WhisperPush: Secure Messaging Integration

In July, Koush announced that CyanogenMod would be seeing integrated, system-wide secure messaging integration with compatibility with TextSecure. For those unfamiliar, TextSecure is an open-source cross-platform (iOS and Android) client that encrypts your SMS messages both locally, and over the air when sending to other TextSecure users. The application is maintained by Open WhisperSystems, and lead engineer Moxie Marlinspike.

Moxie is a veteran of open source software, cryptography and good encryption practices, and a privacy advocate. To learn more about him and his accomplishments check out his personal site and Wikipedia page. He’s also spent time as a speaker at DEFCON on multiple occasions.

Moxie has been the lead engineer on the CyanogenMod implementation of TextSecure, making sure the CM version is both secure and compatible with his existing services. Unique to the CM implementation is our SMS middleware functionality. This is the same code that allows for our Google Voice integration into any messaging application.

By leveraging this for our TextSecure implementation, we can extend the encrypted messaging functionality to nearly any SMS application you decide to use. Your messages to other CM or TextSecure users (regardless of iOS or Android) will automatically be encrypted and secured. In the event your receiving party isn’t on CM or using TextSecure, the implementation will silently fall back to a normal SMS message (unencrypted).

Today, we are launching our version initially into the CM 10.2 nightly stream to test the server load and make sure things are working at scale. Once things are dialed in, we’ll also enable this for CM 11 builds moving forward.

The source for this code is also being made public, and similar to what we did with CMAccount, we welcome outside audits of the cryptography. (1, 2)

Read more at the Open WhisperSystems blog!

  • Adam

    If encryption is crucial for you, then you should be using an app which provides stronger guarantees and indications of when your session is encrypted (such as TextSecure). You shouldn’t be relying on middleware provided by your phone’s OS to do this for whatever SMS app you happen to be using.

    Opportunistic encryption can be incredibly useful for many people. Even if they don’t verify their contact’s identity, they are still protected against passive attacks such as the NSA’s dragnet surveillance of the internet, and malicious (or compromised) carriers snooping on their SMS messages.

    “Security when you’re lucky” will benefit a lot of people who would otherwise make no effort to install an app to keep their text messages safe.

  • anywherehome

    yes, we really need internet free encrypted messages

  • Stephan

    Oh boy… that’s the problem it does NOT improve ANYTHING because you have to expect everything you write to still be transmitted unencrypted.

    It’s pointless to argue that “encrypting sometimes, and sometimes not” improves anything in terms of security. This is a typical Marketing feature.

    The only positive thing about this is, that you can send messages for free when your communication partner has CM, too (which btw, is pretty cool!).
    Advertising encryption implemented like this though, is telling your customers fairytales about “secure messaging”.

    It’s a farce and CM should know better than this.

    This is NOT secure and anyone who states that “encrypting sometimes is still better then never” has totally missed the point of encrypted messaging.

  • Michael Huff

    Are you gonna get Kit Kat on the i535 or not?

  • dstruct2k

    Wouldn’t that be exposing information about anyone you attempt to text? I don’t need other people knowing if I have a certain feature enabled on my device.

  • dstruct2k

    You seem like someone that should be using Replicant.

  • dmo580

    Not really. If you wanted complete privacy, you should be using another solution. The primary purpose of texting is to get information reliably to someone. It doesn’t matter if they have a smartphone or data or whatever, it’s the equivalent to calling.

    With that said, I’d be open for an OPTION to have fallback or not. Personally, I’d do my private communication through another app, and rely on this to communicate with my friends reliably. The privacy option is just the cherry on the top, and I’d rather not have messages missed because of a data outage or because I flashed a new ROM or switched phones.

  • eli barash

    I get a massage your registery its ok right away tegister again? How come

  • Zach Peirce

    I love this feature but before I start using it I wanted to ask about Google Voice. I currently use GV and Google Voice +, can I also use this service or is that not possible at this time? Thanks!

  • BadMnky

    I have been playing with this on my GS3 CM 11 nightly 20131214 texting my stock GS4 and my buddy’s stock droid with and without the textsecure app. I don’t have any confidence the built in function is actually working. I have no way knowing if my message was actually encrypted and the only time I saw evidence of actual encryption was when both phones had textsecure installed and a secure session was initiated..

  • Kaz Wesley

    Good luck setting up public-key encryption without revealing your public key

  • griffin

    Same for me …
    I installed a CyanogenMod ROM on my Nexus 4, w/o the Gapps (for privacy mainly)
    As market, I got FDroid, that have all stuff I need. (plus HumbleBundle app for some games I bought)
    Why some apps are preinstalled and don’t works/run out of the box ?

    At least, let us the choice to have this app in our ROM or not …

  • Christopher Hardin

    search nsa logging sms and its all iphone stuff? is it because thats the only device/ platform people talk about or what?

  • Christopher Hardin

    then neither of you are using whisper push i guess

  • Guest

    I just read this article after seeing the app on my CM11 device, and since I also don’t want to use this, I safely disabled it in its App Info page in Settings.

  • B Brad

    Just turn off SMS fallback.

  • Guest

    does anyone know how to unregister from cyanogenmod server. i want to register on text secure server so that i have push messages.
    I registered using whishperpush on cyanogenmod and now text secure will not allow me to register on their servers

  • http://www.damagehead.com/ Sameer Naik

    does anyone know how to unregister from cyanogenmod server. i want to register on text secure server so that i have push messages.
    I registered using

  • lumyking

    I dont really understand what u mean?

  • eli barash

    Sorry i know its beginer question how i use it

  • https://smyl.es/ Myles McNamara

    Yeah same question, I registered a while ago on CyanogenMod before the latest TextSecure update was pushed, since then went to VirginROM and now can’t use push with text secure…. how do we unregister?

  • Thomas Boeckers

    How would I opt out of Whisper Push? or un-register?

  • Kẏra

    Did you ever get an answer to this? I’m wondering the same thing.

  • Kẏra

    Has it been tested to work with Google Voice? Does it now use the whisper systems server for push messaging instead of google’s?

  • papero

    So you have to convince your friend to root there phone and install CM otherwise this is useless :/

  • papero

    I thought text messages where encrypted to begin with!! :0 so this day and age with all these fancy phones with finger print scanners lol and you can’t even send a secure text message without rooting and installing your own software that’s ridiculous!

  • teqnick

    Can’t believe the comments on this. If you don’t want to use it or don’t think its secure enough, don’t use it. Use something else. Thanks Cyanogen for your hard work, and please keep it up despite the ungrateful few.

  • teqnick

    You have to opt in. Its not automatic. You run the config tool, simply press “unregister” in the whisper push app to disable

  • Mosin

    Anyone have this working with Hangouts 1.2? I get a crash when I receive an encrypted text message. The text message is never displayed.

  • hwertz

    “You could just as well read the sentence as “the implementation will
    silently fall back to encrypted transmission whenever possible”
    No because that sentence would mean that, if normal SMS was unavailable, it’d silently fall to encrypted transmission; when the case is it’ll fall back to normal SMS if encrypted transmission is not available.
    I don’t think anyone objects to opportunistic encryption, they want a little indication if the conversation is secure or not.

  • Jacob Dagenais

    Love the encrypted messaging but you should add a checkbox where you can have the message self-destruct after a timeout to have it really secure. Make it so the person receives the message then has to tap it to activate it and read what it says.

  • grey tuesday

    Ha Ha! Basic common knowledge

  • http://dezindzer.com/ Nikola

    I’m having problems registering from Serbia.
    I never get the SMS for verification, no meter how many times i try… :(

  • http://www.aquademica.se/mogel/ Mögel

    Interesting to see … thank you it’s well done :)

  • sguyx

    why is it containing admob?? trustGo tells that whisperpush contains admob engine!