A group of German researchers have audited TextSecure, the popular open source encrypted messaging application for Android, and the news is good. Once a particular vulnerability found in the app’s cryptographic protocol is fixed, TextSecure can offer what its creators wanted: one-time stateful authenticated encryption, i.e. authenticity and confidentiality of sent and received messages.
Since the moment Facebook acquired WhatsApp, there has been increased interest in software that assures secure IM communication. Among the most popular ones are Surespot, Threema and TextSecure.
This group of researchers chose to analyze TextSecure because its code is open source.
TextSecure was released in 2010 by Whisper Systems, a startup founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.
Through the years, the app became very popular due to the following events: the company offered it for direct and free download to Egyptian protesters in 2011, the company was acquired by Twitter and the app was then made open source, and finally the app was integrated into the widely popular CyanogenMod open source Android firmware.
In their recently released paper, the researchers detailed the app’s complex cryptographic protocol, and described the so-called Unknown Key-Share Attack that can be aimed at the protocol. They also demonstrated that the protocol improvement they devised mitigates this type of attack.
Details about this mitigation have been shared with the app’s developers, who acknowledged the issue and are likely already working on implementing a fix.
In the conclusion of their paper, the researchers intimated they might analyze Surespot’s cryptographic protocol next, as the software is also open source, and see how it compares to TextSecure’s.
Threema’s, for the time being, is off limits, as the app is proprietary, and its protocol is kept confidential.