Encrypted Text Messages and Phone Calls



PC LOAD LETTER
9th January 2014, 04:58
Thought I'd let yous guys know about this nifty little app by renowned hacker and anarchist Moxie Marlinspike.

If your phone gets stolen, texts are safe because they're locally encrypted. If both parties are using TextSecure, then the messages are safe in transit to the other phone as well. Well, that last bit only applies if the key exchange has been completed and a lock icon appears next to your message. This should happen mostly-automatically. Just make sure the lock icon is present. I recommend going into the general settings and having the password expire after a few hours or something so you need to re-type it occasionally, otherwise the local encryption of ALL text messages is useless. That feature can be turned off, however, if you'd prefer TextSecure to just keep to its own encrypted text messages and leave your normal text/MMS messages to your phone's normal texting app.


Also please choose a secure password.
More info on password security:
https://xkcd.com/936/
If you're lazy/uncreative: http://preshing.com/20110811/xkcd-password-generator/


Currently it's only for Android, but an iOS port is in the works. It's being integrated into the standard text messaging app for CyanogenMod 11 and up if you're into flashing ROMs, which, really, if you want stronger security is the way to go. But that's beyond this thread.

There's also another app by the same guy called RedPhone. This one encrypts phone calls. It uses data rather than minutes, so you need a data connection. The session key can be verified by repeating the two words that appear on your phone screen to the other person when they answer. They should be the same on both ends.

Here's his site:

https://whispersystems.org/

Have fun. Both the apps, RedPhone and TextSecure, are in the Google Play store. And when the iOS ports are done, there as well. If you're into iOS or Android development, here's the GitHub. It's all open source, and they'll pay you to help them (https://whispersystems.org/blog/bithub/) develop. https://github.com/WhisperSystems
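
The two-word check described in the post above, sketched as an added example that is not part of the original post and is not RedPhone's code: both ends derive the words from the session key, so they match on a direct call and differ when a relay in the middle has negotiated a separate key with each side. The toy group parameters, the syllable-based pseudo-words and all function names are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for readability (assumption, not RedPhone's
# parameters): real protocols use a vetted large group or elliptic curve.
P = 2**127 - 1
G = 3

CONSONANTS = "bdfghjklmnprstvz"   # 16 choices (constructed alphabet)
VOWELS = "aeio"                   # 4 choices

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    """Both honest ends compute the same value: G^(a*b) mod P."""
    return pow(their_pub, my_priv, P).to_bytes(16, "big")

def _word(bits12):
    """Turn 12 bits into a pronounceable two-syllable pseudo-word."""
    out = ""
    for shift in (6, 0):
        s = (bits12 >> shift) & 0x3F
        out += CONSONANTS[s >> 2] + VOWELS[s & 3]
    return out

def verification_words(key):
    """Derive the two words each user reads aloud from the session key."""
    digest = hashlib.sha256(b"sas-demo|" + key).digest()
    n = int.from_bytes(digest[:3], "big")   # 24 bits -> two 12-bit words
    return _word(n >> 12), _word(n & 0xFFF)

def direct_call():
    """Keys exchanged end to end: both screens show the same words."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (verification_words(session_key(a_priv, b_pub)),
            verification_words(session_key(b_priv, a_pub)))

def intercepted_call():
    """Each end received the relay's public key instead of the peer's."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, m_pub = keypair()
    return (verification_words(session_key(a_priv, m_pub)),
            verification_words(session_key(b_priv, m_pub)))

if __name__ == "__main__":
    print("direct:     ", direct_call())
    print("intercepted:", intercepted_call())
```

Two 12-bit words give only 24 bits of comparison, which is enough here because a relay has to commit to its keys before it knows what words either side will see.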

Os Cangaceiros
9th January 2014, 05:12
Thanks, I'll have to investigate this further when I have the chance. I've done some "hobby encrypting" but nothing real serious, definitely interested in the topic though.

PC LOAD LETTER
9th January 2014, 05:26
Thanks, I'll have to investigate this further when I have the chance. I've done some "hobby encrypting" but nothing real serious, definitely interested in the topic though.
If you have a supported phone, I highly highly highly recommend flashing a custom ROM to it. Just make sure you back up all personal data and the IMEI first. When you flash the recovery to use ClockworkMod Recovery, there's an option to back up the currently installed ROM and apps; I suggest doing that and backing up to an external SD card to save internal phone storage for other shit. I personally use CyanogenMod, but they're kinda going commercial so I'm worried about their future. Runner up would be AOKP (http://aokp.co/) as an alternative ROM for when CyanogenMod shits themselves. That way the source is open on what's specifically going into your phone; one less attack vector re: backdoors from the service provider's own distribution of Android.


There's still the issue of the GPSr not being properly shielded from the modem, which runs proprietary software no matter what and can be activated remotely and silently and snag GPS coords, but as far as I know, no US available phone is properly shielded, and you or I probably don't have to worry about that part because we're not mafioso or anything, just computer geeks.

Os Cangaceiros
9th January 2014, 06:36
because we're not mafioso or anything

SPEAK FOR YOURSELF. :blink::blink::blink::blink:







:lol:

PC LOAD LETTER
9th January 2014, 06:56
SPEAK FOR YOURSELF. :blink::blink::blink::blink:







:lol:
Capo Cangaceiros, Paulie requests your presence at the restaurant Tuesday evening. It's regarding the package that Jimmy was bringing from Mr. Gambino. There's been an incident.

kingkobra
12th March 2014, 03:35
+1 for TextSecure, it's an incredible piece of software. Just remember to never put anything on a phone or a computer you wouldn't want the whole world seeing. Security measures are great, but don't let that sense of safety make you take a risk you normally wouldn't.

synthesis
13th March 2014, 05:59
It still seems unsafe. The government can still access your phone remotely and then, with the equivalent of some keylogging software, just get the key from one of the two of you when you enter it. Although I guess that's a lot more difficult for them to do, if we're talking warrants and legality, than just intercepting it from the cellphone company itself.

PC LOAD LETTER
17th March 2014, 07:36
It still seems unsafe. The government can still access your phone remotely and then, with the equivalent of some keylogging software, just get the key from one of the two of you when you enter it. Although I guess that's a lot more difficult for them to do, if we're talking warrants and legality, than just intercepting it from the cellphone company itself.
If you use something like AOKP or CyanogenMod, then the biggest weak link is the binary blob associated with the modem, which, if not properly separated from the GPS unit, could be used to remotely turn on GPS and get your coords. Unless they have a 0-day to remotely break into whatever ROM you're using (more likely with stock ROMs), then use a privilege escalation exploit to get root without whatever permission manager you have noticing, then install a rootkit that grabs your TextSecure password and uses it to steal your private key.

The same argument can be made in reference to ANY encryption on PCs as well. It would be just as difficult to circumvent, so it's really a non-argument, because then you might as well argue that all encryption is useless, which is not true at all if you know what you're doing. You have to eliminate the weak links in your security ... proprietary software/hardware, weak passwords, etc. It ultimately boils down to the person being the weakest link, though, because if you're being beaten with a wrench you'll probably give up your password/keys.

Naroc
17th March 2014, 09:14
Thanks for bringing that up here, seems to be kinda useful :)