RedPhone Removed from Google Play Store

Eric Mill eric at konklone.com
Thu Nov 13 09:51:33 PST 2014


Moxie's laid out very clear reasons for why he uses Google Play and
discourages other people from building it. You may not agree with him, but
he at least has what I think is a coherent security model that he's
sticking to.

Really great discussion on it here:

https://github.com/whispersystems/textsecure/issues/53
https://github.com/whispersystems/textsecure/issues/127

Namely, he trusts apps signed with his signature (a process he manages
using his own airgapped system) and that's it. *You* may not hinge your
trust of the application on his signature, but he does, and he wants
ideally every TextSecure install to have it.

Both threads above are from before the CyanogenMod deal. To make that
happen, Moxie's team built a secure self-update path for the app, which
removed most of the barriers to requiring Google Play.

The other main barrier is push delivery, which right now uses Google Cloud
Messaging. High quality push delivery to a kabillion devices is very hard,
and not easy to replace. However, Moxie has encouraged people to take
advantage of the server's WebSockets support, and to build an option for
that into the client if they want to remove the last barrier to Google
support -- while warning that WebSockets delivery will not be nearly as
good as GCM-based delivery.

I was talking with a friend about this over the weekend, and I think that
the push that's happening for fully reproducible builds -- where every
build produces an identical binary with an identical hash -- would resolve
some of the issues Moxie has.

Then, Moxie can sign the hash of the binary, and others who build the
source code or get binaries from other places can verify that hash. That
still requires some tooling or verification UX, and for builds to be
reproducible by other people than Moxie, but it could make a difference.

-- Eric

On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey <cathalgarvey at cathalgarvey.me> wrote:

> Nope, I haven't had to install Play for Textsecure at all, and I don't use
> or have a personal Google account. When it offers to set up data channel,
> just skip it, and TS reverts to encrypting over SMS instead.
>
> Redphone also has a "no google" mode where it announces incoming calls to
> other RP users with a simultaneous SMS, but I've found it to be very buggy
> in my builds; calls connect but no sound transmitted, etc.
>
> As far as "where to get it", here's a copy:
> https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef
>
> Cert is self-signed:
> SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F
> SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2
>
> This is an older build by now. Frankly I'm holding out for a JS build of
> Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my
> "killer apps" tying me to Android. I just wish Moxie would let them play
> nice together.
>
>
> On 12/11/14 23:13, Seth wrote:
>
>> On Wed, 12 Nov 2014 14:29:04 -0800, <bluelotus at openmailbox.org> wrote:
>>
>>> Where can TextSecure be downloaded?
>>>
>>
>> Best workaround I've found so far if you want to download Google Play
>> APKs on your computer and then transfer them to your phone manually is
>> Raccoon:
>>
>> http://www.onyxbits.de/raccoon
>>
>> Requires java along with a 'dummy' Google account, but gets the job done
>> with the least amount of hassle.
>>
>> Unfortunately, it appears that TextSecure still requires the Google
>> Services framework to be installed and running on the Android device.
>> Haven't figured out yet how to do this manually without installing
>> Google Play.
>>
>> Also, FWIW, you can (or at least you used to be able to) manually remove
>> a Google account from an Android phone without having to factory reset
>> the device.
>>
>> http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
>>
>>


-- 
konklone.com | @konklone <https://twitter.com/konklone>
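
An added example, not part of the original message or of any TextSecure tooling: one way to check a rebuilt APK against a published one when builds are reproducible. It assumes JAR (v1) signing, where the publisher's copy carries signing files under META-INF/ that a rebuild lacks, so a raw file hash differs and the comparison is done over entry contents instead. All archives and names below are constructed samples.

```python
import hashlib
import io
import zipfile

# JAR (v1) signing adds these files under META-INF/; they exist only in the
# signer's copy, so they are left out of the comparison.
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signing_entry(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNING_SUFFIXES)

def content_digest(apk_bytes):
    """SHA-256 over sorted (entry name, entry SHA-256) pairs, minus signing files."""
    outer = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = [n for n in apk.namelist() if not is_signing_entry(n)]
        if len(names) != len(set(names)):
            raise ValueError("duplicate entry names in archive")
        for name in sorted(names):
            entry_hash = hashlib.sha256(apk.read(name)).digest()
            encoded = name.encode("utf-8")
            outer.update(len(encoded).to_bytes(4, "big") + encoded + entry_hash)
    return outer.hexdigest()

def same_build(published_apk, rebuilt_apk):
    return content_digest(published_apk) == content_digest(rebuilt_apk)

def raw_sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_apk(entries):
    """Constructed sample: build a small zip archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed inputs, not real TextSecure files.
CODE = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
SIGNING = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s",
           "META-INF/CERT.RSA": b"sig"}
PUBLISHED = make_apk({**CODE, **SIGNING})
REBUILT = make_apk(CODE)
TAMPERED = make_apk({**CODE, "classes.dex": b"dex-bytes-modified"})
```

The value returned by content_digest is what a publisher could sign and others could recompute; the signing step itself is not shown here.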