Free cellphone encryption is coming to Android users in Egypt courtesy of San Francisco software maker Whisper Systems. Until now, Redphone and TextSecure, voice- and text-encryption apps respectively, have generally been available in the US only. Whisper Systems has been working on making the packages available internationally …
A solution to RIM's challenges
Stand-alone encryption is infinitely better than system encryption as nosey governments cannot attack a cell handset manufacturer and updating is easily done - all with difficulties for the governments concerned.
Authoritarian governments, such as the U.S. now is, have nothing to gain by poking around servers as the protection lies with the user.
The only thing is, how do we know there are no backdoors to Redphone and TextSecure? Other Apps might well be able to bypass these Apps and surreptitiously transmit them without users' knowledge.
"The only thing is, how do we know there are no backdoors to Redphone and TextSecure?"
You'll probably never be absolutely sure, but much higher levels of assuredness are achievable with some approaches compared to others. Firstly the source code has to be available, including all the source code needed to build the binary, for public inspection. Secondly the source code must be modifiable and for modified versions to be distributable by anyone interested, so that if an implementation bug leading to security issues is found users are not dependent upon the original author for fixes. These starting points are necessary but insufficient. Thirdly there have to be enough interested and knowledgeable people inspecting the source code and independently testing it, and able to publish test results.
But people with this knowledge are not cheap and won't necessarily have time to do this work as a public service. Paying for them to do this work on the basis that reports will be openly published, and having a competition with prizes for published cracks also helps ensure testing and inspection are more likely to be done by a wider selection of interested parties.
If these criteria are not satisfactory, we have every reason to believe products which don't pass these tests are inherently untrustworthy. The easiest way for a cryptographic software designer to achieve a level of trust is to make products open source using already trusted open source library implementations of established and reputable algorithms (e.g. RSA, AES256, SHA1), supported by experts with solid reputations in this field.
And finally for more than the very good basis of trust which is achievable for the highest quality cryptography designs using the measures described above, compilers, virtual machines and platform firmware and microcode would all need to be independently reverse engineered and compared against carefully reviewed specifications, to the extent some confirmation can be independently provided against exotic platform hacks of the class described by Ken Thompson in his classic paper: "Reflections On Trusting Trust" see:
There IS no assurance.
If you look at the Redphone setup, they require all calls to route and exchange keys etc. via their switch. Which is an absolutely perfect place to MITM the whole process.
They are also releasing their source code "soon" and have been in the process of doing so for quite some time.
Trust? Sorry, I'll be outside configuring stunnel and openssl to run on an Android to get me out of the local jurisdiction. Hint: it's possible, free and secure in a way only open source things can be.
That just means they will throw you in the slammer for not giving them your password. Certainly in the UK at least. In Egypt they will probably let you go (border patrol in Egypt is military based is it not?)
It's wide open to 'rubber-hose cryptography'!
No, don't, stop right now.
Don't make it available for the iPhone.
They don't deserve it.
I guess this will happen:
"Egypt bans Text Encryption."
"It's only used by terrorists and if you've nothing to hide, you shouldn't have to encrypt!" - said a spokesman. "A minimum 5 year sentence will be given to those found with this terrorist software."
Nice idea, but totalitarian governments do as they want, in reality.
It may be encrypted, but the government will still know the endpoints.
That *has* to be an assumed name.
Egyptians in general can't afford Android phones
First of all, Egyptians in general can't afford Android phones... so this is all for nothing...