TextSecure response to Stagefright Android vulnerability (github.com/whispersystems)
86 points by mfincham on July 28, 2015 | 24 comments



TextSecure user, and I can verify this as accurate.

When I first saw the stagefright bug, I looked for a way to disable MMS in the app. There is no way to disable MMS in the app, so I had a friend MMS me a message, and I got the warning as the post describes.

Feel free to test it out for yourself, but it was nice to see that TextSecure, by its nature, is secure from this bug through design.


"Feel free to test it out for yourself, but it was nice to see that TextSecure, by its nature, is secure from this bug through design."

My take based on Moxie's comment. Good design.


Err wow I didn't think me raising an issue on GitHub would put me on the frontpage of HN. But I am glad to see that they handle this well by default - another reason why I will be keeping it!


I haven't found a way to block numbers in TextSecure or I would use it

... Oh they implemented it last month :D https://github.com/WhisperSystems/TextSecure/issues/222


As a digital and security trainer for human rights defenders and journalists all over the world - this is one of the reasons why I try as hard as possible to push the awesome work of the WhisperSystems team and Moxie.


There's a tool called "Disable Service" with which you can unload app- and system daemons, including MMS processes (both in your messaging or globally on a system level): https://play.google.com/store/apps/details?id=cn.wq.disables...



This is a great example of where usability and security meet. Auto downloading MMS messages is certainly much nicer from a UX perspective. However it can lead to bugs as we are witnessing.

I think they struck a good medium.


If I'm running Android without TextSecure, how do I mitigate this?


I turned off auto-retrieve of multimedia messages in the settings. I took a couple of handy screenshots here:

https://imgur.com/xaAsWZY


Thank you!


Install TextSecure.

Alternately, disable MMS auto-processing.


Why wouldn't you be running TextSecure?


No one I know uses it or will use it. Is there another reason I should?


Even if your friends don't yet use TextSecure, you can still send / receive messages with them; when they do (if they do) get TextSecure, then messages can be encrypted -- until then, they will be as insecure [and with privacy issues] as normal default messaging.

So, what do you lose if you use TextSecure ... even if your friends don't or won't use it? What is the problem?


I don't think a popup warning is much protection. Most people really want to see that picture that they think they just received.


The kind of folks running TextSecure have already made an effort to install a replacement messaging application, hopefully this helps them also pay attention to the warning.

If nothing else it'll slightly slow down a worm utilising this exploit...


It mitigates the worst part of the threat: An exploit that happens without any user involvement.


First of all, TextSecure does display pictures in MMS. It just doesn't call out to stagefright to do so. I've never received a video message, so don't know how that works.

Second of all, the difference between a 0-click infection and a 1-click infection is huge in terms of time it takes for a worm to spread.


I wonder if this also affects Telegram as well?


From what I've seen, the bug doesn't affect iOS devices, so while I have no idea whether the behavior between TextSecure and Telegram is the same, iOS isn't vulnerable either way.


I'm assuming glokon means Telegram for Android.


Well color me ugly. I didn't know that existed.


I believe you have to click to load the videos (data saver). But that might just be old/archived-ish videos.



