Secure chat on iOS, Android, and Computer
Chatting securely online today seems virtually impossible. With Skype, Kik, WhatsApp, BBM, and all other chat providers being wiretapped and logged, private chatting is crucial. When you chat online, YOU should have full control over where the messages go and who sees them. Yes, we are using another provider’s service, so we have to abide by their privacy policy and terms of service, but this isn’t right. Our chats shouldn’t be read, leaked, and left in plain text. Almost all big services these days log our chats, and it feels like there is nowhere to go. Also, these apps always cooperate with bigger government forces, and sometimes even sell the data. These apps are just as bad as email providers. There are very limited options in terms of private chats. (Note: I am not an expert on the protocol listed below, so if I make a technical error, please excuse this and notify me via the comments.)
How can I chat securely online?
Chatting securely online is actually fairly simple. The method available allows you to connect your account to your computer, smartphone, tablet, or any device. The service is called Jabber. Jabber uses a protocol known as XMPP. As a side note, XMPP was originally named Jabber. I will get into security features below, but one great thing about XMPP is that you can run your own XMPP server. XMPP is not dependent on one central server; it’s all independent. With all other name-brand apps, you HAVE to use their server, and you don’t know where the data is going. With Jabber, you can choose to know who is handling your data. XMPP has a huge technical background to it, so read the Wikipedia article on it if you want to learn how it operates.
How is XMPP/Jabber secure?
This chat client is secure due to its open source nature. Virtually all Jabber services allow encryption to be enabled, or have it enabled by default. My personal favorite, DuckCo XMPP, automatically forces encryption. On mobile, on the computer, and on any client, the duck.co server forces your chat to be encrypted. Encryption is just the start to a secure chat. This means that your ISP and outside intruders cannot read the messages being sent or received over the network. Even if you are using this app over 2G, 3G, or 4G network lines, it’s still encrypted. But then XMPP takes one more step. Almost all servers log data by default. I am not sure if the DuckCo server automatically logs data. I would personally assume that they purge their data if they retain any. But we can go one step further to secure the chat. With XMPP we can use OTR (Off-the-Record) chats. The chats are 100% anonymous. Chats with OTR can never be logged, and the data may have never even been there before. This works by installing the cypherpunks.ca OTR certificate. Then you will start a private chat with the other party, and nothing is logged. No conversations can be compromised, simply because the data is not retained.
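One way to check whether a server really forces transport encryption is to look at the first `<stream:features/>` stanza it sends before TLS is negotiated. The Python below is an added example, not part of the original post or any server's code: it classifies that stanza according to RFC 6120. The three sample stanzas are constructed for illustration, and the function and field names are this example's own.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

def assess_features(features_xml):
    """Classify the first (pre-TLS) <stream:features/> a server sends (RFC 6120)."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a stream:features element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    offered = starttls is not None
    required = offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    # RFC 6120 5.3.1: TLS is also mandatory when STARTTLS is the only feature offered.
    enforced = required or (offered and len(root) == 1)
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    findings = []
    if not offered:
        findings.append("no STARTTLS: the whole session stays in cleartext")
    elif not enforced:
        findings.append("STARTTLS is optional: it can be skipped or stripped in transit")
    if mechs and not enforced:
        findings.append("login offered before TLS via: " + ", ".join(mechs))
    return {"tls_offered": offered, "tls_enforced": enforced,
            "pre_tls_sasl": [] if enforced else mechs, "findings": findings}

# Constructed sample stanzas (not captured from duck.co, jabber.me or any real server).
_OPEN = f"<stream:features xmlns:stream='{NS_STREAM}'>"
_MECHS = (f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism>"
          "<mechanism>SCRAM-SHA-1</mechanism></mechanisms>")
ENFORCED = _OPEN + f"<starttls xmlns='{NS_TLS}'><required/></starttls></stream:features>"
OPTIONAL = _OPEN + f"<starttls xmlns='{NS_TLS}'/>" + _MECHS + "</stream:features>"
NO_TLS = _OPEN + _MECHS + "</stream:features>"

if __name__ == "__main__":
    for name, xml in (("enforced", ENFORCED), ("optional", OPTIONAL), ("no-tls", NO_TLS)):
        print(name, assess_features(xml))
```

This only covers the hop between your client and the server; the server itself still sees message contents unless OTR is active on top.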
How do I set this up?
Setting this up may sound complicated, but it is actually very easy. This can be used on Windows, Mac OS X, Linux, iOS, and Android, and is supported across a range of other devices. To start, you will want to download the client.
If you are on the computer, you will want to download Pidgin. Windows uses Pidgin, Mac OS X uses Adium, and Linux uses a Pidgin/custom build. All the downloads are available from the Pidgin download page, even the source code. Once that is downloaded and set up, open the client. You will now need to go to duck.co, or whichever XMPP server you want to use. Here is a list, also DuckDuckGo has a reliable XMPP server (you register inside the Pidgin client). I recommend using Duck.co. Click the register button on the website. Put in your desired username and password. You can put in a fake email; they don’t ever email you or require verification. Once done, open up Pidgin and go to Accounts > Manage Accounts > Add.
Enter Username@jabber.me into the username field, and enter your password into the password field. Click remember password, then click Add. You may have to click authorize a few times, and let it connect. Once connected, tell your friends to chat with you at username@jabber.me. To add a friend, click Buddies > + Add Buddy, put in their username@jabber.me (or their XMPP service), and hit add. It will prompt them to authorize, then you will have to authorize the adding, then you are available to chat. To install the Off-the-Record chat, go to https://otr.cypherpunks.ca/ and download the .exe, or the file your client uses. Follow the setup instructions it gives, and let it install. Once that is done, go into Pidgin and navigate to Tools > Plugins > Off-the-Record Messaging (make sure it’s checked).
Then when starting a chat with a friend, click Start private conversation, let it authenticate, then it should say Private, or Unverified.
Now you have an Off-the-Record secure chat on your computer.
For Android/iOS/Mobile
Setup is just about the same: sign up on Duck.Co, or your preferred service.
- Android – Gibberbot/ChatSecure (OTR built in)
Open the ChatSecure app, and hit the + button on the top right of the application. Choose existing account if you’re using Duck.Co. It will prompt you with Account Type; click Jabber (XMPP), input your details and let it connect. Once connected, click on your account name, and you should see a black screen. To add a contact, on the bottom you should see type to filter. Type anything in, click the Tap to Invite button on the screen, and add your friend’s username@jabber.me. Now you can have an encrypted chat from Android to Android, Android to iOS, or Android to Computer. You can also have the same Jabber account on your Android device, hooked up to iOS and/or computer.
- iOS – ChatSecure/numerous other XMPP-related apps (OTR built in)
Open up the ChatSecure app. Click the gear icon in the upper right-hand corner. Click + New Account > Jabber (XMPP). Enter your username@jabber.me and password. Then click remember password. Click Log In in the upper right-hand corner. Let it log in (THIS APP DOES NOT ALWAYS WORK THE FIRST TIME ON iOS DEVICES. MULTIPLE TRIES MAY BE NECESSARY). Once connected, go back to the main app screen, and click the + in the upper left-hand corner. Add your friend’s username@jabber.me. Now you can have a secure chat from iOS to iOS, iOS to Android, and/or iOS to Computer. You can also have the same Jabber account on your iOS device, hooked up to Android and/or computer.
Overall
Overall, secure chat is crucial. You want to know where your data is going, so you should be able to decide. Jabber is the only secure, private, and Off-the-Record chat I trust. Don’t you want to have control over your data?
Have you any comments on Wickr? It seems they take secure chatting seriously?
Hi Brandon,
I’m new to Jabber, but have heard much of it in the past few years. It’s a shame that people can no longer trust the popular platforms with their communication (i.e. Skype, FB, etc.).
I reviewed the Jabber.Me website, but couldn’t find anything about enforced pervasive encryption. How do you know they’re enforcing encryption on their service?
Thank you for your time, and I look forward to following your journalism.
Sincerely,
John Burns
Hello John,
Yes, Jabber is great. I too agree it is sad popular platforms have become utter trash. But for Jabber.me, the site is fully owned by the company http://www.tigase.org/ , and http://www.tigase.com/ . Jabber and the other sister sites have absolutely no data on what the services entail. For Tigase, they have full FAQs and all server details there. In terms of enforced encryption, Jabber uses SASL (https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer). I am not completely sure if the services note they use or force enforced pervasive encryption; I will have to take a look into that and possibly rewrite the article. Regardless, I recommend you utilize OTR, which is a plugin the XMPP server can follow.
I recently wrote an article on some more encrypted chat applications that can be used across various platforms. I suggest you check it out, https://freedomhacker.net/secure-messaging-apps-for-smart-phones/ .
I will take a look into the site more and see if I find anything on it. Thank you for the kind words on the site :).
Hi Brandon,
About the Apps: Have you tried IM+ for iOS?
ChatSecure has been great, but it has a major problem with logging you off after 10 minutes because it lacks Apple Push Notification. I’m testing IM+ now, and so far so good. It is however closed-source.
Here’s a great reference on a few key security questions from them:
http://forum.shapeservices.com/viewtopic.php?f=3&t=24983&p=64248&hilit=apple+push&sid=2a2f0536922a3d364fdd358311747012#p64248
What do you think?
Hi and thanks for the recommendation. I have never personally used IM+ for iOS. The security questions do make it seem like a very trusted app. I think it’s a great service to connect your apps to if the claims hold true. I too agree, ChatSecure can be very buggy. Sometimes it outright fails based on the device, but it works a majority of the time.
Just another recommendation, if you’re looking for secure chat applications that host their own chat, take a look at:
https://freedomhacker.net/secure-messaging-apps-for-smart-phones/
But IM+ seems like a really great app, they seem like a trusted group! Thanks for noting them!