RedPhone Removed from Google Play Store
Early today, 11 November 2014, Open Whisper Systems' RedPhone app was removed from the Google Play Store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
By contrast, TextSecure remains available:
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms
and Open Whisper Systems' iOS app, Signal, remains available:
https://itunes.apple.com/us/app/signal-private-messenger/id874139669
Any ideas what may have happened?
George Maschke PGP Public Key: 316A947C
Yes, I have an idea. The US corporation-state is unhappy that people can make sexy calls (or any other calls) to each other that the US corporation-state is not privy to. They have complained to Google. Someone pulled it from the store. A debate ensued on whether or not that would be appropriate, thus while hot air is being expelled the other secure apps remain in Google's Play store.
Nonetheless the apps will remain available elsewhere even if pulled from store.
There is a thread related to these issues on twitter which I recommend you visit (dated from the time when Google Play had censored adblockplus and disconnectme, removing them from the Google Play store):
https://twitter.com/AnonyOdinn/status/506325144382341120
Text of the statements which started the thread, my response to it, and adblockplus's response:
"ashkan soltani @ashk4n Aug 29
Conflict of interests - Google removes privacy preserving apps @AdblockPlus and @disconnectme from Android Play store http://blogs.wsj.com/digits/2014/08/28/why-some-privacy-apps-get-blocked-fro......"
"@dgouldin @ashk4n Yes, & @disconnectme @AdblockPlus @bitpay +others should provide links (to dl client) independent from any website service"
"Adblock Plus @AdblockPlus Sep 1
@AnonyOdinn @dgouldin @ashk4n You can grab our APK here: https://adblockplus.org/en/android"
George W. Maschke:
Early today, 11 November 2014, Open Whisper Systems' RedPhone app was removed from the Google Play Store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
By contrast, TextSecure remains available:
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms
and Open Whisper Systems' iOS app, Signal, remains available:
https://itunes.apple.com/us/app/signal-private-messenger/id874139669
Any ideas what may have happened?
George Maschke PGP Public Key: 316A947C
-- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn
It's an enduring disappointment to those of us too security/privacy conscious to install Google Play that Moxie refuses to distribute signed APKs through any other channel. It also confuses the heck out of me that someone who makes an app *explicitly* to guard against intermediaries doesn't actually understand why I might distrust Google as much as my network provider.
Anyways, without a Google account Redphone performs very poorly, so I don't use it, but I've got a good network of Textsecure users going based on self-compiled, unmaintained APKs, precisely the outcome Moxie claims Google Play helps prevent. Bad Incentives, I guess.
On 11 November 2014 17:30:09 GMT+00:00, odinn <odinn.cyberguerrilla@riseup.net> wrote:
Yes, I have an idea. The US corporation-state is unhappy that people can make sexy calls (or any other calls) to each other that the US corporation-state is not privy to. They have complained to Google. Someone pulled it from the store. A debate ensued on whether or not that would be appropriate, thus while hot air is being expelled the other secure apps remain in Google's Play store.
Nonetheless the apps will remain available elsewhere even if pulled from store.
There is a thread related to these issues on twitter which I recommend you visit (dated from the time when Google Play had censored adblockplus and disconnectme, removing them from the Google Play store):
https://twitter.com/AnonyOdinn/status/506325144382341120
Text of the statements which started the thread, my response to it, and adblockplus's response:
"ashkan soltani @ashk4n Aug 29
Conflict of interests - Google removes privacy preserving apps @AdblockPlus and @disconnectme from Android Play store http://blogs.wsj.com/digits/2014/08/28/why-some-privacy-apps-get-blocked-fro......"
"@dgouldin @ashk4n Yes, & @disconnectme @AdblockPlus @bitpay +others should provide links (to dl client) independent from any website service"
"Adblock Plus @AdblockPlus Sep 1
@AnonyOdinn @dgouldin @ashk4n You can grab our APK here: https://adblockplus.org/en/android"
George W. Maschke:
Early today, 11 November 2014, Open Whisper Systems' RedPhone app was removed from the Google Play Store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
By contrast, TextSecure remains available:
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms
and Open Whisper Systems' iOS app, Signal, remains available:
https://itunes.apple.com/us/app/signal-private-messenger/id874139669
Any ideas what may have happened?
George Maschke PGP Public Key: 316A947C
-- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
I'm still confused as to why Moxie decided to build apps for Android. Android is a really bad environment, security-wise. The securephone (or whatever it's called) did very little to assuage worries. The stack is way too tall! The attack surface is *huge*. Then through the Google Store, which is a problem too. Maybe Moxie decided that any threat model that includes an adversarial Google will result in immediate loss, thus decided that Google was his friend?
Well, not trying to be blunt about it, but maybe the reason why Moxie decided to build apps for Android, is because Android tipped over 80 percent market share before even 2014, and who wouldn't want to try to provide good privacy for that large of a userbase? or maybe it is some other reason, maybe you could ask Moxie, who I've copied on this.
But with that said, with that many users, good apps that provide people with choices as to how to protect their information are necessary.
By the way, I use RedPhone and TextSecure, and I recommend them to others. I'm aware of the issues that have arisen in connection with analyses of TextSecure and CyanogenMod (and the issues that people raise with Android), but I still think that RedPhone and TextSecure are some of the best things out there particularly when compared to many other similar apps on the market.
Really these kind of things (Google Play's censorship of Adblockplus and disconnectme in the past, as examples, and Google pulling RedPhone off Play, more recently) make it clear though that you can't have Google as your friend for long and if you're going to put an app out it should be downloadable from your project site, downloadable from github, and accessible (for mobile apps / droid) via https://f-droid.org/ as well.
Don't you dare tell me people should go get an iPhone (yes, Signal is available for iPhone, which is surely good for the many iPhone users, and that's a good thing) in light of Apple's horrific practices such as, but not limited to, this:
http://blog.crackpassword.com/2014/06/breaking-into-icloud-no-password-requi...
or this (re.: Yosemite and iCloud):
http://datavibe.net/~sneak/20141023/wtf-icloud/
etc.
Lodewijk andré de la porte:
I'm still confused as to why Moxie decided to build apps for Android. Android is a really bad environment, security-wise. The securephone (or whatever it's called) did very little to assuage worries. The stack is way too tall! The attack surface is *huge*. Then through the Google Store, which is a problem too. Maybe Moxie decided that any threat model that includes an adversarial Google will result in immediate loss, thus decided that Google was his friend?
-- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn
Cathal, thank you for pointing out the hypocrisy of privacy app developers not making their apps available without a Google account. I too refuse to have a Google account so cannot use Google Play.
Thanks for making TextSecure available to non Google account holders. Where can TextSecure be downloaded?
On 11/11/2014 2:31 pm, Cathal (Phone) wrote:
It's an enduring disappointment to those of us too security/privacy conscious to install Google Play that Moxie refuses to distribute signed APKs through any other channel. It also confuses the heck out of me that someone who makes an app *explicitly* to guard against intermediaries doesn't actually understand why I might distrust Google as much as my network provider.
Anyways, without a Google account Redphone performs very poorly, so I don't use it, but I've got a good network of Textsecure users going based on self-compiled, unmaintained APKs, precisely the outcome Moxie claims Google Play helps prevent. Bad Incentives, I guess.
On 11 November 2014 17:30:09 GMT+00:00, odinn <odinn.cyberguerrilla@riseup.net> wrote:
Yes, I have an idea. The US corporation-state is unhappy that people can make sexy calls (or any other calls) to each other that the US corporation-state is not privy to. They have complained to Google. Someone pulled it from the store. A debate ensued on whether or not that would be appropriate, thus while hot air is being expelled the other secure apps remain in Google's Play store.
Nonetheless the apps will remain available elsewhere even if pulled from store.
There is a thread related to these issues on twitter which I recommend you visit (dated from the time when Google Play had censored adblockplus and disconnectme, removing them from the Google Play store):
https://twitter.com/AnonyOdinn/status/506325144382341120
Text of the statements which started the thread, my response to it, and adblockplus's response:
"ashkan soltani @ashk4n Aug 29
Conflict of interests - Google removes privacy preserving apps @AdblockPlus and @disconnectme from Android Play store http://blogs.wsj.com/digits/2014/08/28/why-some-privacy-apps-get-blocked-fro......"
"@dgouldin @ashk4n Yes, & @disconnectme @AdblockPlus @bitpay +others should provide links (to dl client) independent from any website service"
"Adblock Plus @AdblockPlus Sep 1
@AnonyOdinn @dgouldin @ashk4n You can grab our APK here: https://adblockplus.org/en/android"
George W. Maschke:
Early today, 11 November 2014, Open Whisper Systems' RedPhone app was removed from the Google Play Store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
By contrast, TextSecure remains available:
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms
and Open Whisper Systems' iOS app, Signal, remains available:
https://itunes.apple.com/us/app/signal-private-messenger/id874139669
Any ideas what may have happened?
George Maschke PGP Public Key: 316A947C
-- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn
On Wed, 12 Nov 2014 14:29:04 -0800, <bluelotus@openmailbox.org> wrote:
Where can TextSecure be downloaded?
Best workaround I've found so far if you want to download Google Play APKs on your computer and then transfer them to your phone manually is Raccoon:
http://www.onyxbits.de/raccoon
Requires java along with a 'dummy' Google account, but gets the job done with the least amount of hassle.
Unfortunately, it appears that TextSecure still requires the Google Services framework to be installed and running on the Android device. Haven't figured out yet how to do this manually without installing Google Play.
Also, FWIW, you can (or at least you used to be able to) manually remove a Google account from an Android phone without having to factory reset the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android...
-- Seth
I <3 nicely trimmed email replies
Nope, I haven't had to install Play for Textsecure at all, and I don't use or have a personal Google account. When it offers to set up data channel, just skip it, and TS reverts to encrypting over SMS instead.
Redphone also has a "no google" mode where it announces incoming calls to other RP users with a simultaneous SMS, but I've found it to be very buggy in my builds; calls connect but no sound transmitted, etc.
As far as "where to get it", here's a copy: https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef
Cert is self-signed: SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2
This is an older build by now. Frankly I'm holding out for a JS build of Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my "killer apps" tying me to Android. I just wish Moxie would let them play nice together.
On 12/11/14 23:13, Seth wrote:
On Wed, 12 Nov 2014 14:29:04 -0800, <bluelotus@openmailbox.org> wrote:
Where can TextSecure be downloaded?
Best workaround I've found so far if you want to download Google Play APKs on your computer and then transfer them to your phone manually is Raccoon:
http://www.onyxbits.de/raccoon
Requires java along with a 'dummy' Google account, but gets the job done with the least amount of hassle.
Unfortunately, it appears that TextSecure still requires the Google Services framework to be installed and running on the Android device. Haven't figured out yet how to do this manually without installing Google Play.
Also, FWIW, you can (or at least you used to be able to) manually remove a Google account from an Android phone without having to factory reset the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android...
Moxie's laid out very clear reasons for why he uses Google Play and discourages other people from building it. You may not agree with him, but he at least has what I think is a coherent security model that he's sticking to.
Really great discussion on it here:
https://github.com/whispersystems/textsecure/issues/53
https://github.com/whispersystems/textsecure/issues/127
Namely, he trusts apps signed with his signature (a process he manages using his own airgapped system) and that's it. *You* may not hinge your trust of the application on his signature, but he does, and he wants ideally every TextSecure install to have it.
Both threads above are from before the CyanogenMod deal. To make that happen, Moxie's team built a secure self-update path for the app, which removed most of the barriers to requiring Google Play.
The other main barrier is push delivery, which right now uses Google Cloud Messaging. High quality push delivery to a kabillion devices is very hard, and not easy to replace. However, Moxie has encouraged people to take advantage of the server's WebSockets support, and to build an option for that into the client if they want to remove the last barrier to Google support -- while warning that WebSockets delivery will not be nearly as good as GCM-based delivery.
I was talking with a friend about this over the weekend, and I think that the push that's happening for fully reproducible builds -- where every build produces an identical binary with an identical hash -- would resolve some of the issues Moxie has.
Then, Moxie can sign the hash of the binary, and others who build the source code or get binaries from other places can verify that hash. That still requires some tooling or verification UX, and for builds to be reproducible by other people than Moxie, but it could make a difference.
-- Eric
On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
Nope, I haven't had to install Play for Textsecure at all, and I don't use or have a personal Google account. When it offers to set up data channel, just skip it, and TS reverts to encrypting over SMS instead.
Redphone also has a "no google" mode where it announces incoming calls to other RP users with a simultaneous SMS, but I've found it to be very buggy in my builds; calls connect but no sound transmitted, etc.
As far as "where to get it", here's a copy: https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef
Cert is self-signed: SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2
This is an older build by now. Frankly I'm holding out for a JS build of Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my "killer apps" tying me to Android. I just wish Moxie would let them play nice together.
On 12/11/14 23:13, Seth wrote:
On Wed, 12 Nov 2014 14:29:04 -0800, <bluelotus@openmailbox.org> wrote:
Where can TextSecure be downloaded?
Best workaround I've found so far if you want to download Google Play APKs on your computer and then transfer them to your phone manually is Raccoon:
http://www.onyxbits.de/raccoon
Requires java along with a 'dummy' Google account, but gets the job done with the least amount of hassle.
Unfortunately, it appears that TextSecure still requires the Google Services framework to be installed and running on the Android device. Haven't figured out yet how to do this manually without installing Google Play.
Also, FWIW, you can (or at least you used to be able to) manually remove a Google account from an Android phone without having to factory reset the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
-- konklone.com | @konklone <https://twitter.com/konklone>
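The verification step Eric describes, as an added example that is not part of the original thread or of Open Whisper Systems' tooling: even with a reproducible build, a self-built APK differs from the signed release in its signing files, so the comparison hashes every other entry instead of the whole file. It assumes v1 (JAR) signing, where the signer's files sit directly under META-INF/; the function names and the sample APK bytes are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Files written by v1 (JAR) signing. They differ between a self-built APK and
# the developer-signed release even when every other entry is reproducible.
SIGNING_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def raw_sha256(data):
    """SHA-256 of the whole file, signing files included."""
    return hashlib.sha256(data).hexdigest()


def entry_digests(apk_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNING_ENTRY.match(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name can be read differently by
                # different parsers, so refuse to vouch for such an archive.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def content_digest(apk_bytes):
    """Single hash over sorted (name, digest) pairs: the value a developer
    could sign and publish for independent builders to check against."""
    h = hashlib.sha256()
    for name, digest in sorted(entry_digests(apk_bytes).items()):
        h.update(name.encode("utf-8") + b"\0" + digest.encode("ascii") + b"\n")
    return h.hexdigest()


def compare(reference_apk, candidate_apk):
    """Return (matches, names) where names are missing, extra or changed entries."""
    ref = entry_digests(reference_apk)
    cand = entry_digests(candidate_apk)
    diffs = sorted(n for n in ref.keys() | cand.keys() if ref.get(n) != cand.get(n))
    return (not diffs, diffs)


def make_apk(entries):
    """Build a small ZIP in memory; stands in for an APK in this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: identical app contents, different signers.
BODY = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00constructed",
    "res/raw/a.txt": b"hello",
}
RELEASE = make_apk({**BODY,
                    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "META-INF/CERT.SF": b"release signature file",
                    "META-INF/CERT.RSA": b"release signature block"})
SELF_BUILT = make_apk({**BODY,
                       "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/LOCAL.SF": b"local signature file",
                       "META-INF/LOCAL.RSA": b"local signature block"})
TAMPERED = make_apk({**BODY,
                     "classes.dex": b"dex\n035\x00modified",
                     "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     "META-INF/CERT.SF": b"release signature file",
                     "META-INF/CERT.RSA": b"release signature block"})

if __name__ == "__main__":
    print("whole-file hashes equal:", raw_sha256(RELEASE) == raw_sha256(SELF_BUILT))
    print("content digests equal:  ", content_digest(RELEASE) == content_digest(SELF_BUILT))
    print("tampered copy:          ", compare(RELEASE, TAMPERED))
```

Only the named signing files are skipped, so anything else placed under META-INF/ still counts as content and shows up as a difference.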
Oh, for sure Moxie has a threat model that makes sense to him, but I dispute that it makes any sense in the real world. Google's certificate system is TOFU, so whatever certificate Google pushes to a user's device is what that device trusts updates from thenceforth. And, there's no obvious way for an Android user to verify a certificate *even if they were so inclined*. For my part, as an Android user with a knowledge of and interest in crypto, I have *never* checked a signed APK. Ever.
So, if even the more technical end of Moxie's customer base don't check APK signatures, and if most people simply take what Google Play offers them, what's to stop Google pushing a malicious TextSecure? Nothing. Nothing, at all, ever. And all the machinations and air-gaps Moxie and co implement are meaningless, because the TOFU scheme makes Google the root of all trust on the Google Play market.
If it were merely about certificates, Moxie would offer up-to-date APKs through his own website and F-Droid repository, allowing him to have utter control over timely updates without an intermediate trusted agent.
But he doesn't, and when I asked I finally got an answer: It's because F-Droid doesn't offer metrics, debugging, and analytics. Essentially, he wants Google play so he can get silent feedback on what the Apps are doing in the wild.
I don't object to this as long as it's opt-in for users, but I do object that it's being presented as something (threat model) rather than developer convenience.
I love TextSecure, and I'm grateful to Moxie and co for creating it. It lets me layer security on a legacy platform that everyone uses in a way that's transparent and extremely user-friendly, while offering security granularity for those so inclined (cert checks). But the delivery is through an intermediary that are essentially a public-facing wing of the NSA, and they have total control over the trust/threat model for 95% of the user-base. So..I don't even.
On 13/11/14 17:51, Eric Mill wrote:
Moxie's laid out very clear reasons for why he uses Google Play and discourages other people from building it. You may not agree with him, but he at least has what I think is a coherent security model that he's sticking to.
Really great discussion on it here:
https://github.com/whispersystems/textsecure/issues/53 https://github.com/whispersystems/textsecure/issues/127
Namely, he trusts apps signed with his signature (a process he manages using his own airgapped system) and that's it. *You* may not hinge your trust of the application on his signature, but he does, and he wants ideally every TextSecure install to have it.
Both threads above are from before the CyanogenMod deal. To make that happen, Moxie's team built a secure self-update path for the app, which removed most of the barriers to requiring Google Play.
The other main barrier is push delivery, which right now uses Google Cloud Messaging. High quality push delivery to a kabillion devices is very hard, and not easy to replace. However, Moxie has encouraged people to take advantage of the server's WebSockets support, and to build an option for that into the client if they want to remove the last barrier to Google support -- while warning that WebSockets delivery will not be nearly as good as GCM-based delivery.
I was talking with a friend about this over the weekend, and I think that the push that's happening for fully reproducible builds -- where every build produces an identical binary with an identical hash -- would resolve some of the issues Moxie has.
Then, Moxie can sign the hash of the binary, and others who build the source code or get binaries from other places can verify that hash. That still requires some tooling or verification UX, and for builds to be reproducible by other people than Moxie, but it could make a difference.
-- Eric
On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
Nope, I haven't had to install Play for Textsecure at all, and I don't use or have a personal Google account. When it offers to set up data channel, just skip it, and TS reverts to encrypting over SMS instead.
Redphone also has a "no google" mode where it announces incoming calls to other RP users with a simultaneous SMS, but I've found it to be very buggy in my builds; calls connect but no sound transmitted, etc.
As far as "where to get it", here's a copy: https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef
Cert is self-signed: SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2
This is an older build by now. Frankly I'm holding out for a JS build of Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my "killer apps" tying me to Android. I just wish Moxie would let them play nice together.
On 12/11/14 23:13, Seth wrote:
On Wed, 12 Nov 2014 14:29:04 -0800, <bluelotus@openmailbox.org> wrote:
Where can TextSecure be downloaded?
Best workaround I've found so far if you want to download Google Play APKs on your computer and then transfer them to your phone manually is Raccoon:
http://www.onyxbits.de/raccoon
Requires java along with a 'dummy' Google account, but gets the job done with the least amount of hassle.
Unfortunately, it appears that TextSecure still requires the Google Services framework to be installed and running on the Android device. Haven't figured out yet how to do this manually without installing Google Play.
Also, FWIW, you can (or at least you used to be able to) manually remove a Google account from an Android phone without having to factory reset the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
-- konklone.com <https://konklone.com> | @konklone <https://twitter.com/konklone>
On Thu, Nov 13, 2014 at 2:41 PM, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
> Oh, for sure Moxie has a threat model that makes sense to him, but I dispute that it makes any sense in the real world. Google's certificate system is TOFU, so whatever certificate Google pushes to a user's device is what that device trusts updates from thenceforth. And, there's no obvious way for an Android user to verify a certificate *even if they were so inclined*. For my part, as an Android user with a knowledge of and interest in crypto, I have *never* checked a signed APK. Ever.
> So, if even the more technical end of Moxie's customer base don't check APK signatures, and if most people simply take what Google Play offers them, what's to stop Google pushing a malicious TextSecure? Nothing. Nothing, at all, ever. And all the machinations and air-gaps Moxie and co implement are meaningless, because the TOFU scheme makes Google the root of all trust on the Google Play market.
This isn't accurate, in practice. In theory, Google could replace any certificate they want for first use. But they clearly don't do that for everyone (Moxie or someone would notice), and if they did it in a targeted way, it could only be on the first use. That's a threat vector, but only viable under both targeted and specific circumstances.
So "what's to stop Google pushing a malicious TextSecure? Nothing. Nothing, at all, ever." isn't accurate -- you can trust that you're highly likely to get the real TS binary on first install, and then guarantee that you're getting a binary signed by the same person for updates.
This is why Moxie uses TOFU for the TextSecure threat model itself. Yes, if someone MITMs you and your friend the first time you talk, you're compromised from then on, but in practice that's rare and difficult.
> If it were merely about certificates, Moxie would offer up-to-date APKs through his own website and F-Droid repository, allowing him to have utter control over timely updates without an intermediate trusted agent.
He clearly doesn't think much of F-Droid's build process, especially that they don't keep the build and signing process fully offline. I think that was generally his principal objection there.
There's a more general complaint he's raised as well, which covers the case of hosting the APK on his own site, which is that (in his opinion) the worst thing you can ask non-savvy users to do is check the box that says "Allow unknown sources". I'm pretty sympathetic to this point of view, for the general class of user. And it's the general class of user that Moxie's interested in making inroads on with TextSecure.
Interestingly, I saw this malware alert today that addresses two of the issues here:
https://www.us-cert.gov/ncas/alerts/TA14-317A
The malware only affects people who download it from an unknown source, *and* it's helped by the fact that apparently iOS does not enforce matching certificates on app upgrades with the same bundle identifier. Apple's depending on their App Store walled garden -- and the phone's lack of a built-in "allow unknown sources" option for security.
In a sense, Google's allowing users to opt-in to the "unknown sources" option, even when it raises a user's security risk, forces Google to provide stronger security guarantees even for users who have that enabled. But of course, that only addresses replacement of an existing app. As you say, Android is TOFU for apps, so having "unknown sources" on means a user is vulnerable to new app malware.
I feel like there's been a big mindset shift in the security community about controlled app update vectors. I know Google feels extremely strongly that auto-updating through a secure channel (with pinned keys) is the way to go with Chrome. Both in terms of ensuring that the app is only the one Google built and signed, and in the overall security benefit of not having people lag behind on older browsers for 10 years.
I've really been enjoying (seriously) @SwiftOnSecurity on Twitter, and she had a really interesting post on what security means for the general class of people. It was very depressing, but also points to the direction we need to go:
http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica
> But he doesn't, and when I asked I finally got an answer: It's because F-Droid doesn't offer metrics, debugging, and analytics. Essentially, he wants Google play so he can get silent feedback on what the Apps are doing in the wild.
He's also expressed openness to a third-party replacement for this functionality. It's not impossible to do that, but a high quality open source replacement needs to be built first. Google Analytics has an Android SDK, but it is closed-source. This is the same issue as Google Cloud Messaging: the requirements are high, but an alternative is welcome.
I do wonder how he's managing analytics on the CyanogenMod pre-install -- I'd guess CyanogenMod has their own analytics infrastructure he's piggy-backing on.
> I don't object to this as long as it's opt-in for users, but I do object that it's being presented as something (threat model) rather than developer convenience.
I believe it's being presented as both a threat model, and a set of feature requirements. I wouldn't call needing device analytics just "convenience" -- for a large-scale Android app, it's essentially mandatory. I managed a smaller-scale, but modestly successful, Android app called "Congress" for 4+ years at my last job, and analytics were vital in fixing arcane bugs, identifying when legacy features could be dropped in favor of faster and more secure replacements, and overall feature planning.
> I love TextSecure, and I'm grateful to Moxie and co for creating it. It lets me layer security on a legacy platform that everyone uses in a way that's transparent and extremely user-friendly, while offering security granularity for those so inclined (cert checks). But the delivery is through an intermediary that are essentially a public-facing wing of the NSA, and they have total control over the trust/threat model for 95% of the user-base. So..I don't even.
I think it's crucial to establish independence from Google to the greatest extent possible. "public-facing wing of the NSA" is IMO too strong, but even putting that aside, TOFU doesn't grant them "total control" over the trust/threat model for their user base. Certs and TOFU on Android are auditable, and that does put a leash on what Google is capable of doing without being caught.
-- Eric
> On 13/11/14 17:51, Eric Mill wrote:
> > Moxie's laid out very clear reasons for why he uses Google Play and discourages other people from building it. You may not agree with him, but he at least has what I think is a coherent security model that he's sticking to.
> > Really great discussion on it here:
> > https://github.com/whispersystems/textsecure/issues/53 https://github.com/whispersystems/textsecure/issues/127
> > Namely, he trusts apps signed with his signature (a process he manages using his own airgapped system) and that's it. *You* may not hinge your trust of the application on his signature, but he does, and he wants ideally every TextSecure install to have it.
Both threads above are from before the CyanogenMod deal. To make that happen, Moxie's team built a secure self-update path for the app, which removed most of the barriers to requiring Google Play.
The other main barrier is push delivery, which right now uses Google Cloud Messaging. High quality push delivery to a kabillion devices is very hard, and not easy to replace. However, Moxie has encouraged people to take advantage of the server's WebSockets support, and to build an option for that into the client if they want to remove the last barrier to Google support -- while warning that WebSockets delivery will not be nearly as good as GCM-based delivery.
I was talking with a friend about this over the weekend, and I think that the push that's happening for fully reproducible builds -- where every build produces an identical binary with an identical hash -- would resolve some of the issues Moxie has.
Then, Moxie can sign the hash of the binary, and others who build the source code or get binaries from other places can verify that hash. That still requires some tooling or verification UX, and for builds to be reproducible by other people than Moxie, but it could make a difference.
-- Eric
On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
Nope, I haven't had to install Play for Textsecure at all, and I don't use or have a personal Google account. When it offers to set up data channel, just skip it, and TS reverts to encrypting over SMS instead.
Redphone also has a "no google" mode where it announces incoming calls to other RP users with a simultaneous SMS, but I've found it to be very buggy in my builds; calls connect but no sound transmitted, etc.
As far as "where to get it", here's a copy: https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef
Cert is self-signed:
SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F
SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2
This is an older build by now. Frankly I'm holding out for a JS build of Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my "killer apps" tying me to Android. I just wish Moxie would let them play nice together.
On 12/11/14 23:13, Seth wrote:
On Wed, 12 Nov 2014 14:29:04 -0800, <bluelotus@openmailbox.org> wrote:
Where can TextSecure be downloaded?
Best workaround I've found so far if you want to download Google Play APKs on your computer and then transfer them to your phone manually is Raccoon:
http://www.onyxbits.de/raccoon
Requires java along with a 'dummy' Google account, but gets the job done with the least amount of hassle.
Unfortunately, it appears that TextSecure still requires the Google Services framework to be installed and running on the Android device. Haven't figured out yet how to do this manually without installing Google Play.
Also, FWIW, you can (or at least you used to be able to) manually remove a Google account from an Android phone without having to factory reset the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
-- konklone.com <https://konklone.com> | @konklone <https://twitter.com/konklone>
On Thu, 2014-11-13 at 18:06 -0500, Eric Mill wrote:
This isn't accurate, in practice. In theory, Google could replace any certificate they want for first use. But they clearly don't do that for everyone (Moxie or someone would notice), and if they did it in a targeted way, it could only be on the first use. That's a threat vector, but only viable under both targeted and specific circumstances.
So "what's to stop Google pushing a malicious TextSecure? Nothing. Nothing, at all, ever." isn't accurate -- you can trust that you're highly likely to get the real TS binary on first install, and then guarantee that you're getting a binary signed by the same person for updates.
But Google can silently update their services providing this "guarantee" and remove it. Could they do this without anyone noticing? Probably not on a wide scale. But it's still not a guarantee. There's essentially no way to get around this on Android, which is I think why Moxie has abandoned that goal. If a solution exists, the people detracting TextSecure for using Google infrastructure should build that solution, fork TextSecure, and add it. Code speaks louder than words. -- Sent from Ubuntu
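The update rule argued over in this thread (trust on first use, then require the same signer), sketched as an added example that is not part of any poster's message or any platform's real code. The `Installer` class, the package id and the certificate bytes are constructed for illustration; the unpinned mode stands for matching on the package identifier alone, the behaviour the thread attributes to iOS upgrades.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form quoted in the thread."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class Installer:
    """Toy package installer (hypothetical model, not a real platform API)."""

    def __init__(self, pin_signer: bool):
        self.pin_signer = pin_signer
        self.installed = {}  # package id -> fingerprint of the current signer

    def install(self, package_id: str, signer_cert: bytes) -> str:
        fp = fingerprint(signer_cert)
        known = self.installed.get(package_id)
        if known is None:
            # First use: nothing to compare against, so any signer is accepted.
            self.installed[package_id] = fp
            return "installed (first use)"
        if self.pin_signer and known != fp:
            # Same package id, different signer: refuse the replacement.
            return "rejected (signer changed)"
        self.installed[package_id] = fp
        return "updated"


# Constructed stand-ins for DER-encoded signing certificates.
DEV_CERT = b"constructed developer certificate"
OTHER_CERT = b"constructed third-party certificate"
PKG = "org.example.messenger"  # hypothetical package id


def run(pin_signer: bool) -> list:
    """Install, update with the same signer, then offer a different signer."""
    inst = Installer(pin_signer)
    return [
        inst.install(PKG, DEV_CERT),
        inst.install(PKG, DEV_CERT),
        inst.install(PKG, OTHER_CERT),
    ]


if __name__ == "__main__":
    print("pinned:  ", run(True))
    print("unpinned:", run(False))
```

With pinning the third call is refused, but a first install signed by `OTHER_CERT` is still accepted, which is the first-use gap the posters disagree about.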
On Fri, Nov 14, 2014 at 2:29 PM, Ted Smith <tedks@riseup.net> wrote:
There's essentially no way to get around this on Android, which is I think why Moxie has abandoned that goal. If a solution exists, the people detracting TextSecure for using Google infrastructure should build that solution, fork TextSecure, and add it. Code speaks louder than words.
A lot of the issue is that currently the OS map on phones looks like: 'Android/green' hardware = Google OS, 'iWhatever/white' hardware = Apple OS. The solution is to remove the '=' ties between the two. Already we are seeing porting efforts by BSD and Linux kernels to the ARM and other hardware commonly found in phones and other less than PC form factors. And hardware integrators are making more open-friendly devices where they can, perhaps someday up to and including baseband. Eventually, other than some binary driver blobs, you'll probably see a full Unix running on them in 5 years, driven by 'just because it's cool', and to get out from under the complete hardware to appstore, bottom to top, stacks we're stuck with today. With the nexus6 and the droid sdk, you could strip out a big chunk of useless google stuff and make your own rom. Even without venturing into unix porting efforts. Guardianproject and some other customization efforts seem to be doing just that. 'Appstores' are nothing more than the commercial side of things with all the typical historical lock ins. Eventually opensource provides alternatives and demand leverage to open up some cracks as happened with PC's and Microsoft. Those cracks build.
On Tue, Nov 11, 2014 at 3:35 PM, George W. Maschke <georgemaschke@posteo.de> wrote:
Early today, 11 November 2014, Open Whisper Systems' RedPhone app was removed from the Google Play Store:
Any ideas what may have happened?
Seems like even @whispersystems don't have any idea:
@whispersystems: RedPhone was removed from the Play Store today. We don't yet know why, but we've reached out to Google support for more information. https://twitter.com/whispersystems/status/532300506618527745
@whispersystems: If anyone at Google or with contacts at Google can help us with getting RedPhone reinstated, please get in touch or give us a hand. https://twitter.com/whispersystems/status/532300810810437632
participants (11): Black Fox, bluelotus@openmailbox.org, Cathal (Phone), Cathal Garvey, Eric Mill, George W. Maschke, grarpamp, Lodewijk andré de la porte, odinn, Seth, Ted Smith