Text messages are an incredibly important, daily tool. You know this already, or you wouldn’t be here. Text messages are also one of the most commonly-targeted communication methods, precisely because of how ubiquitous they are. Independent hackers, corporations, marketers, and government agencies all want to intercept your texts for various reasons. Today we’re going to learn how to shut them out.
First, a little necessary background. The word “texting” doesn’t just refer to one thing— it’s more of an umbrella term, used to denote a couple technically different types of communication. To secure our stuff, we have to get a quick rundown of what the different types are.
1. “True” texting uses the SMS/MMS protocol. These are “green bubble” texts if you’re an iPhone user. Most if not all “standard” texts you send from one cell phone to another will probably be SMS-based. SMS messages count against the “texts” included in your data plan, and cell companies have routinely overcharged for them for years.
An SMS message is no more secure than a postcard, and can be intercepted and viewed by anyone with the capability to get between you and the recipient. This means your cell carrier and anyone with direct access to the cell carrier’s systems, local police or investigators using a premade cell phone hijacking system like a Stingray (more on these later), or anyone with a couple hundred bucks and the technical expertise to build an IMSI catcher.
SMS is a dead-end technology as far as security goes. It will probably never get better, and should never be used for sensitive communications.
2. “Data-based” texting uses your cell phone’s data connection to send messages. They don’t count against your carrier’s texting limits. This means everything that isn’t SMS, for all intents and purposes: iMessage (“blue bubble” iPhone texts), WhatsApp, Kik, Line, Facebook Messenger, etc. Any of the “free text” apps are considered data-based texting.
Data-based texts are often more secure, in that they usually feature some kind of encryption, so they usually cannot be read by someone who’s able to listen in on your traffic. However, the operators of these services have the keys to unlock the encryption. WhatsApp, for example, is now owned by Facebook. If you think Facebook doesn’t have an interest in scanning your texts for information they can sell to marketers, you are more credulous than I. Facebook would decrypt, and has decrypted, chats for anyone who comes knocking with a subpoena, and so would any of these other companies.
So what can be done about this? We have to encrypt our text messages so that we can be sure only the sender (that’s you) and the recipient have the keys. Here are a couple applications to do just that:
The first option is Threema, which costs two dollars. Threema is a data-based texting app very similar to WhatsApp, designed to make encryption as painless as possible. They’re based in Switzerland, which has exceptional data-privacy laws. Threema was adopted en masse in privacy-conscious Germany after Facebook purchased WhatsApp, and has become extremely popular among people who frequently text across international boundaries.
Threema uses a simple “three lights” system to indicate the level of security of a given conversation, that is to say, how sure you can be that the person you’re texting is who they say they are. Three green lights means the conversation is perfectly secure, two orange lights means there is a reasonable degree of surety, and one red light means you can’t be sure the person is who they say they are.
To get the three green lights, you scan a QR code (in person!) displayed on the other person’s phone. It’s a simple one-time process designed to provide an extra layer of security, and it works really well. They lay out the process here. The level of encryption remains the same; the lights are just to indicate how sure you can be that it’s the real Slim Shady.
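Why the in-person scan matters, as an added example (a simplified model written for this page, not Threema's code): the app compares the public key shown on your contact's phone with the key the service's directory handed out, so a substituted key is caught. The QR payload layout, the function names, the sample ID and keys, and the reading of orange as "matched to an address-book contact" are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import IntEnum

class Trust(IntEnum):
    RED = 1     # key came only from the service's directory
    ORANGE = 2  # directory also matched the ID to an address-book contact
    GREEN = 3   # key confirmed in person by scanning the QR code

class KeyMismatch(Exception):
    """The key scanned in person differs from the one the directory served."""

def fingerprint(public_key):
    # Short digest for display and logging; the comparison uses the full key.
    return hashlib.sha256(public_key).hexdigest()[:16]

def parse_qr(payload):
    # Hypothetical payload layout "ID,hex-public-key" (not Threema's format).
    contact_id, _, key_hex = payload.partition(",")
    key = bytes.fromhex(key_hex)  # raises ValueError on non-hex input
    if len(contact_id) != 8 or len(key) != 32:
        raise ValueError("malformed QR payload")
    return contact_id, key

def trust_level(contact_id, directory_key, in_address_book, qr_payload=None):
    if qr_payload is None:
        return Trust.ORANGE if in_address_book else Trust.RED
    qr_id, qr_key = parse_qr(qr_payload)
    if qr_id != contact_id:
        raise ValueError("QR code belongs to a different ID")
    if not hmac.compare_digest(qr_key, directory_key):
        raise KeyMismatch(
            f"directory served {fingerprint(directory_key)}, "
            f"phone shows {fingerprint(qr_key)}")
    return Trust.GREEN

# Constructed sample data: an 8-character ID and two 32-byte keys.
CONTACT_ID = "ABCD1234"
REAL_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(32)  # what a tampered directory might hand out
QR_PAYLOAD = f"{CONTACT_ID},{REAL_KEY.hex()}"

if __name__ == "__main__":
    print(trust_level(CONTACT_ID, REAL_KEY, False))
    print(trust_level(CONTACT_ID, REAL_KEY, True, QR_PAYLOAD))
    try:
        trust_level(CONTACT_ID, SUBSTITUTED_KEY, True, QR_PAYLOAD)
    except KeyMismatch as err:
        print("do not trust this contact:", err)
```

A mismatch means the key you were about to encrypt to is not the one on your contact's phone, which is exactly the case the red and orange levels cannot rule out.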
The drawback to Threema is that it is not “open source” software— independent people who know what they’re doing cannot read the source code of the app to be 100% sure there are no secret back doors. Chances of this are very remote, but there is still necessarily a small amount of trust which must be placed in the developers. This may or may not be an acceptable risk for you.
The second (free!) option is TextSecure, for Android. Its iPhone counterpart is Signal, which currently only supports encrypted voice calls but will have texting added soon. TextSecure is an open-source encrypted texting app released by Whisper Systems, headed up by well-known hacker and security researcher Moxie Marlinspike. It is still a little shaky in some ways, but it will probably be the secure-texting app of choice once it gets a little polish and a solid iPhone version. Watch this space.
The biggest challenge with these applications is going to be getting your friends to jump ship to the new service. Threema tries to make the process as painless as possible, scanning your address book and automatically adding people who also have the app installed. If they switched to WhatsApp before, surely they can do it again with the promise that your awful selfies and text-based fanfic will be secure from prying eyes.
(Want to test Threema, but don’t have any friends on it yet? Send me a message at UKX9YWN4.)