[Q] First Timer - App Advice Needed - Web App Development

PREMISE
see mockup attachment. fyi, some minor details are left out to protect the premise.
the purpose of the app is to create a countdown clock. and we intend to have different sponsors.
FRONT-END REQUIREMENTS
when the clock expires, it will have beep and vibrate.
to make money, when someone brings up the app on their phone, they would see a coupon from a sponsor company. and upon the launch screen, if the person likes the coupon, they can request to have it e-mailed to them. there's two options to have at this point. a) the app sends me (the app business owner) an e-mail confirming that this individual has requested this coupon. and I'll e-mail it to them whenever I get a chance [but this could get messy if there is a ton of users] b) the app somehow automatically send an e-mail right then and there to the individual [this could be a Day 2 project].
regardless of whether or not the visitor has requested the coupon e-mailed to them, when they click the "ENTER APP" button, they should be transferred to the APP SCREEN.
BACK-END REQUIREMENTS
a. we will NOT store any customer data or e-mails or anything else. we will simply generate a one-time e-mail to that address and that's it.
b. we would like to track a) how many downloads so we can tell potential sponsors b) how often people use the app and how long it's open on their phone for.
c. needs to work on android, IOS and windows phones. we do not care about tablets or computers. smart phones users will be 99% of our audience.
d. we need some sort of back-end or web interface where I can enter in new sponsor names, logos and coupons.
QUESTIONS
1. I'm not going to learn to build this myself. i have no knowledge of how to build one and don't have the time to learn. i plan to hire an overseas freelancer through odesk.com. what program should I ask they use to build this? I've heard terms like swift, xcode, ruby on rails, twitter bootstrap, etc… ideally, is there one go-to popular program that creates a cross-platform compatible app? my fear is that if I have to drop a programmer in the middle of the project and pick up another, will the new person be able to pickup where the last guy left off?
2. how would I go about changing the coupons? and changing the sponsor banner ads? would there need to be some sort of web interface? would I need to purchase a website and hosting account and have some functionality built there? is there some dashboard somewhere else?
3. how big scale a project is this? roughly how many hours should this take a COMPETENT app developer? seems to me like one of the most basic apps you could build but what do I know.
4. at what point does an app get submitted to google play? apple store? windows whatever they have? or do I even need those entities or could I just let people somehow download it from a website? if so, what would I be missing out by not getting it listed under those marketplaces?
5. anything else I have not thought about that I should be aware of?
please advise. thanks in advance!!!

sixrfan said:
PREMISE
see mockup attachment. fyi, some minor details are left out to protect the premise.
the purpose of the app is to create a countdown clock. and we intend to have different sponsors.
FRONT-END REQUIREMENTS
when the clock expires, it will have beep and vibrate.
to make money, when someone brings up the app on their phone, they would see a coupon from a sponsor company. and upon the launch screen, if the person likes the coupon, they can request to have it e-mailed to them. there's two options to have at this point. a) the app sends me (the app business owner) an e-mail confirming that this individual has requested this coupon. and I'll e-mail it to them whenever I get a chance [but this could get messy if there is a ton of users] b) the app somehow automatically send an e-mail right then and there to the individual [this could be a Day 2 project].
regardless of whether or not the visitor has requested the coupon e-mailed to them, when they click the "ENTER APP" button, they should be transferred to the APP SCREEN.
BACK-END REQUIREMENTS
a. we will NOT store any customer data or e-mails or anything else. we will simply generate a one-time e-mail to that address and that's it.
b. we would like to track a) how many downloads so we can tell potential sponsors b) how often people use the app and how long it's open on their phone for.
c. needs to work on android, IOS and windows phones. we do not care about tablets or computers. smart phones users will be 99% of our audience.
d. we need some sort of back-end or web interface where I can enter in new sponsor names, logos and coupons.
QUESTIONS
1. I'm not going to learn to build this myself. i have no knowledge of how to build one and don't have the time to learn. i plan to hire an overseas freelancer through odesk.com. what program should I ask they use to build this? I've heard terms like swift, xcode, ruby on rails, twitter bootstrap, etc… ideally, is there one go-to popular program that creates a cross-platform compatible app? my fear is that if I have to drop a programmer in the middle of the project and pick up another, will the new person be able to pickup where the last guy left off?
2. how would I go about changing the coupons? and changing the sponsor banner ads? would there need to be some sort of web interface? would I need to purchase a website and hosting account and have some functionality built there? is there some dashboard somewhere else?
3. how big scale a project is this? roughly how many hours should this take a COMPETENT app developer? seems to me like one of the most basic apps you could build but what do I know.
4. at what point does an app get submitted to google play? apple store? windows whatever they have? or do I even need those entities or could I just let people somehow download it from a website? if so, what would I be missing out by not getting it listed under those marketplaces?
5. anything else I have not thought about that I should be aware of?
please advise. thanks in advance!!!
Click to expand...
Click to collapse
Hi i have read your long query,The app which you described and checking out the mockups seems to be pretty less complicated and i will give you some answers for it.
1) The best thing to do is make an app in popular cross platform frameworks better use html5 frameworks such a sencha touch,jquery mobile etc with phonegap. Look for developers in this category.
2)Changing the banner ads and coupons is simple.Just host that in your server,app will load those ads and banners whens it loads for the first time ,we can refresh the content later by periodic service calls
3) its a small scale project .Just building the app alone will take atmost 30 hours including creating for 3 platforms and excluding testing.
4) its always better to upload the apps their respecttive stores.Apple wont allow apps to sideload fro other sources.For getting listed on those stores you need to get developer licenses 100$ for apple store,25$ for google play store etc
5)Just be aware that the app should work on all ost of the devices ,gives timely updates etc
also you can track the number of downloads from the respective stores,also you can include some analaytic sdk like flurry etc to get the details like "how often people use the app and how long it's open on their phone for".
i am an Cross platform app developer.If you are interested we can talk in Pm. hope i helped

Related

[DEV] [REQ] C++, rewrite existing code

First I would like to thank the whole forum (with few exceptions that I'd like to not mention here) for the past 2,5 years, which have been very educating for me regarding Windows Mobile as a system. During that whole time I have searched for the perfect simple-to-use, lightweight app for storing and retrieving a grocery list, yet unfortunately I have had to come to the conclusion that it does not exist to this date. There are some existing apps but these are either not simple to use or do not accomplish the simple task at all, or they are too heavy (requiring additionally the .NET framework to be installed for example, etc.).
The idea for the simple software is that one has a changeable groups and items of groceries, from which they can select the already saved ones needed at that shopping day (e.g. during a discussion with girlfriend), and later when in shop they can just check the ones they have already put into basket. I would like to see the person who will argue that it does not easily beat archaic mode of storing information, a.k.a. paper and pen.
I have found an app which, with some relatively small amount of effort can be rewritten to accomplish that task, this software is iContact AE. As far as I understand, there is judicially no problem using the source code from iContact AE as long as following the license restrictions (correct me please if I am wrong). Why AE? Just a selection based on the fact that AE has the most appealing interface and most settings. Of course, this could be a point of discussion, but so far it seems like the best choice.
CAB - http://icontactae.codeplex.com/releases/view/28951
Source - http://icontactae.codeplex.com/SourceControl/list/changesets
I created a possible, chronological tasklist in order to get from iContact AE to the shopping app, whatever it will be called (name suggestions also welcome in due time). Also, I already have a pretty clear vision about
Discuss the usability and feasibility of the selected software / it's source code and it's alternatives (as far as I remember there was the original iContact and some other derivate version).
[*]Create, discuss and review static prototypes of the interface (basically screenshots of each view).
[*]List the requirements to be implemented (or removed).
[*]Code in / remove code according the list from previous task.
[*]Create skin and graphics.
[*]Clean up rest of code, remove unnecessary parts of it (to make it more light).
[*]Test and review changes.
I can either take lead, perform or participate actively in the tasks that are listed green. I only need a competent C++ coder who can help and thinks this is a great idea.
The changes needed to the existing source code do not seem to be much at first glance, but of course as I cannot code in C++, I could be wrong. I just looked at the parts of code where to change the tabs and queries to storage files.
So there, got it off my chest. Any C++ gurus missing a simple, convenient grocery app?
OK, I will put this in another way. I will personally contribute $50 (via PayPal or if EU country, via transfer) to the coder - provided that the end result is according to the requirements, which we will agree forehand. If anyone wants to join in with contribution, You are more than welcome.
aiiro said:
OK, I will put this in another way. I will personally contribute $50 (via PayPal or if EU country, via transfer) to the coder - provided that the end result is according to the requirements, which we will agree forehand. If anyone wants to join in with contribution, You are more than welcome.
Click to expand...
Click to collapse
If I had money I to would offer some.
It's no wunder WinMo is falling behind no one wants to create apps even when offered a straight cash deal.
Amen to that. I was actually reading this and took a good hour of researching to see just how hard it might be and how time-consuming it might be. I would have loved to take this on...but alas, It would split me way too much. I am already working on my FFP_LS Pro 2.5 Improvements (Major Major improvements...I am practically re-writing the app), I am starting work on a game I plan to release (Its a rather popular game I have yet to find for WIndows Mobile), and I already volunteered to work on the Boggle Clone for WinMo ... so I am already pretty split as it is. heh...if I find free time, and nobody has taken this on, I will probably come back and make this my next project
Sorry though...I do hope some developer comes around to assist!
Thanks for Your support. I thought that I don't need to subscribe to my own threads in order to get a notification if a new post is made, but I was wrong. I certainly didn't get one for Your post. So, sorry for the late reply. I will subscribe to my own thread now

Image Sizes and Costs

I downloaded somewhere some image sizes - below are two. I am not too sure which one I downloaded these for / from. But can these icon information be used for Windows Mobile 7, Android, and iPad / iPhone?
From what I think I remember speaking with one developer helping him with testing his game, I think he said it was $99.00 a year for 100 applications. If I only wanted to submit one (free) application, would it be better to find someone that already has the feature to develop this application? The application is very small - mainly to read one specific RSS feed.
Hey
the developer account costs are not connected to the image license price. If you want to submit a WP7 app to the marketplace, you have to own a developer account, that costs $99/year. But this price does not grant the permission to use these pictures. You have to ask the creator whether you're allowed to use them.
Regards
Chris
Thanks - sorry I did not mean to imply I would use these images, I just did not know if it was these image (sizes / quality) that was needed.
If the developer has an account though and he develops the app that I need, can he use that account to upload the app?
Hey
For the licensing procedure and requirements you should visit this link:
http://msdn.microsoft.com/en-us/library/hh184843(v=VS.92).aspx
But I don't get your question. If you're asking wheter you could have another developer programming and submitting the application you need the answer is yes. Every developer that has an account can send apps in. You just have to find someone that wants to create your application. Another possibility would be to program your app yourself and send the compiled version to a developer, so that he can pass it to the WP marketplace...
Regards
Chris
If you need an app built for something easy like an RSS feed, check this thread:
http://forum.xda-developers.com/showthread.php?t=941248
it discusses a build your own app website.
http://thirdlabs.com/
I have never used it and have no afiliation with the site, but it looks easy enough...
Anywho, once the app is made, you can
sideload it (if you're unlocked)
pay for a dev account and submit it ($99 a year)
try to get a free student account and submit it (see here )
find someone with a dev account that will submit it for you
good luck
Thanks for the links! I have run into the RSS feed link - but it was not that site.
Yes, Chris - that answers that question. I thought as much but wanted to make sure. (Sorry it is difficult for me to sometimes get my point across due to my health).

What frustrates you about an app?

So I'm working on a post for my site. It's going to be a list about things a developer does with an application that frustrates us as users. The goal is to highlight common complains from the community about practices devs use in their apps and to hopefully encourage them with feedback to improve.
This is the list I've got so far. Please feel free to chime in if you agree or disagree and ADD any things that bug you as a USER.
--Lack of a live tile: One of the biggest differences on our platforms and others is the inclusion of live tiles. If it makes sense for the application, a live tile is a must. I'm hard pressed to find a large category of apps where a live tile wouldn't make sense at some basic level.
--No fast app switching: No explanation needed, devs get with it.
--Not playing nice with Metro: You make an app for iOS or Android and now you want to port it Windows Phone as fast as possible...so fast you don't think about the design. Great apps on Windows Phone are those that capitalize on the principles of the design language.
--Have both a paid and free version of an app: Do a search for an app in the Market or App Store and you'll get two versions for a lot of popular apps: the free and paid version. There is NO reason why you would need to do that with Windows Phone. Devs have the ability to implement a 'trial' state of an application where they can do everything and more a 'free' version of an app could. Stop cluttering the Marketplace.
--Redirecting to a website: I once downloaded a sports app that had potential. I opened the app and played around. There was a pivot page that had a section for news. Clicked it...and bam. IE is opening up. Nope, no thank you. I want to use your app now your website.
These are some of the big themes that I've encountered more than I should when playing around with apps. This is not a major problem, but it's there and it really shouldn't be.
Also I'm not trying to put developers down, I know it's hard work and I myself am trying to learn as well. But we should strive for something better.
Alright, sound off with some feedback guys. Any other 'sins against users' I've missed that you encounter? I'd like to see what you think before I write the post on my site.
ALSOOOO.... How about you list some apps that contain these 'sins against users'. That way we can politely invite the developer to hear our thoughts and implement changes that benefit everyone. Happy users = $, $= happy dev.
All these are minor.. My biggest complaint is when push notification is either delayed or doesnt come at all. I've missed some important whatsapp messages cause it was delayed 10 mins.
Sent from my T8788 using XDA Windows Phone 7 App
samsabri said:
[...]
--Have both a paid and free version of an app: Do a search for an app in the Market or App Store and you'll get two versions for a lot of popular apps: the free and paid version. There is NO reason why you would need to do that with Windows Phone. Devs have the ability to implement a 'trial' state of an application where they can do everything and more a 'free' version of an app could. Stop cluttering the Marketplace.
[...]
Click to expand...
Click to collapse
As I agree with what you are posting, I think you missed the point on this one.
It's true that this is cluttering the marketplace, but people like to hand out a "FREE" version from a marketing persepective. There is a seperate column with "free" apps, hence it will be easier to stand out with both a free and paid app...
Also if you have a fully functional free trial (with only an add) it is still being noted as paid app, so you miss everybody who has no credit card, they will automatically overlook a paid app, even if it has a free unlimited trial (well there are always exceptions of course, but those account mostly for "high profile" apps/games).
This is the main reason, that without uploading 2 apps, there is an unfair disadvantage for the dev.
But I agree it is annoying but from a developer perspective it makes a lot of sense why people do this.
Marvin_S said:
As I agree with what you are posting, I think you missed the point on this one.
It's true that this is cluttering the marketplace, but people like to hand out a "FREE" version from a marketing persepective. There is a seperate column with "free" apps, hence it will be easier to stand out with both a free and paid app...
Also if you have a fully functional free trial (with only an add) it is still being noted as paid app, so you miss everybody who has no credit card, they will automatically overlook a paid app, even if it has a free unlimited trial (well there are always exceptions of course, but those account mostly for "high profile" apps/games).
This is the main reason, that without uploading 2 apps, there is an unfair disadvantage for the dev.
But I agree it is annoying but from a developer perspective it makes a lot of sense why people do this.
Click to expand...
Click to collapse
I agree. Some devs don't mention what the trial offers(time-limited or function-limited) and hence I stay away from such paid apps. Sometimes the trial is fully functional with ads. Agreed that the devs were lazy to not include it in the description, but some users are lazy too. That would be the reason for two versions of the app.
it not being available at all.
or how about it's free on android or ios, but $3 on wp7... wtf?
Marvin_S said:
As I agree with what you are posting, I think you missed the point on this one.
It's true that this is cluttering the marketplace, but people like to hand out a "FREE" version from a marketing persepective. There is a seperate column with "free" apps, hence it will be easier to stand out with both a free and paid app...
Also if you have a fully functional free trial (with only an add) it is still being noted as paid app, so you miss everybody who has no credit card, they will automatically overlook a paid app, even if it has a free unlimited trial (well there are always exceptions of course, but those account mostly for "high profile" apps/games).
This is the main reason, that without uploading 2 apps, there is an unfair disadvantage for the dev.
But I agree it is annoying but from a developer perspective it makes a lot of sense why people do this.
Click to expand...
Click to collapse
Yeah, I understand the marketing angle. I guess I live in some fantasy land in my head where the world is clean and organized. Hopefully with the Windows 8 Marketplace offering devs simliliar options in how they can implement trials we'll see less "free" apps because users may come expect every paid app to come with a trial.
svtfmook said:
it not being available at all.
or how about it's free on android or ios, but $3 on wp7... wtf?
Click to expand...
Click to collapse
That is something I missed, I how they determine the price difference between platforms?
Off the top of your head, do any apps come to mind where there is a big price difference in platforms? Exclude Xbox Live enabled games for a moment, the reason being I can see the inclusion of achievements, leaderboards, etc to be the cause of the price bump.
I'm in need of a map/location/gps app, that supports offline map caching . while I found couple of them on marketplace, ones that had nice design an functionality, all of them where online only and ones that had offline map caching had terrible design an absolutely no functionality. thats sad
design and functionality should be put first IMO
Inconsistent Resuming and Lack of Tombstoning
Once an app leaves the foreground you have two methods of returning to it: use the app switcher or hitting the tile on your Start screen. Going from the app switcher resumes as expected, but going from the Start screen restarts the app, even if it's already sitting in the background. Now this is probably something Microsoft has to fix, but I feel that if more apps tombstoned, then it could make things more consistent.
samsabri said:
That is something I missed, I how they determine the price difference between platforms?
Off the top of your head, do any apps come to mind where there is a big price difference in platforms? Exclude Xbox Live enabled games for a moment, the reason being I can see the inclusion of achievements, leaderboards, etc to be the cause of the price bump.
Click to expand...
Click to collapse
Yes if they would note next to the price tag of each app wheter it contains a Trial version, it is less needed for devs to release a seperate "Lite" version. However the problem is now you have to click the app first than wait until the buttons show up in order to find out wheter an app has a free trial.
This should be there on the big scroll list so a user will see at first glance wheter he/she can try the app for free. At the moment I can't blame dev's for introducing their own workarounds.
But what is more annoying to me is that if devs follow metro design and don't use the margins correctly. Hence the app looks odd in comparison to the native apps, i.e. a lot of chat apps mimick the messaging app but don't pay attention to the margins, the bubble sizes and the bubble alignments, which will make them look very unprofessional. This is sad because they did take the effort to stylize the app like Metro, but they ruined the experience because of not "understanding" the fundamentals of the design language. Which is not just typography but also clever and precise use of margins, shapes and spacings. And since there is not much chrome, every tiny offset or error stands out to a trained eye instantly.
Marvin_S said:
Yes if they would note next to the price tag of each app wheter it contains a Trial version, it is less needed for devs to release a seperate "Lite" version. However the problem is now you have to click the app first than wait until the buttons show up in order to find out wheter an app has a free trial.
This should be there on the big scroll list so a user will see at first glance wheter he/she can try the app for free. At the moment I can't blame dev's for introducing their own workarounds.
But what is more annoying to me is that if devs follow metro design and don't use the margins correctly. Hence the app looks odd in comparison to the native apps, i.e. a lot of chat apps mimick the messaging app but don't pay attention to the margins, the bubble sizes and the bubble alignments, which will make them look very unprofessional. This is sad because they did take the effort to stylize the app like Metro, but they ruined the experience because of not "understanding" the fundamentals of the design language. Which is not just typography but also clever and precise use of margins, shapes and spacings. And since there is not much chrome, every tiny offset or error stands out to a trained eye instantly.
Click to expand...
Click to collapse
I think going forward an ideal scenario would be a user expects to have a trial mode for any app that a dev is asking money for. It's a win-win for both consumers and developers. Check out this post from Paul Laberge explaining some of the benefits of a trial mode.
Seems like your second paragraph is echoing the statement to follow metro design language/principles and aim for higher quality control in regards to the design.
It's interesting, I feel like 5 years ago software was all about being functional with no regard to design. Now we not only demand, but expect applications to function well and look beautiful. Exciting times
karan1203 said:
All these are minor.. My biggest complaint is when push notification is either delayed or doesnt come at all. I've missed some important whatsapp messages cause it was delayed 10 mins.
Sent from my T8788 using XDA Windows Phone 7 App
Click to expand...
Click to collapse
Are those faults of the developer or the platform itself? I ask because I don't know a lot of the technical workings behind the push notification system. My limited knowledge tells me it might be a mix of both parties to blame.
Can anyone clarify?
apps?
For sure about Notifications part.
Push Notification can be useful "ONLY" when you have the phone right in front of your face. Because right after that, they are gone forever.
Second, Push Notification usually have a delay , about a half to 2 mins, from the actual event.
Like my friend can post a thing on my Facebook Wall, and the phone took about 2 mins to update it to the ME title. Same with all other Applications.
I used to try hacking the ROM and Registry of the Phone to reduce the delay of the Title Update. But failed so hard because Microsoft really locked it up hard.
I think most of the annoyances are captured already in the initial post but I'll also add
-That some apps are still being released without mango capability.
-Some apps are just the mobile site (for example the tagged app wtf?)
prohibido_por_la_ley said:
I think most of the annoyances are captured already in the initial post but I'll also add
-That some apps are still being released without mango capability.
-Some apps are just the mobile site (for example the tagged app wtf?)
Click to expand...
Click to collapse
I was hoping I'd cover the most obvious complaints, but wanted to reach out and see if anything was missing. Also venting is good for us
And regarding Tagged...? Wow... I just looked at it on the web Marketplace and I won't let something that hideous touch my phone. It's just lazy and doesn't add any value to users or devs. Users get nothing out of it and as a dev what have you accomplished?
Apps like that should not pass certification. It seems draconian, but it's ok for us to demand and expect quality work.
wixostrix said:
...but going from the Start screen restarts the app, even if it's already sitting in the background.
Click to expand...
Click to collapse
This is (or was pre-Mango) a requirement to have your app certified. The rules say/said that a user returning to a task via the Back button is trying to complete an interupted task; a user launching the app from Start is starting a new task and shouldn't be presented with abandoned work from earlier.
I have a calculator app that maintains full state across invocations. I was worried that MS would reject the app because it preserved state even upon restarting. They did accept it, though.
Worst thing for me is wasted screen space.
A good example is the official WP7 Facebook app. Go to the "wall" screen, and you have "FACEBOOK" then "Most Recent" then "What's on your mind?" all permanently stuck at the top. Space is also wasted at both sides, meaning that only 50-60% of the screen is actually available to display your friends wall posts.
I thought the idea of Metro is to "put information first", so this is ridiculous. I have a phone with a 3.7" screen, yet the facebook app is more readable on my friends 3" non-widescreen Blackberry.
Aphasaic2002 said:
Worst thing for me is wasted screen space.
A good example is the official WP7 Facebook app. Go to the "wall" screen, and you have "FACEBOOK" then "Most Recent" then "What's on your mind?" all permanently stuck at the top. Space is also wasted at both sides, meaning that only 50-60% of the screen is actually available to display your friends wall posts.
I thought the idea of Metro is to "put information first", so this is ridiculous. I have a phone with a 3.7" screen, yet the facebook app is more readable on my friends 3" non-widescreen Blackberry.
Click to expand...
Click to collapse
I hear you on that Facebook app. Thankfully the integration with Windows Phone makes it so that I haven't opened it in months. I check FB once a day on the browser at home before bed, but that's about it.
But I'll chalk this complaint under the 'design abuse' category.
Anyone have any other apps that violate some of our sins in the original post in this thread?
I'd like to see improvements with the sound handeling. Most games have a 'music volume' and a 'FX volume' it seems the volume % is boolean, 0% is silent, 10%-100% is full volume. I'd like to listen to my music while gaming without the Pew Pew causing my ears to bleed

Warning about TextSecure App: Possible Compromised Development

Some of us use Textsecure as replacement for Stock SMS app. Textsecure provides encryption for your SMS. However, my recommendation is: stay away or at least don't update to 2.X... versions.
The developer has introduced Google Cloud Messaging, which means that even if your sms are secure, the fact you are using the app will be recorded in Google Centralized database. In addition, he removed the ability of the user to regenerate new identity key. In last couple of releases, he forced the user to allow the app to contact the internet (otherwise, the app would crash). That is even if you compile the app from sources, which I did a couple of hours ago. If you download the app from Store, you can't even use it without Google account and GSF, the latter will record your every keystroke including the password used to encrypt the messages. In further addition, the app is only available through Googleplay and the developer is actively resisting third party distribution. If that is not enough, you should know that Whisper systems is owned by Twitter, which is a red flag in of itself. The code is growing larger and is more difficult to examine for back door purposes.
My advice: stay away from this development, which in my view is compromised...
Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on Textsecure and it is published under Whisper, which is Twitter. About the same time, all those things described above started to happen. Also interesting is that the developer was put on federal watch list and was continuously harrased by various agencies when flying. So, I wouldn't be surprised to learn that his new employer is the previous harraser...
All more reasons to stay away from this app.
optimumpro said:
Some of us use Textsecure as replacement for Stock SMS app. Textsecure provides encryption for your SMS. However, my recommendation is: stay away or at least don't update to 2.X... versions.
The developer has introduced Google Cloud Messaging, which means that even if your sms are secure, the fact you are using the app will be recorded in Google Centralized database. In addition, he removed the ability of the user to regenerate new identity key. In last couple of releases, he forced the user to allow the app to contact the internet (otherwise, the app would crash). That is even if you compile the app from sources, which I did a couple of hours ago. If you download the app from Store, you can't even use it without Google account and GSF, the latter will record your every keystroke including the password used to encrypt the messages. In further addition, the app is only available through Googleplay and the developer is actively resisting third party distribution. If that is not enough, you should know that Whisper systems is owned by Twitter, which is a red flag in of itself. The code is growing larger and is more difficult to examine for back door purposes.
My advice: stay away from this development, which in my view is compromised...
Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on Textsecure and it is published under Whisper, which is Twitter. About the same time, all those things described above started to happen. Also interesting is that the developer was put on federal watch list and was continuously harrased by various agencies when flying. So, I wouldn't be surprised to learn that his new employer is the previous harraser...
All more reasons to stay away from this app.
Click to expand...
Click to collapse
And here is some more fresh evidence. Today I posted this info on Cyanogen site related to Textsecure Push for CM.
http://www.cyanogenmod.org/blog/whisperpush-secure-messaging-integration
The site says it is neither censored no monitored. Within 5 minutes, the post has disappeared... . So, stay away from this app as the development has been compromised. In my view, of course...
You have no clue what youre talking about.
Corndude said:
You have no clue what youre talking about.
Click to expand...
Click to collapse
Thanks, pal... for a very, very thorough, thoughtful and factual argument.
Edit: by the way, what does no gapps project have to do with textsecure being compromised?
Thanks for the heads up. Something is really amiss, and I won't want to directly experience it. I'm staying away from TextSecure for sure.
abdelazeez said:
Thanks for the heads up. Something is really amiss, and I won't want to directly experience it. I'm staying away from TextSecure for sure.
Click to expand...
Click to collapse
Most messenger apps today work with Google Push Notifications, seems to be no problem for people there. Funny that it is here. As for SMS, I would never use that through another app. Besides, the phone carrier companies save those probably too, whats so different with that you said ? Text Secure is a very nice app I think. Right now people on iOS don't have that app yet, which makes it hard to establish in mixed system userbases among people. But I hope that will change.
Besides, most people here probably use Twitter. Funny to complain about something that might be related to Twitter then, isn't it ?
Wolfseye
wpkwolfseye said:
Most messenger apps today work with Google Push Notifications, seems to be no problem for people there. Funny that it is here. As for SMS, I would never use that through another app. Besides, the phone carrier companies save those probably too, whats so different with that you said ? Text Secure is a very nice app I think. Right now people on iOS don't have that app yet, which makes it hard to establish in mixed system userbases among people. But I hope that will change.
Besides, most people here probably use Twitter. Funny to complain about something that might be related to Twitter then, isn't it ?
Wolfseye
Click to expand...
Click to collapse
The difference is that Textsecure/Whisperpush/CMpush tell you your SMS are encrypted. If they are indeed encrypted and there are no backdoors, your carrier (and others) can only get encrypted SMS (good luck to them trying to decipher). All other SMS apps are in plain text. In my view earlier versions of Textsecure are indeed secure. Starting from version 2.X, we no longer know that considering all the facts I mentioned in the OP.
You should really get your facts straight. Twitter bought Whisper Systems in 2011, mainly to get Moxie and the other Whisper Systems folks to work for them.
Moxie went on to lead Twitters security team. Twitter allowed them a month or so after they aquired Whisper Systems to open source their apps TextSecure and RedPhone. In January 2013 Moxie left Twitter and started Open Whisper Systems with a few others. They took the newly open sourced apps and developed them further.
This is also covered in their FAQ.
You can see all of their code on GitHub.
And if you don't have GAPPS installed, you will simply get a message that you won't be able to use push messages and that's it. Several friends of mine use it for SMS only, with Xprivacy restricting the internet access. It doesn't crash or anything.
If you experience this, you may either have a problem with your build or it's a bug specific to your device/Android version.
Moxie also wrote exactly why he doesn't want TextSecure to be released via F-Droid: for security reasons. They use central signing, which may very well compromise the update channel.
The whole discussion can be found in the most infamous thread in their GitHub: #127
lindworm said:
You should really get your facts straight. Twitter bought Whisper Systems in 2011, mainly to get Moxie and the other Whisper Systems folks to work for them.
Moxie went on to lead Twitters security team. Twitter allowed them a month or so after they aquired Whisper Systems to open source their apps TextSecure and RedPhone. In January 2013 Moxie left Twitter and started Open Whisper Systems with a few others. They took the newly open sourced apps and developed them further.
This is also covered ir FAQ.
You can see all of their code on GitHub.
And if you don't have GAPPS installed, you will simply get a message that you won't be able to use push messages and that's it. Several friends of mine use it for SMS only, with Xprivacy restricting the internet access. It doesn't crash or anything.
If you experience this, you may either have a problem with your build or it's a bug specific to your device/Android version.
Moxie also wrote exactly why he doesn't want TextSecure to be released via F-Droid: for security reasons. They use central signing, which may very well compromise the update channel.
The whole discussion can be found in the most infamous thread in their GitHub: #127
Click to expand...
Click to collapse
Which fact did I not get straight? You can't get the app anywhere other than from Googleplay and for Googleplay you need GSF, which records your every keystroke. And by the way, try to restrict getnetworkinfo in internet settings in Xprivacy and the app will crash as soon as you try to open a conversation (checked on several devices). And why was it necessary to prevent users from generating new identity key? Why not have an app available on Whisper's github, as many devs do. And by the way, I asked the same questions on github and f-droid threads and in response got a suggestion to build an equivalent of Google's GCM, so then Moxie would stop using Google.
optimumpro said:
Which fact did I not get straight? You can't get the app anywhere other than from Googleplay and for Googleplay you need GSF, which records your every keystroke. And by the way, try to restrict getnetworkinfo in internet settings in Xprivacy and the app will crash as soon as you try to open a conversation (checked on several devices). And why was it necessary to prevent users from generating new identity key? Why not have an app available on Whisper's github, as many devs do. And by the way, I asked the same questions on github and f-droid threads and in response got a suggestion to build an equivalent of Google's GCM, so then Moxie would stop using Google.
Click to expand...
Click to collapse
You are not even trying to learn/understand why things are done the way they are done, but instead chose to blast an open source project by a security expert who has spoken at defcon various times and who is on a national security list and gets severely hassled by the TSA every time he tries to travel because of his involvement with secure communication projects.
You don't show the slightest form of objectiveness either. The truth content of what you are writing varies between "flat out wrong" and "there is a reason for how they do it that way, which you either didn't care to research or willingly ignored".
1. You can sideload the apk either from http://apps.evozi.com/apk-downloader/ or any of the dozens of sites that mirror packages from the app store.
They do not provide apks because it is a security risk: there is no automated upgrade channel from where a user can get a new version which may fix serious security flaws.
Everybody who is able to compile from source however should understand the importance of updating regularly and can do so on his/her own.
Moxie stated all of that in the github ticket I linked to.
2. GSF doesn't record your keystrokes.
3. If you had bothered to look it up, getNetworkInfo returns if a certain interface (like wifi) is used for internet.
This leaks no interesting information whatsoever. And it especially doesn't mean that TextSecure doesn't work without internet, because this permission does not give an app internet access. Xprivacy actually expects this behaviour by apps, that's why those fields are by default not restricted even if you restrict internet access of an app.
The program crashes without this, because it expects to get a needed value returned, which you chose to block. This is not something they willingly built in, to stop you from using it without Google Play.
If you can't manage the complexity of the permissions, you should use a simple firewall like AFwall+ to restrict internet access.
4. This was probably removed because it doesn't add any significant security and adds clutter to the user interface, because average users have no idea what it's for. The identity keys you are talking about are long term identity keys. TextSecure uses different keys in every message and actually uses the most secure protocol I know of. It has excellent forward secrecy, future secrecy and deniability. More so than OTR, which it is derived from.
You can learn more about that in their blog:
https://whispersystems.org/blog/simplifying-otr-deniability/
https://whispersystems.org/blog/asynchronous-security/
https://whispersystems.org/blog/advanced-ratcheting/
5. You asked them to not use the only free world wide push network that has contracts with all major providers to not kill idle TCP connections.
Moxie always answered that they would love to use something else, but none exists. And that they don't have the resources to build a push network themselves.
This is all in the comments to https://whispersystems.org/blog/the-new-textsecure/ and on ycombinator:
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfxhm?context=3
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfrv0?context=3
They are however working on using emails as identifiers and websockets as an alternative to GCM. Websockets are already implemented on the server side and people are working on the client side.
Right now you can use encrypted SMS without GCM, no problem at all. If you want to use it over the internet, you can help to speed up the websocket development:
https://github.com/WhisperSystems/TextSecure/issues/1000
lindworm said:
You are not even trying to learn/understand why things are done the way they are done, but instead chose to blast an open source project by a security expert who has spoken at defcon various times and who is on a national security list and gets severely hassled by the TSA every time he tries to travel because of his involvement with secure communication projects.
You don't show the slightest form of objectiveness either. The truth content of what you are writing varies between "flat out wrong" and "there is a reason for how they do it that way, which you either didn't care to research or willingly ignored".
1. You can sideload the apk either from http://apps.evozi.com/apk-downloader/ or any of the dozens of sites that mirror packages from the app store.
They do not provide apks because it is a security risk: there is no automated upgrade channel from where a user can get a new version which may fix serious security flaws.
Everybody who is able to compile from source however should understand the importance of updating regularly and can do so on his/her own.
Moxie stated all of that in the github ticket I linked to.
2. GSF doesn't record your keystrokes.
3. If you had bothered to look it up, getNetworkInfo returns if a certain interface (like wifi) is used for internet.
This leaks no interesting information whatsoever. And it especially doesn't mean that TextSecure doesn't work without internet, because this permission does not give an app internet access. Xprivacy actually expects this behaviour by apps, that's why those fields are by default not restricted even if you restrict internet access of an app.
The program crashes without this, because it expects to get a needed value returned, which you chose to block. This is not something they willingly built in, to stop you from using it without Google Play.
If you can't manage the complexity of the permissions, you should use a simple firewall like AFwall+ to restrict internet access.
4. This was probably removed because it doesn't add any significant security and adds clutter to the user interface, because average users have no idea what it's for. The identity keys you are talking about are long term identity keys. TextSecure uses different keys in every message and actually uses the most secure protocol I know of. It has excellent forward secrecy, future secrecy and deniability. More so than OTR, which it is derived from.
You can learn more about that in their blog:
https://whispersystems.org/blog/simplifying-otr-deniability/
https://whispersystems.org/blog/asynchronous-security/
https://whispersystems.org/blog/advanced-ratcheting/
5. You asked them to not use the only free world wide push network that has contracts with all major providers to not kill idle TCP connections.
Moxie always answered that they would love to use something else, but none exists. And that they don't have the resources to build a push network themselves.
This is all in the comments to https://whispersystems.org/blog/the-new-textsecure/ and on ycombinator:
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfxhm?context=3
https://pay.reddit.com/r/Android/co..._cyanogenmod_is_integrating/cdyfrv0?context=3
They are however working on using emails as identifiers and websockets as an alternative to GCM. Websockets are already implemented on the server side and people are working on the client side.
Right now you can use encrypted SMS without GCM, no problem at all. If you want to use it over the internet, you can help to speed up the websocket development:
https://github.com/WhisperSystems/TextSecure/issues/1000
Click to expand...
Click to collapse
Your original statement was that I got my facts wrong. Since you have not cited any instance where I came up with a wrong fact, I will address your opinions.
Number one: you say GSF does not record keystrokes. How do you know? Have you seen the source (which is closed)? If you did, you work for Google and then everything you say is propaganda that has zero factual value. If you don't, then you are just speculating. You pick whichever is worse. If you use Google proprietary blobs, your device is totally open and there is no security measure/app on earth that is effective against this. That GSF phones home at regular intervals and transmits data there is a known fact. You can use encryption from Mars and yet it won't work because raw data (before encryption) is open to Google. As another user noted, having GSF and other closed source apps is like having a lock installed on your house door and not knowing who has access to it besides you.
Number two: inability to generate new identity key: It was there for a reason, the same way PGP or GPG keys have the ability to be limited in time, revoked or regenerated. It is a good security standard and removing it represents weakening. Clutter? LOL. A regular user wouldn't even be able to find it. Certainly, it does not pop up anywhere, one has to find it.
Number three: Sideload or compiling: a regular user will do neither, he/she will simply download the app from the market, which means he has to have Google blobs. Or you are suggesting that users should download the app from the market and then remove GSF and other Googleapps? LOL again.
As I said earlier, Moxie's argument that allowing third party apps on your device is a greater security risk than having closed source blobs is wrong and grand BS (especially coming from someone who is considered a security expert). It is security through obscurity, which is no security at all. The value of his open source project is completely defeated by having closed source blobs by a known private branch of known three letter agencies.
Now, these are facts. Let's get to opinions. I think that this deliberate weakening of security (again coming from a security expert) is a strong indication that development and/or developer has been compromised. And that is why I recommend to stay away from this app. But that is just my opinion, which is nonetheless based on facts.
optimumpro said:
Your original statement was that I got my facts wrong. Since you have not cited any instance where I came up with a wrong fact, I will address your opinions.
Click to expand...
Click to collapse
Do you even read what I write?
If that is not enough, you should know that Whisper systems is owned by Twitter, which is a red flag in of itself.
Click to expand...
Click to collapse
As I explained he does now work there any more.
You seem to have noticed that too:
Edit. In January of this year, the developer left Twitter. Interestingly, he is still working on Textsecure and it is published under Whisper, which is Twitter.
Click to expand...
Click to collapse
Are you kidding me? How the flying **** did you get to this conclusion? The company that was bought by twitter was Whisper Systems.
They are publishing the new source under Open Whisper Systems. (none of those was ever called Whisper)
See the difference? They also state this here: http://support.whispersystems.org/customer/portal/articles/1474591-is-textsecure-owned-by-twitter-
And here is some more fresh evidence. Today I posted this info on Cyanogen site related to Textsecure Push for CM.
http://www.cyanogenmod.org/blog/whis...ng-integration
The site says it is neither censored no monitored. Within 5 minutes, the post has disappeared... . So, stay away from this app as the development has been compromised. In my view, of course...
Click to expand...
Click to collapse
So you are saying CyanogenMod is part of this grand conspiracy of yours? Come on...
GSF, which records your every keystroke.
Click to expand...
Click to collapse
Number one: you say GSF does not record keystrokes. How do you know? Have you seen the source (which is closed)? If you did, you work for Google and then everything you say is propaganda that has zero factual value. If you don't, then you are just speculating. You pick whichever is worse. If you use Google proprietary blobs, your device is totally open and there is no security measure/app on earth that is effective against this. That GSF phones home at regular intervals and transmits data there is a known fact. You can use encryption from Mars and yet it won't work because raw data (before encryption) is open to Google. As another user noted, having GSF and other closed source apps is like having a lock installed on your house door and not knowing who has access to it besides you.
Click to expand...
Click to collapse
It's a binary blob and it sends data to google, but you have no proof whatsoever if it records keystrokes. You can know if you want to tough. Decompile it and analyze it. I don't like binary blobs, but you can't just say they do something without having any proof. I may not be able to guarantee that they don't do something, because I have not personally decompiled and analyzed every bit of it, but until you have and have proof that it does do something you can't just claim it does.
Number two: inability to generate new identity key: It was there for a reason, the same way PGP or GPG keys have the ability to be limited in time, revoked or regenerated. It is a good security standard and removing it represents weakening. Clutter? LOL. A regular user wouldn't even be able to find it. Certainly, it does not pop up anywhere, one has to find it.
Click to expand...
Click to collapse
It is not something the average user should have access to, for several reasons. The TextSecure V2 protocol is NOT comparable with PGP/GPG because it has forward secrecy and deniability. The keys that are actually used to encrypt a message are not static as with PGP.
They are derived from the original keys and are changed with every message. No need to change them after X days/months/years.
Even if one key is intercepted, you would only be able to decrypt one message and not every message as it is the case with PGP.
If you get a new key, all your contacts get alerts that your key changed and that somebody may be listening in. That's not something the average user should be exposed to. If you think for whatever reason that you really want to do this, back up your conversations, uninstall TextSecure, install it again, import the backup and you have your new key.
Number three: Sideload or compiling: a regular user will do neither, he/she will simply download the app from the market, which means he has to have Google blobs. Or you are suggesting that users should download the app from the market and then remove GSF and other Googleapps? LOL again.
As I said earlier, Moxie's argument that allowing third party apps on your device is a greater security risk than having closed source blobs is wrong and grand BS (especially coming from someone who is considered a security expert). It is security through obscurity, which is no security at all. The value of his open source project is completely defeated by having closed source blobs by a known private branch of known three letter agencies.
Click to expand...
Click to collapse
Every average user has the google blobs, because they are preinstalled on nearly every phone and it's nearly unusable without them. This app is supposed to make encryption available to the masses.
Google may be undermined by your beloved three letter agencies, but it's not one of them. This is not to hide from them.
You have your threat model wrong.
No app alone can ever protect you from those agencies. They have hundreds of 0days for every platform and will simply own your Android, open source or not.
And this is not what TextSecure tries to do. They protect the content of every conversation with extremely strong encryption, no matter what the transport is. This does protect you from dragnet surveillance. But they can not protect you from someone who targets you and is willing to spend hundreds of thousands or millions to break into your operating systems.
If the NSA really wants you they get you, period. But TextSecure protects you from theives, cyber criminals and nearly everybody else who wants to read your messages.
You say you think the encrypted SMS mode was safe? With this your provider (and thus your government and every agency that wants it) has all the metadata. Who sent something to whom etc.
Google on the other hand has actually LESS meta data, because your phone sends the message to the TextSecure server, which relays the message to GCM. GCM then delivers the message. Because everything is encrypted none of the servers get contact data. But google only gets the receiver, not the sender. Your provider gets everything.
A global passive adversary may still do time corellation attacks, by listening who sends something when and who receives something at this time. After some sessions it's pretty clear who is talking to whom. It doesn't matter if Google is evil or not in this case. They get the metadata if they want to.
If you want protection against something like this take a look at pond, or meet i person: https://github.com/agl/pond
Now, these are facts. Let's get to opinions. I think that this deliberate weakening of security (again coming from a security expert) is a strong indication that development and/or developer has been compromised. And that is why I recommend to stay away from this app. But that is just my opinion, which is nonetheless based on facts.
Click to expand...
Click to collapse
As I explained there is no weakening whatsoever. Even if you consider google the adversary, they get less meta data than your SMS provider.
You can use this exactly as before without the google blobs if you want to.
They are actively working on a way to get away from the play store and GCM by building their own distribution method (which is finished, but not yet released, see #127 in their github) and implementing Websockets (server works, client is on the way).
Before you start slamming something you should really understand how it works, or ask if you understood it correctly.
lindworm said:
Do you even read what I write?
As I explained he does now work there any more.
You seem to have noticed that too:
Are you kidding me? How the flying **** did you get to this conclusion? The company that was bought by twitter was Whisper Systems.
They are publishing the new source under Open Whisper Systems. (none of those was ever called Whisper)
See the difference? They also state this here: http://support.whispersystems.org/customer/portal/articles/1474591-is-textsecure-owned-by-twitter-
So you are saying CyanogenMod is part of this grand conspiracy of yours? Come on...
It's a binary blob and it sends data to google, but you have no proof whatsoever if it records keystrokes. You can know if you want to tough. Decompile it and analyze it. I don't like binary blobs, but you can't just say they do something without having any proof. I may not be able to guarantee that they don't do something, because I have not personally decompiled and analyzed every bit of it, but until you have and have proof that it does do something you can't just claim it does.
It is not something the average user should have access to, for several reasons. The TextSecure V2 protocol is NOT comparable with PGP/GPG because it has forward secrecy and deniability. The keys that are actually used to encrypt a message are not static as with PGP.
They are derived from the original keys and are changed with every message. No need to change them after X days/months/years.
Even if one key is intercepted, you would only be able to decrypt one message and not every message as it is the case with PGP.
If you get a new key, all your contacts get alerts that your key changed and that somebody may be listening in. That's not something the average user should be exposed to. If you think for whatever reason that you really want to do this, back up your conversations, uninstall TextSecure, install it again, import the backup and you have your new key.
Every average user has the google blobs, because they are preinstalled on nearly every phone and it's nearly unusable without them. This app is supposed to make encryption available to the masses.
Google may be undermined by your beloved three letter agencies, but it's not one of them. This is not to hide from them.
You have your threat model wrong.
No app alone can ever protect you from those agencies. They have hundreds of 0days for every platform and will simply own your Android, open source or not.
And this is not what TextSecure tries to do. They protect the content of every conversation with extremely strong encryption, no matter what the transport is. This does protect you from dragnet surveillance. But they can not protect you from someone who targets you and is willing to spend hundreds of thousands or millions to break into your operating systems.
If the NSA really wants you they get you, period. But TextSecure protects you from theives, cyber criminals and nearly everybody else who wants to read your messages.
You say you think the encrypted SMS mode was safe? With this your provider (and thus your government and every agency that wants it) has all the metadata. Who sent something to whom etc.
Google on the other hand has actually LESS meta data, because your phone sends the message to the TextSecure server, which relays the message to GCM. GCM then delivers the message. Because everything is encrypted none of the servers get contact data. But google only gets the receiver, not the sender. Your provider gets everything.
A global passive adversary may still do time corellation attacks, by listening who sends something when and who receives something at this time. After some sessions it's pretty clear who is talking to whom. It doesn't matter if Google is evil or not in this case. They get the metadata if they want to.
If you want protection against something like this take a look at pond, or meet i person: https://github.com/agl/pond
As I explained there is no weakening whatsoever. Even if you consider google the adversary, they get less meta data than your SMS provider.
You can use this exactly as before without the google blobs if you want to.
They are actively working on a way to get away from the play store and GCM by building their own distribution method (which is finished, but not yet released, see #127 in their github) and implementing Websockets (server works, client is on the way).
Before you start slamming something you should really understand how it works, or ask if you understood it correctly.
Click to expand...
Click to collapse
"Decompile GSF"
You are kidding. Aren't you? If one can examine closed source the same way as open one, then all problems would be solved. And by the way, there would be no point in having proprietary software. Would it? Of course Java is easier to reverse engineer, but want to try Oracle's java?
"Google" Google has root access to your device: It can pull/install any application without you noticing it. They can install another version of TextSecure with backdoors. They can do whatever they want or told to. So, if you have Google, there is no point in any security at all. And when a developer forces users to have Google for his app to work, that's no security at all.
Cyanogenmode/Conspiracy? There is no conspiracy. The US has a law that requires providers to have back doors in their software/hardware for law enforcement, and there are wild claims (by those who know (and don't) what they are talking about) of TextSecure as "weapon" against this kind of surveillance. And that is pure bull. All that the app can provide is the false sense of security, while in reality making users more transparent to surveillance.
Phone service providers vs. internet: when you use Textsecure as a pure sms app, your provider gets gibberish, but they have no way of knowing what you are using. With GCM/GSF/Googleplay, they know exactly what you are doing, as you are marked as using this particular app. So, Moxie is making life of "survaillors" much easier.
Thanks for telling me to uninstall the app if I want to generate new key. So, if I do it this way, you think my contacts won't receive a message that my key has changed?
Here is how I began to suspect foul play: First I noticed the app wanted access to the internet, then I discovered that I can no longer generate a new key, then I went to read about F-droid/Whisper problems. Then I read that he wants the app be available through Google only, because he cares about security and does not want users to allow third party apps (BS). Then I read about feds harassment. You think the 3 letter agencies wouldn't like to have him?
In my view, Moxie's arguments no longer make sense. And by the way, when he is against the wall, he tells you to create a world wide push service - alternative to GCM. LOL.
For me that's enough to stay away from the app. Others will decide accordingly...
Does anybody work on an alternativ push service in order to replace hard requirement on Google services for TextSecure, Redphone and lots of other useful apps?
I understand that GAPPS are needed to run textsecure.
Is it possible/ has anyone succeed to get it to run with the no GAPPS apps such as the blank store etc or is the app relying too much on google infrastructure?
i can use textsecure sms without internet. besides registering with push is not mandatory at all so the crash you've experienced must be a bug in the version of textsecure you're using. also why compare it to pgp/gpg? textsecure uses otr with improvements to deniability and forward secrecy. also textsecure supports mms (which uses internet).
if you're really that paranoid, avoid android at all and stop spreading FUD claiming it to be fact. i don't find the statement factual at all. it lacks any evidence (show us the code with the backdoor first).
and also avoid openguardian project too as they conspire with textsecure since they are recommending it.
and by the way, whisper and openwhisper are different.
It really is ashamed when misinformed people comment on things they do not have enough information to intelligently speak about. Especially when it discourages people from using an application that is one of the only current means of communicating over SMS in a secure manner. Is it perfect? Certainly not... Security and encryption are never perfect, and there will always be flaws to be found, but to insist that someone such as Moxie Marlinspike is somehow working against the security researcher community in some undercover role as an agent of the government or some corrupt company is really insulting. If you have some absolute proof, or even a reasonable solid suspicion, please share it, but otherwise do not taint these incredible people with false accusations. Learn a bit about encryption, reverse engineering, and packet inspection, and then come back and give an intelligent analysis of your findings of the application you suspect to be playing some nefarious role. Until then, your accusations are completely unfounded and damaging to the community as a whole. There are many people who have worked hard to make this product a reality, and I believe they should be praised for their efforts. Obviously these are my own opinions, and you are free to dismiss them outright as you have done to others in previous posts. In addition, I realize I am not an active member of the xda community, but I am an active member of the security/reverse engineering community. My job and nearly all of my free time is spent reverse engineering software and I see no basis for your accusations.
Here is more update on Textsecure: there was a major vulnerability found last October-November. And Moxie's response (not surprisingly) - fixing "feels pretty cumbersome" and "I dunno."
Also, Open Whisper is now accepted into the family of such a bastion of privacy, as Facebook (kids love it, NSA approves). So, If you had any doubt about this app before, now you can sleep well at night (sarcasm).
https://moderncrypto.org/mail-archive/messaging/2014/001029.html
https://moderncrypto.org/mail-archive/messaging/2014/001030.html
To those who like to attack the messenger ( I call them Google thugs or pacifier babies). One says decompile GSF, the other - false accusations and absolute proof?! Wake up and get the pacifier out of your mouth. There is no such thing in real life. I give you the dots, you can't connect them with the pacifier in your mouth.
Here is some more damning evidence that Textsecure is a totally compromised project no longer to be trusted: during 2013-2014 Open Whisper Systems received over $1.3 mln from BBG, which is an arm of US Government and its 3-letter-agencies.
http://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/
So, Moxie, it appears, has turned from someone who was harrased by TSA in airports (presumably for a failure to cooperate with the government) to a receipient of major funds from the same government. I am not even talking about him getting a once in a life-time project to work on "securing" Facebook's What's up application. Pitty and shame...
Replacement for Textsecure
Here is a pure sms app, which replaces compromised Textsecure, as well as stock messaging. There is no over the internet messaging, no google binaries and no Google Services Framewor all closed sourse. In addition, starting from version 2.7, textsecure no longer encrypts SMS. Pitty.
Here is the latest version: http://forum.xda-developers.com/android/apps-games/sms-secure-aes-256-t3065165

Audit my code please

Short version: I programmed a Windows 8 Oauth app. I didn't know where to post this, but it's mostly done in javascript and HTML so I figured this forum might be best. If others have time, I'd really appreciate it if someone would audit my code. Due to the nature of the amount my request, I thought it would be best to post a link to the GitHub repo. If this is wrong, please correct me.
GitHub: https://github.com/mepis/Windows8OauthAuthenticator
Long Version: I use 2-step for a lot of my accounts. The problem is, I'm lazy. I don't feel like getting up to get my phone after I set it down at night. I wanted a metro Oauth app for Windows 8. I looked on the store, but didn't recognize any of the developers. Due to the nature of Oauth, I choose to err on the side of caution and not use the apps. I'm not saying that other devs aren't well intentioned and good devs. I'm just saying that it's a better idea in the name of security that I not use the apps if I can't verify anything. So I decided to write my own.
That leaves another issue though. Due to the nature of Oauth, the token device shouldn't be on the same device you're putting passwords in. I'm choosing to ignore this a bit. I do recognize that tokens shouldn't be stored in plain text though in the Windows storage space. Instead, I push and pull the token from the Windows Credential Manager and the password vault.
I was thinking of running the tokens, labels, and account names through an AES algorithm and then storing that information in the credential manager. This would require a user password on opening the app though. I'm not sure I want to go that route yet, though it would be easily implemented later on.
The mission of this app is simple. I want to offer an Oauth app that is open source and able to be audited by the general public. I want others to have access to a free tool that they can trust and review. I will never charge for this app nor ask for donations. It's also posted under the GNU version 3 license.
At some point, I am thinking about porting this app to Windows Phone.
I'm very much a amateur developer though. I was hoping that others could audit my app, offer suggestions, and point out mistakes. I very much appreciate any help or time that any person is willing to offer.
While you may well get some takers, and some of them might even know what they're doing, you realize you're asking for something that is usually done by people who do this stuff professionally for hundreds of dollars per hour, right? It's like writing up a legal contract and posting it online and saying "do you think this will hold up in court?"
OK, training to be a security engineer doesn't take as long as training to be a lawyer. But there's *more* lawyers than there are security engineers, and our time is very much in demand (yes, I'm a security engineer; no, I will not audit your code for free unless I expect to have a use for it personally).
I'm not even sure what you mean by "OAuth app". OAuth is a standardized protocol (v2.0, RFC 6749, is more accurately described as a framework) for delegated authentication. For example, you've seen how a lot of web sites let you sign in using your Facebook account? That's because they use Facebook as an OAuth provider. The website delegates the responsibility of authenticating users to Facebook, which is handy for them because they don't have to handle passwords and so forth, handy for the user because many users already have FB accounts, and handy for FB because they gain information about what kinds of sites you visit and can use that to target ads. It also has downsides, of course; the OAuth client (web site) has to trust that FB knows what they're doing and to remain available, the user gives FB info they might not want FB to have and also ends up essentially re-using passwords across sites (a bad idea), and FB bears the cost and responsibility of managing all those logins.
Now, to make any authentication scheme (including but not limited to OAuth) stronger, you can multi-factor authentication (sometimes called two-factor auth or 2FA). The most common way of doing that is using Time-based One Time Password (TOTP, standardized as RFC 6238) security tokens, either in small hardware devices or in mobile apps. Is that what this is supposed to be? Because... that has nothing to do with OAuth.
I have a hard time imagining a situation in which I'd use a TOTP generator written by somebody who didn't know the difference between TOTP and OAuth.
Well, your response thus far has been excellent (I'm not being sarcastic). I need to read more about Oauth then. I must have my definitions and understanding a bit confused.
In actuality, to phrase it better, the application would be a TOTP app then - like Google Authenticator. I used Javascript provided by Google for the TOTP generation. The app itself is rather simple. My biggest concern though is the safety of the tokens. I used Windows Credential Manager to store the tokens on the device. I couldn't find much information about the security of Windows Credential Manager though. That's my biggest concern.
Other than that, thanks for the information. I'm going to do some more reading.
For what it's worth (and without having read your code), it sounds like you're doing OK; TOTP generators are not complex by themselves, and usually the only threat to them is in the secret storage (which you're addressing). Of course, most of them offer things like QR code scanning (as a way to load secrets more easily) and I don't know if you have anything like that or whether there are any security pitfalls there.

Categories

Resources