Thanks to the PRISM unveiling by whistle-blower Edward Snowden, we’ve learned that we can’t really trust communication apps like Hangouts or Skype when it comes to keeping our communications private.
A couple of years ago there was the CarrierIQ scandal, involving software that many OEMs used with their custom software to track a lot of information about users. We thought we’d be safe from that if we used Nexus devices, but after PRISM was uncovered, even that is not going to be enough if you don’t want government employees randomly snooping on (or at least analyzing algorithmically) all of your “private” communications. This is why I very much welcome CyanogenMod deciding to be a lot more privacy- and security-oriented in the future, with features such as the privacy mode and a secure text messaging solution.
They initially announced they would be using PGP to encrypt all SMS messages end-to-end, no matter what SMS app you’re using. I was hoping they’d use OTR encryption instead of PGP. OTR encrypts every message with a new key, and makes it extremely hard for anyone to decrypt everything, thanks to its perfect forward secrecy feature. This is what apps like TextSecure are using.
TextSecure is already open source and a quality app, and I was hoping that instead of making their own apps from scratch, they’d be using TextSecure as the main SMS app on CyanogenMod ROMs. When you’re not talking to someone else who uses TextSecure, the app acts just like any other SMS app and sends your texts unencrypted, without breaking anything. So you wouldn’t lose anything by having it as the main SMS app in CM, but only gain the extra security for when you’re talking to other TextSecure users.
Now, it seems CyanogenMod is going to work with the creator of the TextSecure and RedPhone (secure voice) apps to implement a security solution that encrypts all the text messages sent from your phone, no matter what SMS app you’re using, just like originally intended. Because they are working with Moxie, it gives me hope that it’s going to be great and really secure.
“We are partnering with @Moxie from TextSecure to build this solution. He is building an iOS app [and] also going to be helping out on the Android side to build an Android equivalent into CM, as well as a standalone [app for the] Android Market…We hope that making this cross-platform will make this a lot easier for users to use this seamless messaging.” – Koush
Moxie was already working on a secure messaging app for iOS, and they are going to make this cross-platform between CM users (no matter what SMS app they use), Android users who use the stand-alone app, and iOS users who do the same. I’m hoping that they still consider using RedPhone as the main dialer for CM ROMs, because just like TextSecure, it doesn’t interfere in any way with normal use, but when used over an Internet connection and with another RedPhone user, you’d be talking over a very secure line.
I think CyanogenMod is choosing the right route here by making the ROM very security- and privacy-oriented, and I hope they end up making some sort of open source alternative to Silent Circle (SMS, voice, video, e-mail) that is built into the CyanogenMod ROMs. To complete that, all they’ll need to do next is add encrypted video chat and make the default e-mail client support very easy-to-use PGP encryption, with a database for public keys, so it’s easy to e-mail your friends with encrypted messages if they already have a public key, without having to ask them about it first.
If Google is not going to be very serious about the security of their users’ communications, not just against hackers, but also against government abuses, then maybe CyanogenMod can become the answer to that, for those of us who really care about privacy and security.