/ conversations

Hardening Conversations

Conversations is the messaging app which I currently recommend. You can configure it in order to have a pretty good expectation of privacy, using the OMEMO protocol which is based upon the same mechanism used by Signal and also you can route messages through Tor in order to make it difficult for the government (or anyone else) to log all of the other people you're communicating with. If you're in the UK and read the relevant legislation carefully, they're especially interested in logging use of chat apps and knowing what apps you have installed. The UK may be among the worst of the worst but other countries are rapidly catching up in terms of their privacy violating ambitions.

Unlikely though it may seem, even the mighty Conversations isn't perfect. One particular commit recently came to my attention which indicates that there's a problem with this project which isn't necessarily just a technical one.

"Selecting a default encryption (in our case OMEMO) has several down sides.
First of all users might have perfectly valid reasons not to use encryption
at all such as using the same private server. Second of all the way it was
implemented Conversations would automatically fall back to plain text as soon as the conditions changed (recipient switches to device with no encryption) which lead to unexpected situations.
Thirdly having a default encryptions speaks against the 'mission
statement' of Conversations of not forcing its security and privacey
aspects upon the user.
And last but not least the goal of implementing this feature in the
first place: Be encrypted by default didn't work at all. I don't think
there was a single user that we successfully 'tricked' into using OMEMO
who otherwise wouldn't have used it"

It's true that there may be some valid cases for unencrypted communications. For example, calling for medical assistance under certain conditions might be ok as unencrypted. The risk of not getting assistance could be greater than the risk of communications data being misused by unintended recipients. However, I think these kinds of cases are highly niche and not applicable in the majority of one-to-one messaging situations for which instant messaging clients are primarily used.

On falling back to plain text if the user switches to a device without encryption I think this is a bad way to do things. People should not be using messaging apps without encryption. Period. If they do then attempts to send or receive messages should conspicuously fail in order to warn the user that they are in an unsafe and anomalous situation.

On the third part, I think this is just the wrong frame. It's not about forcing encryption upon people but about ensuring that communications take place by default in the safest way which can technically be implemented. That is, which doesn't recklessly put the users of the system at unnecessary risk. Only if safe ways of communicating fail should the possibility of unsafe methods be entertained, depending upon the situation.

And the last point about tricking users. It's not about tricking but about educating them. There are abundant reasons why unencrypted messaging apps are bad, and I shouldn't need to go into that here.

A workaround

Reading the source code for Conversations indicates that there are various constants which can be changed to make the app generally much safer to use and provide the user with greater peace of mind that they havn't accidentally made configuration mistakes. Perhaps there could be an option to change these values from within the app settings, but I think the fact that they are constants is actually a security feature, since it means that other areas of the program can't alter those values either as a bug or via malevolent intent. But we can change a few constants and then recompile the app and install the resulting apk. This means that you'll need to have Android Studio installed, or otherwise be able to compile an Android app on your system.

For example, to install Android Studio on Arch/Parabola:

mkdir ~/develop
cd ~/develop
git clone https://aur.archlinux.org/android-studio.git
cd android-studio
makepkg
sudo pacman -U *.xz

Now we can get the current version of Conversations.

cd ~/develop
git clone https://github.com/siacs/Conversations

And make the necessary modifications.

sudo pacman -S imagemagick android-tools
cd ~/develop/Conversations
sed -i 's/int ENCRYPTION_MASK.*/int ENCRYPTION_MASK = OPENPGP | OTR | OMEMO;/g' src/main/java/eu/siacs/conversations/Config.java
sed -i 's/boolean OMEMO_PADDING.*/boolean OMEMO_PADDING = true;/g' src/main/java/eu/siacs/conversations/Config.java
sed -i 's/boolean FORCE_ORBOT.*/boolean FORCE_ORBOT = true;/g' src/main/java/eu/siacs/conversations/Config.java

A problem then arises. How can we tell the new modified version of the app from the original? The best way to do that is to change the logo, then you can say something like "Look for the purple lock icon instead of the green circle icon with dots and you'll know you've installed the right app". An example of changing the icon is as follows:

export logo_file=$HOME/Pictures/conversations-hardened.png
convert $logo_file -size 300x300 $HOME/develop/Conversations/src/main/res/drawable-hdpi/main_logo.png
convert $logo_file -size 72x72 $HOME/develop/Conversations/src/main/res/drawable-hdpi/ic_launcher.png
convert $logo_file -size 400x400 $HOME/develop/Conversations/src/main/res/drawable-xhdpi/main_logo.png
convert $logo_file -size 96x96 $HOME/develop/Conversations/src/main/res/drawable-xhdpi/ic_launcher.png
convert $logo_file -size 600x600 $HOME/develop/Conversations/src/main/res/drawable-xxhdpi/main_logo.png
convert $logo_file -size 144x144 $HOME/develop/Conversations/src/main/res/drawable-xxhdpi/ic_launcher.png
convert $logo_file -size 800x800 $HOME/develop/Conversations/src/main/res/drawable-xxxhdpi/main_logo.png
convert $logo_file -size 192x192 $HOME/develop/Conversations/src/main/res/drawable-xxxhdpi/ic_launcher.png
convert $logo_file -size 200x200 $HOME/develop/Conversations/src/main/res/drawable-mdpi/main_logo.png
convert $logo_file -size 48x48 $HOME/develop/Conversations/src/main/res/drawable-mdpi/ic_launcher.png

Once you've done that then run Android Studio, open the app from ~/develop/Conversations and build an apk. When it has built you can then upload it to your phone via ADB with a USB cable.

adb push [Conversations-new.apk] /sdcard/

Make sure you uninstall any existing Conversations app on your phone, install and run Orbot (can be found by enabling the Guardian Project repository within F-droid), then locate the uploaded apk and install it. You should notice that the app icon is different from the usual Conversations one.

Although this works it's not really a scaleable approach and an average mobile phone user probably isn't going to do this and almost certainly doesn't run Arch GNU/Linux on a laptop. The real bug fix here is for the attitude within the above commit message to change. It's 2017 and we've been "post-Snowden" for quite a while now. If you're still in a mindset in which unencrypted communications is acceptable then I think you need to update your priors.