
User:Asr/SMSSecure

A page from Wikipedia, the free encyclopedia.


Asr/SMSSecure

Information
First version
Latest version
Project status Active
Environment Android
Type SMS/MMS messaging encryption
Website smssecure.org

SMSSecure is a fork of TextSecure; both are free and open-source encrypted messaging applications. These applications allow the secure transmission of SMS and MMS messages to other users of SMSSecure, TextSecure, or Signal. Users can independently verify the identity of their correspondents by comparing the fingerprints of the encryption keys, or by scanning QR codes in person. The Android application can serve as a replacement for Android's native messaging application. The local message database can be encrypted with a password.

SMSSecure implements the TextSecure encryption protocol, but without "push" messaging,[1] and therefore cannot be used for instant messaging as such with users of TextSecure, WhisperPush, or Signal. SMSSecure is developed by the SMSSecure team.


History

TextSecure

Whisper Systems and Twitter (2010–2011)

TextSecure started as an application for sending and receiving encrypted SMS messages.[2] Its beta version was released in May 2010 by Whisper Systems,[3] a startup co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.[4][5] This application and Whisper Systems' other applications were under a proprietary license at the time.

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company.[6] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[7]

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.[4][8][9][10] RedPhone was also released under the same license in July 2012.[11] Marlinspike later left Twitter and founded Open Whisper Systems[12] as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[13]

Open Whisper Systems (2013–2015)

Open Whisper Systems' website was launched in January 2013.[13] Open Whisper Systems started working to bring TextSecure to iOS in March 2013.[14][15]

In February 2014, Open Whisper Systems updated their protocol to version 2, adding group chat and push messaging capabilities.[14][16] Toward the end of July 2014, Open Whisper Systems announced plans to unify its RedPhone and TextSecure applications as Signal.[17] This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client.[18] Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.[12][19]

In March 2015, Open Whisper Systems released Signal 2.0 with support for TextSecure private messaging on iOS.[20][21] Later that month, Open Whisper Systems ended support for sending and receiving encrypted SMS/MMS messages on Android. As of version 2.7.0, TextSecure only supports sending and receiving encrypted messages via the data channel. Reasons for this included:[2]

  • Complications with the SMS encryption procedure: Users needed to manually initiate a "key exchange", which required a full round trip before any messages could be exchanged. In addition to this, users could not always be sure whether the receiver could receive encrypted SMS/MMS messages or not.
  • Compatibility issues with iOS: Not possible to send or receive encrypted SMS/MMS messages on iOS due to the lack of APIs.
  • The large amounts of metadata that inevitably arise and are uncontrollable when using SMS/MMS for the transportation of messages.
  • Focus on software development: Maintaining SMS/MMS encryption and dealing with edge cases took up valuable resources and inhibited the development of the software.

Fork to SMSSecure

Open Whisper Systems' abandonment of SMS/MMS encryption,[22] together with the strong dependence on the Google technologies Google Cloud Messaging and Google Market, and the unavailability of the application on the F-Droid and Amazon platforms,[23] led several developers to create a fork.[1][24][25]

Features

Screenshots of the application on a smartphone

SMSSecure allows users to send encrypted text messages to other SMSSecure users with smartphones running Android. SMSSecure also allows users to exchange unencrypted SMS and MMS messages with people who do not have SMSSecure.

Management of regular SMS/MMS

Messages sent with SMSSecure may be encrypted as soon as the user sends a private session request. This feature differs from the regular use of TextSecure protocol V2 in TextSecure, WhisperPush and Signal, which centralizes the users in federated directory servers, and therefore is able to automatically start ciphered sessions via Google Cloud Messaging or WhisperPush, without requesting it from the user.[26]

Encryption of SMS

Once a private session has been started in SMSSecure, all sent messages are automatically end-to-end encrypted, which means that they can only be read by the intended recipients. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled. In the user interface, encrypted messages are denoted by a lock icon.

Key verification

SMSSecure has a built-in function for verifying that the user is communicating with the right person and that no man-in-the-middle attack has occurred. This verification can be done by comparing key fingerprints out-of-band. Users can also scan each other's personal QR codes.

Non-dependency on GCM

TextSecure implements instant messaging via Google Cloud Messaging or Cyanogen's WhisperPush.[27] According to the SMSSecure team, their goal is to build an app that is totally independent of Google Services,[28] which is not the case for TextSecure because of its GCM dependency.[29]

Encryption without data channel

The application does not need a data channel to encrypt or decrypt messages. According to the Slovak website "cybersec.sk", now that TextSecure has abandoned SMS/MMS, it is the only application among those they tested to offer this feature.[30]

Stagefright

On July 27, 2015, a bug called Stagefright was publicly announced,[31] which led users to audit their MMS/SMS applications. According to Yemen-Press.com, SMSSecure's default settings can be modified so that it is not vulnerable to this attack vector.[32]

Licensing

The complete source code of SMSSecure is available on GitHub under a free software license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copy of the application and compare it with the version that is distributed by SMSSecure.

Reception

In April 2015, SMSSecure was included in a list of "The best 9 apps for Android" by the Dutch website Android Planet.[33]

Distribution

SMSSecure is available through Google Play, F-Droid and Amazon Apps.




References

  1. (in German) "TextSecure-Fork bringt SMS-Verschlüsselung zurück", on Heise
  2. Open Whisper Systems, "Saying goodbye to encrypted SMS/MMS"
  3. "Announcing the public beta", Whisper Systems
  4. Caleb Garling, "Twitter Open Sources Its Android Moxie | Wired Enterprise", Wired
  5. "Company Overview of Whisper Systems Inc.", Bloomberg Businessweek
  6. Tom Cheredar, "Twitter acquires Android security startup Whisper Systems", VentureBeat
  7. Danny Yadron, "Moxie Marlinspike: The Coder Who Encrypted Your Texts", The Wall Street Journal
  8. Chris Aniszczyk, "The Whispers Are True", on The Twitter Developer Blog, Twitter
  9. "TextSecure is now Open Source!", Whisper Systems
  10. Pete Pachal, "Twitter Takes TextSecure, Texting App for Dissidents, Open Source", Mashable
  11. "RedPhone is now Open Source!", Whisper Systems
  12. Andy Greenberg, "Your iPhone Can Finally Make Free, Encrypted Calls", Wired
  13. "A New Home", Open Whisper Systems
  14. Brian Donohue, "TextSecure Sheds SMS in Latest Version", Threatpost
  15. Christine Corbett, "Sure!", Open Whisper Systems
  16. Moxie Marlinspike, "The New TextSecure: Privacy Beyond SMS", Open Whisper Systems
  17. "Free, Worldwide, Encrypted Phone Calls for iPhone", Open Whisper Systems
  18. Michael Mimoso, "New Signal App Brings Encrypted Calling to iPhone", Threatpost
  19. Jon Evans, "Talk Private To Me: Free, Worldwide, Encrypted Voice Calls With Signal For iPhone", TechCrunch, AOL
  20. Micah Lee, "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone", The Intercept
  21. Megan Geuss, "Now you can easily send (free!) encrypted messages between Android, iOS", Ars Technica
  22. http://www.techwalls.com/textsecure-no-longer-encrypts-sms/
  23. http://derstandard.at/2000013841576/SMSSecure-TextSecure-Abspaltung-belebt-SMS-Verschluesselung-wieder
  24. https://www.security.nl/posting/422674/Versleuteld+sms%27en+met+Android-app+SMSSecure
  25. http://open-freax.fr/smssecure-retour-sms-chiffres/
  26. LinuxFr: SMSSecure - Les sms et mms chiffrés sur Android, ce n'est pas fini
  27. The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. https://whispersystems.org/blog/cyanogen-integration/
  28. SMSSecure focuses on SMS and MMS. This fork aims to: Keep SMS/MMS encryption; Drop Google services dependencies (push messages are not available in SMSSecure). SMSSecure/README.md
  29. SMSSecure is free software (under the GPL license), does not depend on any third-party server, does not rely on Google's APIs and services, and uses 256-bit encryption. Korben: crypter sms et mms
  30. http://www.cybersec.sk/navody-a-programy/navody/ako-si-ochranit-komunikaciu-predovsetkym-na-androide/ (via Google translate) SMSsecure The only exception among the selected applications, which replaces the built-in Messenger Android. After you install it, use the SMS if only this application, including received messages. The authors have chosen this solution, especially for greater security - SMS messages are also encrypted locally in the phone memory. Note, however, that after uninstalling lose all SMS messages that have been received by it. The indisputable advantage of the application and its unique is that it does not require a data connection. If the application uses only one party sends unencrypted traditional SMS. If you have applications installed both, sender and recipient, it is possible to exchange messages in encrypted mode. Enough to exchange encryption keys (one-touch). This is a very intuitive application that the operator should not cause more trouble even inexperienced users.
  31. http://www.zdnet.fr/actualites/stagefright-un-simple-mms-pour-controler-95-des-smartphones-android-39822978.htm
  32. https://yemen-press.com/news52022.html
  33. http://www.androidplanet.nl/apps/de-9-beste-android-apps-in-google-play-van-week-15-2015/
