TextSecure

Updated: Tue, May 7, 2013 - 1:55pm

Let's talk about SMS for a minute: We all know that communication is completely insecure and that telcos routinely hand over all data to the government without even waiting for them to ask. So text messaging is compromised. What can we do?

A partial answer is to send encrypted text messages. The government still knows who you're messaging, and when, but they won't get the contents of the messages.

In order to send encrypted text messages, both you and the other party to this communication must have an app capable of doing encryption and decryption. Such an app is TextSecure, for android. It does text messaging using the OTR cryptosystem. It also saves your texts in an encrypted database on your phone.

Once you have this app, you can use it instead of the default "Messaging" app that comes with Android. It takes over all your texting duties, and you can use it to send encrypted texts to people who use this app, or non-encrypted texts to people who don't use this app. Due to the encryption overhead, you can only get 60 characters per encrypted text, instead of the, like, 140 or whatever for a plaintext text.

This app is open-source (of course, or I wouldn't be recommending it). You can, of course, download it for free at the google play store. If you want to do that, you don't need to read the rest of the post. Just get it and then start texting with me in an encrypted fashion.

However, if you are like me, you don't use the google play store because of privacy concerns. If you download apps from there, google knows that you've downloaded those apps. I don't like giving them that information. I don't even have the google play store installed on my phone. Instead, I use F-Droid, a separate app store that only distributes free, open-source apps, and lets you download them anonymously.

The problem is that the people who run F-Droid got into a little misunderstanding with the developers of TextSecure, so F-Droid doesn't distribute the app anymore. Briefly: There was a security bug. The TextSecure developers released the fix as a binary download on google play before making the fix available on their github repo. During this time, the developers of TextSecure found that f-droid was still distributing the out-of-date version (because they couldn't get the latest code), and asked them not to do that. The developers of TextSecure released their fix on github, but f-droid decided to take down TextSecure anyway. So now f-droid does not contain an encrypted SMS program.

So, your choices are: Give up your ability to download TextSecure anonymously, and get it from Google Play, or compile the app yourself. I chose the latter. I will now describe how to do that. Also, I will give you a third choice: Download the compiled, unsigned, app from here.

Here's how you compile the app:

  1. Make sure you have the Java Developer Kit
  2. Get the Android SDK
  3. Run the "Android SDK Manager":
    % android
    
  4. Install "Android 4.0.3 (API 15)". Important: Make sure you're using API 15. I have an old android phone, and I'm stuck with Android 2.3.3 (API 10), but you won't be able to compile the app unless you use API 15. Don't worry, the app compiled in this manner will still run on Android 2.3.3, due to the fact that its AndroidManifest.xml contains <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>. Also, the special features from API15 can be emulated on earlier versions of Android by using ActionBarSherlock. More on that later.
  5. Once the API is installed, we must clone the git repos for TextSecure and for ActionBarSherlock.
    % git clone git://github.com/WhisperSystems/TextSecure.git
    % git clone git://github.com/JakeWharton/ActionBarSherlock.git
    
  6. TextSecure requires a particular version of ActionBarSherlock -- an older version -- version 4.2.0. So we need to make sure that's checked out.
    % cd ActionBarSherlock
    % git checkout -b 4.2.0 4.2.0
    % cd ..
    
  7. Both of the projects need to have the same version of the Android Support Library. Let's use the one from TextSecure.
    % cp TextSecure/libs/android-support-v4.jar ActionBarSherlock/library/libs/android-support-v4.jar
    
  8. Both projects need to be updated by the sdk. This is much like the "./configure" step in the gnu build system. Furthermore, TextSecure must be told to use ActionBarSherlock as a library project:
    % android update project --path ActionBarSherlock/library/ --target android-15 --subprojects
    % android update project --path TextSecure --target android-15 --library ActionBarSherlock/library/ --subprojects
    
  9. My JAVA_HOME variable is not set properly, so I had to set it:
    % export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-amd64
    
  10. Finally, you can compile TextSecure:
    % cd TextSecure
    % ant debug
    
  11. You will now find bin/TextSecure-debug.apk. You can copy that to your phone and install it using a file browser, or you can copy it to a website and navigate to it to install it, or you can install it to your phone using the Android Debug Bridge which came with the SDK.
  12. Text me!
Your rating: None Average: 5 (62 votes)

Thanks (but it doesn't quite work so easily any more)

Thanks for this. The inability to build TextSecure has been somewhat frustrating (how are you meant to check it if you can't build it, right?). However, this process doesn't actually work any more.

With the command:
android update project --path TextSecure --target android-15 --library ActionBarSherlock/library/ --subprojects
I needed to change it to:

android update project --path TextSecure --target android-15 --library ../ActionBarSherlock/library/ --subprojects
Otherwise it didn't find the library. 

Also, the 'libs' folder of TextSecure is no longer present - you have to copy the support library from the SDK itself (or from ActionBarSherlock)
Missing are:
thoughtcrimegson-2.1.jar
libphonenumber (I am using libphonenumber-5.8.jar)

There were other errors while building, too.
I eventually got it to work by checking out ActionBarSherlock and TextSecure (as you did), finding and downloading the libraries I listed and putting them in the 'libs' folder of the TextSecure folder.
I then entered the ActionBarSherlock/library folder and did an 'ant debug' to build the library.
In Eclipse, I then added that library, the android v4 support library, thoughtcrimegson-2.1.jar, libphonenumber as external libraries. I also created the 'google-play-services_lib' project in Eclipse to allow access to play services, and made that a referenced project. Finally, I added the Google Cloud Messaging library (/extras/google/gcm/gcm.jar inside the Android SDK).
I then increases the 'minimum SDK version' to 17 in Eclipse, because otherwise I couldn't find genuine errors.
In 'res/values/themes.xml' inside the TextSecure folder, I removed two lines near the end that were causing errors:
<item name="android:listPreferredItemPaddingStart">16dip</item>

<item name="android:listPreferredItemPaddingEnd">16dip</item>

 

Finally, I did a ‘clean’ for the project in Eclipse, and then went to the TextSecure folder and ran ‘ant debug’. And it built.

Nope, I'm an idiot

The updated 'official' build instructions said to use Gradle, and I missed them. 

I'm an idiot 

keeping it up-to-date

Ryan,

Thanks for the write-up.

I put my Note2 on a no-GAPPS diet. I don't think I'm gonna make it very long. But I AM trying.

I installed a slim AOSP ROM (carbon) and have installed only F-Droid apps. By the way, I really wish F-droid and Whispersys would hug and make up.

I have dabbled in Linux a bit, but I need an answer to this: If using your compile-it-yourself method above, what about keeping TextSecure/Redphone/others up-to-date?. How do I do that?

Is it possible using a terminal inside Android?

Thanks,
Stan

Hi. Yeah, the problem with

Hi. Yeah, the problem with the compile-it-yourself method is that it only updates when you recompile it.

I suppose you could compile it from on the phone itself. For example, I have a Debian chroot installed on my phone. In principle, this should be able to compile android apps. I've never tried it, though. It would probably take hours on my phone (which is not very powerful).

Keep the faith! You can do it!

1mobile

Ha. Thanks for the faith.

How do you feel about using 1mobile.com as opposed to Google Play?

So many apps I use are not open source, but are free of cost and available at 1m.

1m doesn't require registration and it keeps apps up-to-date.

If I really want to stay private from 1m (even though it may already know the IMEI) I can:
- install orbot on my fresh no-GAPPs aosp ROM.
- use orbot as root to transparent-proxy everything.
- browse to 1m's site through TOR, install it and then install my apps.
- freeze 1m and its related processes for a while until I want to check for updates to apps.
- connect orbot first, unfreeze 1m, check for updates.

And so on.

Lol, this is pretty ridiculous.

Is the .apk a dev puts on Google Play different than one he puts on 1mobile or similar site? Does Google do anything to the file before putting it in the Play store?

I've read about how a dev knows everything about a user who purchased a non-free app from Google Play.

Is there a concern with free apps? I understand Google "knows" I installed any app installed through Google Play.

OK, this is already way too long, but since I'm on my phone, it's really long.

Thank you,
Stan

1mobile permissions

Wow. I just looked at 1mobile's permissions.

Very demanding. That sux.

Among others, it wants:

Read phone status and identity.
Read your contacts.
Find accounts on the device.

Bummer.

Yeah, I don't think that

Yeah, I don't think that looks like a good idea. Maybe if you work very hard, you can stay private from them, but I'd rather not have to have software on my phone that is my enemy.

My advice would be to not use closed-source apps. Closed-source apps are also my enemy, especially if they can update themselves! Who knows what the next update will bring? I guess it's supposed to ask you if it needs escalated privileges, but something like "internet access" might be okay to grant the first time around, but then an update comes along that misuses that internet access, and you don't have a chance to veto it or inspect what it's doing.

To me, if there isn't an open-source app for that, there isn't an app for that. I don't need Angry Birds that bad.