Basic Internet Security

Secure Text messaging

Sending SMS (text) messages is considered insecure: not only do they travel unencrypted through the phone network, they are also saved on your phone where someone might see them.

If you are using an Android-based smartphone, there is a neat free tool to fix both issues: TextSecure. TextSecure uses a password to save all your messages (sent and received) encrypted on your phone, and it also enables you to securely exchange SMS messages with other people using TextSecure. Remember that if you have sent an SMS to someone who is not using TextSecure, it will still be unencrypted on their phone and over the network.

Geek info on how TextSecure works

SMS communication using TextSecure is encrypted using the Off The Record (OTR) encryption protocol. OTR is specifically designed for chat messaging. It provides session-based encryption and authentication, and on top of that it provides deniability, something protocols like PGP do not provide.
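The difference between authentication and deniability can be shown in a few lines. The sketch below is an added example, not TextSecure's or OTR's own code: it assumes a shared secret has already been agreed for the session, and the function names and the simplified key derivation are hypothetical. Because both parties hold the same MAC key, each can check the other's messages during the session, yet either one could have produced any tag, so a saved transcript proves nothing to a third party. A PGP-style signature, made with a key only the sender holds, does not have this property.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes) -> bytes:
    # Simplified stand-in for a session key derivation (assumption, not OTR's KDF).
    return hashlib.sha256(b"mac-key" + shared_secret).digest()


def tag(mac_key: bytes, message: bytes) -> bytes:
    # Message authentication code over the message, using the shared key.
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, received_tag: bytes) -> bool:
    # Constant-time comparison of the expected and received tags.
    return hmac.compare_digest(tag(mac_key, message), received_tag)


def demo() -> dict:
    # Constructed sample secret; in a real session it comes from the key exchange.
    shared_secret = secrets.token_bytes(32)
    alice_key = derive_mac_key(shared_secret)
    bob_key = derive_mac_key(shared_secret)

    message = b"meet at noon"
    alice_tag = tag(alice_key, message)

    # Authentication: Bob accepts Alice's message and rejects an altered one.
    authentic = verify(bob_key, message, alice_tag)
    tampered = verify(bob_key, b"meet at nine", alice_tag)

    # Deniability: Bob holds the same key, so he can tag text Alice never wrote,
    # and the result verifies exactly like a genuine message from her.
    never_sent = b"text Alice never wrote"
    bob_made_tag = tag(bob_key, never_sent)
    bob_made_verifies = verify(alice_key, never_sent, bob_made_tag)

    return {
        "authentic": authentic,
        "tampered": tampered,
        "bob_made_verifies": bob_made_verifies,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```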

Installing TextSecure

TextSecure can be installed using the Market App on your phone. Either search for 'TextSecure' in the Market, or use the QR code on this page with the Barcode Scanner.

After you have acknowledged the permissions and installed the app, you are ready to start it. As soon as you do so, you are confronted with the "End User License Agreement"; press accept to continue. A new pop-up telling you this is beta software will appear, which you have to acknowledge too.

TextSecure uses a password to encrypt the text messages on your phone. Be careful to choose a strong password you can easily remember (for more information, look at the section on using secure passwords). If you lose it, you will not be able to read any of your old messages. To be sure you entered it correctly, you have to enter the password twice.

The next step is to choose whether you want the messages already stored on the phone to be copied to the TextSecure database. If you choose "Copy" here, you will be able to secure your old messages by deleting them from the system database later.

After this step you are ready to use TextSecure to send unencrypted messages. If other people also use TextSecure, this is automatically detected, and it will then present you with the option to send them your key. Exchanging keys is needed to get full end-to-end encryption. This process is described in the next steps. It is also possible to manually start this process by clicking the menu button and choosing the option "secure session".

After these steps your communications are secure, but you have not yet established a trust relationship. In other words, the channel is secure, but you are not entirely sure who you're talking to. So, keeping that in mind, the next thing to do is to verify that you are indeed talking to the right person (a sender's phone number can be easily forged, so you need a more secure way to check the identity). In the conversation window, press the menu button and select "Secure Session Options". In the window that appears, select "Verify Recipient Identity".

The following window shows your identity fingerprint and theirs. You can, for instance, call them and check if the keys are correct. If you happen to be close together to set this up, TextSecure also allows you to use your Barcode Scanner to check the keys. To start this, select compare and follow the instructions. If you are done verifying using any of the other methods, select "Verified!" and select OK in the next screen. A Save Identity pop-up appears. Usually the name is already filled in correctly and you can just push the "Ok" button twice to start your authenticated messaging.


You can see that this messaging has been verified because the lock icons in the left corner and next to the messages are not red colored. These messages are encrypted and authenticated.

 

This is the right moment to look at the various configuration options that TextSecure comes with. Most of them are self-explanatory. Security-wise, it might be a good idea to look at the setting for the Passphrase timeout interval, and set it to a lower value according to your situation. If the timeout interval expires and you want to view your messages again, TextSecure will ask for your password.

These are the basics of TextSecure. If you like the application, we advise you to replace the Messages application link on your phone's home screen with it. This way you won't mix up the TextSecure and normal Messages applications.