Shared publicly  - 
 
Secure Messaging
 
Secure/push messages in +CyanogenMod

We've been focusing on data security lately; +Steve Kondik got the ball rolling with Privacy Guard. And obviously, recent events have made privacy concerns a global discussion.

The Privacy Guard contribution is the philosophy I like to  to see in these types of data security implementations: seamless protection of the user data. If it's a pain to use, or if it breaks third party apps, it's going to be a negative experience, and we're doing it wrong.

One of the interesting developments of the past couple weeks is that iMessage, is not snoopable by a third party, not even Apple (or so they would have you believe ;).

Regardless of whether that is true; I love the design philosophy of iMessage: it works transparently, and encrypts the user's message between iOS users and fails over to SMS as needed. Frictionless.

I'd thrown a poll out there, to see what sort of cohesiveness +CyanogenMod  users have. Surprisingly high. Many +CyanogenMod  text a lot with other +CyanogenMod users.
https://www.evernote.com/shard/s63/sh/94c9d731-6540-430e-b401-c212f14428d7/fae4c3c7a114a957547a2d77c19e3323
(Which makes sense, as our growth to 7M users is entirely organic and word of mouth)

Anyways, TL;DR. I've built out a secure/push based messaging plugin for CyanogenMod. Messages between two CyanogenMod will be encrypted end to end and sent over GCM. It's built into the framework; so it works transparently, even with third party apps. (This is actually one of the cooler points IMO, and I do a lot of testing with GoSMS, etc)

It's basically PGP (encryption + authenticity) for text messages, built into the system.

There are two minor changes to the telephony and framework to support this:

Add Middleware hooks to IccSmsInterfaceManagerProxy. This allows a sent SMS message to be intercepted and rewritten or sent over another transport.
http://review.cyanogenmod.org/44464

Add other various framework support bits (new permissions). Grant system apps priority in case of ordered broadcast priority tie.
http://review.cyanogenmod.org/44545

Here's the source for the app/plugin, which is still under heavy development.
https://github.com/koush/PushSms

At this point, I'm looking to get some feedback, discussion, thoughts, etc on this project. Not ready for active testing yet.
968
240
Keegan Jacobson's profile photoRichard Riker's profile photoBenjamin Geese's profile photoSławek Rozbicki's profile photo
146 comments
 
that the reason why cyanogenmod beats nexus/proprietary builds hands down.
 
Would it be something that could be open enough to interoperate with other platforms that choose to implement it, too? 
 
I like this idea. However, I'm curious if it will work for Google Voice.
 
Okay now this is awesome. I love seeing what you guys come up with. With AOSP nearing its completion it is up to you guys to carry on the good work and you sure as hell do. I love the privacy element that you guys have been doing lately. With everything going on it is more important than ever.
 
Seems like I have to say goodbye to AOKP and say Hi to +CyanogenMod
Basically, I see it as a loyalty program. People once start using it will be hooked :)
 
That sounds great but once hangouts integrates SMS I probably wouldn't use it anymore.
 
Would this improve privacy in any way between a CM user (me, for example) texting with a non-CM user? Not sure how many friends use CM, to my dismay.
 
+jerry brinkley the only thing that keeps me on AOKP right now is the better customization of the nav buttons for the GNexus.
 
Very cool, said the terrorist.
 
Is this going to be a separate app? Or built into the stock messaging app
 
I am a huge cyanogenmod fan but I have the note 2 right now and need the note functions. Is there any way to get pushsms going without cyanogenmod?
 
Would be awesome if Google could implement this kind of thing into Android as a whole. 
 
TW has just way to many awesome features to go to CM. 
 
You sir, literally make my dreams come true. You will lead some big company some day
 
Bringing back privacy! I love your work.
 
Will this allow tablets to text other people?
 
The shame is that several users will be unable to use it, because they refuse to use GCM for privacy reasons. Will there be a fallback for some other system?
 
Fantastic idea! Would also love to see some voice encryption as well if that's possible. Something like redphone. More privacy is definitely better. 
 
Too bad people using CM are minority :/
 
This is a great idea. This just might convince my fiance to finally switch over from stock. 

Someone said it above, but sometimes I really wonder why the CM team (and AOKP/Carbon/etc) are not all Google employees. I know that a lot of this stuff appeals to only us dorks, but I bet people would be much more loyal to Android if they were reeled in with the insane customization available and all the additional features that seem so obvious to include... and those like this new feature that is just pure genius. 
 
I would use this plug-in forever once it becomes available. 
 
Me and my girl are on CM. I would be perfectly satisfied if she was the only person I used this with.
 
+Tyler Goulet I'm sure some great devs have already made ports your speaking of but your device is end of life. Time to upgrade.
 
+Tyler Goulet Nightlies for that deviceshouuld start up again soon. It doesnt help that our last available build is 3 months old. 
 
can this work by itself? as in an app I the play store? I love how stuff like this are made.. but hate it when I can't have everyone I know use it
 
ok thanks.. now only if this takes over to replace SMS.. 
 
This is awesome news... Been looking for a more integrated alternative to Grypon secure texting app... Its not a bad app, but I'd like a more integrated thing...
 
Cyanogen always has been and always will be the best
 
If these idiots at work l root their phone :-) 
 
Great to hear.  I'd like to see something like pluggable encryption, for all comms, messaging and voice eventually.  Sort sort of flag to indicate what level of security (if any) the person you're communicating with has, so conversations can be handled accordingly. (Notification bar? Show that a secure connection is currently running and at what level of encryption between the other party)

If a flaw is found in a method, change encryption easily by loading a new (checked) apk that handles encryption rather than having to install a new ROM/messaging app. Also, we can compile that apk ourselves rather than  relying on a download.

Next for meta data hiding,  if 'extra security' mode engaged, to route those messages to other users of the system to fudge the routing, or through a VPN back in a secure (non-US) site.  Not full TOR, and limited in amount sent, but to just bounce it a few random times on sending at least.

Just some ideas bounced around for a long time now.   Messaging obviously has to be the first thing, but a secure VOIP if the other person is detected to also be running CM and has 'encryption' set, would be great.
If it's a matter of initiating and swapping keys first in the messaging app, and in the messaging, to then have the option to 'make a secure voip call to this person', that'd be perfect, as hopefully at that point you've swapped keys, know what levels of encryption they're using, if the .apk they're using to encrypt is 'safe'.

A 'encryption' menu in the settings to manage all this too, as might want to use low end (but something) for calls, huge keys for text messaging, and a list of the public keys held on people on your contact list, so some can be revoked as needed.
 
Hey - this is something that I think is freaking awesome - however do you think this level of integration could be handled by an Android App for those of us unlucky enough to not be running CyanogenMod?
 
No expert here +Kevin Norman but I would say yes with a special server but since there is framework modifications I'm not entirely sure
 
Here's my thought though: If this checks if both users are CM users before encryption and sending the message doesn't this mean that CM is not going to have a list of everyone's phone numbers using CM? Would this require some kind of authentication on first boot, like Hangouts does? What happens later if I stop using CM and a friend with CM sends me a message? Will his phone think I'm still using CM and encrypt a message?

Don't get me wrong, I love this idea. I'm saddened more people I know aren't using CM as well because of it. These are just some things I hope you guys have worked out on your side.
 
Why does the octopus have cat ears? :|
 
I wish at least some of my friends used CM ;(
 
Wait does this use data or sms. I really like the idea but due to me being on really low data cap it wouldnt go far with me
 
+Ryan Stuckmaier I'd guess that on first attempt, the phones set a flag on that user.  heck, if it's some form of PGP, assign the key for that person in one of the contact fields.   Doesn't matter, that's just the public key to encrypt date to be sent to that person, they'd then decrypt  it on their phone.  Without wanting to sound demeaning (and I apologise in advance as it's really not my intent), I'd hugely recommend (if unaware) of a quick read of http://en.wikipedia.org/wiki/Public-key_cryptography as I think you'll be reassured that no-one else will have anything, and the things that are stored on your phone are 'safe' to have.
 
+Daniel Ariza
I'd expect it to be optional.  To get it really encrypted, there would be a fair bit of extra data used to pad out a message, but shouldn't be MB's per message sent, and hopefully it's an option.
 
Hmm, continue to think about this, the actual messing app itself, should that have an extra requirement of login? Or if the phone's unlocked, it's open.  And if so, should messages self delete themselves after a few minutes of being read (or even perhaps if not read).  Some sort of 'Bob called you (5) minutes ago, message not saved'  'oh, hey bob, here now" "hey Alice, ah, was just wanting to ask you what's for dinner tonight, I fancy the 'Mexican Dirty Pork Bomb' and wondered if that was ok, or you preferred Italian?"  Then, 2 mins later after read, it's cleared.  Phone stolen/captured, nothing left.  Would also need a way to clear those keys too remotely so if the phone's taken, your single call can get someone to log onto your google account and remove the keys for people perhaps, so the authorities can't impersonate you on other messages.
 
I am highly interested in this both on CM and Android as a whole. I currently use Threema but it's paid and no one really uses it. 
 
What can I do to help? What funding can I help throw to help this happen? Devices/design/coding?
 
+Sam Thomas I can tell you from experience lots of companies are looking to custom firmware developers as a hiring resource. Albeit the companies may not be the ones you would expect ;-)
 
This is awesome. All of these great projects from the cm team has been so great to see! 
 
Finally Cyanogenmod is getting more security features. I would love to see host IDS something like tripwire and a firewall as a standard 
 
+Jonathan Garfinkel I think the point is that you would; no matter what app you use to send SMS messages, the new framework would check to see whether the recipient has a device which runs Cyanogenmod and supports the new push framework, and if so encrypt it and send it via push, rather than plain SMS. Hangouts, stock SMS app, goSMS... this is an extension to the backend SMS system, not a new app.
 
Looks really great! I hope you get the support needed from developers.
 
I should use CM...xylon is whack
 
Every rom builder will soon start including this. It's going to be huge. Just wait... ;)
 
This is just a ridiculously good idea, please implement this in the next CM stable release! 
 
That's really a great news. I hope it will be included in every Custom Rom and works between all of them. But the best would be, if Google would implement it too.
 
Superb! made keys dynamically generated and sent to pubkey servers. This must be easy to use - ppl dont use PGP because it seems to be difficult to them (public/private keys etc.). They dont understand the technology, that is why everything must be automatic and transparent yet secure - like HTTPS.
 
Correct me if I'm wrong, but couldn't support be extended to other devices (and thus also non-CM devices) by also releasing an SMS-app with this feature built-in? I don't see a reason why that would be impossible.

That way CM users have this built-in and transparent, other ROMs that chose to implement the same system have it too in a transparent way, and users on other ROMs could install the SMS-app.

It would also be a great way to bring the excellent CM SMS-app to other devices ;)
 
I'll just leave this here:
http://www.cypherpunks.ca/otr/otr-wpes.pdf
Also will you be able to add WebRTC with ZRTP (not DTLS) for voice and video? And why not just expand on the TextSecure and Redphone apps, and why not use those as default SMS and Dialer apps in CyanogenMod? If you don't want to use those apps specifically, you can just use the source code and create new apps out of them, with expanded capabilities, and more tied into CyanogenMod.
https://whispersystems.org/

Now that even Google and Nexus devices can't be trusted anymore, it would be great if people could still feel secure using CyanogenMod, and helping this along, by adding all sorts of apps and features to make CM ROMs security oriented and with very strong privacy built-in.

The world needs you to do this after all the recent unvealings.
 
Secure Messaging just like iMessage would be great.
 
This sounds great, it reminds me of why I first flashed CyanogenMod on my N1 back in the day: innovative open source features that serve the user's interests. Might be time to ditch the stock firmware on my GNex and flash CyanogenMod...
Rob Ban
+
1
2
1
 
I'd love to see what the +Android have to say about this? Also, +Google should really include this within Hangouts.

Good job so far!
 
Will we be able to tell if a user has PushSms/Cm, of how do we know if the sms is getting encrypted? One way would be go add a little icon next to the people in the phonebook, to show if they have PushSms :) 
 
I sadly have no friends that use CyanogenMod, but this idea is great and I see real benefit in the work you've done.
Nadim M
 
Can't it be OS independent? There's an opportunity to own the "market" as everyone else is playing chicken. 
 
seems to be interesting. over which server will the messages be transmitted?
 
+eleventy. I suppose I should update the wife's phone, then.
 
CM is going to put RIM out of business. 
 
Maybe AOKP and others will get on board also. 
 
Is there any possibility to get this working with an desktop client?
Translate
 
my instagram video wont work and the camera gets disconnected
 
Without cross device it's useless. 
 
Why PGP? I believe for short messages OTR would be much more fitting.
Anyways, I would also love to see GnuPG (PGP) support hacked into the Gmail app. 
 
I support this 100%. The transparency/ease of use is especially welcome. I'd also like to voice interest in read receipts.
 
I would like to see bitmessage used... there is no "central server" and everything is encrypted even the "from" and "to". 
 
gpg you can still see the "from" and "to" so it is less secure 
 
Awesome, and it being open-source means that we can code apps for other OSs too.
 
yup, there is already a Linux desktop app written in python (I think it could be ported to windows and osx too). it could replace iMessage completely then
 
Wow, this is some really interesting stuff !
Now if only all of my friends had Android phones supported by CM.
 
Hola, no me deja postear en el foro, que rom me recomendais  para Yarvik SMP45-210
Translate
 
This should use your Google account or a CyanogenMod account. Added to the device in the normal add account way. 
 
Awesome!

Two questions: Will it be possible to build an app for non-cyanogen (or possibly non-modded) devices and desktops? Secondly, will it work correctly if i have Google Voice set up?

I've been looking for something like this... even if it only works on cyanogen and desktop, that might be enough to get me to switch to it...
 
Many of these questions already have answers. Check the replies on the original post.
 
¿tengo que estar conectado con el móvil? pues desde el pc no se puede me sale el mensaje "You cannot start a new topic"
Translate
 
I think this is great news, however if you can only securely message to other Cyanogen users, doesn't that severely limit the audience?  Will there be anyway to securely communicate with non CM users?  (Like the BBM app for Android does)
 
I'd love to see a new blue/white ui in there once this is built in to the ROM! Just a suggestion ;)
 
I want it - Now if I can convince my friends to switch to cyanogenmod based roms :)
 
If Google brought this to the next version of Android with cross platform support...my god could my iwhore friends finally shut up about iMessage. Please Google I am begging you! 
 
They already brought there version, it's called Hangouts.  They just need to hurry up and integrate Google Voice
 
No, hangouts is for everything Google except an SMS replacement. 
 
If this could be implemented into other OS's somehow I would be happy to pay for it.
 
Google won't do this, because Google isn't your friend.  They make their money by selling your data, and attempts to obscure that data don't benefit them.  The only reason you have Android is to snoop on you (and to a lesser extent to erode Apple/MS dominance in some markets).  To do this profitably, they need to stay in good graces with the government, who isn't keen on this concept.  CM has none of these burdens.

Apple won't do it, because Apple wants you to buy Apple devices with iMessaging.  CM doesn't particularly care if you buy an Apple device...to each their own!

The best bet, as others noted, would be to bake it into CM then create an Android and iPhone app that would somehow add the functionality to each OS.  This is probably doable for Android, but will be problematic for iOS for numerous reasons.

I'll throw my support behind doing this for voice also, using the same concepts as the IM method.
 
Great! Two things though; I'd want to be able to see if my message will be secure before I send it. And I'd like to be able to use several devices(phone/tablet/desktop?) seamlessly, a bit like hangouts.. I guess that'd compromise the security a bit but yeah... I'm sure you'll figure something out! ;)
 
yeah we just got another revolutionary new messaging protocol that 0,001% will use. Why not just use an existing standard? We already got xmpp+otr or xmpp+pgp which would do a great job. And as this is bound to a google account (because gcm) you could also just use xmpp+gpg over gtalk (i would also say this is shit, but at least it's a standard). http://xkcd.com/927/
This simply cannot be an AOSP enhancement because AOSP has no GCM. On the one hand you want to provide some privacy, on the other hand you use google for that - kind of irony isn't it?
 
How is the initial key exchange performed? I assume Alice requests Bob's public key over SMS and then encrypts her message using that key? I know there isn't a good fix, but this is obviously vulnerable to a MitM attack by the carrier.

Are there plans to support other key exchange methods? For example, a setting could require all key exchanges to be performed by NFC. I think this is a good compromise between security and ease-of-use.
 
I'd like this extended to ... the non mobile world as well. There is no secure IM service out there. We need SMS / IM full encryption.

This is great work, no doubt, I just want more. No one out there is doing full end to end IM encryption. Desktop and mobile alike, I wish it were the case.

Now if only this were built into all androids, full end to end encryption !!
 
Trillian does end to end IM, though I believe there is a middleman involved that could be compromised.  I never really looked into it in depth.
 
If only there was a feasible way to make this work with third-pary XMPP servers, then it would be sooo cool. Blackberyy's messaging service would look like messenger pigeons delivering ROT-13 letters.
 
+Dmitri Smirnov this should be possible, nobody forces you to use the pushsms app provided by koush, you could easily replace it with another because of the new hooks added to cyanogenmod.
 
+Marvin Theissen what I had in mind is actually providing a gateway to and from XMPP servers, out of the box. So that any jabber user could message a CM user and vice-versa.
 
+Dmitri Smirnov this would be nice but is kind of impossible, because koush's PushSMS uses Google Cloud Messaging for recieving which is a proprietary protocol. To be precise: Sending messages is easily possible, but recieving would require some reverse engineering and would be against Google's ToS.
 
its good for secure messaging, but with it being PGP and authenticated it will still be able to proven who sent the message so its far from anonymous 
 
+Dom Eyre who said anything about being anonymous? Anyway, if we're talking messaging you probably don't need anonymity. Pseudonimity - maybe.
Also, if you're talking about plausable deniability - it breaks offline message delivery and asynchronous messaging, as it requires both parties to be online for the session.
 
+Dmitri Smirnov , what I was meaning is that governments etc don't need to worry about it being used by terrorists etc. I love this feature
 
+Dom Eyre How did you come to that conclusion? Technology is not discriminative in it's uses.
So I'd say government still has to worry about it used by terrorists, otherwise the technology is just not good enough, as tech is a double-edged sword.
 
[If] I were a terrorist I would not use any means that is verifiable. Thats how I came to that conclusion, damming evidence instead of the usual circumstantial BS that they usually rely on.

This is getting off topic now so I will leave it there but yes, such an awesome development for CM. I can also see a lot of Samsung users going CM10 seeing Samsung's current stance of telling you you cant even root or flash custom recovery... I just switched from the S$ to a htc One, better camera, (low light) music/sound, nice sense interface, dont feel the need to root given the level of customisability of the One.

S4 is now for messing about with, or I might restore it as close to stock as possiable when yellow triangle gets released update and sell it.
Liam C
 
how would i use this
 
There doesn't appear to have been any movement in 4 months on the GITHUB page for PushSMS.  Did this encryption get shelved due to Cyanogenmod being incorporated?
 
So +Koushik Dutta I know you are busy and all but this was a great idea, I'm just wondering if you guys still plan on using this at some point in the future or if it got canned.
Add a comment...