Encrypted messaging by Schmoose, anyone?

speedtouch

New member
Jan 23, 2012
1,043
I've been searching for some sort of encrypted messaging app for WP8 for quite some time. At first I thought Telegram was going to be it, but after reading a few articles on it as well as listening to the Security Now guys label it as insecure, I crossed Telegram off my list. Darn it!

A new app popped on the scene a few weeks ago, Schmoose. The devs were kind enough to bring Schmoose to WP8 first, before they cross-platformed it to W8, iOS, and Android. Nice touch!

The version I first tried was v1.1.3 and holy crap was it a mess. I emailed the devs the problems I was having with the app and they responded that my concerns were to be addressed in the next update. And sure enough, in v1.2.0, all problems were addressed. Wow! It works a lot better now. I'm evaluating it to see if it's going to be the replacement for text messaging on my phone. It's still kinda clunky and the devs haven't put any help in the Help section just yet, so there's things that I just don't understand about the app.

Do any of you use Schmoose?

Schmoose | Windows Phone Apps+Games Store (United States)

https://www.schmoose.ms/
 

DaT Franchise

New member
Mar 2, 2014
516
I wouldn't waste my time. CM did that with Android a few months back and within a week the encryption was cracked. In this day and age you're not going to get 100% private messaging.

I may be mistaken but even if you could have a full 100% encrypted message system the recipient would need the same app??
 

speedtouch

New member
Jan 23, 2012
1,043
If CM is Cyanogen Mod and you're speaking of TextSecure integration, that would not be true. It's not cracked.

You are right that two people would need the same app to communicate with encrypted messages.
 

jmshub

Moderator
Apr 16, 2011
2,667
I wouldn't waste my time. CM did that with Android a few months back and within a week the encryption was cracked. In this day and age you're not going to get 100% private messaging.

I may be mistaken but even if you could have a full 100% encrypted message system the recipient would need the same app??

Complete endpoint-to-endpoint encryption is available these days, and the concepts are well defined. To achieve valid encryption, both users will almost certainly need to use the same application, or at least an application using the same protocol. From the Schmoose website, it says they are using the "OpenPGP standard". OpenPGP uses private keys and public keys to encrypt and decrypt information. This method is proven to be secure, if it is implemented correctly. One catch is that you have to manually share your public key with anyone with whom you wish to converse with encryption.
 

jmshub

Moderator
Apr 16, 2011
2,667
speedtouch, I really have no actual need for an encrypted chat client, but I am going to download it and look into it anyway. It looks interesting, but I would like to know further to ensure that they are properly implementing the security model that they have designed.
 

speedtouch

New member
Jan 23, 2012
1,043
speedtouch, I really have no actual need for an encrypted chat client, but I am going to download it and look into it anyway. It looks interesting, but I would like to know further to ensure that they are properly implementing the security model that they have designed.

Good deal. I think it's important to have all communication private, if possible. Each to their own, of course. I agree with you, I'd like some proof that their security model is robust and up to the task of keeping conversation private. OpenPGP is a great standard if implemented correctly. Like you said, the real drawback is that keys must be shared somehow. The only way I figure Schmoose does it now is by having the public keys traverse their servers on the way to your contact, as well as traversing their servers when your contact sends you his public key.

I have emailed with the devs on this very subject of security verification. They have assured me their security model will be audited and the results posted online.

Edit: I just remembered you can add contacts into Schmoose via a QR code using the phone's camera, but I am not sure if this includes the contact's public key or not. If it does, then that's an excellent way to make the comms secure.
 

jmshub

Moderator
Apr 16, 2011
2,667
Don't get me wrong. I am definitely an advocate of privacy. I'm just saying that I do nothing that "demands" robust security for chatting. I have the app installed, but I'm a little confused about the way friends are added to the app. I see how to generate a QR code, but I don't see how to take a pic of someone else's QR code to add them into my friends list. If the Schmoose team takes a copy of your public key, then they would be able to decrypt any text encrypted with your private key, and can effectively be a man in the middle. I need a little more detail to see that they are doing it right. I don't currently know anyone else using Schmoose. I may try to install it on my wife's phone sometime over the weekend to test it a bit.

Edit: never mind, I saw how to use the QR code to import other contacts.
 

speedtouch

New member
Jan 23, 2012
1,043
Don't get me wrong. I am definitely an advocate of privacy. I'm just saying that I do nothing that "demands" robust security for chatting. I have the app installed, but I'm a little confused about the way friends are added to the app. I see how to generate a QR code, but I don't see how to take a pic of someone else's QR code to add them into my friends list. If the Schmoose team takes a copy of your public key, then they would be able to decrypt any text encrypted with your private key, and can effectively be a man in the middle. I need a little more detail to see that they are doing it right. I don't currently know anyone else using Schmoose. I may try to install it on my wife's phone sometime over the weekend to test it a bit.

Edit: never mind, I saw how to use the QR code to import other contacts.

I was going to tell you how to import via QR code, but you found it. Good deal. Schmoose sure doesn't make things clear, does it?

Right, the man in the middle attack is a real vulnerability with this app, I assume. Until Schmoose releases their security model we really can't know just how our public key travels on its way to our contacts.

I'm testing it on my phone and my wife's phone, too. LOL, she loves it when I borrow her phone for hours on end. (Ok, not really, it annoys the crap out of her.) Ha!
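The concern in the last two posts is that a public key which travels through Schmoose's servers can be swapped for someone else's on the way, and that an out-of-band channel such as the QR code is what lets you catch that. The following is an added example, not code from this thread or from Schmoose: it models the exchange with a relay that may or may not substitute its own key, and shows that comparing a fingerprint of the delivered key against one obtained in person detects the swap before anything is sent. It uses textbook RSA over fixed Mersenne primes and Python's standard library only, so the key material, the relay, and the sample message are all constructed for illustration of the trust model rather than of cryptographic strength.

```python
import hashlib

E = 65537

# Constructed toy key material: each modulus is a product of two known
# Mersenne primes, so the example needs no prime generation. Illustrative only.
BOB_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)
RELAY_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)


def keygen(p, q):
    """Textbook RSA key pair from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def fingerprint(pub):
    """Short SHA-256 fingerprint over a canonical encoding of a public key.
    This is the value a QR code shown in person would carry."""
    n, e = pub
    return hashlib.sha256(f"rsa:{n}:{e}".encode()).hexdigest()[:16]


def encrypt(pub, msg: bytes) -> int:
    """Encrypt a short message to a public key (textbook RSA, no padding)."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "toy keys only fit short messages"
    return pow(m, e, n)


def decrypt(priv, c: int) -> bytes:
    """Decrypt with a private key; garbage comes back if the key does not match."""
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def serve_key(requested_pub, relay_pub, hostile_relay):
    """The server hands out a contact's public key. A hostile relay hands out its own."""
    return relay_pub if hostile_relay else requested_pub


def key_checks_out(served_pub, oob_fingerprint):
    """Compare the delivered key's fingerprint with one obtained out-of-band."""
    return fingerprint(served_pub) == oob_fingerprint


def exchange(hostile_relay, verify_oob):
    """Alice sends one message to Bob through the relay; reports who could read it."""
    bob_pub, bob_priv = keygen(*BOB_PRIMES)
    relay_pub, relay_priv = keygen(*RELAY_PRIMES)
    qr_fingerprint = fingerprint(bob_pub)  # Bob showed Alice his QR code in person

    served = serve_key(bob_pub, relay_pub, hostile_relay)
    if verify_oob and not key_checks_out(served, qr_fingerprint):
        # Fingerprint mismatch: refuse to encrypt to the delivered key.
        return {"sent": False, "relay_reads": False, "bob_reads": False}

    plaintext = b"meet at 9"  # constructed sample message
    c = encrypt(served, plaintext)
    return {
        "sent": True,
        "relay_reads": decrypt(relay_priv, c) == plaintext,
        "bob_reads": decrypt(bob_priv, c) == plaintext,
    }


if __name__ == "__main__":
    for hostile in (False, True):
        for verify in (False, True):
            print(f"hostile_relay={hostile} verify_oob={verify}:",
                  exchange(hostile, verify))
```

Without the fingerprint comparison, a substituted key goes unnoticed and only the relay can read the message; with it, the mismatch is caught before encryption. The point carries over to any OpenPGP-based client: the server is a convenient way to move keys around, but only an out-of-band comparison (QR code, read-out fingerprint, or a signature from a key you already trust) tells you the key you received belongs to your contact.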
 

jmshub

Moderator
Apr 16, 2011
2,667
I was overlooking the section where you add friends. As I look into this a little further, I see that there is a "Master Password" to synchronize your account with other devices. It appears that this password is the password to the private key. All of their security is dependent on that step. If they maintain the private key, that isn't ideal. And if the master password is recoverable, or if they have access to the private key in any way, then they can read your chats.

Edit: Reading the schmoose website, it says that the private key is maintained on your device, and they don't have it. It sounds like they are taking a security first model and I like that... I hope everything is put together correctly.
 

speedtouch

New member
Jan 23, 2012
1,043
I was overlooking the section where you add friends. As I look into this a little further, I see that there is a "Master Password" to synchronize your account with other devices. It appears that this password is the password to the private key. All of their security is dependent on that step. If they maintain the private key, that isn't ideal. And if the master password is recoverable, or if they have access to the private key in any way, then they can read your chats.

Edit: Reading the schmoose website, it says that the private key is maintained on your device, and they don't have it. It sounds like they are taking a security first model and I like that... I hope everything is put together correctly.

I think the private key is generated on your device when you register it with Schmoose, because you can send/receive messages before ever creating the Master Password. The MP just allows you to connect multiple devices to one account. I'm not sure where the MP is kept. If they do it like SpiderOak or LastPass, then it means they have no way to recover it. (Which is very good, of course.)

Right, they do say the private key is kept locally. I'm cautiously optimistic that their security model is legit.
 

Jaskys

Banned
Jan 23, 2013
603
What do you have to hide?

Why would you need "Encrypted messaging"?

There's services such as skype/viber/facebook for normal people, you know..?
 

speedtouch

New member
Jan 23, 2012
1,043
Why do you lock your doors, put a numerical unlock code on your phone, close your doors/windows/drapes, put a password on any account, have a safe, put letters in an envelope?


You're arrogantly asking the wrong questions.


Gee, I never thought of Viber, Kik, or Facebook. Thanks for your amazingly useless and off-topic post.
 

speedtouch

New member
Jan 23, 2012
1,043
Some observations that I noticed after really using the app a lot last night on my phone and my wife's phone:

1. The app does not run in the background, which defeats the purpose of an instant messenger.
2. There is no way to block contacts.
3. As best I can tell, there is no way to prevent yourself from being added to someone else's contact list.
4. There's a bug in the editing of your Profile. Once you declare a nickname it's there forever and can't be removed.
5. As best I can tell, there's no way to prevent yourself from showing up in the Contacts search results.

I'll be communicating these issues to the devs. They're pretty slow about responding to email, so who knows when this type of stuff will get fixed.
 

esskar

New member
Apr 7, 2014
1
Hey speedtouch,

we are not that slow in responding, we are just busy with programming and responding to other requests as well! ;-)

Some answers to your questions:
* Private keys stay on the device, and will never be transferred. If you - as user - have multiple devices, each device will have its own private key.
* The master password (multi-device password) is just there to help protect you. Let's think for a minute. When you are a basic user, you are allowed to have 3 devices. So, you register with a WP8 phone and an Android phone, and you don't have another device. Now, you change phone providers and you get a new number for one of your phones. You edit your profile and add your new phone number, but you forget to delete the old one. Over time, your old provider gives your old number to another customer who also registers with Schmoose using your old number, since it is now his number. Without a master password, he would be able to become you. We thought a lot about that but couldn't come up with a better solution for that kind of scenario.

Regards,
Sascha Kiefer, esskar, CTO at Schmoose S.A.
 

speedtouch

New member
Jan 23, 2012
1,043
Sascha, welcome! I'm glad to see your post here.

I'll try to be more patient in the future when waiting on email from you and your team. Sorry!

Good. I'm glad to know private keys will remain on the device.

Thanks for explaining the master password, it makes sense.
 

speedtouch

New member
Jan 23, 2012
1,043
Version 1.2.1 of Schmoose was released yesterday. It fixed a very annoying stuck tile issue. Nice to see them continuing to update the app after their Android release. Don't abandon us, Schmoose!
 

anon(5789608)

New member
Apr 10, 2013
136
Hey speedtouch,

we are not that slow in responding, we are just busy with programming and responding to other requests as well! ;-)

Some answers to your questions:
* Private keys stay on the device, and will never be transferred. If you - as user - have multiple devices, each device will have its own private key.
* The master password (multi-device password) is just there to help protect you. Let's think for a minute. When you are a basic user, you are allowed to have 3 devices. So, you register with a WP8 phone and an Android phone, and you don't have another device. Now, you change phone providers and you get a new number for one of your phones. You edit your profile and add your new phone number, but you forget to delete the old one. Over time, your old provider gives your old number to another customer who also registers with Schmoose using your old number, since it is now his number. Without a master password, he would be able to become you. We thought a lot about that but couldn't come up with a better solution for that kind of scenario.

Regards,
Sascha Kiefer, esskar, CTO at Schmoose S.A.

Hi!!

Please allow "block user" options in the free account! :cry:
 
