Secure chat on iOS, Android, and Computer

Chatting securely online today seems virtually impossible. With Skype, Kik, Whatsapp, BBM, and all other chat providers being wiretapped and logged, private chatting is crucial. When you chat online, YOU should have full control over where the messages go, and who sees them. Yes, we are using another provider's service, so we have to abide by their privacy policy and terms of service, but this isn’t right. Our chats shouldn’t be read, leaked, and left in plain text. Almost all big services these days log our chats; it feels like there is nowhere to go. Also, these apps always cooperate with bigger government forces, and sometimes even sell the data. These apps are just as bad as email providers. There are very limited options in terms of private chats. (Note: I am not an expert on the protocol listed below, so if I make a technical error, please excuse this and notify me via the comments.)

How can I chat securely online?

Chatting securely online is actually fairly simple. The method available allows you to connect your account to your computer, smartphone, tablet, or any device. The service is called Jabber. Jabber uses a protocol known as XMPP. As a side note, XMPP was originally named Jabber. I will get into security features below, but one great thing about XMPP is that you can run your own XMPP server. XMPP is not dependent on one central server; it's all independent. With all other name-brand apps, you HAVE to use their server, and you don’t know where the data is going. With Jabber, you can choose to know who is handling your data. XMPP has a huge technical background to it, so read the Wikipedia article on it if you want to learn how it operates.

How is XMPP/Jabber secure?

This chat client is secure due to its open source nature. Virtually all Jabber services allow encryption to be enabled, and/or it is enabled by default. My personal favorite, DuckCo XMPP, automatically forces encryption. On mobile, on the computer, and on any client, the duck.co server forces your chat to be encrypted. Encryption is just the start to a secure chat. This means that your ISP and outside intruders cannot read the messages being sent and/or received over the network. Even if you are using this app over 2G, 3G, or 4G network lines, it's still encrypted. But then XMPP takes one more step. Almost all servers by default log data. I am not sure if the DuckCo server automatically logs data. I would personally assume that they purge their data if they retain any. But we can go one step further to secure the chat. With XMPP we can use OTR/Off the Record chats. The chats are 100% anonymous. Chats with OTR can never be logged, and the data may never even have been there before. This works by installing the cypherpunks.ca OTR certificate. Then you will start a private chat with the other party, and nothing is logged. No conversations can be compromised, simply because the data is not retained.
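Whether a given server really forces encryption can be checked from the stream features it advertises before login: under RFC 6120, a server that makes TLS mandatory puts a `<required/>` child inside its `<starttls/>` feature. The sketch below is an added example, not code from this article or from any XMPP project; the function names and sample stanzas are constructed, and it only covers client-to-server transport encryption, which is separate from OTR.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
NS = {"tls": TLS_NS, "sasl": SASL_NS}

def tls_policy(features_xml):
    """Classify a server's pre-login <stream:features/> (RFC 6120, section 5)."""
    # On the wire the 'stream' prefix is declared on the enclosing
    # <stream:stream>, so re-declare it when parsing the fragment alone.
    if "xmlns:stream" not in features_xml:
        features_xml = features_xml.replace(
            "<stream:features", "<stream:features xmlns:stream='%s'" % STREAM_NS, 1)
    root = ET.fromstring(features_xml)
    starttls = root.find("tls:starttls", NS)
    mechs = [m.text for m in root.findall("sasl:mechanisms/sasl:mechanism", NS)]
    required = starttls is not None and starttls.find("tls:required", NS) is not None
    policy = "absent" if starttls is None else ("required" if required else "optional")
    # Login mechanisms offered on a stream that does not insist on TLS mean
    # a client could authenticate and chat in cleartext.
    return {"starttls": policy, "mechanisms_before_tls": mechs,
            "cleartext_login_possible": policy != "required" and bool(mechs)}

def fetch_features(domain, host=None, port=5222, timeout=10):
    """Open a client stream and return the raw features XML the server sends."""
    # Assumption: the server listens on `host` (defaults to the domain itself);
    # servers published through a DNS SRV record need `host` passed explicitly.
    header = ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
              "xmlns='jabber:client' xmlns:stream='%s'>" % (domain, STREAM_NS))
    end_tag = b"</stream:features>"
    with socket.create_connection((host or domain, port), timeout=timeout) as s:
        s.sendall(header.encode())
        buf = b""
        while end_tag not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before features were sent")
            buf += chunk
    start = buf.index(b"<stream:features")
    return buf[start:buf.index(end_tag) + len(end_tag)].decode()

# Constructed sample stanzas (not captured from any real server).
FORCED = ("<stream:features><starttls xmlns='%s'><required/></starttls>"
          "</stream:features>" % TLS_NS)
OPTIONAL = ("<stream:features><starttls xmlns='%s'/><mechanisms xmlns='%s'>"
            "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
            % (TLS_NS, SASL_NS))
```

Against a live server, `tls_policy(fetch_features("example.org"))` returns the same dictionary; anything other than `"required"` means the client's own "require encryption" setting is what protects the connection.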

How do I set this up?

Setting this up may sound complicated, but it is actually very easy. This can be used on Windows, Mac OSX, Linux, iOS, Android, and is supported across a range of other devices. To start, you will want to download the client.

If you are on the computer, you will want to download Pidgin. Windows uses Pidgin, Mac OSX uses Adium, and Linux uses a Pidgin/custom build. All the downloads are available from the Pidgin download page, even the source code. Once that is downloaded and set up, open the client. You will now need to go to duck.co, or whichever XMPP server you want to use. Here is a list; DuckDuckGo also has a reliable XMPP server (you register inside the Pidgin client). I recommend using Duck.co. Click the register button on the website. Put in your desired username and password. You can put in a fake email; they don’t ever email you or require verification. Once done, open up Pidgin, and go to Accounts> Manage Accounts> Add.

Enter [email protected] into the username field, and enter your password into the password field. Click remember password, then click Add. You may have to click authorize a few times, and let it connect. Once connected, tell your friends to chat with you at [email protected]. To add a friend, click Buddies> + Add Buddy, put in their [email protected] (or their XMPP service), and hit add. It will prompt them to authorize, then you will have to authorize the adding, and then you are available to chat. To install the Off the Record chat, go to https://otr.cypherpunks.ca/ and download the .exe, or the file your client uses. Follow the setup instructions it gives, and let it install. Once that is done, go into Pidgin and navigate to Tools> Plugins> Off-the-Record Messaging (make sure it's checked).

Then when starting a chat with a friend, click Start private conversation, let it authenticate, then it should say Private, or Unverified.

Now you have an Off-the-Record secure chat on your computer.

For Android/iOS/Mobile

Setup is just about the same: sign up on Duck.Co, or your preferred service.

Open the ChatSecure app, and hit the + button on the top right of the application. Choose existing account if you're using Duck.Co. It will prompt you with Account Type; click Jabber (XMPP), input your details and let it connect. Once connected, click on your account name, and you should see a black screen. To add a contact, on the bottom you should see type to filter. Type anything in, click the Tap to Invite button on the screen, and add your friend's [email protected]. Now you can have an encrypted chat from Android to Android, Android to iOS, or Android to Computer. You can also have the same Jabber account on your Android device, hooked up to iOS and/or computer.

  • iOS: ChatSecure/Numerous other XMPP related apps, OTR BUILT IN

Open up the ChatSecure app. Click the gear icon in the upper right hand corner. Click + New Account> Jabber (XMPP). Enter your [email protected] and password. Then click remember password. Click Log In in the upper right hand corner. Let it log in (THIS APP DOES NOT ALWAYS WORK THE FIRST TIME ON iOS DEVICES. MULTIPLE TRIES MAY BE NECESSARY). Once connected, go back to the main app screen, and click the + in the upper left hand corner. Add your friend's [email protected]. Now you can have a secure chat from iOS to iOS, iOS to Android, and/or iOS to Computer. You can also have the same Jabber account on your iOS device, hooked up to Android and/or computer.

Overall

Overall, secure chat is crucial. You want to know where your data is going, so you should be able to decide. Jabber is the only secure, private, and Off-the-Record chat I trust. Don’t you want to have control over your data?

About Author

Brandon Stosh is the founder and CEO of www.freedomhacker.net. Stosh is a cyber security researcher and professional consultant who strives to provide reliable news on cyber-security based topics.

5 Comments

  1. Hi Brandon,
    I’m new to Jabber, but have heard much of it in the past few years. It’s a shame that people can no longer trust the popular platforms with their communication (ie. Skype, FB, etc.).
    I reviewed the Jabber.Me website, but couldn’t find anything about enforced pervasive encryption. How do you know they’re enforcing encryption on their service?

    Thank you for your time, and I look forward to following your journalism.

    Sincerely,
    John Burns

    • Hello John,

      Yes, Jabber is great. I too agree it is sad popular platforms have become utter trash. But for Jabber.me, the site is fully owned by the company http://www.tigase.org/ , and http://www.tigase.com/ . Jabber and the other sister sites have absolutely no data on what the services entail. For Tigase, they have full FAQs and all server details there. In terms of enforced encryption, Jabber uses SASL (https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer). I am not completely sure if the services note they use or force enforced pervasive encryption; I will have to take a look into that and possibly rewrite the article. Regardless, I recommend you utilize OTR, which is a plugin the XMPP server can follow.

      I recently wrote an article on some more encrypted chat applications that can be used across various platforms. I suggest you check it out, https://freedomhacker.net//secure-messaging-apps-for-smart-phones/ .

      I will take a look into the site more and see if I find anything on it. Thank you for the kind words on the site :).
