Security Notice – TextSecure

Unfortunately, the TextSecure application has been removed from the repository.

Previous versions of the application have a serious security flaw. One of its features is that all SMS messages sent and received are stored in an encrypted database. However, due to an apparent oversight by the developer, all received messages were also logged in plain text to the Android system log. The end result is that, rather than providing more security than the default setup (where a specific Android permission is required to read SMS message content), the messages are exposed in the log, which is much easier to access and may even be inadvertently posted when sending debug logs to developers. Note that messages sent using end-to-end encryption (i.e. where the other party also uses TextSecure) are logged in encrypted form, so that content is NOT exposed in plain text.

The latest version of the application is 0.6.2, in which the security flaw has been fixed. However, the author has not published source code corresponding to the binary he released for this version, and, far from wishing to help anyone stuck with his previous disastrous mistake, he has asked for the application to be removed from our repository, as he wants to distribute it via Google Play only.

As such, I would recommend that anyone running this application stop using it and remove it.
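An added example, not part of the original notice and not code from TextSecure: a check for this class of leak. Send the device a test SMS containing a canary string, dump the log with `adb logcat -d -v threadtime`, and search the dump for the canary, attributing each hit to the process and log tag that wrote it so you know which component leaked. The threadtime line layout is Android's own; the sample dump, the canary value and the tag `ExampleSms` are constructed for this example and are not from TextSecure. One caveat on the notice's point about the log being easier to reach than SMS content: that was true on the Android releases of the time, but since Android 4.1 an ordinary application can no longer read other applications' log output, while `adb` on a connected workstation still can.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Canary is the marker text placed in the test SMS sent to the device.
// It is a constructed value for this example.
const Canary = "canary-7f3a9c"

// SampleDump is a constructed `adb logcat -d -v threadtime` excerpt standing
// in for a real dump. The tag "ExampleSms" is an assumption for the example,
// not a tag from TextSecure or any other real application.
const SampleDump = `--------- beginning of main
03-15 12:34:56.101  1234  1234 I ExampleSms: sms received, storing encrypted
03-15 12:34:56.120  1234  1301 D ExampleSms: body=meet at the usual place canary-7f3a9c
03-15 12:34:57.002   987   990 V ExampleBackup: nothing to do
`

// threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID L TAG: message"
var threadtimeRe = regexp.MustCompile(`^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(\S+?)\s*: ?(.*)$`)

// Leak is one log line whose message carried the canary, attributed to the
// process, thread and tag that wrote it.
type Leak struct {
	Time, PID, TID, Level, Tag, Message string
}

// FindLeaks scans a logcat dump and returns every line whose message contains
// the canary. Lines that are not in threadtime format (buffer headers and the
// like) are skipped rather than searched, so every hit names a tag and a PID.
func FindLeaks(dump, canary string) []Leak {
	var leaks []Leak
	for _, line := range strings.Split(dump, "\n") {
		m := threadtimeRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if strings.Contains(m[6], canary) {
			leaks = append(leaks, Leak{Time: m[1], PID: m[2], TID: m[3], Level: m[4], Tag: m[5], Message: m[6]})
		}
	}
	return leaks
}

func main() {
	dump := SampleDump
	// Pass a file saved from `adb logcat -d -v threadtime` to check a real device.
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		dump = string(b)
	}
	leaks := FindLeaks(dump, Canary)
	if len(leaks) == 0 {
		fmt.Println("canary not found in log: no plaintext leak observed")
		return
	}
	for _, l := range leaks {
		fmt.Printf("LEAK pid=%s tid=%s tag=%s level=%s at %s: %s\n", l.PID, l.TID, l.Tag, l.Level, l.Time, l.Message)
	}
	os.Exit(1)
}
```

A clean run only means the canary was not seen in what the log buffer still held: logcat buffers are small and rotate, so send the test SMS and take the dump promptly, and treat a hit, not a miss, as the conclusive result.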

  1. Faif

    How can this code be closed? It’s GPLv3’d…?

    https://github.com/whispersystems/textsecure

    If what you say is true, isn’t this grounds for a license violation complaint?

    1. CiaranG

      I don’t know if the code is deliberately closed (it may be simply missing by mistake, it’s not unusual) but there is no corresponding source for the 0.6.2 version that’s available on Google Play, and as the developer stated he doesn’t want anyone to build it except him, there seemed little point asking.

      As for a license violation, it’s his code, he can do what he likes with it. There isn’t (as far as I know) any GPL’d code there apart from his own. All the dependencies are Apache or similar.

      1. Moxie

        The tone of this post is pretty childish. There are two completely unrelated issues here:

        1) There was an information leak bug for *unencrypted* (detail you decided to omit) messages in TextSecure. I’m sure it won’t be the only bug; shit happens. The fix has been available for almost a month.

        2) I would prefer that f-droid does not distribute unverified, arbitrarily signed, and outdated versions of TextSecure.

        The authors appear to be having some kind of emotional reaction to a simple email request about the second point, but to somehow insinuate that I’ve been “withholding” access to the source for a bug fix is ridiculous.

        The source that I’m theoretically “withholding” is for the 0.6.2 release, but that release is completely unrelated to the bug in question. The full source for the previous release was available for almost a month, and f-droid was still not distributing it. And the only commit unavailable for the 0.6.2 release was the change to the version number in the manifest.

        So please clarify your language. Just because I don’t want to participate in f-droid doesn’t mean you need to leverage a bug in my software as some kind of platform for your hurt feelings by suggesting that I’m doing something sinister, or otherwise don’t have the security and well-being for my users in mind.

        1. CiaranG

          Regarding 1) I agree – yes, it’s a bug, everyone has them, they get fixed. Nobody has said otherwise. If you can suggest a correction to the sentence in the original post that describes the bug, I’ll happily amend it – I’ve re-read it, and it seems to say what you said. I didn’t decide to omit anything.

          Regarding 2) I’ve never suggested you’re deliberately withholding anything, only that it’s impossible for us to provide the 0.6.2 release due to the full source being unavailable, and I quote myself from above “(it may be simply missing by mistake, it’s not unusual)”.

          There’s no emotional response to your preference that people not distribute your software, other than perhaps a little amusement at the disconnect between this and the license it is distributed under – one which expressly permits and encourages it.

          The real issue stems from this chain of events: 1. a user reports this bug to you on github, 2. your response is not “yeah, sorry, I made a mistake, get a new version”, it is (and I quote in full):

          Please do not install software from F-Droid. It is an unverified build, exceptionally out of date, and should be considered malware. The fix is to install 0.6.2 from the Play Store.

          3. You email us stating that you’d prefer that nobody distributed your GPL licensed software except you. In particular, you don’t mention the security problem with this release, but fortunately we discovered this for ourselves.

          So if there was to be an emotional response from me, it would be to your dealing with a report of a security bug in your own software by flinging a “malware” accusation at this project. But you’ll note I decided (at least until now) to simply let that slide and stick to the facts.

          (Minor point – “exceptionally out of date”, and “available for almost a month” – you fixed this bug 17 days ago: https://github.com/WhisperSystems/TextSecure/commit/dda75006e4e88320dfe8c4c274381aa30c6066ca)

          Nobody ever suggested you should participate in F-Droid, and while it would be great if you did, there are certainly no hurt feelings that you don’t want to. You talk of ‘unverified builds’. To a user of F-Droid, something that’s verified is where the complete corresponding source to the binary is available, and it’s built in a secure, open, automated process such that the two correspond, and where the user can reproduce that same build themselves with a single command. To you it’s something completely different (you haven’t specified what, but at the very least, from my perspective I’d say it involves only obtaining it via a closed-source Google app that tracks what you install and when, and also involves not having the complete source to be able to reproduce the build). These are two very different views, so it’s neither hurtful nor surprising that you wouldn’t be involved. F-Droid is very much a minority sport – very few people take the care to ensure that they have the source code to everything that runs in their pocket, and in my opinion that will always be the case.

          Finally, I don’t see the need to clarify any language – I don’t suggest or imply for a moment that you’re doing something sinister. I do suggest, and have now hopefully clarified, that your response to this issue left a lot to be desired.

          1. Moxie

            In response to your points:

            1) Your post says that this bug affects “secure” messages, when it only affects unencrypted messages.

            2) Why even mention 0.6.2 in this “advisory”? It has nothing to do with this bug. You clarify your language in a comment on your own post, but given that a whole bunch of people (including the comment you were responding to) have written me or posted publicly that I’ve responded to a security problem by closing the source of TextSecure, it seems pretty obvious that people interpreted it that way.

            3) Look at the timestamps, I emailed you before this bug was opened, not in response to it. It was a simple, polite, email that you totally freaked out about.

            If you honestly think that your post was a professional, informative, mature response intended to notify your users about a security issue with no other hurt feelings attached, then I’m even more convinced than I was before that I’d prefer not to have F-Droid managing the signing keys for binary distributions of my software.

          2. CiaranG

            1) I say “secure” because one of the claims of your software is that “all text messages, regardless of destination, that are sent or received with TextSecure are stored in an encrypted database on your phone.” – this isn’t the case if they’re written in plain text to the log file.

            2) 0.6.2 is totally relevant – the reason your application was removed is because there were security issues, and the source code for the latest version was unavailable. (I’ll assume by mistake, because you’ve now updated it, but we have no way of knowing that in advance). We can’t provide applications that have issues of this nature if source code is going to be unavailable.

            3) I quoted the timeline from my perspective, but if that was inaccurate, the point stands: the bug was discovered at least 18 days before that and you didn’t mention it, despite knowing that we had large numbers of users who might be still running that version and needed updates. Instead you requested that we cut off their update channel. The only reason we complied with that request was the obvious prospect of not being able to update them to the current version, 0.6.2, let alone any future versions. There’s no freaking out involved.

          3. Moxie

            1) It’s a pretty important distinction, and again it was obviously interpreted incorrectly.

            2) The source code for the fix release (0.6) was long available, but f-droid was still distributing the insecure version released December of 2011. The release you mention in your “advisory,” 0.6.2, has nothing to do with this security issue. And the only thing unavailable for that release was a change to the version number in the manifest file, so please don’t paint me as being the negligent party in this case.

            3) This is exactly it. How the fuck was I supposed to know that you have large numbers of users who are in need of an update? I had no idea that f-droid was distributing unofficial binaries, that they were out of date, or how many users were affected (I still don’t know, given that developers have no visibility into their projects on f-droid). As far as I can tell, I have absolutely no control over the f-droid release process, so what exactly was I supposed to do? I assumed that f-droid was some kind of alternative app store and that someone else had started submitting APKs there (the people who made me aware of f-droid were under the impression that I was signing the APKs!), so I emailed you to say that I was the developer and that I hadn’t submitted the project. Your response was to post an incredibly childish “advisory.”

          4. CiaranG

            1) Ok, so it was accurate but somebody (unspecified) misinterpreted it? I have completely replaced the brief paragraph with a much more detailed one, which is hopefully safe from that. I believe it’s still accurate, but if you have any objections I’m sure you’ll let me know.

            2) and 3) You’re missing the point completely – this post is not about you or aimed at you. It’s not that *you* had a security flaw, it’s that *we’re* sorry, we can’t provide this software any more and you need to uninstall it – an unprecedented situation that deserved an explanation. At the risk of repeating myself: our users are running this software, and expect to get updated. (Not always as quickly as we’d like, admittedly – this is a small volunteer project, and people are aware of that). We can’t update them to the current version because there’s no source, we can’t ask the developer to correct that situation, because he’s decided to go back on his license, and declare that nobody can distribute the application except him, and we certainly can’t count on being able to provide any future versions of the software. Given the security-sensitive nature of the software, the only option is to remove it. This means that anyone who hasn’t updated to 0.6.1 yet doesn’t get the update, or even know that one exists. The point of the post is to communicate that situation to those users.

            This has gone on far too long already, but I feel I need to add a couple more points that may or may not help you see the situation from a different perspective:

            When you say “developers have no visibility into their projects on f-droid” you talk like that’s a bug. It’s a feature. By “visibility into their projects” you mean visibility into people’s devices. While that’s the situation in the Google Play world that you expect ALL users of your software to participate in, it’s not acceptable to people who use F-Droid, and it’s one of the key reasons they use it. In our opinion a developer has no right to know who has installed their software, and certainly Google has no right to know and track exactly who has installed exactly what software. I’m very surprised you don’t appreciate this.

            Finally, you keep talking about “unverified builds”. The idea of a verified build is extremely important to F-Droid users – the verification being that the complete corresponding source code for the binary is available, and the build can be reproduced by *anyone* who so chooses. You haven’t said what your definition of verified build is, but it’s obviously a different one because nobody could have possibly built the 0.6.2 that you released to Google Play – the source code wasn’t published. Although you can say it was just a small AndroidManifest file change, you must also be able to see that only you knew that.

          5. Jacob Appelbaum

            You guys can easily provide the software by building it yourself and then your users can (hopefully) upgrade to a safer version. Why not simply build the latest TextSecure code from the github repo and push out an update so that users aren’t in harm’s way? I’m one of those users and boy, color me surprised that my F-Droid installed TextSecure has such a bug that will not be updated?

            That said – I’d really strongly encourage you to consider why Moxie is so concerned about the security of F-Droid. The Play store is a secure application delivery mechanism and if F-Droid were feature for feature the same (all traffic over SSL, pinned to a specific cert/CA), I bet he would be totally keen on the inclusion of TextSecure.

            He wrote a great blog post on how to ensure apps aren’t vulnerable to SSL/TLS MITM here:

            Your App shouldn’t suffer SSL’s problems

            Does F-Droid do this? I looked and I think the answer is no. Is that a mistake? For example packages such as https://f-droid.org/repo/info.staticfree.android.twentyfourhour_5.apk are also available as http://f-droid.org/repo/info.staticfree.android.twentyfourhour_5.apk – why in the…?

            As it is, I’m posting this over HTTP and the default F-Droid package is offered over HTTP (!). I appreciate that an HTTPS link is offered as that is more than most groups even consider possible or reasonable; still, nearly all of the links are for HTTP, including the QR code.

            The irony of course is that if I could get F-Droid from Google Play, I’d be able to securely install F-Droid. I understand why it isn’t there but I hope the frustrating irony isn’t lost on you guys.

            It seems that to offer software like TextSecure, a lot of security work is in order (eg: work by Justin Cappos with TUF https://www.theupdateframework.com ) and I’d wager that is why Moxie only wants to distribute stuff in the Play store. I’d also guess that the way the bug presented really wasn’t very helpful.

          6. CiaranG

            @Jacob: Thanks for the thoughtful comments on this.

            So yes, we can easily build the code from github and push that apk out – this is what we were doing in the first place. There are issues with doing that though, which I’ll reiterate: Firstly, the author says the code is GPL licensed, but the author also says “nobody can build and distribute this code except me” – which takes priority legally?

            Secondly, at the time the decision was taken to remove the app, the source code for the latest version wasn’t available from github or anywhere else. Although we already had a version with the bug in question fixed, we had no idea if there were even worse issues remaining in the version we had. At the same time, the author of the software deflects a user’s report of his bug by blaming it on F-Droid, labelling it malware, and stating that no build of the software except his is secure. Under those circumstances, would you take the code and build it anyway?

            Regarding security, the F-Droid client uses SSL by default, but it doesn’t rely on that at all. The repo index itself is signed, by a specific key that the client has – not relying on a CA or any outside influence. Even if an individual apk download was subject to a MITM attack, or server compromise, the client would refuse to install it because it wouldn’t match what was in the index.

            Side issue, but relevant: although Moxie has taken it upon himself to spread misinformation elsewhere that this key, and the keys used to sign the apks, “are being stored online”, that’s not the case at all and never has been. Although I’m sure Moxie could highlight some genuine security concerns if he chose to, this fictional one is the only one he’s expressed, to my knowledge.

            Regarding the packages being available for manual download from the site via http or https, that’s a matter of user choice. Manual downloading is never going to be secure via either protocol, but if people want to do it they can. There’s a warning given above the links, and the apk download links are all https links – you would have to manually modify the url yourself to get the http download. For the client, again, both options are offered but the http one seems to be ‘the default’, and as you say, the QR code goes to http. I’ll get these fixed.

            Don’t think for a minute I’m saying F-Droid is totally secure – it’s very much “USE THIS AT YOUR OWN RISK!” as stated in various places around this site. It’s a small volunteer project and should be treated as such. However, the best effort possible is made to secure things. Ultimately any delivery mechanism is flawed. Although you seem to have great confidence in Google Play, you can download malware from there any day of the week. I can create an account tomorrow and upload some in binary form. I don’t see it as any more secure than F-Droid, and in some ways it’s certainly less secure.

            Additionally, and specifically relevant to someone who wants to use TextSecure, it will track your use of it. By restricting TextSecure distribution to Google Play, Moxie is saying that if you want to encrypt your SMS messages, you must also be on a centrally located database of people who want to encrypt their SMS messages, along with identity details and a complete record of whatever other applications you run. This state of affairs is totally incomprehensible to me.

            You’re right, if I understand your last sentence correctly, that this situation could have been handled better by me. On top of that, we’re lacking the ability to send in-client notifications about important things like this, so unless you read the news here you could be still running the insecure TextSecure without knowing about it. This, and many similar things, will be implemented in the client before we dare to call it 1.0.
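An added example, not part of the post or of any comment above, and not F-Droid's own code: the verification scheme CiaranG describes (a repository index signed with a key pinned in the client, with each APK checked against that index before installation) and the transport question Jacob raises, played through in Go. The index layout, the use of Ed25519 for the signature, the package name and the sample file bytes are all assumptions made for this example. What it shows is why a download substituted in transit or on a mirror, and an index re-signed by someone other than the repository maintainer, are both refused whether the fetch went over http or https.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Index is a constructed stand-in for a repository index: each APK the repo
// offers, with the SHA-256 of its exact bytes. The shape is an assumption for
// this example, not F-Droid's real index format.
type Index struct {
	Repo     string            `json:"repo"`
	Packages map[string]string `json:"packages"` // filename -> hex SHA-256
}

// SignedIndex is what the client downloads: the serialized index plus a
// signature over exactly those bytes.
type SignedIndex struct {
	Index, Signature []byte
}

// SignIndex is the maintainer side, done offline with the repository key.
func SignIndex(priv ed25519.PrivateKey, idx Index) (SignedIndex, error) {
	b, err := json.Marshal(idx)
	if err != nil {
		return SignedIndex{}, err
	}
	return SignedIndex{Index: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyIndex is the client side. The public key is pinned in the client, so
// no CA and no transport property is relied on: a modified or substituted
// index is rejected before anything in it is used.
func VerifyIndex(pinned ed25519.PublicKey, si SignedIndex) (Index, error) {
	if !ed25519.Verify(pinned, si.Index, si.Signature) {
		return Index{}, errors.New("index signature invalid")
	}
	var idx Index
	err := json.Unmarshal(si.Index, &idx)
	return idx, err
}

func digestHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// VerifyAPK compares a downloaded file with the digest the verified index
// lists for it. Whether the bytes arrived over http, https or a compromised
// mirror makes no difference: only a file matching the index installs.
func VerifyAPK(idx Index, name string, apk []byte) error {
	want, ok := idx.Packages[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the signed index", name)
	}
	if digestHex(apk) != want {
		return fmt.Errorf("%s: digest mismatch, refusing to install", name)
	}
	return nil
}

// Outcome records what the client did in each part of the scenario.
type Outcome struct {
	GenuineInstalls, SwappedAPKRejected, ForgedIndexRejected bool
}

// RunScenario plays the exchange through offline with constructed data: the
// maintainer signs an index, the client verifies it and the file, and then
// two attacks are tried against the client.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub is the key pinned in the client
	if err != nil {
		return Outcome{}, err
	}
	const name = "org.example.app_1.apk" // constructed package name
	genuine := []byte("constructed stand-in for the bytes of " + name)
	signed, err := SignIndex(priv, Index{Repo: "example", Packages: map[string]string{name: digestHex(genuine)}})
	if err != nil {
		return Outcome{}, err
	}
	verified, err := VerifyIndex(pub, signed)
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome
	out.GenuineInstalls = VerifyAPK(verified, name, genuine) == nil

	// Attack 1: the APK download is replaced in transit or on the server.
	swapped := []byte("attacker-supplied bytes served under the same filename")
	out.SwappedAPKRejected = VerifyAPK(verified, name, swapped) != nil

	// Attack 2: the attacker also serves an index listing the swapped file's
	// digest, signed with a key of their own. The pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignIndex(attackerPriv, Index{Repo: "example", Packages: map[string]string{name: digestHex(swapped)}})
	_, err = VerifyIndex(pub, forged)
	out.ForgedIndexRejected = err != nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The design point is the order of checks: the signature is verified over the raw index bytes before they are parsed, and the file digest is compared only against an index that has already passed that check, so TLS (pinned or not) is defence in depth for privacy rather than the thing integrity rests on. What this scheme cannot do is tell the client that a listed version is out of date or withdrawn, which is exactly the gap the comments above are arguing about.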

      2. Faif

        I guess Moxie Marlinspike really sold out then.

  2. burntout

    do you have a link to a confirmation of the bug you mention ?

    Thanks

    1. CiaranG

      Yes, see the link in my response to Moxie, above.

    2. Moxie

      The whole exchange is here:

      https://github.com/WhisperSystems/TextSecure/issues/53

      Note that I’d emailed f-droid about getting TextSecure removed before this bug came in, not in response to it.

  3. Blinkinell

    I don’t understand the attitude of someone publishing under GPLv3 that doesn’t want someone else to download and package their code.

  4. Argafål

    I very much regret seeing the outcome of this discussion, and the second discussion found at https://github.com/WhisperSystems/TextSecure/issues/53. From my perspective I do not wish to use either Google’s apps or their application repository and I prefer to have only open source software running on my phone. To the user who asked for “some repository similar to a “traditional linux desktop”, that is exactly what I see f-droid trying to accomplish: a repository that offers me quality open source software through a single source, signed with one key that I need to trust. While it might not be there yet it is on a good track and as close as it gets, when comparing with all the other repositories that are out there.

    The fact that moxie0 asked for the fixed version to be removed from f-droid leaves me now with the choice either
    a) to start building textsecure myself (which would most likely result in me ending up with an out-of-date version sooner or later), exactly what the author tried to avoid in the first place
    b) to abandon the use of textsecure all together, certainly not what the author wants
    c) or to live with this security flaw. Not what I want.

    From a user perspective textsecure as an app and f-droid as a repository both lose a lot from this discussion. Frankly said I am not interested in who said what and who started and how we ended in this mess. I am interested to have a working app from a repository I trust, and that should be in the interest of both of you, the repository maintainer and the app author. The only winner of this discussion here is closed software and proprietary distribution networks – a sad development for the open source world and hopefully a sad development for both of you. I really wish the two of you, moxie0 and CiaranG, would work together rather than against each other and concentrate on the goal, to offer Android users an open source app for secure text messaging.
