I'm looking for a few project apps that developers may have abandoned or moved on from. If you have code laying around and don't mind someone else taking the reigns, please PM me. I'll be happy to take it over and give it a second life.
I'm not bored, development is my hobby, but if you want, you may continue my work on the barcode scanner (see my signature).
I can add you to the project contributors or owners, but please proof what you really like to work on this project first.
You could try to make some kind of call reminder or continue with haret project, if developers agrees. Just a thought
Hmm, that barcode scanner is intriguing. I'm working on an app for good reads and being able to scan barcodes would be nice, the only downside being is the app i'm writing is for marketplace ingestion, is there a branch that doesn't use undocumented apis to achieve barcode scanning support?
It was developed a long time ago; and official camera API was closed at that moment. Now you may (if you really want to) refactor the app to use official API. By the way, I still don't understand what you are trying to achieve. You just want to reuse someones code for your own commercial project?
Not doing any commercial projects, I just want whatever I pickup and run with to be able to be on marketplace for all to see, not just rooted devices.
There is a lot of "Abandonware" on the marketplace that could see new life with some cleanup for proper tombstoning, mango support, new controls, tuning and some refreshing. I was just wondering if any devs had any such apps.
Obviously I wouldn't take something and commercialize it, never my goal. I try and open source it if at all possible on github or codeplex.
I would definitely be interested in re-factoring the app to use camera API, I think that would be a fun project to Segway into my goodreads app where I want to be able to manage books/libraries by barcode scanning as well
So, what the problem? If you are really like to improve that project on the open source principles - just go ahead and let me know But... Barcode recognition now included to the WP7 bits (and it works pretty well) so you need to do something special...
blahism said:
[..]
I would definitely be interested in re-factoring the app to use camera API, I think that would be a fun project to Segway into my goodreads app where I want to be able to manage books/libraries by barcode scanning as well
Click to expand...
Click to collapse
Take a look at the ZXing barcode scanning library. It supports many barcodes.
Here you'll find a implementation to read QR codes on WP7. In the original blogpost you will find ways to properly enable other barcode types.
This library/control will pass Marketplace certification. (I have a App in the Marketplace that uses this library/control)
Some of us use Textsecure as replacement for Stock SMS app. Textsecure provides encryption for your SMS. However, my recommendation is: stay away or at least don't update to 2.X... versions.
The developer has introduced Google Cloud Messaging, which means that even if your sms are secure, the fact you are using the app will be recorded in Google Centralized database. In addition, he removed the ability of the user to regenerate new identity key. In last couple of releases, he forced the user to allow the app to contact the internet (otherwise, the app would crash). That is even if you compile the app from sources, which I did a couple of hours ago. If you download the app from Store, you can't even use it without Google account and GSF, the latter will record your every keystroke including the password used to encrypt the messages. In further addition, the app is only available through Googleplay and the developer is actively resisting third party distribution. If that is not enough, you should know that Whisper systems is owned by Twitter, which is a red flag in of itself. The code is growing larger and is more difficult to examine for back door purposes.
My advice: stay away from this development, which in my view is compromised...
Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on Textsecure and it is published under Whisper, which is Twitter. About the same time, all those things described above started to happen. Also interesting is that the developer was put on federal watch list and was continuously harrased by various agencies when flying. So, I wouldn't be surprised to learn that his new employer is the previous harraser...
All more reasons to stay away from this app.
optimumpro said:
Some of us use Textsecure as replacement for Stock SMS app. Textsecure provides encryption for your SMS. However, my recommendation is: stay away or at least don't update to 2.X... versions.
The developer has introduced Google Cloud Messaging, which means that even if your sms are secure, the fact you are using the app will be recorded in Google Centralized database. In addition, he removed the ability of the user to regenerate new identity key. In last couple of releases, he forced the user to allow the app to contact the internet (otherwise, the app would crash). That is even if you compile the app from sources, which I did a couple of hours ago. If you download the app from Store, you can't even use it without Google account and GSF, the latter will record your every keystroke including the password used to encrypt the messages. In further addition, the app is only available through Googleplay and the developer is actively resisting third party distribution. If that is not enough, you should know that Whisper systems is owned by Twitter, which is a red flag in of itself. The code is growing larger and is more difficult to examine for back door purposes.
My advice: stay away from this development, which in my view is compromised...
Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on Textsecure and it is published under Whisper, which is Twitter. About the same time, all those things described above started to happen. Also interesting is that the developer was put on federal watch list and was continuously harrased by various agencies when flying. So, I wouldn't be surprised to learn that his new employer is the previous harraser...
All more reasons to stay away from this app.
Click to expand...
Click to collapse
And here is some more fresh evidence. Today I posted this info on Cyanogen site related to Textsecure Push for CM.
http://www.cyanogenmod.org/blog/whisperpush-secure-messaging-integration
The site says it is neither censored no monitored. Within 5 minutes, the post has disappeared... . So, stay away from this app as the development has been compromised. In my view, of course...
You have no clue what youre talking about.
Corndude said:
You have no clue what youre talking about.
Click to expand...
Click to collapse
Thanks, pal... for a very, very thorough, thoughtful and factual argument.
Edit: by the way, what does no gapps project have to do with textsecure being compromised?
Thanks for the heads up. Something is really amiss, and I won't want to directly experience it. I'm staying away from TextSecure for sure.
abdelazeez said:
Thanks for the heads up. Something is really amiss, and I won't want to directly experience it. I'm staying away from TextSecure for sure.
Click to expand...
Click to collapse
Most messenger apps today work with Google Push Notifications, seems to be no problem for people there. Funny that it is here. As for SMS, I would never use that through another app. Besides, the phone carrier companies save those probably too, whats so different with that you said ? Text Secure is a very nice app I think. Right now people on iOS don't have that app yet, which makes it hard to establish in mixed system userbases among people. But I hope that will change.
Besides, most people here probably use Twitter. Funny to complain about something that might be related to Twitter then, isn't it ?
Wolfseye
wpkwolfseye said:
Most messenger apps today work with Google Push Notifications, seems to be no problem for people there. Funny that it is here. As for SMS, I would never use that through another app. Besides, the phone carrier companies save those probably too, whats so different with that you said ? Text Secure is a very nice app I think. Right now people on iOS don't have that app yet, which makes it hard to establish in mixed system userbases among people. But I hope that will change.
Besides, most people here probably use Twitter. Funny to complain about something that might be related to Twitter then, isn't it ?
Wolfseye
Click to expand...
Click to collapse
The difference is that Textsecure/Whisperpush/CMpush tell you your SMS are encrypted. If they are indeed encrypted and there are no backdoors, your carrier (and others) can only get encrypted SMS (good luck to them trying to decipher). All other SMS apps are in plain text. In my view earlier versions of Textsecure are indeed secure. Starting from version 2.X, we no longer know that considering all the facts I mentioned in the OP.
You should really get your facts straight. Twitter bought Whisper Systems in 2011, mainly to get Moxie and the other Whisper Systems folks to work for them.
Moxie went on to lead Twitters security team. Twitter allowed them a month or so after they aquired Whisper Systems to open source their apps TextSecure and RedPhone. In January 2013 Moxie left Twitter and started Open Whisper Systems with a few others. They took the newly open sourced apps and developed them further.
This is also covered in their FAQ.
You can see all of their code on GitHub.
And if you don't have GAPPS installed, you will simply get a message that you won't be able to use push messages and that's it. Several friends of mine use it for SMS only, with Xprivacy restricting the internet access. It doesn't crash or anything.
If you experience this, you may either have a problem with your build or it's a bug specific to your device/Android version.
Moxie also wrote exactly why he doesn't want TextSecure to be released via F-Droid: for security reasons. They use central signing, which may very well compromise the update channel.
The whole discussion can be found in the most infamous thread in their GitHub: #127
lindworm said:
You should really get your facts straight. Twitter bought Whisper Systems in 2011, mainly to get Moxie and the other Whisper Systems folks to work for them.
Moxie went on to lead Twitters security team. Twitter allowed them a month or so after they aquired Whisper Systems to open source their apps TextSecure and RedPhone. In January 2013 Moxie left Twitter and started Open Whisper Systems with a few others. They took the newly open sourced apps and developed them further.
This is also covered ir FAQ.
You can see all of their code on GitHub.
And if you don't have GAPPS installed, you will simply get a message that you won't be able to use push messages and that's it. Several friends of mine use it for SMS only, with Xprivacy restricting the internet access. It doesn't crash or anything.
If you experience this, you may either have a problem with your build or it's a bug specific to your device/Android version.
Moxie also wrote exactly why he doesn't want TextSecure to be released via F-Droid: for security reasons. They use central signing, which may very well compromise the update channel.
The whole discussion can be found in the most infamous thread in their GitHub: #127
Click to expand...
Click to collapse
Which fact did I not get straight? You can't get the app anywhere other than from Googleplay and for Googleplay you need GSF, which records your every keystroke. And by the way, try to restrict getnetworkinfo in internet settings in Xprivacy and the app will crash as soon as you try to open a conversation (checked on several devices). And why was it necessary to prevent users from generating new identity key? Why not have an app available on Whisper's github, as many devs do. And by the way, I asked the same questions on github and f-droid threads and in response got a suggestion to build an equivalent of Google's GCM, so then Moxie would stop using Google.
optimumpro said:
Which fact did I not get straight? You can't get the app anywhere other than from Googleplay and for Googleplay you need GSF, which records your every keystroke. And by the way, try to restrict getnetworkinfo in internet settings in Xprivacy and the app will crash as soon as you try to open a conversation (checked on several devices). And why was it necessary to prevent users from generating new identity key? Why not have an app available on Whisper's github, as many devs do. And by the way, I asked the same questions on github and f-droid threads and in response got a suggestion to build an equivalent of Google's GCM, so then Moxie would stop using Google.
Click to expand...
Click to collapse
You are not even trying to learn/understand why things are done the way they are done, but instead chose to blast an open source project by a security expert who has spoken at defcon various times and who is on a national security list and gets severely hassled by the TSA every time he tries to travel because of his involvement with secure communication projects.
You don't show the slightest form of objectiveness either. The truth content of what you are writing varies between "flat out wrong" and "there is a reason for how they do it that way, which you either didn't care to research or willingly ignored".
1. You can sideload the apk either from http://apps.evozi.com/apk-downloader/ or any of the dozens of sites that mirror packages from the app store.
They do not provide apks because it is a security risk: there is no automated upgrade channel from where a user can get a new version which may fix serious security flaws.
Everybody who is able to compile from source however should understand the importance of updating regularly and can do so on his/her own.
Moxie stated all of that in the github ticket I linked to.
2. GSF doesn't record your keystrokes.
3. If you had bothered to look it up, getNetworkInfo returns if a certain interface (like wifi) is used for internet.
This leaks no interesting information whatsoever. And it especially doesn't mean that TextSecure doesn't work without internet, because this permission does not give an app internet access. Xprivacy actually expects this behaviour by apps, that's why those fields are by default not restricted even if you restrict internet access of an app.
The program crashes without this, because it expects to get a needed value returned, which you chose to block. This is not something they willingly built in, to stop you from using it without Google Play.
If you can't manage the complexity of the permissions, you should use a simple firewall like AFwall+ to restrict internet access.
4. This was probably removed because it doesn't add any significant security and adds clutter to the user interface, because average users have no idea what it's for. The identity keys you are talking about are long term identity keys. TextSecure uses different keys in every message and actually uses the most secure protocol I know of. It has excellent forward secrecy, future secrecy and deniability. More so than OTR, which it is derived from.
You can learn more about that in their blog:
https://whispersystems.org/blog/simplifying-otr-deniability/
https://whispersystems.org/blog/asynchronous-security/
https://whispersystems.org/blog/advanced-ratcheting/
5. You asked them to not use the only free world wide push network that has contracts with all major providers to not kill idle TCP connections.
Moxie always answered that they would love to use something else, but none exists. And that they don't have the resources to build a push network themselves.
This is all in the comments to https://whispersystems.org/blog/the-new-textsecure/ and on ycombinator:
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfxhm?context=3
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfrv0?context=3
They are however working on using emails as identifiers and websockets as an alternative to GCM. Websockets are already implemented on the server side and people are working on the client side.
Right now you can use encrypted SMS without GCM, no problem at all. If you want to use it over the internet, you can help to speed up the websocket development:
https://github.com/WhisperSystems/TextSecure/issues/1000
lindworm said:
You are not even trying to learn/understand why things are done the way they are done, but instead chose to blast an open source project by a security expert who has spoken at defcon various times and who is on a national security list and gets severely hassled by the TSA every time he tries to travel because of his involvement with secure communication projects.
You don't show the slightest form of objectiveness either. The truth content of what you are writing varies between "flat out wrong" and "there is a reason for how they do it that way, which you either didn't care to research or willingly ignored".
1. You can sideload the apk either from http://apps.evozi.com/apk-downloader/ or any of the dozens of sites that mirror packages from the app store.
They do not provide apks because it is a security risk: there is no automated upgrade channel from where a user can get a new version which may fix serious security flaws.
Everybody who is able to compile from source however should understand the importance of updating regularly and can do so on his/her own.
Moxie stated all of that in the github ticket I linked to.
2. GSF doesn't record your keystrokes.
3. If you had bothered to look it up, getNetworkInfo returns if a certain interface (like wifi) is used for internet.
This leaks no interesting information whatsoever. And it especially doesn't mean that TextSecure doesn't work without internet, because this permission does not give an app internet access. Xprivacy actually expects this behaviour by apps, that's why those fields are by default not restricted even if you restrict internet access of an app.
The program crashes without this, because it expects to get a needed value returned, which you chose to block. This is not something they willingly built in, to stop you from using it without Google Play.
If you can't manage the complexity of the permissions, you should use a simple firewall like AFwall+ to restrict internet access.
4. This was probably removed because it doesn't add any significant security and adds clutter to the user interface, because average users have no idea what it's for. The identity keys you are talking about are long term identity keys. TextSecure uses different keys in every message and actually uses the most secure protocol I know of. It has excellent forward secrecy, future secrecy and deniability. More so than OTR, which it is derived from.
You can learn more about that in their blog:
https://whispersystems.org/blog/simplifying-otr-deniability/
https://whispersystems.org/blog/asynchronous-security/
https://whispersystems.org/blog/advanced-ratcheting/
5. You asked them to not use the only free world wide push network that has contracts with all major providers to not kill idle TCP connections.
Moxie always answered that they would love to use something else, but none exists. And that they don't have the resources to build a push network themselves.
This is all in the comments to https://whispersystems.org/blog/the-new-textsecure/ and on ycombinator:
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfxhm?context=3
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfrv0?context=3
They are however working on using emails as identifiers and websockets as an alternative to GCM. Websockets are already implemented on the server side and people are working on the client side.
Right now you can use encrypted SMS without GCM, no problem at all. If you want to use it over the internet, you can help to speed up the websocket development:
https://github.com/WhisperSystems/TextSecure/issues/1000
Click to expand...
Click to collapse
Your original statement was that I got my facts wrong. Since you have not cited any instance where I came up with a wrong fact, I will address your opinions.
Number one: you say GSF does not record keystrokes. How do you know? Have you seen the source (which is closed)? If you did, you work for Google and then everything you say is propaganda that has zero factual value. If you don't, then you are just speculating. You pick whichever is worse. If you use Google proprietary blobs, your device is totally open and there is no security measure/app on earth that is effective against this. That GSF phones home at regular intervals and transmits data there is a known fact. You can use encryption from Mars and yet it won't work because raw data (before encryption) is open to Google. As another user noted, having GSF and other closed source apps is like having a lock installed on your house door and not knowing who has access to it besides you.
Number two: inability to generate new identity key: It was there for a reason, the same way PGP or GPG keys have the ability to be limited in time, revoked or regenerated. It is a good security standard and removing it represents weakening. Clutter? LOL. A regular user wouldn't even be able to find it. Certainly, it does not pop up anywhere, one has to find it.
Number three: Sideload or compiling: a regular user will do neither, he/she will simply download the app from the market, which means he has to have Google blobs. Or you are suggesting that users should download the app from the market and then remove GSF and other Googleapps? LOL again.
As I said earlier, Moxie's argument that allowing third party apps on your device is a greater security risk than having closed source blobs is wrong and grand BS (especially coming from someone who is considered a security expert). It is security through obscurity, which is no security at all. The value of his open source project is completely defeated by having closed source blobs by a known private branch of known three letter agencies.
Now, these are facts. Let's get to opinions. I think that this deliberate weakening of security (again coming from a security expert) is a strong indication that development and/or developer has been compromised. And that is why I recommend to stay away from this app. But that is just my opinion, which is nonetheless based on facts.
optimumpro said:
Your original statement was that I got my facts wrong. Since you have not cited any instance where I came up with a wrong fact, I will address your opinions.
Click to expand...
Click to collapse
Do you even read what I write?
If that is not enough, you should know that Whisper systems is owned by Twitter, which is a red flag in of itself.
Click to expand...
Click to collapse
As I explained he does now work there any more.
You seem to have noticed that too:
Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on Textsecure and it is published under Whisper, which is Twitter.
Click to expand...
Click to collapse
Are you kidding me? How the flying **** did you get to this conclusion? The company that was bought by twitter was Whisper Systems.
They are publishing the new source under Open Whisper Systems. (none of those was ever called Whisper)
See the difference? They also state this here: http://support.whispersystems.org/customer/portal/articles/1474591-is-textsecure-owned-by-twitter-
And here is some more fresh evidence. Today I posted this info on Cyanogen site related to Textsecure Push for CM.
http://www.cyanogenmod.org/blog/whis...ng-integration
The site says it is neither censored no monitored. Within 5 minutes, the post has disappeared... . So, stay away from this app as the development has been compromised. In my view, of course...
Click to expand...
Click to collapse
So you are saying CyanogenMod is part of this grand conspiracy of yours? Come on...
GSF, which records your every keystroke.
Click to expand...
Click to collapse
Number one: you say GSF does not record keystrokes. How do you know? Have you seen the source (which is closed)? If you did, you work for Google and then everything you say is propaganda that has zero factual value. If you don't, then you are just speculating. You pick whichever is worse. If you use Google proprietary blobs, your device is totally open and there is no security measure/app on earth that is effective against this. That GSF phones home at regular intervals and transmits data there is a known fact. You can use encryption from Mars and yet it won't work because raw data (before encryption) is open to Google. As another user noted, having GSF and other closed source apps is like having a lock installed on your house door and not knowing who has access to it besides you.
Click to expand...
Click to collapse
It's a binary blob and it sends data to google, but you have no proof whatsoever if it records keystrokes. You can know if you want to tough. Decompile it and analyze it. I don't like binary blobs, but you can't just say they do something without having any proof. I may not be able to guarantee that they don't do something, because I have not personally decompiled and analyzed every bit of it, but until you have and have proof that it does do something you can't just claim it does.
Number two: inability to generate new identity key: It was there for a reason, the same way PGP or GPG keys have the ability to be limited in time, revoked or regenerated. It is a good security standard and removing it represents weakening. Clutter? LOL. A regular user wouldn't even be able to find it. Certainly, it does not pop up anywhere, one has to find it.
Click to expand...
Click to collapse
It is not something the average user should have access to, for several reasons. The TextSecure V2 protocol is NOT comparable with PGP/GPG because it has forward secrecy and deniability. The keys that are actually used to encrypt a message are not static as with PGP.
They are derived from the original keys and are changed with every message. No need to change them after X days/months/years.
Even if one key is intercepted, you would only be able to decrypt one message and not every message as it is the case with PGP.
If you get a new key, all your contacts get alerts that your key changed and that somebody may be listening in. That's not something the average user should be exposed to. If you think for whatever reason that you really want to do this, back up your conversations, uninstall TextSecure, install it again, import the backup and you have your new key.
Number three: Sideload or compiling: a regular user will do neither, he/she will simply download the app from the market, which means he has to have Google blobs. Or you are suggesting that users should download the app from the market and then remove GSF and other Googleapps? LOL again.
As I said earlier, Moxie's argument that allowing third party apps on your device is a greater security risk than having closed source blobs is wrong and grand BS (especially coming from someone who is considered a security expert). It is security through obscurity, which is no security at all. The value of his open source project is completely defeated by having closed source blobs by a known private branch of known three letter agencies.
Click to expand...
Click to collapse
Every average user has the google blobs, because they are preinstalled on nearly every phone and it's nearly unusable without them. This app is supposed to make encryption available to the masses.
Google may be undermined by your beloved three letter agencies, but it's not one of them. This is not to hide from them.
You have your threat model wrong.
No app alone can ever protect you from those agencies. They have hundreds of 0days for every platform and will simply own your Android, open source or not.
And this is not what TextSecure tries to do. They protect the content of every conversation with extremely strong encryption, no matter what the transport is. This does protect you from dragnet surveillance. But they can not protect you from someone who targets you and is willing to spend hundreds of thousands or millions to break into your operating systems.
If the NSA really wants you they get you, period. But TextSecure protects you from theives, cyber criminals and nearly everybody else who wants to read your messages.
You say you think the encrypted SMS mode was safe? With this your provider (and thus your government and every agency that wants it) has all the metadata. Who sent something to whom etc.
Google on the other hand has actually LESS meta data, because your phone sends the message to the TextSecure server, which relays the message to GCM. GCM then delivers the message. Because everything is encrypted none of the servers get contact data. But google only gets the receiver, not the sender. Your provider gets everything.
A global passive adversary may still do time corellation attacks, by listening who sends something when and who receives something at this time. After some sessions it's pretty clear who is talking to whom. It doesn't matter if Google is evil or not in this case. They get the metadata if they want to.
If you want protection against something like this take a look at pond, or meet i person: https://github.com/agl/pond
Now, these are facts. Let's get to opinions. I think that this deliberate weakening of security (again coming from a security expert) is a strong indication that development and/or developer has been compromised. And that is why I recommend to stay away from this app. But that is just my opinion, which is nonetheless based on facts.
Click to expand...
Click to collapse
As I explained there is no weakening whatsoever. Even if you consider google the adversary, they get less meta data than your SMS provider.
You can use this exactly as before without the google blobs if you want to.
They are actively working on a way to get away from the play store and GCM by building their own distribution method (which is finished, but not yet released, see #127 in their github) and implementing Websockets (server works, client is on the way).
Before you start slamming something you should really understand how it works, or ask if you understood it correctly.
lindworm said:
Do you even read what I write?
As I explained he does now work there any more.
You seem to have noticed that too:
Are you kidding me? How the flying **** did you get to this conclusion? The company that was bought by twitter was Whisper Systems.
They are publishing the new source under Open Whisper Systems. (none of those was ever called Whisper)
See the difference? They also state this here: http://support.whispersystems.org/customer/portal/articles/1474591-is-textsecure-owned-by-twitter-
So you are saying CyanogenMod is part of this grand conspiracy of yours? Come on...
It's a binary blob and it sends data to google, but you have no proof whatsoever if it records keystrokes. You can know if you want to tough. Decompile it and analyze it. I don't like binary blobs, but you can't just say they do something without having any proof. I may not be able to guarantee that they don't do something, because I have not personally decompiled and analyzed every bit of it, but until you have and have proof that it does do something you can't just claim it does.
It is not something the average user should have access to, for several reasons. The TextSecure V2 protocol is NOT comparable with PGP/GPG because it has forward secrecy and deniability. The keys that are actually used to encrypt a message are not static as with PGP.
They are derived from the original keys and are changed with every message. No need to change them after X days/months/years.
Even if one key is intercepted, you would only be able to decrypt one message and not every message as it is the case with PGP.
If you get a new key, all your contacts get alerts that your key changed and that somebody may be listening in. That's not something the average user should be exposed to. If you think for whatever reason that you really want to do this, back up your conversations, uninstall TextSecure, install it again, import the backup and you have your new key.
Every average user has the google blobs, because they are preinstalled on nearly every phone and it's nearly unusable without them. This app is supposed to make encryption available to the masses.
Google may be undermined by your beloved three letter agencies, but it's not one of them. This is not to hide from them.
You have your threat model wrong.
No app alone can ever protect you from those agencies. They have hundreds of 0days for every platform and will simply own your Android, open source or not.
And this is not what TextSecure tries to do. They protect the content of every conversation with extremely strong encryption, no matter what the transport is. This does protect you from dragnet surveillance. But they can not protect you from someone who targets you and is willing to spend hundreds of thousands or millions to break into your operating systems.
If the NSA really wants you they get you, period. But TextSecure protects you from theives, cyber criminals and nearly everybody else who wants to read your messages.
You say you think the encrypted SMS mode was safe? With this your provider (and thus your government and every agency that wants it) has all the metadata. Who sent something to whom etc.
Google on the other hand has actually LESS meta data, because your phone sends the message to the TextSecure server, which relays the message to GCM. GCM then delivers the message. Because everything is encrypted none of the servers get contact data. But google only gets the receiver, not the sender. Your provider gets everything.
A global passive adversary may still do time corellation attacks, by listening who sends something when and who receives something at this time. After some sessions it's pretty clear who is talking to whom. It doesn't matter if Google is evil or not in this case. They get the metadata if they want to.
If you want protection against something like this take a look at pond, or meet i person: https://github.com/agl/pond
As I explained there is no weakening whatsoever. Even if you consider google the adversary, they get less meta data than your SMS provider.
You can use this exactly as before without the google blobs if you want to.
They are actively working on a way to get away from the play store and GCM by building their own distribution method (which is finished, but not yet released, see #127 in their github) and implementing Websockets (server works, client is on the way).
Before you start slamming something you should really understand how it works, or ask if you understood it correctly.
Click to expand...
Click to collapse
"Decompile GSF"
You are kidding. Aren't you? If one can examine closed source the same way as open one, then all problems would be solved. And by the way, there would be no point in having proprietary software. Would it? Of course Java is easier to reverse engineer, but want to try Oracle's java?
"Google" Google has root access to your device: It can pull/install any application without you noticing it. They can install another version of TextSecure with backdoors. They can do whatever they want or told to. So, if you have Google, there is no point in any security at all. And when a developer forces users to have Google for his app to work, that's no security at all.
Cyanogenmode/Conspiracy? There is no conspiracy. The US has a law that requires providers to have back doors in their software/hardware for law enforcement, and there are wild claims (by those who know (and don't) what they are talking about) of TextSecure as "weapon" against this kind of surveillance. And that is pure bull. All that the app can provide is the false sense of security, while in reality making users more transparent to surveillance.
Phone service providers vs. internet: when you use Textsecure as a pure sms app, your provider gets gibberish, but they have no way of knowing what you are using. With GCM/GSF/Googleplay, they know exactly what you are doing, as you are marked as using this particular app. So, Moxie is making life of "survaillors" much easier.
Thanks for telling me to uninstall the app if I want to generate new key. So, if I do it this way, you think my contacts won't receive a message that my key has changed?
Here is how I began to suspect foul play: First I noticed the app wanted access to the internet, then I discovered that I can no longer generate a new key, then I went to read about F-droid/Whisper problems. Then I read that he wants the app be available through Google only, because he cares about security and does not want users to allow third party apps (BS). Then I read about feds harassment. You think the 3 letter agencies wouldn't like to have him?
In my view, Moxie's arguments no longer make sense. And by the way, when he is against the wall, he tells you to create a world wide push service - alternative to GCM. LOL.
For me that's enough to stay away from the app. Others will decide accordingly...
Does anybody work on an alternativ push service in order to replace hard requirement on Google services for TextSecure, Redphone and lots of other useful apps?
I understand that GAPPS are needed to run textsecure.
Is it possible/ has anyone succeed to get it to run with the no GAPPS apps such as the blank store etc or is the app relying too much on google infrastructure?
i can use textsecure sms without internet. besides registering with push is not mandatory at all so the crash you've experienced must be a bug in the version of textsecure you're using. also why compare it to pgp/gpg? textsecure uses otr with improvements to deniability and forward secrecy. also textsecure supports mms (which uses internet).
if you're really that paranoid, avoid android at all and stop spreading FUD claiming it to be fact. i don't find the statement factual at all. it lacks any evidence (show us the code with the backdoor first).
and also avoid openguardian project too as they conspire with textsecure since they are recommending it.
and by the way, whisper and openwhisper are different.
It really is ashamed when misinformed people comment on things they do not have enough information to intelligently speak about. Especially when it discourages people from using an application that is one of the only current means of communicating over SMS in a secure manner. Is it perfect? Certainly not... Security and encryption are never perfect, and there will always be flaws to be found, but to insist that someone such as Moxie Marlinspike is somehow working against the security researcher community in some undercover role as an agent of the government or some corrupt company is really insulting. If you have some absolute proof, or even a reasonable solid suspicion, please share it, but otherwise do not taint these incredible people with false accusations. Learn a bit about encryption, reverse engineering, and packet inspection, and then come back and give an intelligent analysis of your findings of the application you suspect to be playing some nefarious role. Until then, your accusations are completely unfounded and damaging to the community as a whole. There are many people who have worked hard to make this product a reality, and I believe they should be praised for their efforts. Obviously these are my own opinions, and you are free to dismiss them outright as you have done to others in previous posts. In addition, I realize I am not an active member of the xda community, but I am an active member of the security/reverse engineering community. My job and nearly all of my free time is spent reverse engineering software and I see no basis for your accusations.
Here is more update on Textsecure: there was a major vulnerability found last October-November. And Moxie's response (not surprisingly) - fixing "feels pretty cumbersome" and "I dunno."
Also, Open Whisper is now accepted into the family of such a bastion of privacy, as Facebook (kids love it, NSA approves). So, If you had any doubt about this app before, now you can sleep well at night (sarcasm).
https://moderncrypto.org/mail-archive/messaging/2014/001029.html
https://moderncrypto.org/mail-archive/messaging/2014/001030.html
To those who like to attack the messenger ( I call them Google thugs or pacifier babies). One says decompile GSF, the other - false accusations and absolute proof?! Wake up and get the pacifier out of your mouth. There is no such thing in real life. I give you the dots, you can't connect them with the pacifier in your mouth.
Here is some more damning evidence that Textsecure is a totally compromised project no longer to be trusted: during 2013-2014 Open Whisper Systems received over $1.3 mln from BBG, which is an arm of US Government and its 3-letter-agencies.
http://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/
So, Moxie, it appears, has turned from someone who was harrased by TSA in airports (presumably for a failure to cooperate with the government) to a receipient of major funds from the same government. I am not even talking about him getting a once in a life-time project to work on "securing" Facebook's What's up application. Pitty and shame...
Replacement for Textsecure
Here is a pure sms app, which replaces compromised Textsecure, as well as stock messaging. There is no over the internet messaging, no google binaries and no Google Services Framewor all closed sourse. In addition, starting from version 2.7, textsecure no longer encrypts SMS. Pitty.
Here is the latest version: http://forum.xda-developers.com/android/apps-games/sms-secure-aes-256-t3065165
LineageOS will have any theme engine like cyanogenmod?
Since it will be based on CM: It's most likely. The current seems to be as following:
Based on CM13 code: Theme Engine will get included like it was in CM13. No differences for now as I can see.
Based on CM14 code: Theme Engine is in development and first signs to get closer to it, are done by today: LineageOS/android_packages_providers_ThemesProvider by Clark Scheff
Reference: https://review.lineageos.org/#/q/theme
I don't see them not including it. That's one of the selling points CM and it will be in Lineage
There is no telling what will happen. You have to remember that it used a propritary frameworks that was part of CM. With all rights to the CM name and everything attached to it could bring in many troubles.
If they were wise they would use the code that is all ready present.
zelendel said:
There is no telling what will happen. You have to remember that it used a propritary frameworks that was part of CM. With all rights to the CM name and everything attached to it could bring in many troubles.
If they were wise they would use the code that is all ready present.
Click to expand...
Click to collapse
If its in cm's open source code. Then the cyanogen company can't do anything about it. There are no 'rights' as open source is open source.
Tweakforce_LG said:
If its in cm's open source code. Then the cyanogen company can't do anything about it. There are no 'rights' as open source is open source.
Click to expand...
Click to collapse
I dont think you have a real firm understanding of the licenses that are involved in android. Only the stock kernel is licensed under the gpl making it completely open source. The rest of android is licensed under the Apache license which is very different and the coded is owned by the person/company that made it. Many people talk about open source when they really dont understand just what it means and what the rights really are. And make no mistake there are rights and rules you have to follow even on something like the kernel source which is "open" Sourced.
i sure hope they include some form of theming capability.some how oms based themes didnt appeal to me,they didnt look as good as the cmte themes.absence of cmte in cm14 kept me frm upgrading and i stayed back in cm13,it offered a good amount of granular control,to mix & match.especially liked the app theming capability,which lets u apply a completely diff theme for the app alone.waiting anxiously as cmte was what got me interested in cm in first place
MickyFoley said:
Since it will be based on CM: It's most likely. The current seems to be as following:
Based on CM13 code: Theme Engine will get included like it was in CM13. No differences for now as I can see.
Based on CM14 code: Theme Engine is in development and first signs to get closer to it, are done by today: LineageOS/android_packages_providers_ThemesProvider by Clark Scheff
Reference: https://review.lineageos.org/#/q/theme
Click to expand...
Click to collapse
Can you tell me what is this "FlipFlap: Apply themes"? I've never heard of it!
@ForgottenDude: As far as I can relate to, FlipFlap is the renaming of ThemeChooser from CyanogenMod.
zelendel said:
I dont think you have a real firm understanding of the licenses that are involved in android. Only the stock kernel is licensed under the gpl making it completely open source. The rest of android is licensed under the Apache license which is very different and the coded is owned by the person/company that made it. Many people talk about open source when they really dont understand just what it means and what the rights really are. And make no mistake there are rights and rules you have to follow even on something like the kernel source which is "open" Sourced.
Click to expand...
Click to collapse
Sorry for bumping this thread, but you Sr. are the only one needing to read the Apache license...The Apache license IS an Open Source license, you can modify and distribute the code. The code is NOT "owned" by anyone.
"You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
You must give any other recipients of the Work or Derivative Works a copy of this License; and
You must cause any modified files to carry prominent notices stating that You changed the files; and
You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works"...
One of the main BIG differences from the GPL is that this is not a Copyleft license, wich means that anyone can do anything they want with the code as long as they provide attribution back and don’t hold you liable...
Also, you must understand that the GPL is a Free Software license, there's a difference between Open Source and Free Software. Apache and BSD are Open Source licenses, GPL is a Free Software license.
Enviado desde mi Nexus 6P mediante Tapatalk
alexiuss said:
Sorry for bumping this thread, but you Sr. are the only one needing to read the Apache license...The Apache license IS an Open Source license, you can modify and distribute the code. The code is NOT "owned" by anyone.
"You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
You must give any other recipients of the Work or Derivative Works a copy of this License; and
You must cause any modified files to carry prominent notices stating that You changed the files; and
You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works"...
One of the main BIG differences from the GPL is that this is not a Copyleft license, wich means that anyone can do anything they want with the code as long as they provide attribution back and don’t hold you liable...
Also, you must understand that the GPL is a Free Software license, there's a difference between Open Source and Free Software. Apache and BSD are Open Source licenses, GPL is a Free Software license.
Enviado desde mi Nexus 6P mediante Tapatalk
Click to expand...
Click to collapse
You are completely missing the fact that with the GPL they have to provide the moded source code. As to where with the apache they do not have to give any source. It is the same thing that that allows OEMs to take android change it and not release the source code. You also see it with rom teams making their source private. Which they have the absolute right to do. The only Code that has to be shared is the kernel. Everything else doesnt.
So before you start trying to tell someone what they know you want to do something a bit more then reading it.
In the end I hope you guys get to use it. I will keep track of the progress on the threads as I would never use a Cm/Los rom personally.
zelendel said:
You are completely missing the fact that with the GPL they have to provide the moded source code. As to where with the apache they do not have to give any source. It is the same thing that that allows OEMs to take android change it and not release the source code.
Click to expand...
Click to collapse
I know that of course, I've been using mostly free software and Linux boxes for 15 years now...
zelendel said:
You also see it with rom teams making their source private. Which they have the absolute right to do. The only Code that has to be shared is the kernel. Everything else doesnt.
Click to expand...
Click to collapse
I knew that too, both Apache and BSD are permissive, you're not obliged to distribute the source code of derivative works. The Kernel is a different story because is GPL'ed.
I don't get what's the point you're trying to make, because although the code is copyrighted, you can STILL use it, make forks and so on. LineageOS (or anyone) CAN use ANY piece of Apache licensed source code of Cyanogen Inc.
The CM theme engine is NOT proprietary software...
EDIT: On other note, I really hope LineageOS team drop CMTE support in favor of OMS, Sony did a pretty good job there. But I don't think this will happen.
Enviado desde mi Nexus 6P mediante Tapatalk
alexiuss said:
I know that of course, I've been using mostly free software and Linux boxes for 15 years now...
I knew that too, both Apache and BSD are permissive, you're not obliged to distribute the source code of derivative works. The Kernel is a different story because is GPL'ed.
I don't get what's the point you're trying to make, because although the code is copyrighted, you can STILL use it, make forks and so on. LineageOS (or anyone) CAN use ANY piece of Apache licensed source code of Cyanogen Inc.
The CM theme engine is NOT proprietary software...
EDIT: On other note, I really hope LineageOS team drop CMTE support in favor of OMS, Sony did a pretty good job there. But I don't think this will happen.
Enviado desde mi Nexus 6P mediante Tapatalk
Click to expand...
Click to collapse
You don't get the part where he sold everything with the cm name. Which could exclude the code for the theme engine. Either way doesn't really matter to me as I would never use a cm or Los based rom or anything to do with it.
zelendel said:
You don't get the part where he sold everything with the cm name. Which could exclude the code for the theme engine. Either way doesn't really matter to me as I would never use a cm or Los based rom or anything to do with it.
Click to expand...
Click to collapse
Where did u get that info?? Nothing was sold. LOL...
The name CyanogenMod IS property of Cyanogen of course but it wasn't sold. And you still can't understand the Apache license...Some portions of code could be copyrighted to Cyanogen Inc. but that does not prevent LineageOS to use the code... Please read the license before talking. Is the exact same thing with the whole Android code, it's copyrighted to Google, but anyone can use the code, modify it, or do whatever they please. Again, please, read the freakin' Apache license.
Enviado desde mi Nexus 6P mediante Tapatalk
alexiuss said:
Where did u get that info?? Nothing was sold. LOL...
The name CyanogenMod IS property of Cyanogen of course but it wasn't sold. And you still can't understand the Apache license...Some portions of code could be copyrighted to Cyanogen Inc. but that does not prevent LineageOS to use the code... Please read the license before talking. Is the exact same thing with the whole Android code, it's copyrighted to Google, but anyone can use the code, modify it, or do whatever they please. Again, please, read the freakin' Apache license.
Enviado desde mi Nexus 6P mediante Tapatalk
Click to expand...
Click to collapse
You might want to go do some research. They sold the cm name and everything that goes along with it. Steve said exactly that.
There is no point in talking about this with you. You really have no idea how this all really works. I can easily take aosp add code to it and close the source. You will see this more and more as more and more developers are closing the source to their roms. Just so people can't use it.
Let me guess you so thing that CM and the cm company were 2 separate things.
Have a read
http://www.androidpolice.com/2016/1...ailure-cyanogenmod-to-reorganize-and-regroup/
It plainly states it has complete control of most of CM.
zelendel said:
You might want to go do some research. They sold the cm name and everything that goes along with it. Steve said exactly that.
There is no point in talking about this with you. You really have no idea how this all really works. I can easily take aosp add code to it and close the source. You will see this more and more as more and more developers are closing the source to their roms. Just so people can't use it.
Let me guess you so thing that CM and the cm company were 2 separate things.
Have a read
http://www.androidpolice.com/2016/1...ailure-cyanogenmod-to-reorganize-and-regroup/
It plainly states it has complete control of most of CM.
Click to expand...
Click to collapse
Omg... You really need a text comprehension lesson... Who sold the CM name? Nothing was sold, when Kondik and the others founded Cyanogen Inc. they trademarked the CyanogenMod name, thus it's now owned by the company...
" I can easily take aosp add code to it and close the source."
You are correct, please, tell us something we don't know...This is one of the freedoms of Apache license. That's precisely what I said before, anyone can grab the code, modify it, and sell it without distributing the source. You can fork a project that uses the Apache licence and can make a derivative work not freely available in opposition to GPL that you are required to share the code of derivative work. But this has nothing to do with LineageOS using Apache licenced software from Cyanogen Inc. do you understand the difference?... If Apache licenced code from Cyanogen Inc. is NOW available, anyone can use it. Jeez...
Basically all you're saying that all Roms in this forum should not exist, because the code of Android is owned by Google... LOL
Again and last time, read the freakin' license.
All the code of CMTE is Open Source software under Apache license, do you understand this part or not???? If you know this, then explain why on earth LineageOS cannot use it????
Enviado desde mi Nexus 6P mediante Tapatalk
alexiuss said:
Omg... You really need a text comprehension lesson... Who sold the CM name? Nothing was sold, when Kondik and the others founded Cyanogen Inc. they trademarked the CyanogenMod name, thus it's now owned by the company...
" I can easily take aosp add code to it and close the source."
You are correct, please, tell us something we don't know...This is one of the freedoms of Apache license. That's precisely what I said before, anyone can grab the code, modify it, and sell it without distributing the source. You can fork a project that uses the Apache licence and can make a derivative work not freely available in opposition to GPL that you are required to share the code of derivative work. But this has nothing to do with LineageOS using Apache licenced software from Cyanogen Inc. do you understand the difference?... If Apache licenced code from Cyanogen Inc. is NOW available, anyone can use it. Jeez...
Basically all you're saying that all Roms in this forum should not exist, because the code of Android is owned by Google... LOL
Again and last time, read the freakin' license.
All the code of CMTE is Open Source software under Apache license, do you understand this part or not???? If you know this, then explain why on earth LineageOS cannot use it????
Enviado desde mi Nexus 6P mediante Tapatalk
Click to expand...
Click to collapse
You know I had a whole big thing typed out but decided to look at your history. Decided it wasnt going to help so we are done.
Sit back and wait and see. Good luck to you.
zelendel said:
You know I had a whole big thing typed out but decided to look at your history. Decided it wasnt going to help so we are done.
Sit back and wait and see. Good luck to you.
Click to expand...
Click to collapse
Whatever...I wonder what will I see. ?
Enviado desde mi Nexus 6P mediante Tapatalk
ForgottenDude said:
Can you tell me what is this "FlipFlap: Apply themes"? I've never heard of it!
Click to expand...
Click to collapse
FlipFlap is the app that is used for phone with quick circle case. It is used to have some limited control and little view on the phone in circle opening of the case without opening the case and unlocking it.
LT__Gruber said:
LineageOS will have any theme engine like cyanogenmod?
Click to expand...
Click to collapse
Announcement from LineageOS about Styles/Themes. With LineageOS 15.1.
Styles
You can now style some aspects of your device by selecting a custom accent color and by choosing between a light or dark interface. A really cool feature we’ve added to this is the (optional) integration with LiveDisplay: during the day the device will have a light theme, and at night some of the interface elements will turn dark, so it’s easier on the eyes. What if this isn’t enough? What if you want your device style to match your wallpaper colors? Automagic will propose you the best colors combination based on your current wallpaper. While this is not a full theming replacement, we hope to satisfy users that requested simple theming capabilities.
Click to expand...
Click to collapse
Read more at https://www.lineageos.org/Changelog-16/
Related Styles API for developers at https://wiki.lineageos.org/sdk/api/styles.html