the street, are pretty savvy. Even the most complex alarm systems are broken into, encryption and systems still have other vulnerabilities and backdoors.

          I would be extraordinarily shocked

          • by NNKK ( 218503 )

            Criminals today, not the thugs on the street, are pretty savvy. Even the most complex alarm systems are broken into, encryption and systems still have other vulnerabilities and backdoors.

            This, I think, may be the real reason cryptography in the US has never been strongly regulated. Somebody at the NSA realized you can't make sure government communications are secure if everybody's trying to hide the latest research from everybody else.

            With the world's leading cryptographers publishing their research openly, everyone knows where they stand, and the NSA can react appropriately if a threat to US communication channels appears.

        • I'm guessing that, in the dystopian future, the list of evil governments that would suppress speech but not ban encrypting it will be very short.

          Probably, but encryption is still valuable to the victims of such regimes as one (of several) layers of protection, as the government discovering that you are (illegally or not) concealing information from them is not as useful to the repressive government as finding out the content of the encrypted communication.

          • Re: (Score:3, Insightful)

            by sznupi ( 719324 )

            Really repressive governments are very skilled in the techniques of rubber hose cryptoanalisis (well, some of the formally not-repressive ones also are, as long as they can put the encrypted data being analysed in a legal limbo)

            • Really repressive governments are very skilled in the techniques of rubber hose cryptoanalisis

              More effective, but less repressive, governments know that that method is far better at getting people -- guilty or not -- to confess and implicate a laundry list of "accomplices" -- guilty or not -- than it is at actually revealing what the target actually knows.

              Actually, "really repressive" governments are generally aware of that, too, for the most part, though given that loyalty is valued far more than competen

              • by sznupi ( 719324 )

                Uhm, in case of breaking encryption that method usually doesn't have typical downsides. You either know the keys, which is good since you can give them. Or you don't know them...which is not so good for you.

                • by NNKK ( 218503 )

                  There are ways to deal with encrypted data such that it's impractical to determine whether the key you've been given really decrypts all of the data. TrueCrypt has provisions for this.

                  Under torture, you can reveal the first key, which will decrypt valuable-seeming data (real or fake), but not the second key, which protects truly damaging information.

                  You might still fry, but your compatriots have a better chance.

                  • by sznupi ( 719324 )

                    I'm aware of hidden volumes of Truecrypt, but so are possible torturers almost certainly. That doesn't help you in such situation in any way. Might make it worse...

                    It all essentially boils down to - if you're dealing with such a regime, relying on encryption doesn't really work.

      • by penguinchris ( 1020961 ) <`moc.liamg' `ta' `sirhcniugnep'> on Tuesday May 25, 2010 @07:33PM (#32343572) Homepage

        Just a small comment, I don't think you can group Thailand with Iran when it comes to restricting/monitoring communications. They do block websites (trivial to get around if you want to) but they don't block dissent against the government in any way, and I'm guessing they monitor it less than the NSA monitors US citizens.

        And that's beside the fact that you can get pre-paid mobile phones for the equivalent of $10 in cash with very cheap add-on minutes (also pay for those in cash) which for all practical purposes are untraceable, because if you're paranoid you can switch them around or whatever.

        I'm defending Thailand because the foreign press has distorted what happened there recently quite a bit. It's nothing like Iran. People are free to protest the government, despite what it may seem after the violence recently in Bangkok.

      • by mjwx ( 966435 )

        Well okay but say you are in Iran or Thailand and you want organize an action against your government. Secure mobile communications would be pretty handy for that.

        Thailand is a bad example, the redshirts plot against the government by protesting in the streets as well as burning government buildings and large shopping malls. Besides, I'm not sure if you know too much about the actual problem causers (the western media has been horrible at reporting it, even the Beeb has been little better then Fox News) l

      • Except it wouldn't because they shutdown mobile base stations, telephone lines, electricity and water in the protest areas in Thailand.

  • by Anonymous Coward on Tuesday May 25, 2010 @05:59PM (#32342744)

    What I would like to see is a PGP/gpg utility for Android. The closest I can get to this is cross-compiling a statically linked gpg binary for ARM and running that in a terminal.

    • RTFA.

      "RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption."

  • by bzzfzz ( 1542813 ) on Tuesday May 25, 2010 @06:07PM (#32342818)

    We'll know it's at least OK if the FBI and CIA start lobbying congress to outlaw it.

    We'll know it's pretty good if the NSA starts lobbying congress to outlaw it.

    The government is absolutely convinced that law enforcement will come to a screeching halt if people can communicate casually without being subject to eavesdropping. This despite the courts' general distaste for such evidence (people rarely speak candidly in phone conversations regarding criminal enterprises and therefore establishing context and the meaning of codewords becomes a prosecutorial hurdle), and the paucity of successful prosecutions built primarily on the strength of intercepts.

    So we've had cryptography treated as a munition. And clipper. And CALEA.

    Of course, if the keys are on a server somewhere they can always just subpoena them.

    • Re: (Score:3, Informative)

      by e9th ( 652576 )
      As far as I know, the Justice Department's position hasn't changed much since this [cybercrime.gov] 1998 policy FAQ.

      Anyone have any later statements from them?
    • The government is absolutely convinced that law enforcement will come to a screeching halt if people can communicate casually without being subject to eavesdropping.

      Some people in government are, some people in government pretend to be to sell policies they wish to abuse for purposes other than the overt purpose, and some people in government don't even pretend to be. "The government" -- even referring to any single, particular government -- isn't a hivemind with a uniform point of view or agenda.

    • by spinkham ( 56603 )

      This is really not a problem. If the Gov't really wants access to your calls, they bug your room, bug your computer microphone, install custom phone firmware with a backdoor, etc. Usually all the Gov't cares about is the metadata: Who called who when. The conversations themselves are gravy.

      Encryption stops casual snooping, and I highly recommend it's use, even against gov't level attacks. However, if the Gov't really is interested in you specifically, you're hosed no matter what countermeasures you use.

    • What's wrong with you? Its not about the FBI, CIA, NSA, courts, supoena, eavesdropping, munition or any of that. Look at this list you made up, I think you're paranoid.

      Sheesh. I thought this was already obvious.

      Its all to protect the good children and to stop the terrorist children.

    • by mbstone ( 457308 )

      If people could communicate casually without being subject to eavesdropping, no one's taillights would ever be burnt out again.

  • by MoFoQ ( 584566 ) on Tuesday May 25, 2010 @06:16PM (#32342896)

    it just reminds me that I really need to start speaking in Klingon more frequently.

  • Comment removed based on user account deletion
  • by Coward Anonymous ( 110649 ) on Tuesday May 25, 2010 @06:58PM (#32343284)

    It's a VOIP app that encrypts the audio. Except the fact that the protocol itself is documented this is not materially different from skype which is also encrypted and has governments apparently scrambling to crack.
    A truly revolutionary app would encrypt the phone's mobile call audio.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      You said:

      Except the fact that the protocol itself is documented this is not materially different from skype which is also encrypted and has governments apparently scrambling to crack.
      A truly revolutionary app would encrypt the phone's mobile call audio.

      TFA says:

      Whisper Systems' apps aren't the first to bring encrypted VoIP to smartphones. But apps like Skype and Vonage don't publish their source code, leaving the rigor of their security largely a matter of speculation. Marlinspike argues that because those

    • Re: (Score:2, Informative)

      by Anonymous Coward

      For the same reason you don't see apps that record calls (google voice does somewhat, but is not doing so in the phone) you'll never see an app which encrypts the phone call. It's just not possible to route the audio through the processor of these phones. Therefore it truly _would_ revolutionary --since it's impossible by design.

    • Re: (Score:2, Informative)

      by Loualbano2 ( 98133 )

      A product like that came out a long time ago.

      http://www.pgpi.org/products/pgpfone/ [pgpi.org]

      I don't think it's supported much anymore. It was a cool concept that just didn't seem to go anywhere.

      ft

      • by rsborg ( 111459 )

        http://www.pgpi.org/products/pgpfone/
        I don't think it's supported much anymore. It was a cool concept that just didn't seem to go anywhere.

        Seems it might have been a bit ahead of it's time, as the majority of the work was done prior to the revelation that the US Government was massively spying on it's citizens.

    • Trying to re-assemble information after being passed through a lossy pipe is hard. I wouldn't want to tackle it - it has too many variables, and it would be too easy to detect and shut down.

      Successfully solving these problems would be revolutionary - but also advanced enough that it could be considered magical.

      • Re: (Score:2, Insightful)

        by yyxx ( 1812612 )

        Trying to re-assemble information after being passed through a lossy pipe is hard.

        It's called a "modem". We have had those things for years. You could treat cell phone audio like a lossy analog channel and run a robust modem over it. But what's the point?

        If you want something that sounds speech-like, that's not a lot harder.

    • by Weezul ( 52464 )

      There are like three separate companies that sell Symbian apps (Nokia) for end-to-end encrypted called over the GSM network, well they're all made for Symbian because Nokia has all the business users outside the U.S. These encryption solutions are quite expensive however, closed source, and don't look that interoperable, so good luck picking the one that isn't owned by the NSA, Chinese Intelligence, etc.

      Skype already provides authorities with "lawful intercept" capabilities, which means they provide your bu

  • Skype provides encrypted calls and SMS for how many years now? Oh, this is from Forbes...

    • Skype provides encrypted calls and SMS for how many years now?

      But it's closed source and runs through an infrastructure that is subject to government pressure for disclosure.

  • It won't be secure unless the hardware, software and distribution are controlled, tracked and audited. Prove there isn't a hidden API in the RF modem that will dump RAM and the keys on command.

  • by no1home ( 1271260 ) on Tuesday May 25, 2010 @09:53PM (#32344424)

    Since it's going out as a VOIP call, why not route it via TOR? Yes, it would likely slow down the talking a bit (great, I could finally take notes while still keeping up with the conversation), but it would make it that much more difficult to track down the caller and/or recipient. Might also work for the SMS if it's using an Internet-based route instead of the actual cell system SMS.

    • The encryption for streaming voice data is not exactly the best, and Tor means possible third party interception. If someone does decrypt the conversation then just from your tonal range and dialect you are communicating significant information about your identity you wouldn't have to over email (you may even be providing a unique fingerprint). Phone numbers are much more identifying than IP addresses--cellphones can be easily triangulated from the data sent to the carrier, and have to be bought and activ

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...