About this Project
Delphino CryptSecure aims for being a very simple-to-use and light-weight Android app for a secure, encrypted text messaging via Internet and via SMS. Additionally light-weight personal CryptSecure servers can be run by nearly anybody on a private webspace with minimial requirements.
To be up front about it, Delphino CryptSecure has NOTHING to do with the crypto chat project named "CryptoCat" (http://crypto.cat) and it is also independent from "textsecure" (http://whispersystems.org). The focus of Delphino CryptSecure is different and about PERSONAL messaging, meaning own PERSONAL + LIGHT-WEIGHT + MULTIPLE message servers for everyone! SSL is not required and a client can handle multiple personal servers.
As TextSecure unfortunately stopped supporting encrypted SMS, Delphino CryptSecure aims for explicitly supporting encrypted SMS. We think than SMS are still not dead and people like to send encrypted SMS if Internet connection is bad like in a train or on the road. We additionally hope to come up with very convenient and handy features like not interrupting you while typing, copy&paste from older messages, fast scroll bar, lock scrolling, backup to Clipboard, etc. The complete list can be found below. The most important fact is the AES encryption of each message. Not even the server knows what you write. Because random characters are added to each message even equal content looks different during transmission. AES keys timeout after one hour and are automatically renewed.
Vision I of CryptSecure is to become a fully open and transparent project where everyone can inspect the source code to validate that CryptSecure does its best to protect people's privacy. Visit us at Github: Android Client, Personal Server
Vision II is that CryptSecure can be used on even an own personal (company or other closed user group) server. Therefore the server part is a very light-weight 85 KB small PHP file and only needs support of PHP & MySQL. This is the "personal" character of CryptSecure and the idea is borrowed from projects like OwnCloud. An own CryptSecure personal server is supposed to run on almost any hosted web space that supports PHP and MySQL for ~$5 a month.
Vision III is that a CryptSecure client handles multiple CryptSecure servers. This way you can be part of multiple closed-user-groups where each group operates its own personal message server, e.g., a home family group server and a work server. If you are on holiday, just disable the work server on your client and you won't struggle with work messages for a while :-)
To the best of our knowledge the combination of
(i) end-2-end encryption with (ii) open-source and an (iii) (multiple) own personal private message servers
that are light-weight (e.g., require no SSL) is a novel approach in the world of message systems.
WE EXPOSE ANY PRIVACY ATTACKERS! CLICK HERE
But be reassured that your privacy is still protected!
Download & Donate
Get CryptSecure Android app from the Google Play Store: https://play.google.com/store/apps/details?id=org.cryptsecure
If you like CryptSecure, your donation is very welcome! Support us and our expenses.
Contribute at GitHub:
Android Client: https://github.com/delphinosoftware/cryptsecure-client-android
Personal Server: https://github.com/delphinosoftware/cryptsecure-server
All messages are encrypted on the mobile device before sending and can only be decrypted by the receiver (or the sender). Anybody in between, even the message server, won't be able to decrypt your message simply because only the sender and the receiver share the secret key necessary to decrypt the message. Following the Perfect-Forward-Secrecy policy, such keys are automatically renewed after one hour. The following shows a screen shot from the server database containing encrypted messages, even some with equal content, which is not visible due to random characters automatically added:
Beta Testing (!!!)
We are currently beta testing our software and doing code cleanup & reviews. CryptSecure is planned to become available at the Google Play Store in September/October 2015. If you are interested in this project and want to help testing (a functional alpha version already exists) or contribute, please write an email:
Finally, we dare the step into the world after beta testing with some devices. Please note that this is a VERY EARLY stage and do not expect an extremely robust product yet. Additionally, the server cryptsecure.org ist privately owned and not intended to be used by any company or heavy-users. It is intended for demo purposes or very light usage only. We reserve the right to ban users for any reason. Please always keep in mind CryptSecure's vision II+III: It is to encourage people to use their own personal servers for their closed user groups. (9/11/2015)
Simple To Use: Just install the app, enter your e-mail and choose a password and a nick name. Then, as usual, click the activation link in your email. Once you restart the app you are asked to enable encryption automatically. This generates an account key and sends it to the server. With the registration you got a UID (number) you can give your friends so that they can add you or alternatively you add their UIDs. That's it!
Encrypted SMS: While other good secure messaging apps like TextSecure unfortunately have removed the encrypted SMS feature, we feel encrypted SMS can really help because while traveling you often have to struggle with an unreliable Internet connection. And unfortunately especially while traveling it is most crucial that your messages (to family or workmates) come through, reliably and quickly! For that reason CryptSecure explicitly supports encrypted SMS (you just need to enter your phone number in the account settings to enable this feature).
NoHang˛: While you type, sending & receiving is blocked in order to prevent interrupting you. If you pause for a while (5 sec) to think or read, sending & receiving is resumed. If you fast-type event scrolling will be deferred until you stop for at least one second!
Light-Weight Status&Read Confirmations: These are part of the typical new messages request. The new message request does not rely on any suspicious push-mechanisms outside of CryptSecure.
Dying-Sessions: The session concept includes time, meaning that a session that is used now cannot be used a minute later any more. If someone steals a session, it will become worthless in a minute.
Obscured UIDs: UIDs will not be sent in plain text. This means that a spy attack will not reveal your contacts. Also your email and user name is not send in plain text to the server.
Password Protection: Your password will never be sent in plain text to the server but only RSA encrypted. Further the server will NOT store your password but only the hash of it. Nobody is able to recover your password from the hash!
Phone Number Protection: Sending encrypted SMS is an optional feature. If you choose this your phone number is only exposed to your contacts and nobody else.
Session Key Timeouts: A separate symmetric AES key is used for every conversation meaning that for each contact there will be a separate session key. This session key is automatically replaced by a new one every hour.
Hidden Identity: It has been shown that adding random text to your messages (and removing it later after decryption) enhances cryptography strength. This makes it also impossible to detect messages with the identical content (these will look different when looking at their encrypted data sent).
Chat Mode: You can switch to a chat mode where hitting the Enter key sends the message. This can be globally switched on/off during conversations when pressing long on the send button.
SMS Mode: If the other person and you have turned on the SMS option (this means temporary storing your phone number on the server) you can choose to send encrypted SMS instead of messages. This makes sense for example if you have bad Internet connection (e.g. in trains) and still want to communicate encrypted. The SMS mode is turned on like the chat mode but is saved for each user in your contacts.
Extra-Long SMS: CryptSecure implements an application-level multi part for encrypted SMS and for Internet messages. This way your messages and even your SMS can be of nearly unlimited length. They will be split and merged back automatically.
Separate Databases: For every contact there will be a separate database file created. If one database might get corrupted the other databases will not be harmed. Additionally this scales better if you have contacts with very large conversations.
Cut-History: To increase performance only the last 50 messages in a conversation will be shown when opening a conversation. The other older messages can still be shown using the context menu.
Keep-Trying-But-Decelerate: If a message cannot be sent because of bad Internet, then the app keeps trying until Internet is there again and the message could be sent. To save energy the intervals between failing sending attempts will increase from 10 seconds up to 5 min (+%50 each time). This is only done for the background send/receive service. If the app is in the front, then we constantly keep trying to send/receive.
Unsecure Messages & SMS: You can always press long on the send button to send an unsecure message or SMS. This will only be the default if the other person has not enabled encryption (or is an external SMS-only-contact). It is not recommended to send unsecure, unencrypted messages but in the unlikely event of disrupted keys you can at least communicate how to restore. Typically refreshing your contacts and sending a new session key afterwards should fix these problems - but both of you should refresh the contact list.
Security Alerts: At each login your current country and your device id is stored at the server which compares it the next time you log in. If the country of device changes then you will get an email than warns you about this. You can then decide to change your password if this is suspicious to you. You can always compare you device id (hash) from your settings to the device id in the automated security alert email. If there are more than 10 consecutive unsuccessful login attempts then you will also be informed by an automated security alert email exposing the ip address of the last attempt.
Default SMS-App: From Android KitKat on you can select a default SMS application. CryptSecure is able to handle all SMS that you receive. You will only be able to respond in plain text (unsecure) unless you invite the other person to also use CryptSecure.
For pre-KitKat Androids all CryptSecure messages will be filtered automatically.
Draft-Auto-Save: If you temporary switch to another app while creating a new message then this is automatically saved as a draft and also automatically recovered later on.
Smart-Scroll-Lock: If you have scrolled down completely, the scroll bar will automatically scroll down if you write new messages or new messages are received. But if you have scrolled up to read or respond to an older message then if you send a message or receive a new one the scroll position wont change to not disturb your reading. Instead a small toast informs you about the new message. The scroll-lock will also try to focus the right message if you switch from landscape to portrait mode or the other way round.
Battery Saver: Several options allow you to save battery power. As the screen of your phone typically consumes most of the energy you might be surprised that even the darker scheme helps in saving energy while you use CryptSecure whenever your phone is equipped with one of the popular AMOLED displays.
Ticker: When receiving new items (up to Android KitKat) you will be able to see/read the message in the ticker. Unfortunately Lollipop does not support this feature anymore.
Enabled Select & Copy: Often it is annoying if it is not possible to select and copy parts or a whole message if one wants to answer to a message or to parts of it. CryptSecure allows to select and copy from every message! For simply copying the whole message just long-press at the message border to bring up the message details dialog.
Growing Input Field: If one wants to write a large message, the text input field automatically grows so that you can see as much as possible from your current message. We think this is preferable over just seeing 3-4 lines.
Revoking: CryptSecure allows to revoke messages that were sent erroneously. If such messages are not delivered yet the recipient will never read them because these messages will be revoked on the server directly. If they already have been delivered they can also be revoked afterwards but it is not guaranteed that the messages are not read yet. If a message is revoked before it is read then a read confirmation will never appear. If a message is revoked before it is delivered then a delivery confirmation will never appear.
Easy-Search: Search for a keyword in a conversion is made simple. Search UP or DOWN relative to the current message. If a message containing the keyword is found it is automatically focused.
Insistent SMS Retrial: An SMS that is sent (encrypted or unencrypted) is queued until network signal strength allows for a sending attempt. If this fails for signal/network error (and not for a wrong phone number etc) then the SMS is tried to be send again at a later time. If the SMS cannot be send due to an unknown error such as a wrong phone number then it is marked as 'FAILED'.
Quick Type: If you rotate your phone from portrait to landscape mode the keyboard is shown automatically and you can quickly begin to type!
Photo Attachments: CryptSecure allows to attach pictures from your gallery or directly taken if your device comes equipped with a camera. The server may set a limit of size or even disallow images sent by Internet message. CryptSecure can user SMS to send images and even split up images across 10 or 20 SMS if required. CryptSecure allows you to adjust the size and quality of an image to help you find a trade-off between the message size/SMS number and the quality of the attachment image.
Personal Server: CryptSecure aims for being able to run on your own personal company or closed user group server with a PHP (5.3.5+) and MySQL Database. SSL or other special packages are not necessary. The server is very light-weight and basically consists of just one PHP-File with 85 KB. Using your own personal message server, you have fully control over all your private messages (that are still not readable on the server!) and the communication between just the users on your server. The server can be in stealth mode so that invalid requests will be answered with a HTTP 500 server error message. You can set an attachment limit or disable new registrations. To the best of our knowledge the combination of (i) end-2-end encryption with (ii) open-source and an (iii) multiple own personal very-light-weight message servers is a novel approach for encrypted message systems.
Multi Server Support: CryptSecure Clients from version 1.3 on are able to connect to bunch of personal message servers. Because each server of course will require additional effort, this list should be kept limited to 3-4 servers. A client may disable a server and won't receive messages from this server until it reenables the server again. Each server requires its own registration. Registration of new users can be generally switched off and on in the server configuration.
Convince Yourself: CryptSecure also aims for being open for inspection/auditing. The source code is being made available so that any privacy concerns can be falsified directly in the code.
IP-Expose&Block: Any privacy attack attempts are exposed and blocked automatically.
Legal information/Impressum: Christian Motika, Allee 18, 25709 Marne, further details and email address see: http://delphino.de
Copyright (c) Christian Motika, August 2015, www.delphino.de, dedicated to the most important person in my life Sara Gebhart, SC www.sarachriz.com