Guardian Project: SMS Encryption (non-)Options for Android

My first post was titled “Guardian Approved” as I did want to highlight applications that were of a certain quality or caliber. Unfortunately, in the realm of secure, private, encrypted short messaging (SMS), I can’t really say I have anything to approve! The best, most trusted solution out there (from CryptoSMS.org) hasn’t been ported to Android yet, and the rest of the offerings either cost too much, aren’t targeted directly at SMS, are closed source or generally poorly written alpha quality applications.

I’ve quickly realized that a quality SMS encryption application for Android (along with interoperability with other mobile phone platforms) is a critical application for the Guardian Project to focus on. One of the really cool aspects of building apps for Android is that you can completely replace the core applications on the device, meaning that an encryption-enabled SMS application isn’t relegated to a third-party status within the device. It can actually take over and replace the built-in “Messaging” application and seamlessly handle SMS traffic, transparently handling encryption of messages to and from those addresses you have done a key exchange with.

Where It’s At

In the meantime, here is a quick breakdown of what is available on Android today:


  • While not used for encryption, ChompSMS represents an excellent example of a “power-up” replacement for the built-in Android messaging application. It does offer an ability to send SMS through their Internet-based SMSC gateway. This means that as long as you have a mobile Internet data connection, you can send SMS messages without being monitored by the local mobile carrier, and even send SMS over a Wi-Fi connection.

  • Encrypted SMS – $1.99 – “Parents Spy Much? Here’s your solution!” – This app is clearly targeted at the “passing secret notes in class” audience and not meant for anything serious. The encryption used seems to be of the basic letter substitution pig-latin variety, which could be cracked in about two seconds by someone with a pencil and paper.
  • Platinum RSA SMS – Free – “Encrypted text messaging service for your Android device. 1024 bit RSA math” – While the potential for this app seems good and the heavy use of the phrase “RSA math” indicates they know SOMETHING about encryption, the user interface is very confusing, even for me, a seasoned user of terrible mobile user interfaces.
  • TXTCrypt – $9.99!

    “With TXTcrypt just enter your message and a password for it, now the encrypted message can only be decoded with that password, just tell it to someone, and send them message encrypted with it, they can use TXTcrypt to decode it.” This application is very powerful and well written. However, it costs way too much for what it offers. No key change, no proper integration with SMS… it is just a basic password-based plain text encryption tool.



CryptoSMS

As mentioned before, there is a quality, open-source solution available called CryptoSMS. From their site: “Cryptosms provides public/private key encryption, key generation and key management. it sends and receives encrypted sms and public keys, de- and encrypts files, offers key verification via fingerprints and provides a secure login.”

Unfortunately, CryptoSMS is only available for J2ME-based phones today, which Android is not. There is a J2ME emulation app for Android, but it is a terrible user experience. What this is all adding up to is that the Guardian Project must/will plan to contribute to and otherwise support porting efforts of CryptoSMS to Android… while the user experience and integration with Android OS concepts like intents and content providers will take some work, the core engine of CryptoSMS appears to be just what is needed.

If you are in the New York area, and would like to learn more about CryptoSMS, you can attend a workshop this Thursday evening, August 13th, at The Change in Williamsburg, Brooklyn. More information available here…

15 comments

  1. Hey, just wanted to let you know that the autodetect-link to your feed (how browsers notice the URL to your feed) has been hijacked by spammers, it seems. I guess you should fix that ASAP. 🙂

  2. Thanks…. fixed for now. In the process of migrating my blog to a new server and will make sure things are better locked down.

  3. I thought I left a comment already about Parandroid, but looks like it was marked as spam.

    So Parandroid is an open-sourced secure SMS app for Android. I haven't tested it yet, and people report it force closes often, but you can give it a try. parandroid.org.

  4. Parandroid was the app I felt had the best promise for a while, but it had a number of security issues, and didn't work across networks very well. I am now using TextSecure from WhisperSystems on a daily basis. However, it is not open-source, but it is open to code review.
