Request: Google Play signed download alternative

[countrygeek]

I was about to suggest this before reading the infamous issue 53. It is sad to see that FDroid and WhisperSystems could not work together, I truly enjoy both projects. Needless to say a google alternative is required - google more and more frequently involves itself in privacy violations. I am opening this ticket in hopes that an alternative of some sort is made.

Possibilities: 1) WhisperSystems creates it's own official FDroid repository, as did GuardianProject: https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/

2) WhisperSystems provides an APK somewhere out there for people to download with simple instructions on how to verify it's not been tampered with.

In the event this is not done users not wanting Google will have to compile it from source, which although can be done, is a major inconvenience especially to newbies. Just for reference, there seems to be a large interest in migrating away from google. e,g, the NoGAPPS project: http://forum.xda-developers.com/showthread.php?s=a7bf27eb98e3bcefb7e58fb46d09710b&t=1715375

I hope you all come up with a resolution. Thanks and keep up the great work! :)

[mitar]

Thanks for working on it!

[devurandom]

Any progress?

[monreal]

While I personally use the app from google play I know a few potential users who do not even have a google account. Providing a way to install the app for those people would be great.

[moxie0]

Here's the update:

First, I wrote most of the client and server side for updates and crash reports. So that's almost ready to go. However, now that TextSecure also relies heavily on GCM, distributing it outside of Play doesn't really make sense, given that it won't function without Play Services Framework.

We have websocket support server-side, so we'd need to add that into TextSecure as a fallback option for users without Play. At that point, we can distribute it outside of Play. It won't really work well for all the reasons push messages exist, but that's the best we can do.

If anyone wants to take that on, pull requests are welcome.

[mvdan]

Yup, I agree that using textsecure without Google is useless at the moment.

[Argafal]

"However, now that TextSecure also relies heavily on GCM, distributing it outside of Play doesn't really make sense, given that it won't function without Play Services Framework." Do you need a Google account to use the GCM framework?

[ghost]

I was under the impression that it was possible to run TextSecure without Google's services. Has that changed? If so, unfortunately, an alternate distribution mechanism won't work for me or anyone else who runs a pure Android phone. Personally, installing Android without Google integration is step one in obtaining more privacy and security on my phone, and it seems like a step backwards to integrate privacy software with Google's services.

[moxie0]

@Argafal You don't need an account, but you need to have Play installed.

[moxie0]

@DKoestler TextSecure uses GCM for push messages. We'd be glad to support an alternate push message network, but there aren't any. Building, deploying, and maintaining a worldwide push messaging network that scales to hundreds of millions of users for free is a lot of work!

We can include websocket support in our Android client as an alternative (any volunteers?), but it won't work well.

[hillbicks]

@moxie0 First of all, thanks for your work and patience on this. I really appreciate this, but I'm curious about something and I'd like to get your input and assessment.

I'm trying to give away as little information as I possible can, by either using encryption and/or hosting the server part myself. Another approach to getting control over my data back, was to install the custom ROM again without the gapps package.

Now, I read your concerns about statistics, security when distributing outside the playstore and fdroid itself, but that isn't my concern or question.

What do YOU think of gapps/google? Since you clearly know more about security than probably all of us in this thread combined, what is your take on google? What is your motivation for programming an app whose main purpose is privacy but relies on google for getting it done. For me, this is a contradiction and don't get me wrong, I don't want to be rude, I want to understand your point of view. Is google not a concern for you? Again, I'm trying to understand if my reasoning for not installing any gapps actutally makes sense (I haven't seen any requests to google in my firewall logs since then) or is just something that doesn't really make much of difference.

Thanks for taking the time and explaining all of this :)

PS: What do you think of the nogapps project?

[moxie0]

@hillbicks I would like to distribute software that doesn't depend on Play, but there's currently no way to use push messages without Play. Now that we've written a distribution and update mechanism, that's the remaining obstacle.

[mitar]

But TextSecure still works without GCM if one does not use push messages and only SMS as a transport, no?

[countrygeek]

@mitar Yes, I use TextSecure without any piece of Google on my phone and it works fine. One easy way of doing this is via this excellent project: http://apps.evozi.com/apk-downloader/

[Wikinaut]

@mitar @countrygeek security ?

[SchwarzwaldFalke]

@moxie0 Just out of curiosity: I thought about using a self hosted push service e.g DEACON for me and some friends. What would be the best way to connect this service to the current infrastructure?

e.g. add functionality to the textsecure client and server so they support additional push services and then let the client decide which service (self hosted or gcm) he prefers? I saw the server already supports APN, so maybe it's not that difficult to add more services.

Thanks for your great work, hopefully it's some day useable without gapps!

[Wikinaut]

And it would be nice to see a short page with

instructions how to build TextSecure clients from the source

On my page https://github.com/Wikinaut/utils/wiki I have some examples for compiling

• Enigmail
• Mailvelope ; and
• GnuPG

from the sources. Every project should have such a page.

[mitar]

@Wikinaut: It is here: https://github.com/WhisperSystems/TextSecure/blob/master/BUILDING.md

[Wikinaut]

@mitar Thx, but "Ich brauche mehr Details." I need more details.... Can you (please) improve this ?

[mitar]

Maybe, but this issue is definitely not about that.

[KaitoKito]

Hi again. I just wanted to give my own point of view, no matter what you think.

When I discovered textSecure it was on Fdroid. An amazing way to secure my SMS with my friends. After that I didn't see any updates. When I finally came here and ask why the answer I got was that Fdroid whas less trustable than Google Play.

Google is well known for leaving a giant door on their servers to the NSA, CIA and others acronym who had no other purpose that spying everyone.

Fdroid is a nonprofit organisation who had the rule of giving access to the source code of all available apps.

And still the devlopers of textSecure trust more Google.

So I said let the time pass, maybe they will see they were fool.

Time passed and now textSecure needs a server AND google Play libs. You not only you force 100% of your users who don't know/want to compile your app to go on google play to download it, you also force them to install google play, a source closed app, on their phone. It's like a locksmith install a fingerprint system on your door but don't give you the possibility of knowing who is registered in.

Every good security expert knows that only 100% open source code can be trusted. Your software use a closed source code therefore it's shit. And I'm not talking about the shitty server idea.

I was hoping you'll release your app on Fdroid. Now I only hope that someoneelse will take your sourcecode, remove the play libs and server shit, and release it on Fdroid. I'm hoping someoneelse will do your job !

You are maybe a great developer but either you work for google/NSA or you are the stupidest person ever.

[Wikinaut]

@mitar @countrygeek "Yes, I use TextSecure without any piece of Google on my phone and it works fine. One easy way of doing this is via this excellent project: http://apps.evozi.com/apk-downloader/ "

and we could post he current MD5, and SHA1, hashes here, somewhere.

[forteller]

Would Aptoide be a suitable alternative for Play? It is Free Software, scans software with three different anti virus systems, nags users about updates, and gives publishers statistics: http://www.aptoide.com/page/publishers

[geileszeuch]

There is no need to look out for an alternative store, because @moxie0 already is almost done creating his own solution for providing his software outside of the Play Store. Please read the thread if somebody missed that. The only thing left now is a fallback method for users without Play. This method can for example be built into the android client using websocket technique which the server already supports. Although @moxie0 believes that this won't work well, I am still optimistic. It clearly won't be 100% equal to push, but I could live with little delayed notifications ( hopefully less than 5 minutes). So if somebody is going to make this real, we will have a Google free Textsecure app for everyone who wants it that way. And @moxie0 is also going to provide it outside of the Play Store.

So if somebody out there is experienced with websockets and Android than please don't hesitate implement this in Textsecure. I and a bunch of other people will be more than thankful and donations surely won't stay away, neither to Whisper systems nor to the contributor.

There is a project called autobahn, which implements a websocket client in android I believe. Maybe this can be helpful.

[v-0-d]

What about MQTT as a GCM alternative?

Some links: https://github.com/JesseFarebro/Android-Mqtt http://stephendnicholas.com/archives/219 http://stephendnicholas.com/archives/1217 http://ollieparsley.com/2013/05/20/using-mqtt-as-a-gcm-replacement-for-android-push-notifications/ http://www.slideshare.net/henriksjostrand/devmobile-2013-low-latencymessagingusingmqtt

[geileszeuch]

Another reference: http://dalelane.co.uk/blog/?p=1599

[moxie0]

@v-0-d We already have websocket support on the server and that suits us better for desktop clients. I don't think it'd be any less or more work on the Android side, someone just needs to make it happen.

[v-0-d]

@moxie0 How does websockets stand compared to GCM in terms of delay and battery usage?

good read about websockets and energy efficiency on mobile phones: http://nordsecmob.aalto.fi/en/publications/theses2013/thesis_estep/

[moxie0]

@v-0-d Substantially worse than GCM. It won't work well, but it's the only option short of building a worldwide push network.

[geileszeuch]

@moxie0 What library suits best for this purpose? Do you have a good suggestion? What about this one: https://github.com/TooTallNate/Java-WebSocket

Is this guide here good enough? http://www.elabs.se/blog/66-using-websockets-in-native-ios-and-android-apps

I probably won't be able to do this. I am just trying to help by taking away trivial obstacles. This definitely should be done by someone experienced.

[JavaJens]

Out of curiosity: wouldn't a WebSocket implementation create some form of worldwide push network?

[Gnarfoz]

On the contrary, it sounds like it would be a centralized model, using WebSockets to talk to the(ir?) server(s).

[generalmanager]

@Gnarfoz it's a federated server model, which means that (in theory) everybody can run his/her own server, as with XMPP/Jabber. Currently there are only two servers: WhisperSystem's and CyanogenMod's. If you want to start your own: grab the server source, get an SMS gateway (for the verification) and ask WhisperSystems to add your machine to the server network, as this is not yet automated.

[Gnarfoz]

I see. Then the answer to @JavaJens 's question is "no, but you could look into adding a server of your own to the network". :+1:

[JavaJens]

@Gnarfoz The WebSockets part is desired to have an alternate PUSH mechanism besides GCM or APN, the federation is using plain-old HTTP between the servers' APIs as far as I see.

My question was more like the following: If you use WebSockets to push to the devices, that means for each device you have an open connection and this seems to me to be no different than GCM except it is worse for battery, data and costs for the server, but the idea is the same. I wanted to know if using WebSockets over any other TCP connection presents a benefit.

[Hugoz12]

The reason for me to have something like this is that my Play Store tells me that Textsecure is not compatible with my tablet (Android 4.1.1). (Same with WhatsApp but not Telegram for whatever reason). I try to compile it myself later or can I trust http://apps.evozi.com/apk-downloader/ and save myself some work?

[ncruces]

@JavaJens the benefit is the possibility of future JavaScript, desktop clients.

@Hugoz12 to register on the TextSecure network your device needs to be able to receive SMS messages. If your tablet has a 3G connection with a phone number capable of receiving texts, you might be able to use TextSecure. Otherwise, you won't, for now.

[scruloose]

First off, I'd like to say thank you to Moxie and the Whisper Systems team both for all the work going into TextSecure and RedPhone, and also for this discussion. It's obvious that you are taking users' concerns seriously, even when you don't agree with their perspective. Moxie, I'm truly sorry to hear that the response to this issue has escalated to harassment and threats. While I have grave doubts that trusting Google, the hardware manufacturer, AND my cellular carrier (all of whom have financial interest in undermining my privacy) with root on my device is more secure than running a rooted pure-F/OSS ROM that allows me the option to grant superuser to apps, I certainly respect your view that the PC security model is completely broken and no example to aspire to.

This thread seems to have become the catch-all for discussion about alternate distribution channels as well as GCM dependency... my apologies if it's not the right place for my suggestion.

Moxie, I see from upthread comments that an outside-of-Play-Store distribution channel is well underway using Gradle, and that using websockets as a fallback for data-channel messaging (for those who want to avoid having the privacy-invading Play Services installed) is ... underway and looking for contributions. Sadly, I'm no programmer, so I can't offer any code toward that. Also, while I do understand that the non-GCM fallback will be slower and more battery-intensive, I think it's really valuable to give users that option, so thanks for that. I do wonder about one thing, though: given that the primary draw of TextSecure for many people is the simple ability to encrypt your SMS/MMS messages, the strong emphasis on data-channel messaging seems like it might be a form of "mission creep". I wonder whether a low-effort way to satisfy those who want to avoid the Play Store, Play Services, and GCM altogether might be to split off an SMS/MMS-only version of the app, which could be done through Gradle, as you mentioned. Then, if and when the websockets fallback is implemented, you might (or might not) want to phase out that SMS/MMS-only app. I do realize that you think using SMS is the greater evil, due to the carrier having access to the metadata, but don't you think that's a choice the user should have the right to make for herself?

Also, I have a couple of privacy-related questions that I couldn't find any answer to:

• When using the current GCM data-channel messaging, I assume that the server has access to the metadata... ie who I message and when. Is this correct?
• When using the current GCM data-channel messaging, who controls the server? Are they Google hosted servers, or does Whisper run their own servers? Are they federated, and if so can other servers in the network see the metadata? In short, how do I know who does and doesn't have access to my metadata?

These questions have thus far prevented any of my friends who are privacy-conscious enough to install an encrypted-messaging app in the first place from signing up for the data-channel messaging service. It might be good to have some info about that on-screen when prompting users to sign up.

[SecUpwN]

Just for my own clarification: Has anyone tried to install Google Play and restricting it with Xprivacy so that it cannot do anything except enabling TextSecure push messaging? Another question to this: Would I have to be signed in when using the Play Store (I'm not even registered there and refuse to do so)..

[generalmanager]

@SecUpwN

Has anyone tried to install Google Play and restricting it with Xprivacy so that it cannot do anything except enabling TextSecure push messaging?

I haven't tried to restrict GCM with Xprivacy yet.

Another question to this: Would I have to be signed in when using the Play Store (I'm not even registered there and refuse to do so)..

With the newer Android versions you don't need to be registered, you just need to have it installed.

[bungabunga]

@SecUpwN

never tried with TextSecure but i had general issues with Xprivacy. it sucked up my battery when restricting system and google stuff. also, if you restrict Google framework accsess to the internet, then push messages won't work and if you don't, then you did nothing. ;)

[SecUpwN]

@bungabunga, main question is: Do I have to be registered with Google Play?

[bungabunga]

no. as generalmanager said.

[SecUpwN]

@generalmanager, I just reflashed my AOKP-ROM which features KitKat 4.4 to test if TextSecure enables push messages when Google Play is installed - it doesn't. I did not restrict anything. What's wrong there?

[generalmanager]

@SecUpwN That's strange. There are some tickets if you search for kitkat, but they don't seem to match your description. Could you open a new ticket and describe exactly what you expect, what you did and what TS does? I'm on 4.4 as well, without any problems. Afaik you should only use one of these packages if you are on kitkat. If you modified the zip, you may have removed a necessary component. If you use other Gapps, it's probably not going to work at all.

[SecUpwN]

Ah, wait a minute. All I did was to install Google Play, not the whole GApps package. I will not, not even for testing purposes, cripple my ROM with Spyware by Google. Now I know the reason why TextSecure still complains when it is installed. But if TextSecure really shall be an alternative to other instant messengers, it should work without GApps or any Google stuff involved. I still love TextSecure for what it is and also completely removed my WhatsApp-Account, but once TextSecure is able to connect to people like in WhatsApp, you bet I'll use it as instant messenger. I'll be honest with you: I have high hopes that TextSecure shall find a replacement for GCM soon. Recommending it to my friends will be easier then, too.

[generalmanager]

@SecUpwN

I have high hopes that TextSecure shall find a replacement for GCM soon.

If you read this whole thread, you'll find out that they have a non-play distribution channel lined up and will use websockets as an alternative transport. The server already supports it, but somebody has to implement it for the client.

[SecUpwN]

@generalmanager, simply awesome. I'll keep waiting until @moxie0 has completed it. ;-) Rest assured that BitHub of WhisperSystems will definitely receive my donation then!

[eighthave]

@mvdan just let me know about this thread, so I thought I'd throw my belated two bits in.

@moxie0 I'll be interested to see what you come up with for the updater. One concern is that you said you require any distribution system to track its users (stats, etc). Those stats will never be offline, so they are a vulnerable target for attack. In many places, users of TextSecure will be a very interesting target to some highly skilled hackers. There are so many stories about giant data leaks and thefts I don't feel the need reference them. Storing stats also leaves you vulnerable to subpoenas, NSLs, secret court orders, etc.

Another concern is that you plan on making separate APKs for Play and outside Play. They should be clearly marked as distinct to avoid confusion (like separate version codes), and should be upgradeable either way (Play to non-Play, or vice versa). Putting your Google Play APKs in your own FDroid repo already allows for this.

And some points related to various parts of the thread:

• The characterization of FDroid as centralized is not accurate. The central f-droid.org repo is a centrally built and managed repo of apps, that part is centralized. The FDroid client can use any combination of repos as its source. Turn off the f-droid.org repo in the client, then FDroid is more decentralized than Play: the APKs can have developer builds and signatures and the repos can be hosted on any webserver on the internet, including Amazon S3, etc. There can also be mirrored copies of repos since FDroid repos are structured similarly to Debian repos.
• everyone should definitely upgrade their signing process to use an HSM (aka smartcard), here is how we are doing it: https://guardianproject.info/2014/03/28/security-in-a-thumb-drive-the-promise-and-pain-of-hardware-security-modules-take-one/
• the fdroid repo tools now support using an HSM as well: https://gitlab.com/fdroid/fdroidserver/merge_requests/2
• and recently, we've made it much easier for anyone to setup and maintain their own FDroid repo, using the exact same APKs as go into Google Play: https://guardianproject.info/2013/11/05/setting-up-your-own-app-store-with-f-droid/

[dalb8]

You didn't mention @eighthave, that peer-to-peer repos are proposed too ;-) F-Droid (the client) will need to have better warnings that possible updates fail to appear before that becomes palatable to developers like Moxie: the peer-to-peer repos are by nature ephemeral. Of course, apps can add their own nag screens without including installer code, but who wants that? I do welcome peer-to-peer as it offers defence against censorship: I'm just saying some developers could get uneasy.

There's also talk of integrating PGP signatures on f-droid.org: wouldn't it be nice if everybody (including GitHub) started offering them?

[SafwatHalaby]

@moxie0: For the safety of your users, you should distribute an official APK or publish it on F-droid.

You should consider the fact that the current situation is actually either driving those who don't have Playstore away from TextSecure to other less secure apps, hence compromising their privacy, or forcing them to resort to dangerous alternatives such as using one of dozens of unofficial APK websites.

Your intentions are good, but by not providing a Playstore alternative, the result is less security for the minority which you are trying to protect.

Look at it that way, you have only two choices:

1. The current situation, in which desperate users get the App from, say... http://www.appsapk.com/textsecure-private-sms-mms/ Or use a different app altogether.

2 . A situation where you have an official APK / F-droid App.

In both situations, things aren't optimal in regards to software updates, crash reports, and statistics. But situation 2 is a lot more secure.

By sticking to situation 1 you aren't resolving any of the issues related to a non Play Store distribution of the app, but you are adding extra non security on top of it.

In other words, people will always download Textsecure from places other than Playstore regardless of your actions, but you have the choice of channeling those downloads towards a single, official, safer source.

Also, 99% will use Playstore anyways, so this should not have a big impact on statistics, Google Play download counts, crash reports, etc...