Eliminating the risk of an unknown key-share attack is possible

Nov 3, 2014 15:33 GMT

After performing a security audit on TextSecure, an Android chat client that claims to preserve the authenticity and confidentiality of messages, researchers found it to be trustworthy, save for an unknown key-share attack, for which mitigation techniques exist.

The app is available on Google Play and is integrated into CyanogenMod, an open-source distribution of the Android OS maintained by a large community.

Researchers at the Ruhr University Bochum performed a set of security checks on TextSecure in order to verify its end-to-end text encryption capabilities. The app is designed for the security-conscious and can be used for encrypting SMS text as well as multimedia and instant messages.

In a highly technical paper called “How Secure is TextSecure?,” the security protocol behind the app is analyzed, and some minor flaws are revealed along with the unknown key-share attack.

Researchers dissected the protocol flow

Since TextSecure is open source, the researchers had no trouble examining its code to check how encryption was implemented and whether a risk of compromise existed.

To better understand how the encryption works, the researchers distinguished several stages in the protocol flow, which they named registration, sending/receiving a first message, sending a follow-up message and sending a reply.

The unknown key-share (UKS) attack was described through an analogy that most users can easily understand.

“Bart wants to trick his friend Milhouse. Bart knows that Milhouse will invite him to his birthday party using TEXTSECURE (e.g., because Lisa already told him). He starts the UKS attack by replacing his own public key with Nelson’s public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered, as that requires less effort than restoring an encrypted backup of the existing key material,” the researchers write.

The next step consists of Bart forwarding to Nelson the message with the invitation from Milhouse, and the trickery is complete. “Thus, Milhouse believes that he invited Bart to his birthday party, where in fact, he invited Nelson.”

TextSecure deemed safe to use as a result of the security audit

A variant of this attack also exists; it relies on intercepting a single message by taking over a WiFi access point and interposing between the two parties.

Mitigation of the UKS risk is also described in the paper, and the issue has been brought to the attention of the TextSecure maintainers.

The conclusion of the German researchers is that TextSecure achieves one-time stateful authenticated encryption and can be safely used for text communication without fear of someone being able to decrypt the messages.