Free Android encryption comes to Egypt Free cellphone encryption is coming to Android users in Egypt courtesy of San Francisco software maker Whisper Systems. Until now, Redphone and TextSecure, voice- and text-encryption apps respectively, have generally been available in the US only. Whisper Systems has been working on making the packages available internationally …
Stand alone encryption is infinitely better than system encryption as nosey governments cannot attack a cell handset manufacturer and updating is easily done - all with difficulties for the governments concerned.
Authoritarian governments such as the U.S. now is have nothing to gain by poking around servers as the protection lies with the user.
The only things is how do we know there are no backdoors to Redphone and TextSecure? Other Apps might well be able to bypass these Apps and surreptitiously transmit them without users knowledge.
"The only things is how do we know there are no backdoors to Redphone and TextSecure?"
You'll probably never be absolutely sure, but much higher levels of assuredness are achievable with some approaches compared to others. Firstly the source code has to be available, including all the source code needed to build the binary, for public inspection. Secondly the source code must be modifiable and for modified versions to be distributable by anyone interested, so that if an implementation bug leading to security issues is found users are not dependent upon the original author for fixes. These starting points are necessary but insufficient. Thirdly there have to be enough interested and knowledgeable people inspecting the source code and independently testing it, and able to publish test results.
But people with this knowledge are not cheap and won't necessarily have time to do this work as a public service. Paying for them to do this work on the basis that reports will be openly published, and having a competition with prizes for published cracks also helps ensure testing and inspection are more likely to be done by a wider selection of interested parties.
If these criteria are not satisfactory, we have every reason to believe products which don't pass these tests are inherently untrustworthy. The easiest way for a cryptographic software designer to achieve a level of trust is to make products open source using already trusted open source library implementations of established and reputable algorithms (e.g. RSA, AES256, SHA1, supported by experts with solid reputations in this field.
And finally for more than the very good basis of trust which is achievable for the highest quality cryptography designs using the measures described above, compilers, virtual machines and platform firmware and microcode would all need to be independently reverse engineered and compared against carefully reviewed specifications, to the extent some confirmation can be independently provided against exotic platform hacks of the class described by Ken Thompson in his classic paper: "Reflections On Trusting Trust" see:
http://cm.bell-labs.com/who/ken/trust.html
If you look at the redphone setup, they require all calls to route and exchange keys etc via their switch. Which is a absolutely perfect place to MITM the whole process.
They are also releasing their sourcecode "soon" and have been in the process of doing so for quite some time.
Trust? sorry, I'll be outside configuring stunnel and openssl to run on a android to get me out the local juristiction. Hint, its possible, free and secure in a way only open source things can be.
I guess this will happen:
"Egypt bans Text Encryption."
"It's only used by terrorists and if you've nothing to hide, you shouldn't have to encrypt!" - said a spokesman." A minimum 5 year sentence will be given to those found with this terrorist software."
Nice idea, but totalitarian governments do as they want, in reality.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
