Home
You can never be sure who or what is viewing your messages or what they’re going to do with them if they should get them. Tinfoil-SMS is an encrypted messaging application so your texts don’t fall into the wrong hands. Tinfoil-SMS uses a 256-bit ECC encryption key as well as a unique signed key exchange to prevent any “man-in-the-middle” attacks.
The only way an unwanted party will see your messages is if they know your secret passphrases and perform a key exchange with you. If you think we’re bluffing or you need to see it to believe it, feel free to poke around the source code. It’s open source and we’ve got nothing to hide.
- The worst security is a false sense of security
- The best security is the appearance of no security
- Design systems with the intent that everyone is acting against the system
- Security above all else, including performance
- Always free for anyone to use and with no limitations
- Released as open source software under the GNU General Public License Version 3
- Simple to use and understand UI
- Easy to import contacts from the phone to Tinfoil-SMS
- Public key cryptography using Elliptic Curve Cryptography (ECC)
- A secure and reliable public key signing scheme to mitigate man-in-the-middle attacks
- AES-256 block cipher with SHA-256 message HMAC
- Incorporate steganography to obfuscate text messages
- Comprehensive source code documentation and wiki
- Thorough guide to help mitigate any security risks as a result of improper use
- The project is currently in beta; the goal is a stable release by February.
- Thorough beta phase with comprehensive bug testing and reporting using ACRA and Bug Sense
- Security audits and a detailed cryptanalysis of the application and the library, Orwell
- Finalizing the cryptography during the beta release, so that it can remain unchanged for the stable release
- A stable release within 6 months of the beta release
- Incorporating steganography to obfuscate text messages for the next major release
If you are new to using Tinfoil-SMS it is highly recommended that you go through the introductory tutorial to familiarize yourself with the application and to ensure that you do not use it improperly and expose yourself to a potential security threat (principle #1, the worst security is a false sense of security).
For those who are familiar with the app, but have not read through the introductory tutorial, it is still recommended that you go through the tutorial to better familiarize yourself with the key exchange process and the recommended best practices.
Tinfoil SMS Introductory Walkthrough
We are always in need of more developers. At the moment the greatest need is for developers to aid in resolving issues, especially some of the tricky concurrency and database issues for different versions of Android, as we work towards an initial stable release to be distributed on Google Play.
If you have a keen interest in cryptography or are a developer interested in contributing to Tinfoil-SMS, please take a look at the following cryptography page, which gives a detailed breakdown of the cryptography used for the entire Tinfoil-SMS cryptosystem as well as a cryptanalysis.
- Why do I have to use shared secrets (it's annoying, etc.)?
  - The shared secrets are required to provide a way of verifying that the persons executing the key exchange are who they claim to be and not imposters (to prevent possible man-in-the-middle attacks).
  - Normally (on the Internet), public key signing and verification is done using a trusted source known as a certificate authority (CA). Unfortunately, no such trusted source exists in the telecommunications world for the SMS protocol.
  - We evaluated many alternatives, such as a crowd-based CA, but they were all either infeasible or too easy to detect/manipulate.
  - Principle #1 of the project's guiding principles: the worst security is a false sense of security.
- What is ________?
  - Please see the list of terminology. If you are still unsure, feel free to send us an email.
- How can I stop sending encrypted messages?
  - Please see the Untrusting or Removing Contacts section of the introductory tutorial.
- How do I change my shared secret (e.g. I entered it incorrectly)?
  - Please see the section on Managing Contacts in the introductory tutorial.
- How can I contribute?
  - We're glad you asked! Please see the Developers section or feel free to drop us an email; we will gladly fill you in on outstanding tasks and areas where we could use help.
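
The shared-secrets answer above says the secrets let each side verify a key exchange without a certificate authority. The sketch below is an added illustration, not Tinfoil-SMS or Orwell code: it assumes an HMAC-SHA256 tag keyed from two passphrases stands in for the project's signing scheme (which this page does not specify), and the function names, the PBKDF2 step, the salt and the random "public keys" are all constructed for the example.

```python
import hashlib
import hmac
import secrets

PUB_LEN = 33   # size of a compressed 256-bit EC point (assumed encoding)
TAG_LEN = 32   # HMAC-SHA256 output size

def derive_mac_key(secret_1: str, secret_2: str) -> bytes:
    """Stretch the two shared secrets into one MAC key (hypothetical KDF choice)."""
    s1, s2 = secret_1.encode(), secret_2.encode()
    # Length-prefix the first secret so ("ab", "c") and ("a", "bc") differ.
    material = len(s1).to_bytes(2, "big") + s1 + s2
    return hashlib.pbkdf2_hmac("sha256", material, b"constructed-demo-salt", 100_000)

def build_exchange(public_key: bytes, mac_key: bytes) -> bytes:
    """Sender side: public key followed by a tag only a secret holder can compute."""
    return public_key + hmac.new(mac_key, public_key, hashlib.sha256).digest()

def accept_exchange(message: bytes, mac_key: bytes):
    """Receiver side: return the public key if the tag verifies, else None."""
    if len(message) != PUB_LEN + TAG_LEN:
        return None  # truncated or padded message
    public_key, tag = message[:PUB_LEN], message[PUB_LEN:]
    expected = hmac.new(mac_key, public_key, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return public_key if hmac.compare_digest(tag, expected) else None

def demo() -> dict:
    key = derive_mac_key("blue heron", "tuesday market")  # constructed secrets
    alice_pub = secrets.token_bytes(PUB_LEN)     # constructed stand-in for an EC key
    mallory_pub = secrets.token_bytes(PUB_LEN)   # key substituted by a third party
    honest = build_exchange(alice_pub, key)
    swapped = mallory_pub + honest[PUB_LEN:]     # key replaced in transit, tag reused
    guessed = build_exchange(mallory_pub, derive_mac_key("password", "123456"))
    return {
        "honest_accepted": accept_exchange(honest, key) == alice_pub,
        "swapped_key_accepted": accept_exchange(swapped, key) is not None,
        "wrong_secrets_accepted": accept_exchange(guessed, key) is not None,
        "truncated_accepted": accept_exchange(honest[:-1], key) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

In this sketch the tag can be checked offline by anyone who records the exchange, so its strength rests entirely on how hard the passphrases are to guess.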