So in light of a few recent but private discoveries, I really feel it's time I started raising awareness on security-related topics.
@moderators and @wendell feel free to chime in or move my discussion. I was not sure where to place it.
Since this is my first post on the topic/potential series, I will preface it with this: this is not a full guide or how-to on how to make yourself hack-proof or anonymous etc. This is not the place for full-on tinfoil hat. If you want to do that, head over to 0x1Sec or other security forums to do so LOL.
Basically what this will be is a place where I share my finds, maybe some insights or just a cool new app or program that I think is good for anybody's security practices to use.
That being said, I could possibly start focusing on OS sec and stuff, but for now I will keep it simple and, without needlessly making this TLDR, let's talk about one of the apps I have been using for a very long time.
As we all know, we live in a technological world where we rely on our cellphones and SMS to send messages and do business every day. However, despite some security measures taken by cell phone providers, SMS is still an insecure service and sometimes a vulnerability in an otherwise secure working environment.
Of course the best practice is to never send sensitive data via SMS; however, sometimes I can see the merit in wishing to do so.
Let us talk a little bit about why SMS is insecure. Highlighting the obvious in particular.
In theory SMS messaging is not secure. Why?
* You cannot guarantee who is in possession of the phone.
* The protocols governing transmission of SMS are not encrypted (SMPP, SS7, MM4 for interoperator connectivity, EAIF).
* Many channels, providers and operators can sit between the origin of the message and the receiving handset, meaning information could be compromised at any point.
* SMS works on a store-and-forward basis, so information remains on providers' systems, operators' systems and the handset itself indefinitely; it can, however, be deleted on the receiving handset.
* As considerable as messaging volumes are for both A2P and P2P, the unique identifier, the mobile number, is freely available, meaning compromised systems would be relatively easy to query for the desired messages.
Well, what's the solution? Can I still use my number and text securely? The answer is yes, albeit with a caveat. The application I am about to mention provides end-to-end encryption; however, you need both endpoints to be running the application and in a secure mode, obviously. Other than that, the app is easy to use and set up.
The application is called Signal, and I will show you the installation process and some of its menu options etc. without revealing too much. I have temporarily disabled the security option that blocks my screenshots for the sake of this post.
Well, looks like the app is so secure it starts out in that mode and doesn't let me screenshot registration. I am not complaining; this is good. Basically you start it. It asks for your phone number to register it with the Signal SMS delivery system, and then you can invite friends and import your system SMS messages.
Another factor that makes Signal secure is that all the code is open source, which means anyone can look at how the app is written. That doesn't mean hackers can break Signal's encryption (which is virtually uncrackable due to it being AES256–SHA3-512–RSA4096 as the cipher technology), but it does mean security experts and users can check that Signal is maintaining the high privacy standards that it says it is, which is good. After all, the more eyes trying to spot the bug, the higher the likelihood of it being found.
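The two points above, that a plaintext SMS is readable and retained at every store-and-forward hop, while an end-to-end encrypted message only ever exists as ciphertext outside the two handsets, can be modelled in a few lines. This is an added example written for this thread, not Signal's code or protocol: the relay chain, the toy cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) and the random session key are constructed for illustration of the principle only.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed relay chain: the providers and operators that sit between the
# origin of a message and the receiving handset, each storing its own copy.
RELAY_CHAIN: List[str] = ["origin carrier SMSC", "interoperator gateway", "destination carrier SMSC"]

NONCE_LEN = 16
TAG_LEN = 32


def send_plain_sms(text: str) -> Dict[str, object]:
    """Plaintext SMS: every store-and-forward hop keeps a copy and can read it."""
    stored = {hop: text.encode() for hop in RELAY_CHAIN}
    return {
        "delivered": text,
        "readable_by": [hop for hop, copy in stored.items() if text.encode() in copy],
    }


def new_session_key() -> bytes:
    """Fresh random session key; models resetting a secure session to start anew."""
    return secrets.token_bytes(32)


def _derive(session_key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the session key with fixed labels.
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode. Illustration only, not Signal's cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def e2e_encrypt(session_key: bytes, text: str) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC), computed on the sender's handset."""
    enc_key, mac_key = _derive(session_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = text.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def e2e_decrypt(session_key: bytes, blob: bytes) -> Optional[str]:
    """Returns the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _derive(session_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plain.decode()


def relay_e2e(session_key: bytes, text: str, tamper: bool = False) -> Dict[str, object]:
    """End-to-end encrypted message through the same relays: hops store only ciphertext."""
    blob = e2e_encrypt(session_key, text)
    stored = {hop: blob for hop in RELAY_CHAIN}
    if tamper:
        # Model a hop altering one byte in transit; the recipient's MAC check rejects it.
        blob = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    return {
        "delivered": e2e_decrypt(session_key, blob),
        "hops_seeing_plaintext": [hop for hop, copy in stored.items() if text.encode() in copy],
    }


if __name__ == "__main__":
    print(send_plain_sms("meet at 5"))
    key = new_session_key()
    print(relay_e2e(key, "meet at 5"))
    print(relay_e2e(key, "meet at 5", tamper=True))
```

The plaintext path reports every hop as able to read the message; the encrypted path delivers the same text with no hop seeing plaintext, and a message altered in transit or encrypted under a different session key decrypts to `None` rather than to garbage, which is the property the lock icon in the app is signalling.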
So let's look at the menus. I might have gone in reverse order, but eh, it does not matter lol.
In the advanced section you turn Signal on, like I have done, as the default provider for messages and calls, which means if the other end does not have Signal it will fall back, but it will always try the secure transmission first and alert you and give you an invite link for that person if they do not have it. Something I have found useful for spreading awareness.
The appearance section is self-explanatory, though the plus side to this app is that it offers some dark themes, which undoubtedly some people will find useful.
The SMS section allows you to fine-tune the SMS and MMS capability, where you can enable delivery reports and ensure it's compatible with Wi-Fi calling. Something which you cannot find in a lot of third-party messaging apps, especially the secure ones. I have to hand a +1 to that seamless integration.
There is a notification menu where you can fine-tune the important stuff and the priority. I have mine set to high because it makes me feel better about sending messages with a high priority, but I am positive it probably does not do much LOL unless you have that service extension. Which is good to see, that it can integrate with that level of service. I expect a lot from an application like this to provide a seamless experience.
Here is an example of a conversation between myself and my friend Mike LOL. THOUGH UHM COUGH I SHOULD HAVE bleeped out more. Other than peering into my private life, take a look at the timestamps and notice the double check mark and the lock icon. This is the app letting you know it was a secure and successful transmission. Various settings are included that allow you to set disappearing messages… view all media ever sent (EXCEPT disappearing messages). Conversation settings allow you to change the background color… the notification settings etc. Reset Secure Session destroys all data and restarts anew with a new and differently salted cipher to ensure a clean and secure new session. Attachments can be sent, however there is a limitation: one at a time, as the Signal app does need to verify and encrypt each one. This is a limitation I hope they overcome in the future.
Chat settings are provided in the settings menu to provide the same experience as the AOSP messenger programs, which also feature message trimming if you have limited space.
The privacy section is fantastic. I like the fact you can set a timeout passphrase, you can relay all SMS and calls through a Signal server (VPN), and you can have screen security block screenshots. Something I just turned back on.
So in light of the application tour, I would just like to say it gives me comfort to know apps like this have been developed. I contacted Signal via email and they gave me a lengthy explanation of how they safeguard the data from ever being kept or stolen through their servers. Needless to say, I am going to take their word for it given the extensive proof they gave me. In addition to that, their security FAQ is extremely well kept and worth the read.
https://support.whispersystems.org/hc/en-us/sections/202710618-FAQ
If you are convinced, here are the links to your favorite device stores:
Android:
Apple:
No Windows Phone support, sorry.
So let me know what you think below in the comments, and feel free to ask questions and bring up important points I am sure to have missed.