TextSecure to Drop Support for Encrypted SMS

Open Whisper Systems is phasing out support for encrypted SMS and MMS messages in its TextSecure messaging product. The move does not spell the end for encrypted messaging for users of the Android app, as the company plans to switch to its own transport protocol to address some of the security and performance issues inherent in SMS.

TextSecure is more than five years old, and when it first became available, it was one of a tiny handful of products providing encrypted messaging. The app is free, and it long predates the slew of similar products that emerged after the Edward Snowden revelations raised the stakes on security and privacy for many users. But the environment has changed, as have the ways that people use their phones, and Open Whisper Systems is moving away from SMS to its own transport system for encrypted messaging.

“The TextSecure story started back in 2009, at the dawn of the smartphone era. Back then, TextSecure focused on securing the transport that everyone coming from feature phones was familiar with: SMS. Today, many things have changed, and TextSecure now emphasizes the ‘TextSecure transport,’ which uses data rather than SMS. While we remain committed to supporting plaintext SMS/MMS in addition to the encrypted TextSecure transport so that the app can function as a unified messenger, we are beginning the process of phasing out support for SMS/MMS as an encrypted transport in favor of the TextSecure data protocol,” the company said in a blog post.

One of the reasons that the company is moving to its own transport protocol for encrypted messaging is the security issues with SMS. Text messages sent over SMS are routed through carriers’ infrastructure and as they move along, they leave traces everywhere. This runs counter to what an encrypted messaging app is trying to accomplish.

“They leak all possible metadata 100% of the time to thousands of cellular carriers worldwide. It’s common to think of SMS/MMS as being ‘offline’ or ‘peer to peer,’ but the truth is that SMS/MMS messages are still processed by servers–the servers are just controlled by the telcos. We don’t want the state-run telcos in Saudi, Iran, Bahrain, Belarus, China, Egypt, Cuba, USA, etc… to have direct access to the metadata of TextSecure users in those countries or anywhere else,” the company said.

The TextSecure transport protocol uses data rather than the SMS system, something that makes it more accessible and economical for users in locations where text messaging over SMS is very expensive.

Another consideration in the change to the TextSecure protocol is that Open Whisper Systems has released an iPhone secure messaging app called Signal. The move away from SMS will allow TextSecure to become compatible with Signal.

“We recently launched Signal for iPhone, which includes support for TextSecure-compatible messaging. However, iOS does not have APIs that allow us to programmatically send/receive SMS messages. This means that encrypted SMS messages to iPhone users won’t work, which creates potentially confusing compatibility issues for users,” the company said.

The next version of TextSecure, 2.6.0, will be the last one to include support for encrypted SMS and MMS.


  • Dan on

    That is unacceptable. SMS is still the king of messaging, especially in the third world where internet access is spotty at best and very expensive. I have several messaging apps on my phone but I use SMS 98% of the time. And for some of my contacts, we prefer to encrypt text messages with TextSecure. We fully understand that metadata is not secure, but we accept it. Just as we accept that GPG only encrypts the content of email, not the headers. It is a trade-off we are willing to take to ensure that our communications, at the very least, are not readable by our carrier or the government. Just to be on the safe side, I have backed up my version of TextSecure before it gets superseded by a newer (and less useful) version. But Moxie or his company should think hard before throwing us SMS users under the bus.
  • Bruce Garrison on

    Please do not do this! I know so many who will wind up being exposed because of ignorance.
  • Johan on

    It seems that TextSecure is being forked: https://github.com/SecuredText/SecuredText This way we can use the forked app for sms and TextSecure for pushmessages.
  • Ted on

    And I have just found an alternative for me: www[dot]trutower[dot]com/2015/03/19/threema-gateway-secure-messaging-launch-23730/
  • David on

    Do NOT upgrade if you are on a Text Secure version v2.6.x or before. If you do, Moxie the Moron has removed SMS Encryption after v2.6.x. This release log information is NOT visible on the Google Playstore when you try to upgrade. Moxie the Moron doesn't want people to know he has removed the SMS Encryption after v2.6.4, otherwise no one would upgrade. Since Moxie (the utter Moron) has removed SMS Encryption (for no real reason except to cement a deal with WhatsApp) after version v2.6.4, there is no point using Text Secure any more. Moxie the Moron has put self interest using an open source platform ahead of maintaining E2E SMS Encryption for all. I suggest to 'uninstall' Text Secure and use the more stable Open Source platforms - Chat Secure (Open Source) - E2E IM Encryption - more feature rich and stable than Text Secure. Can be downloaded and installed with the Google Playstore (unlike crappy Text Secure) https://chatsecure.org - SMS Secure (Open Source) - E2E SMS Encryption. Can be downloaded and installed with the Google Playstore (unlike crappy Text Secure) https://smssecure.org Plonk! ... there goes my uninstall of Text Secure after 3 years. Hope to never use another of your products, Moxie the Moron !!!
  • Aviator168 on

    This is a gimmick. If the service is routing the message, they can store the metadata and open to government examination. The only way to hide the metadata is to use bitmessage (for now at least)
  • John Willis on

    SMS Secure is a much better option than Text Secure
  • Paul on

    What a moronic move. Even in most 1st world countries, take a trip out of the city into the countryside and the data connection becomes useless and needs SMS-fallback. How does TextSecure now differentiate from WhatsApp? Why are people not now just going to use the equally inferior WhatsApp? Or is this the whole point of this dirty move?
