The sanctity of Apple iMessage end-to-end encryption has been challenged by white hats who in 2013 reverse engineered the protocol behind it, revealing that Apple controls the key infrastructure and could, in turn, be compelled to turn over messages via government order.
CEO Tim Cook denied those charges last September in an interview, but nonetheless, confidence in the security of messages sent over iMessage hasn’t been 100 percent since.
Researcher Moxie Marlinspike’s Open WhisperSystems today released version 2.0 of the free Signal app for Apple iOS, which now adds end-to-end encrypted messaging to the encrypted voice calling introduced last July with Signal 1.0.
The private messaging support for iPhone is free and open source—and not the last step for Marlinspike, who is also responsible for RedPhone, an app that encrypts calls on the Android platform, and TextSecure for Android, a private text and chat app that is at the heart of today’s Signal 2.0 release for the iPhone.
“We’re going to unify TextSecure and RedPhone into Signal on Android, release a desktop version of Signal, and keep working to push the envelope of secure protocols and private communication,” Marlinspike said of his planned product road map.
For now, the availability of Signal 2.0 for iOS brings a measure of privacy and secure communication that’s been in question since the QuarksLab report of 2013.
Signal 2.0 adds encrypted messaging to the encrypted voice calling introduced last year. via @ThreatpostTweet
“It’s technically possible that someone in control of Apple’s servers could intercept your communication,” Marlinspike said, adding that Signal 2.0 now allows iPhone users to communicate privately with users on the Android platform. The protocol behind Signal 2.0 also supports forward secrecy, which essentially generates a new encryption key for each message, meaning that if a key were cracked in the future, not all messages would be in danger.
Signal 2.0, Marlinspike also said, allows users to verify each other’s respective encryption keys, meaning that it would be an easy detect if an attacker was sitting in a man-in-the-middle position intercepting traffic between endpoints.
For now, both ends of a conversation require Signal to be installed in order to assure secure communication, Marlinspike said.
The simplicity of Signal should remove any impediment for privacy conscious users. The app uses the phone’s existing phone number and address book and does not require a separate log-in or authentication mechanism to manage. Users are able to send encrypted group messages (text, video, photos) and make encrypted phone calls worldwide without extra charges, Marlinspike said.
“We cannot hear your conversations or see your messages, and no one else can either. No exceptions. You can even tap and hold on a contact’s name to see advanced identity verification options,” says Signal 2.0’s product description. “Everything in Signal is always end-to-end encrypted and painstakingly engineered in order to keep your communication safe.”
The source code is available on Github for inspection, as well, Marlinspike said.