Popular text and instant messaging client TextSecure would offer excellent security ... if it patched an attack vector found by a German research team conducting the first audit of the software.
The app was downloaded half a million times from the Android play store and was built into the popular Cyanogenmod Android operating system which has clocked up more than 10 million downloads.
The research team from Ruhr University Bochum found the open source platform was at present well-secured and would achieve laudable one-time stateful authenticated encryption if it fixed an Unknown Key-Share attack.
"Since Facebook bought WhatsApp, instant messaging apps with security guarantees became more and more popular," they wrote in the paper How Secure is TextSecure?
"We are the first to completely and precisely document and analyse TextSecure's secure push messaging protocol.
"We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure's push messaging can indeed achieve the goals of authenticity and confidentiality."
The team explained crypto bod Moxie Marlinspike's platform in detail – making it worthwhile reading for the algo inclined.
For the rest they offer an analogy for their key attack, drawn from popular fiction.
"Bart wants to trick his friend Milhouse. Bart knows that Milhouse will invite him to his birthday party using TextSecure. He starts the attack by replacing his own public key with Nelson's public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered ... if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse believes that he invited Bart to his birthday party, where in fact, he invited Nelson."
While it may result in birthday tears and tantrums, the attack was not a death knell for the platform and had been acknowledged by Marlinspike.
TextSecure included instant messaging to its SMS channel in February making it a palatable alternative to iMessage and WhatsApp
It and other communications platforms branded as secure enjoyed an uptick after Facebook purchased WhatsApp fueling some privacy fears. The app gained popularity enjoyed a large uptake in users since the acquisition of the latter and as word spread of its use in the Egypt Arab Spring.
Researchers Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jorg Schwenk and Thorsten Holz said little was known about rival secure platforms such as Threema and SureSpot.
"A comparison of textSecure and SureSpot will be an interesting project for future work," they wrote. ®