ChatSecure, Conversations and Zom
We are excited to announce that major changes are planned for the underlying architecture of ChatSecure Android, and that there is a new UX-focused fork of the existing iOS and Android code bases called Zom. In the upcoming months, we will be releasing a new version of ChatSecure Android that will be powered by the core of Conversations, as well as the first releases of Zom for iOS and Android. Both will have a new package name and signing key, so the existing ChatSecure Android app will prompt you on every launch to either download the new version of ChatSecure or Zom.
ChatSecure & Conversations
Conversations is currently (in my opinion) the best modern open source Android XMPP client. It was originally founded, and still primarily maintained, by Daniel Gultsch. This summer he mentored Andreas Straub’s GSoC 2015 project to develop and implement a new XEP for asynchronous encryption based on Axolotl. They are calling it OMEMO (OMEMO Multi-End Message and Object Encryption), and it’s a genius way to adapt TextSecure’s fantastic Axolotl protocol in a way that’s compatible with almost every existing XMPP server (anything that supports PEP).
The source code to the current version of ChatSecure Android will soon be reaching end-of-life, and all new features and maintenance of that code will be happening in the Zom Android fork. The Zom fork is focused on a simplified and streamlined user experience, targeted toward a less tech-savvy crowd, but still powered by strong cryptography under the hood.
To keep the ChatSecure™ brand consistent across platforms, we are partnering with Daniel Gultsch to create a whitelabeled version of Conversations to become the new ChatSecure Android. ChatSecure Android will continue to be offered for free on Google Play and F-Droid, but will be signed by a new key, so keep an eye out for that. We’ll do our best to ease the transition.
Daniel and I discovered that we both have been working on methods to make it easier to whitelabel ChatSecure and Conversations. The primary purpose of these whitelabeling methods is to allow for downstream forks to more quickly and easily merge security updates and new features. As a nice side effect of this work, we will also soon be offering both automated and bespoke professional whitelabeling services to finally satisfy the (nearly constant) demand.
For more information about ChatSecure for Business, see below.
Soon we will be implementing OMEMO Encryption in ChatSecure iOS, and immediately contributing our OMEMO XEP code upstream to XMPPFramework so that other apps can benefit. We plan to utilize the pre-existing Objective-C library AxolotlKit, written by Frederic Jacobs, that has been used in production since the release of Open Whisper System’s Signal v2.0 for iOS. Unfortunately AxolotlKit is still currently GPL (and therefore not redistributable to the App Store) so this work is on hold until we can negotiate a change to an App Store-comptible copyleft license like LGPLv2 or MPL 2.0 from Fred and Moxie.
ChatSecure & Zom
As I mentioned earlier, the Zom fork is focused on a simplified and streamlined user experience, targeted toward a less tech-savvy crowd. Our goal is to produce a messenging product that is fun and easy to use, while also being secure by default, and as decentralized as possible. Users shouldn’t have to know or care that this is built for security under the hood, all they need to care about is being able to send cat pictures and emojis to their friends without fear of censorship or retaliation. This is a notoriously hard problem to solve.
Zom Android will have a radically different UI than the current version of ChatSecure Android, is a hard fork of the current code. Many advanced features will be hidden or removed for the sake of simplicity (with sane secure defaults of course!), which we feel is the right move when targeting the mass market. It will also only support a single account at a time, have a bigger focus on media sharing, and sport silly stuff like sticker packs.
Under the hood, it will still support OTR, XMPP, Tor, SQLCipher, certificate pinning, and all that crypto goodness that you expect, all bundled up behind a shiny new interface designed to hide or minimize the vast majority of the complexity. No use in having a secure messenger if it’s as hard to setup and use securely as PGP, right?
Zom iOS is a soft fork of ChatSecure iOS, meaning it was designed to track upstream as closely as possible. We will continue to develop new features first in ChatSecure iOS, and push them to the downstream forks, such as Zom, as soon as they are stable. We will also ensure that security updates are available to every downstream fork as soon as possible.
Our ChatSecure Core whitelabeling system is made possible by the newly supported iOS 8.0+ dynamic frameworks.
ChatSecureCore.framework contains the entirety of the upstream ChatSecure source code and resources, and allows for every string, image asset, and resource file to be customized via the
Another nice bonus is that this work will open the door for ChatSecure for Mac, which will be the first open source, modern, native, sandboxed XMPP client for OS X. The lack of maintenance of Adium has made this issue especially urgent so, if you’d like to help, please be in contact!
ChatSecure for Business™
Since early 2012 ChatSecure development has been financially supported by the following (outstanding) organizations: The Guardian Project, OpenITP, Rights Action Lab, and the Open Technology Fund. There have also been many smaller individual donations over the years (thank you)! Although open source grants and donations can be a great way to fund certain kinds of software development, the process can be glacial, arduous, and unforgiving at times. Even though I intend to continue funding ChatSecure development with grants for the immediate future, I still think it would be wise to begin diversifying our funding portfolio.
Despite living in Berkeley, with a close physical and social proximity to the frothy tech scene of San Francisco and Silicon Valley, I still have no desire to seek VC funding for ChatSecure. I was part of the first class to the awesome Matter startup accelerator as a co-founder to OpenWatch, an anti-authoritarian citizen journalism app. That whole concept didn’t really fly in the VC world, so eventually we pivoted our core technology to become Kickflip.io, an open source mobile live broadcasting SDK + SaaS platform. My experience with the VC scene, although mostly pleasant, has made it very clear that traditional VC is a tough fit for open source privacy / security software.
Whitelabel ChatSecure iOS and Android apps
I get emailed approximately once a week from some organization or individual who is seeking to produce a whitelabeled version of ChatSecure. In the past we haven’t really had the resources to help to anyone, and even had to tell people to abandon their efforts due to the legal complexity of offering GPL license exemptions for the iOS client.
This has been the equivalent of leaving money on the table for years, especially considering I know for a fact there at least a few “illegal” forks of ChatSecure on the iOS App Store. I believe that ChatSecure should remain under a copyleft license for the benefit of the public good, but I never intended to prevent the free binary redistribution of our code on the App Store (an unfortunate side effect of the GPL) as long as the source code to your modifications remains available.
As I mentioned in a previous blog post, future releases of ChatSecure iOS will be available under the MPL 2.0, which is a fully App Store-compatible copyleft license (also used by Firefox and VLC for iOS). It’s most similar to the LGPL, so you only have to distribute the source to modified ChatSecure files, and you only have to seek a license exemption if you plan to modify upstream code.
This solution has extra benefits because it encourages downstream forks to minimize their modifications to upstream code, allowing them to more easily pull in security updates and new features. Most students, individuals, and small organizations won’t need to pay for a license if they follow the requirements of the MPL.
Larger organizations and customers seeking bespoke solutions will desire the freedom to release deeper proprietary modifications, so we will be developing a fair pricing model to support these kinds of applications as well. This new revenue model can also help offset our reliance on grants, and allows for a greater diveristy of messaging products all built upon a solid ChatSecure foundation.
An XMPP client without a server is rather useless, so we will also be offering paid XMPP server and ChatSecure Push hosting. Since we believe in the power of open source software, both the client and server implementations will be completely free (as in source), and designed to be easily deployed by a moderately technical end user. Running your own secure XMPP server continues to be extremely difficult for the average person, so we intend to solve that:
- Paid SaaS hosting for XMPP and Push infrastructure.
- Secure Server Hardware solution for Enterprise networks that lives behind your corporate firewall.
- HIPAA and other data security regulation compliance.
- ChatSecure Server for Android. Quick to setup, easily provision new devices, secure by default (end-to-end and at-rest), and user friendly.. even for novices! This open source Android XMPP server app will be based on Prosody and will use Orbot’s
.onionservices to provide universal NAT traversal (even over cell networks).
If you’re interested in ChatSecure for Business please send me an email as soon as possible so we shape our product offerings to better match your needs in the upcoming months.
We’re on track to release the first beta version of ChatSecure Push in both Zom for iOS and Android, as well as ChatSecure for iOS. We’ll be using separate federated instances to demonstrate decentralized push between multiple native mobile applications. We plan on integrating some components of ChatSecure Push into Conversations as well. It’s by far the #1 most requested iOS feature, so I hope you’ll like it.
Axolotl / OMEMO
Work on implementing Axolotl / OMEMO into ChatSecure iOS will begin as soon as we can negotiate a license change to AxolotlKit. Hopefully we can sort that out quickly and get to work.
We plan to support unencrypted group chat in ChatSecure iOS v3.2 this fall. Work on np1sec (aka mpOTR) for multi-party OTR has been slow, but appears to be progressing. OMEMO works for small group chats as well, so we may adopt that in the meantime.
ChatSecure for Mac
ChatSecureCore.framework effort will soon make it possible to create a sandboxed desktop version of ChatSecure for Mac. Want to help? Drop me a line.
ChatSecure Server for Android
It’s still too hard to host your own secure XMPP server. We are going to change that… some time next year.
We will be putting more effort toward providing secure communications tools to individuals, small teams, and larger businesses alike. Feel free to reach out if you’d like to discuss business applications for ChatSecure or have ideas about opportunities for growth.
iOS 9 Tor VPN
As a quick side note, iOS 9 added a neat new API for full device VPN, which opens the door for a better way to implement Tor on iOS. We are working on it!
I had sort of a wild idea the other day to integrate ChatSecure with the Keybase API, which is basically a cryptographic identity provider and aggregator of your semi-decentralized signatures scattered around on Twitter, GitHub, etc. You can think of it as a successful mashup of a social network and a GPG keyserver. There’s a lot of cool UX stuff we could do there, so I’d like to hear any ideas! Also, Chris, we should chat!
We will soon be hiring mobile, frontend, and backend developers with some or all of the following qualifications.
- iOS: Objective-C, Swift, C, AutoLayout, Storyboards, CocoaPods, iPad, Cocoa, Mac UI, XCTest, an app in the App Store
- Android: Android 4.0 SDK and higher, Android NDK, Java, C, Android Studio, Gradle, JUnit, an app in the Play Store
- Backend: Python, Django, Ubuntu, Go, Rust, Docker, your own API
- General Programming: data structures, flow control, POSIX, standard stuff. Experience with Test Driven Development would be nice.
- Security: Some basic knowledge of cryptography is a must, but don’t stress about the advanced stuff. You must have experience with modern secure / defensive coding practices, familiar with common vulnerabilites in native code, identifying potential areas of concern, surface area analysis, etc.
- Open Source contributions are highly recommended: individual projects, larger projects, pull requests, bug reports, QA, documentation, modular coding practices, semantic versioning, Travis-CI, GitHub, git. Know how to find the best existing open source libraries that solve a need. Be able to quickly assess a library’s code quality and general maintenance health compared to similar projects. Know when to just rewrite it from scratch instead. Know how to properly publish your new open source library.
- Freelance Contrators Only: Sorry, there are currently no full time or permanent positions. Interns are OK though! If you’re looking for that steady 9-5 you really should be looking somewhere else, because this ain’t it. Fortunately Obamacare has made buying individual health insurance a lot better for us freelancers.
- Equal Opportunity: We do not discriminate based on race, color, sex, religion, national origin, age, disability, sexual orientation, genetic information, reprisal, socioeconomic class, radical political beliefs, tattoos, hair color, clothing style, or otherwise.
- Berkeley, CA: East Bay or SF preferred. Remote may be negotiable though!
Want to stand out by sending your application early? Email me with a link to your GitHub profile and a short introduction.
That’s All Folks
Until next time. Thank you!
I’ve noticed that many apps have been appropriating ChatSecure iOS code for their whitelabeled products, even though the code is not currently suitable for this purpose. There are a lot of cross-dependencies, assumptions about the ChatSecure brand, and some unfortunate spaghetti code that has accumulated over the last few years of development. The GPL license also currently prevents people from legally shipping forks or devirative works that include our code to the App Store (without an exemption). Although many people and organizations have requested license exemptions since our move to the GPL, we haven’t had the time or legal resources to grant any.
Now that we are also working on a whitelabeled version of ChatSecure ourselves, the pain of keeping the two versions in sync has made it apparent that a major refactor needs to happen as soon as possible. This will be done in two phases:
- Creating a monolithic framework containing almost all of the existing ChatSecure iOS code.
- Splitting that framework into multiple sub-frameworks each concerned with a single domain: UI, network, database, encryption.
Additionally, to accomodate forks and other open source projects that wish to reuse our code, we will be relicensing these reusable components under the copyleft MPL 2.0 license. This is the license used by Firefox and VLC for iOS. It is most similar to the LGPL in that binary distributions require attribution and that modifications to the code need to be publicly available. It doesn’t virally spread its terms to the rest of your program like the GPL, there’s no issue with static linking like the LGPL, and it is fully compatible with the App Store.
Organizations that wish to release closed source / commerical / proprietary apps will also be able to use the code as long as they follow the terms of the MPL 2.0. In short, just give us proper attribution, and publicly distribute any source code changes you’ve made to our framework.
This will require a very large refactor of the existing ChatSecure code into reusable components. Right now there is a tight coupling (aka spaghetti code) between the UI, XMPP network stack, database, and encryption layer. Each of these components will need to be split into reusable components with no cross-dependencies.
For the first step, we will create a monolithic ChatSecure framework that includes the entirety of the ChatSecure iOS code as a reusable library. This will allow improvements and security updates to the core ChatSecure code to be more readily available to whitelabeled apps.
After that is complete, we will begin splitting up the monolithic framework into smaller and more manageable frameworks: UI, network stack, database, and encryption layer. When that is complete, it will become much more feasible to create novel UI experiences that diverge from the upstream ChatSecure iOS UI code, without sacrificing the ability to easily merge in security updates and new backend features.
Bonus: ChatSecure for Mac
As an unintended bonus of this work, it will then be possible to eventually create a native OS X desktop client for ChatSecure. The current standard for OTR+XMPP on OS X, Adium, hasn’t been updated since last year but depends on Pidgin’s libpurple, which is known for containing many security holes. The lack of Adium updates puts users at risk, and it looks like new development is almost completely stalled. It also doesn’t use OS X sandboxing so any Adium vulnerability allows an attacker to read and write (almost) any file on your computer, including past conversations, passwords, etc. We can fix that.
On the Roadmap
We are now well on our way to implementing our design for decentralized push support, courtesy of a new grant from the Open Technology Fund. Yes, we are finally fixing the XMPP push problem! We are very excited to ship beta versions of ChatSecure that will include this functionality in early Q4 2015. This is a feature that can be included in ANY app (we have SDKs for iOS and Android), that allows your users to communicate with users of other apps. No more walled gardens!
This work is compatible with and compliments the existing effort to add push support to XMPP itself.
We will also be integrating the mobile friendly Axolotl end-to-end encryption protocol into ChatSecure iOS, following the lead of the Conversations team. This is the same protocol used by TextSecure/Signal, developed over at the amazing Open Whisper Systems.
We are also working on a streamlined onboarding process to help new users who are unfamiliar with the intricacies of XMPP. Stay tuned for more updates regarding that exciting new feature!
A Bright Future for Secure Messaging
With all of these changes in place, we will be able to deliver a more seamless user experience that can rival that of other popular mobile messaging apps. We are committed to open source, open standards, decentralized protocols, and delivering the most secure and user-friendly product possible.
Thank you for your support!
ChatSecure iOS Security Audit
Last year OpenITP generously funded a security audit of the ChatSecure iOS client, performed by QuarksLab in Q1 2014. It was the first professional security audit of the code and it revealed a few critical issues that we were able to quickly address.
Originally ChatSecure was designed to be a multiprotocol IM client that supported OTR over AIM, Google Talk, Facebook, and generic XMPP. Because libpurple, used in Pidgin and Adium for chat network support, is licensed under GPL we could not distribute it on the App Store. Additionally libpurple has had quite a few vulnerabilities itself, so instead we chose to use two Objective-C libraries: XMPPFramework for GTalk, Facebook and XMPP, and a lesser-known library called LibOrange for AIM support.
XMPP and STARTTLS
One of the issues they found was the ability for an attacker with a privileged network position to potentially block the STARTTLS functionality of XMPP, which is used to initiate TLS connections. Although we support TLS with certificate pinning, XMPPFramework directly followed the XMPP specification which states the server is to specify (in plaintext) whether or not TLS is supported or required. This is a problem for all protocols utilizing STARTTLS (including email), and no server should ever allow plaintext connections in 2015. We worked with the XMPPFramework maintainers to add the ability to require TLS connections regardless of what the server reports. This way if an attacker tries to force a downgrade attack, the connection simply fails.
Many XMPP server operators have pledged to require STARTTLS for all client-to-server and server-to-server connections. Due to this change, many servers no longer federate with Google’s XMPP gateway because Google still doesn’t support server-to-server STARTTLS.
LibOrange and AIM
LibOrange (for AIM/Oscar) was originally included back in 2011 when ChatSecure (then called “Off the Record”) was a proof of concept pre-release hobby project to demonstrate libotr on iOS. The LibOrange code originally was not carefully audited and turned out to contain serious flaws in both its memory handling, and the example implementation, which included debugging commands that were not documented or fully understood.
Although we had been planning to remove AIM support for other reasons, thanks to Quarkslab we immediately removed LibOrange and AIM support and pushed a new release as soon as these flaws were uncovered on 2/21/2014. Fortunately there were no complaints from our users after its removal.
If you still use AIM on other chat clients, you should disable it immediately and migrate to other networks. AIM is a centralized messaging service hosted in the US, and has a complete view of your message content, history, contacts, and metadata (IP address, connection/disconnection times, etc). Using OTR over AIM only helps protect message content.
Since the audit last year, we have implemented a number of features to improve security. For example, all content is locally encrypted in a SQLCipher database, and it is possible to connect to XMPP servers over Tor.
Even better is to physically host an XMPP server for yourself and your friends, but unfortunately this is still very difficult to get right, even for tech savvy users.
The combination of XMPP+OTR+Tor still offers the best and easiest way to provide decentralization, content/metadata protection, and censorship resistance. Unfortunately this combination is difficult to make user-friendly, especially on mobile devices. Both XMPP and OTR were originally designed for desktop computers and are definitely showing their age in the age of mobile.
There are efforts to replace this combination, such as Pond, but it’s almost impossible for a non-technical person to understand or setup.
If you don’t need decentralization or metadata protection, TextSecure/Signal is a very good choice because it is easy to setup for non-technical users and works very well on mobile. Its main downside is that you still need to use a real phone number to register, and to communicate with other people you need to share your phone number with them, which is not always desirable. It also makes open federation impossible.
We are still committed to supporting the XMPP+OTR+Tor combination in ChatSecure for now, but are monitoring the maturity of new technologies that solve usability headaches without sacrificing decentralization, content/metadata protection, and censorship resistance. We are working on a solution for interoperable push messaging in ChatSecure, XMPP will also soon finally have a way to provide mobile push notifications, and Axolotl (which underlies Signal/TextSecure) has proven to be a great replacement for OTR on mobile devices.
Although open source software with deterministic builds remains a best practice for security software, careful coding techniques cannot always protect against all flaws, especially when linking against 3rd party libraries. We will be commissioning a new professional security audit of the ChatSecure iOS and Android code to be completed by the end of the year.
ChatSecure iOS v3.0 Released
Over the last year, David Chiles and I have been working on a major overhaul of the iOS app to modernize the user experience and incorporate additional security features. The most significant user-facing changes are:
- The buddy list has been replaced by a list of your most recent conversations, bringing it in line with modern messaging clients.
- Conversation archives are encrypted using SQLCipher.
- Experimental Tor support for custom XMPP accounts.
Download ChatSecure for free from the App Store. If you’re a developer you can also compile it yourself from the source code on GitHub.
Right now (to my knowledge) we are the only messaging app on the App Store that supports Tor. Although the current implementation appears to be functional, please only use it for testing purposes until it has been studied further by security professionals. In other words, do not rely on it for strong anonymity, and use something like TAILS instead.
During our journey to add Tor support, we first tried to extract the Tor management code from Mike Tigas’s Onion Browser, but discovered it was too tightly coupled with the rest of the app. We also investigated Tor.framework by Hive Wallet but it required some awkward patching of the Tor source code, and has since been deprecated by the original developers. Eventually we discovered Claudiu-Vlad Ursache’s CPAProxy, a more modern attempt at a thin Objective-C wrapper around Tor’s control port. Although it is currently missing a few features like customizable bridges and pluggable transports (and a security audit), I would encourage other developers who are interested in adding Tor support to their iOS apps to help us improve CPAProxy.
When ChatSecure iOS v2.0 was released over a year ago, it contained a major overhaul of the internal data model to support Core Data, Apple’s solution for data persistence. We originally planned on utilizing the MITRE Corporation’s encrypted-core-data project, which adds a customized
NSPersistentStoreCoordinator backed by Zetetic’s SQLCipher. Unfortunately working with Core Data can be terribly frustrating, especially when you cannot debug its closed-source internals.
Fortunately we discovered YapDatabase by Robbie Hanson, an Objective-C key-value-collection store built on top of sqlite. It has all sorts of nice features like a coherent concurrency model, fast full text search, easy binding to
UITableView, and more. If you develop iOS apps, I strongly encourage you to check it out, especially in conjunction with something like Mantle. Because it is built on top of sqlite, it was relatively straightforward for us to add SQLCipher support (use the
YapDatabase/SQLCipher Cocoapods subspec).
New User Interface
Our overhaul of the UI started at the OpenITP UX Sprint, which brought together developers and designers to help improve the usability of crypto tools. One of the biggest challenges when creating security software is ensuring it’s usable by normal humans. During this event we decided to finally move away from the “buddy list” because it no longer reflects how people use messaging apps, especially on mobile. In its place, we added the “Conversations” view, which simply lists your most recent conversations and is designed to feel similar to the built-in iOS Messages app.
We also decided to use Jesse Squires’ totally awesome JSQMessagesViewController for the messaging UI. We were previously using a custom solution designed to imitate the iOS 6 Messages.app, but this new approach should allow us to more easily add in-line media messaging in the future.
On the Roadmap
This release has a large amount of internal refactoring that should (hopefully) make it easier to maintain and add new features. Here are some features we are planning on adding over the next year:
- Inline multimedia messaging via OTRDATA
- A modern onboarding experience that makes it easier for new users to get started
- More options for users behind restrictive firewalls (Tor pluggable transports)
- An interoperable privacy-conscious solution for push messaging
- Axolotl, the mobile-friendly asynchronous encryption protocol used by TextSecure
- Internet-free hyperlocal chat network over Bluetooth LE
- Sandboxed Mac OS X port
- An easy way for users to set up their own XMPP server
Unfortunately, despite the recent proliferation of “secure messaging” apps, we are still a long way from ubiquitous, easy to use, decentralized, verifiable end-to-end encryption.
Fixing the XMPP Push Problem
XMPP is at serious risk of being permanently replaced by proprietary alternatives that have already solved the mobile push messaging problem. Remember in the 90s how many closed IM networks there were? Today it is much worse.
Run a thin XMPP client on a ‘man-in-the-middle’ server that can relay messages to clients via push message when mobile clients aren’t actively connected. Many iOS messenger apps use this method without clearly informing the user.
- Can add push support for any arbitrary XMPP server
- Very obvious, centralized point of failure
- Allows for easy eavesdropping or even active MITM attacks
- Requires plaintext storage of remote login credentials (e.g. Gmail passwords)
Persistent sockets is how XMPP was originally designed to work. Acquire a long-lived socket and keep it open… forever. Android apps are able to use this method, as well as iOS apps that declare VoIP functionality. On iOS this socket is supposed to be for VoIP signaling only, so you can be terminated by the OS for too much activity while in the background (e.g. presence updates).
- XMPP works as designed, most of the time
- No modification to existing infrastructure
- Battery drain because the antenna cannot be powered down
- Disconnection can still occur from wireless network problems
- iOS apps can still be terminated by the OS under memory pressure or too much socket activity
Abandon XMPP Compatibility
Many apps have abandoned traditional XMPP in favor of proprietary modifications that lack federation and interoperability. WhatsApp took ejabberd, an open source XMPP server written in Erlang, and modified it to send native push messages, but of course it only works with their official apps.
- Relatively easy to implement
- Lock in users to your proprietary ecosystem
- Locks you in to their proprietary ecosystem
- No federation between domains
- No federation between apps: each app developer taking this approach is their own silo, unable to communicate with any others
How Push Messages Work
If you’re not familiar with Apple’s APNs or Google’s GCM, these services are the officially sanctioned way of sending push messages to mobile apps. However, there are certain limitations that prevent easy XMPP-style federation:
- You cannot (easily) send push messages to someone else’s app
- Push messages on iOS are not guaranteed to be delivered (although they usually are)
- Push message payloads on iOS cannot be processed by the app in the background before iOS 7
The biggest problem is that there is no easy way to send push messages between my app and your app. For me to send a push to one of your app’s users on iOS, I must first obtain an APNs SSL certificate/key pair from you, and one of your user’s ‘push token’ that uniquely identifies their device to Apple. These push tokens are potentially sensitive information because they allow Apple to locate your device (in order to send it a push).
Solving Inter-app Push
To solve the XMPP push problem, we need multiple pieces of new infrastructure:
- Solve the problem of how to send raw push messages between two arbitrary apps.
- Define spec for where clients (apps) should send messages when contact is “offline”
- Define spec for where servers should send messages when contact is “offline”
Instead of having each app developer manually provide every other app developer an SSL push certificate and push tokens, an intermediary server can be built to automate this process and obscure the actual push tokens, as well as control potential spam.
However, this approach will require cooperation between XMPP clients and XMPP servers in order for federation to work properly.
ChatSecure iOS can connect to almost any XMPP server, so it can be a client for multiple JIDs. A user could have the accounts [email protected] and [email protected] and expect to receive background notifications for both accounts. This means the operators of the XMPP servers for example.com and jabber.org will need to understand and implement our spec to send pushes to our client.
Push Relay Server
This is the server that sends the final push to the app user. It will need to accept POSTs from authorized pushers, which can include XMPP server operators, individual app developers with other relay servers, or even other end users. For ChatSecure iOS we can do this by having users register a unique username/password with our instance of the push relay server, tied to an optional email address identifier for password resets.
After registering a “ChatSecure Push” account, you must add a device to receive pushes, which includes the required information for delivering the final push message (the APNs token) and probably a user friendly identifier / basic device info.
To receive push messages to your account (which are then forwarded to all your registered devices), you must request a whitelist token from the server to give to your friends and authorized XMPP servers. Anyone with a whitelist token will be able to send you messages directly to all of your devices by crafting a POST message to our relay server.
An old draft of how this server might work is available here but it needs to be updated because we identified serious problems with this spec a long time ago. However, we never updated the draft online from our notes, so we lost all of that work. Great.
XMPP clients will need a way to ask another clients if they support receiving pushes via a relay. Since pushes can be sent from anywhere, clients will also be able to send pushes directly to other clients through the relay as long as they have their friend’s whitelist token. They will also need to respond to XMPP server inquiries for whitelist tokens to allow pushes to be sent by the server if a message is sent by a client not supporting direct push.
XMPP servers can ask their connected clients if they support push relays and, if so, forward messages they receive to the push relay server when the client is offline. This will require the XMPP server to obtain a whitelist token from the user as well.
Because this method can bypass the XMPP server entirely, it allows for non-XMPP protocols to participate.
What Still Needs to be Done
We need to fix/finish our server draft spec and deploy a proof of concept XMPP server and push relay for the chatsecure.org domain. Additional work will also need to be done to integrate this for the ChatSecure clients.
There are many issues to be overcome, and there are very few developers who care about developing an interoperable standard because there is absolutely no financial incentive… and it is very difficult to do correctly. Proprietary messaging apps can get hundreds of millions in financing and large teams of engineers. We have to make do with much, much less.
Another big problem is that OTR is incompatible with this approach unless we use hacks to wake up clients to establish new sessions but, even if we do that, the messages won’t be able to be decrypted by multiple devices. The TextSecure protocol may provide some answers here, but they also haven’t solved the inter-app federation problem in a way that allows users to run their own backend or custom TextSecure clients.
Perhaps work should be directed toward extending the TextSecure infrastructure to support inter-app communication and federation instead of extending the aging OTR and XMPP protocols beyond their meaningful lifetime.