Application for Android

How does it work?

Alice and Bob wants to send messages over a secure SMS channel.

  1. Alice and Bob installs the app.
  2. Alice clicks the Add ('+') button and selects Bob from her list of contacts.
  3. Bob receives contact request from "Alice". Bob accepts the contact request and derives a shared secret.
  4. Alice receives a contact request notification and derives the same shared secret.
  5. Alice calls Bob or vice versa and confirm they both see the same authentication code (e.g. '1A2B').
  6. Alice and Bob can now send secure messages through the app.

The TL/DR version of the above is available in the README.txt of the source distribution.

Technical details

Target Android versions: 2.0 "Eclair" - 4.3.x "Jelly Bean" (API level 5 to 18), 4.4.x+ "KitKat" (API level 19+)┬╣
Cryptographic library: SpongyCastle (BouncyCastle renamed to avoid conflicts with the crippled version in the OS)
Key Agreement: Elliptic Curve Diffie Hellman (ECDH)
Elliptic Curve: secp256k1
SMS transport encryption: AES-256 in OFB mode
Storage encryption: AES-256 in OFB mode
Storage encryption key protection: key = PBKDF2(sha256, pass phrase, 256-bit salt, 512 rounds)
Transport key replacement: key_for_msg_n+1 = sha256(key_for_msg_n, pepper)

┬╣From API level 19 it is no longer possible to prevent encrypted SMS messages from reaching the default SMS application. The application is still fully functional, but an encrypted version of each message will appear in your regular SMS inbox.

Motivation for permissions

The source code is always authoritative for how permissions are used. The following only applies to the version supplied by MydriaTech and can't be guaranteed for derivative works and/or distributions.

Used for sending encrypted SMS messages and contact requests to contacts the user has selected or approved.

Used for intercepting and handling encrypted SMS messages and contact requests. Unrelated messages are left untouched.

Used to allow the encrypted message notification to vibrate the same way the regular SMS notification would.

Used to lookup the mobile phone number of a contact the user has selected to add.
Used to lookup the name of incoming contact requests.
Used for matching the incoming number with the correct contact (incoming numbers might for example have a country code).