European Secure Messaging Service
Original author(s): Thomas Frei
Developer(s): Thomas Frei (European Secure Messaging Service)
Initial release: June 2014; 10 years ago (2014-06)
Stable release: 1.0.1 (June 14, 2014; 10 years ago (2014-06-14))
Operating system: Android
Available in: Java (client and server)
Type: Encrypted instant messaging and text messaging
License: GPLv3 (client),[1] AGPLv3 (server)[2]
Website: www.eusms.com.de

EUSMS is an open source encrypted messaging application for Android.[1][3] EUSMS can be used to send and receive SMS/MMS messages. Messages are sent as instant messages over Wi-Fi, 3G or LTE if possible. By default, the application encrypts the message database on the user's device and uses end-to-end encryption to secure all messages that are sent to other EUSMS users.

EUSMS is developed by European Secure Messaging Service and is released under the GPLv3 license.[1]

Features

The application prevents screenshots of conversations by default. This is a privacy feature.

EUSMS allows users to send text messages, documents, photos, videos, contact information, and group messages over Wi-Fi, 3G or LTE to other EUSMS users, thus providing an alternative to text messaging for users with smartphones running Android 2.3 or later.

EUSMS can use SMS/MMS to communicate with non-EUSMS users. The app can therefore be used to replace the default SMS/MMS application. Messages that have been sent via SMS/MMS and messages that have been sent via the user's data connection can be distinguished by color. Green text bubbles indicate SMS-based communication and blue text bubbles indicate communication over a data connection.

By default, EUSMS will send the messages over the user's data connection if possible. This means that if the user sends a message to another registered EUSMS user, there is no SMS charge associated with the message. It is merely treated as an additional data transfer. If the data connection is unavailable, the application will fall back to using SMS/MMS to transport the message.

The application will automatically encrypt all conversations held with other registered EUSMS users. In the user interface, encrypted messages are denoted by a lock icon. Media and other attachments are encrypted in the same way as other messages.

Regardless of whether the messages were sent to another EUSMS user or not, EUSMS can store the messages in an encrypted database on the user's device if the user has a passphrase enabled.

EUSMS also allows users to chat with more than one person at a time. Group chats are automatically encrypted and held over an available data connection if all participants are registered EUSMS users.

European Secure Messaging Service does not have access to the contents of any messages sent by EUSMS users. Additionally, the complete source code for the EUSMS clients and for EUSMS-Server is available on Bitbucket. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by European Secure Messaging Service.

Architecture

Encryption

For the encryption of messages sent to other EUSMS users, European Secure Messaging Service took the Off-the-Record (OTR) protocol, made some improvements to its deniability and forward secrecy aspects, and added a mechanism that allows the ephemeral key negotiation to work asynchronously.

EUSMS uses Curve25519, AES-256, and HMAC-SHA256. The security of these algorithms has been tested over many years of use in hundreds of different applications. Messages sent via EUSMS are end-to-end encrypted, which means that they can only be read by the intended recipients. EUSMS makes it easy for its users to verify that they are communicating with the right people and that no man-in-the-middle (MITM) attack has occurred. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled.

The cryptographic ratchet used in EUSMS ensures that a new AES key is used for every single message, and it provides the application with both forward secrecy and future secrecy properties. The EUSMS protocol also features enhanced deniability properties that improve on those provided by OTR and, unlike OTR, all of these features work well in an asynchronous mobile environment.[4][5][6]
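
The per-message key derivation described above can be sketched as a symmetric HMAC-SHA256 chain. This is an added example, not code from EUSMS: the class name, the 0x01/0x02 derivation labels and the skip limit are assumptions, and the Curve25519 step that would periodically replace the chain key (the source of future secrecy) is left out.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One HMAC-SHA256 derivation; the 32-byte output fits an AES-256 key."""
    return hmac.new(key, label, hashlib.sha256).digest()


class ChainRatchet:
    """Symmetric ratchet: each message gets its own key, old state is discarded."""
    MAX_SKIP = 100  # assumed bound on how far ahead a received index may be

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.index = 0
        self.skipped = {}  # index -> key for messages that have not arrived yet

    def _step(self) -> bytes:
        message_key = kdf(self.chain_key, b"\x01")
        # Overwriting the chain key is what gives forward secrecy: HMAC cannot
        # be run backwards, so earlier message keys are unrecoverable from it.
        self.chain_key = kdf(self.chain_key, b"\x02")
        self.index += 1
        return message_key

    def next_send_key(self):
        i = self.index
        return i, self._step()

    def key_for(self, msg_index: int) -> bytes:
        """Receiver side: tolerate out-of-order delivery, reject replays."""
        if msg_index in self.skipped:
            return self.skipped.pop(msg_index)
        if msg_index < self.index:
            raise KeyError("message key already used and deleted")
        if msg_index - self.index > self.MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.index < msg_index:
            i = self.index
            self.skipped[i] = self._step()
        return self._step()


def demo():
    # Constructed shared secret standing in for the negotiated key agreement.
    root = hashlib.sha256(b"constructed shared secret for the demo").digest()
    alice, bob = ChainRatchet(root), ChainRatchet(root)
    sent = [alice.next_send_key() for _ in range(3)]
    got = {i: bob.key_for(i) for i in (2, 0, 1)}  # delivered out of order
    return sent, got
```

Each derived key is used once and then dropped, so a replayed index fails with `KeyError` even though out-of-order delivery succeeds.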

Servers

The software that handles message routing for the EUSMS data channel is called EUSMS-Server. The complete source code of the EUSMS server is available on Bitbucket under the AGPLv3 license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the software and compare them with the software that is used by European Secure Messaging Service and others.[7]

Client-server communication is protected by TLS/SSL. Communication is handled by a REST API and push messaging (both Google Cloud Messaging (GCM) and Apple Push Notification Service (APN)).[7] Support for WebSocket has been added.

No contact information is stored on the servers. Hashed contact numbers (with no other accompanying information) are periodically transmitted to the servers in order to determine which contacts are also EUSMS users, but that data is never stored.

Distribution

EUSMS is distributed via Google Play Store only:

  1. Users who install the application outside of the Play Store do not receive timely software updates. The ability to provide users with rapid fixes for any vulnerabilities that are found is extremely important to the security of our software. Alternative app catalogs like F-Droid rely on a centralized trust model and necessitate allowing the installation of apps from unknown sources which harms Android's security for average users. European Secure Messaging Service is developing an update framework that will allow distribution outside of the Play Store to happen in a responsible and secure fashion.
  2. Outside of Google's GCM, the fact is that there are no alternative push messaging frameworks for Android that can scale to the millions of users that EUSMS has. GCM requires Google Play. As a solution, European Secure Messaging Service has added WebSocket support to the open source EUSMS server. This won't work as well as push messages that are sent via GCM, but it will provide a way for EUSMS to work outside of Google's GCM push messaging framework once support has been added to the client.

  (Quoted from European Secure Messaging Service)


  1. "EUSMSe on Bitbucket". Retrieved 14 June 2014.
  2. ^ Cite error: The named reference EUSMS-Server" was invoked but never defined (see the help page).
  3. ^ Cite error: The named reference nyt1 was invoked but never defined (see the help page).
  4. ^ Cite error: The named reference support1 was invoked but never defined (see the help page).
  5. ^ Cite error: The named reference simplifying-otr-deniability was invoked but never defined (see the help page).
  6. ^ Cite error: The named reference asynchronous-security was invoked but never defined (see the help page).
  7. "EUSMS-Server on Bitbucket". Retrieved 6 June 2014.