Conversations is an Open Source & Secure Jabber/XMPP Client for Android
Facebook Messenger, WhatsApp, and WeChat are the three instant messaging apps currently dominating the market. Their continued dominance is easily explained: a simple interface and a user base of millions. However, all three share one flaw: they are owned by social media giants. Anyone who signs up for a WhatsApp account also has to agree to Facebook’s terms. It’s generally understood that you trade in your privacy to use these convenient services. Although WhatsApp implemented end-to-end encryption as a standard feature, the app itself isn’t open source, so whether or not WhatsApp collects data on you comes down to trust rather than verification.
For a smooth messaging experience, all of the major instant messaging apps on Android rely on Google’s push notification service, Google Cloud Messaging (GCM): the app depends on Google’s infrastructure to be woken up when a message arrives. A third party’s business interests are therefore involved before a message even reaches your screen. Most users aren’t willing or able to verify whether the service they use keeps its promises, and even experts can only guess whether WhatsApp still meets a given security standard after the app has been updated. Checking each update would require a fresh independent security audit, which in turn requires the cooperation of the provider, in this case Facebook.
Independence is the key here, which leads us to Conversations. It is a fully open source instant messaging app that avoids GCM altogether: it keeps its own connection to the XMPP (Jabber) server, so no Google service sits between you and your messages and control stays with the user. Conversations lets you run multiple accounts simultaneously, and you can even use a different account for each contact. While other messengers don’t tell you which server your data is uploaded to, Conversations lets the user decide which Jabber server deserves their trust, or you can simply run your own. The developer also runs a server, conversations.im, tuned to the app’s requirements; the first six months of use are free.
Choice separates Conversations from the crowd. The app lets you switch encryption on the fly, and you can choose from three end-to-end encryption schemes: OpenPGP, OTR, and OMEMO. PGP and OTR are well established, but OMEMO goes further. OTR was never suitable for the majority of users because its key exchange is interactive: both partners have to be online at the same time before a message can be delivered. OMEMO removes this major drawback; message delivery doesn’t require both users to be online simultaneously.
OMEMO offers forward secrecy. What does this mean? End-to-end encryption relies on a long-term private key stored solely on the device, so if the phone is stolen, that key falls into the hands of the thief. Now suppose someone has also been recording your encrypted traffic along the way. Without forward secrecy, the thief could combine the stolen key with the recorded ciphertext and read every past conversation. With forward secrecy, the long-term key only serves to authenticate a fresh, random session key for each session, and those session keys are thrown away after use, so even if the long-term key is in the wrong hands, previously recorded messages stay safe. (Messages still stored in plain text on the phone are a separate matter, which is why Conversations can delete old messages automatically.)
Encryption is only as good as your confidence that the key at the other end really belongs to your partner, so OMEMO works with device identities. Every OMEMO identity key has a unique fingerprint that you can compare with your partner out of band, for example over a phone call. Once the partners are verified, the Double Ratchet algorithm ensures that only the intended recipient device can decrypt a message: every message is encrypted with a fresh, temporary message key derived from a ratcheting key chain, and that key is deleted once the message has been processed, so it can’t be used to decrypt anything afterwards. Its only job is to protect the message while it travels across the network.
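The per-message key chain described above, as an added example that is not code from Conversations or from the OMEMO/Signal libraries: it implements the symmetric-key half of the Double Ratchet (the sending and receiving chains, with HMAC-SHA256 as the key derivation function, as in the Double Ratchet specification’s KDF_CK), and uses an HMAC-based keystream plus tag as a stand-in for the real AEAD cipher, so the cipher itself is illustrative. All messages and the shared chain key are constructed inline. It shows three things: a message that arrives late (or out of order) is still decryptable, a replayed message is rejected, and a thief who steals the current chain key can derive future message keys but none of the keys for recorded past traffic, which is the forward-secrecy scenario the developer spells out in the interview below.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def kdf_ck(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One ratchet step: chain key -> (next chain key, one-time message key).

    Both outputs are HMAC-SHA256 of the current chain key under distinct
    constants, mirroring KDF_CK in the Double Ratchet specification. The step
    is one-way: holding the next chain key gives no way back to this one.
    """
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_ck, msg_key


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative stand-in for the AES-based AEAD OMEMO uses."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(msg_key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(msg_key, b"enc", hashlib.sha256).digest(),
            hmac.new(msg_key, b"mac", hashlib.sha256).digest())


def seal(msg_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a one-time message key; returns ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(msg_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(msg_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag, then decrypt; returns None on a wrong key or tampered ciphertext."""
    enc_key, mac_key = _subkeys(msg_key)
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


class SendingChain:
    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key  # the only secret kept between messages
        self.counter = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.chain_key, msg_key = kdf_ck(self.chain_key)  # old chain key is overwritten
        n, self.counter = self.counter, self.counter + 1
        return n, seal(msg_key, plaintext)  # msg_key is dropped here: used exactly once


class ReceivingChain:
    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.counter = 0
        self.skipped: Dict[int, bytes] = {}  # keys of messages that have not arrived yet

    def receive(self, n: int, sealed: bytes) -> Optional[bytes]:
        if n in self.skipped:                 # a late message: use its stored key
            msg_key = self.skipped.pop(n)
        elif n < self.counter:                # replay of a message already consumed
            return None
        else:
            while self.counter < n:           # ratchet past missing messages, keeping their keys
                self.chain_key, skipped_key = kdf_ck(self.chain_key)
                self.skipped[self.counter] = skipped_key
                self.counter += 1
            self.chain_key, msg_key = kdf_ck(self.chain_key)
            self.counter += 1
        return unseal(msg_key, sealed)


def attack(stolen_chain_key: bytes, recorded: List[Tuple[int, bytes]], steps: int = 8) -> List[bytes]:
    """What a thief holding a *current* chain key can read from recorded ciphertext."""
    ck, recovered = stolen_chain_key, []
    for _ in range(steps):
        ck, mk = kdf_ck(ck)
        recovered += [pt for _, sealed in recorded if (pt := unseal(mk, sealed)) is not None]
    return recovered


def run_demo() -> dict:
    # Constructed: in the real protocol the shared chain key comes from the DH ratchet / key agreement.
    shared = os.urandom(32)
    alice, bob = SendingChain(shared), ReceivingChain(shared)
    wire = [alice.send(m) for m in (b"first", b"second", b"third")]
    recorded = list(wire)  # a passive eavesdropper keeps every ciphertext
    # Message 0 is delayed by bad signal; 1 and 2 arrive first, then 0 shows up late.
    out_of_order = (bob.receive(*wire[1]), bob.receive(*wire[2]), bob.receive(*wire[0]))
    replay = bob.receive(*wire[1])
    stolen = alice.chain_key                 # phone theft: Alice's current state leaks
    future = [alice.send(b"fourth")]         # a message sent after the theft
    return {"out_of_order": out_of_order, "replay_rejected": replay,
            "past_recovered": attack(stolen, recorded),
            "future_recovered": attack(stolen, future)}


if __name__ == "__main__":
    print(run_demo())
```

Note what the demo does not cover: the Diffie-Hellman ratchet that periodically replaces the chain keys themselves (which is what also gives post-compromise security), and the identity keys whose fingerprints you verify over the phone; the example starts from an already agreed chain key.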
Conversations is available on the Google Play Store and Amazon App Store. Although the app store versions aren’t free, the application is open source so you can compile it for yourself or grab it from F-Droid.
Interested in learning more about the app from the horse’s mouth? Daniel Gultsch, lead developer of Conversations, took some time to answer my questions.
Interview with the Developer of Conversations
Q: Would you please briefly introduce yourself?
A: My name is Daniel Gultsch and I am working as a freelance software developer and advisor.
Q: What motivated you to develop Conversations?
A: I am using Jabber/XMPP for many many years. Even back in 2009 I was able to use Jabber on my Nokia e71. Sometime around the year 2012 I switched to an Android phone, so I suddenly was unable to use Jabber. There was a Jabber client for Android available (Xabber), but it was the opposite of visually appealing.
In early 2014 I wondered how difficult it might be to develop a chat client, that looks better (than Xabber). At this point I had experience in the field of software development, but not for Android. After a few days a UI Mockup came to life, so I wondered how difficult it could be to teach sending and receiving of jabber messages to this UI. Three month of full time work later, the first version of Conversations was released.
Q: Can you give three reasons why Conversations protects your privacy better than Whatsapp or Threema?
A: I don’t have to give my private phone number to strangers if I want to chat with them. I could have a private and a business account. I can disable the business account after my shift, to prevent my boss from annoying me during my free time. WhatsApp allows everybody to analyze my app usage patterns any time. (My boss could stalk me to investigate if I am using WhatsApp during my working hours or if I am using WhatsApp at night instead of sleeping and coming well rested to the office.) This is different with Conversations; Conversations also doesn’t upload my entire address book to Facebook.
Q: How much does a one year subscription of a Conversations.im account cost?
A: 8 Euro (about $9 US), after a six-month trial period. Subscriptions don’t renew themselves; it is not required to terminate the subscription.
Q: What advantages does a Conversations.im account offer compared to other XMPP servers?
A: New features which require server-side support are delivered to conversations.im first. Generally speaking, we are trying to run conversations.im with somewhat higher requirements. A server that is driven as a hobby project might fail for a day while the person is on holiday. We try to avoid such things for conversations.im. At least during the service hours there is always somebody around capable of taking care of the server if required. Furthermore, you support the development of the server, which is also open source. Changes that are specifically made for our Conversations app end up in the code of the server and are available to others.
Q: Can I purchase Conversations via Bitcoin?
A: Not the app. The app is sold on the Google Play Store; they don’t accept Bitcoin. It is possible to download the app for free via the open source app store F-Droid. In that case I gladly accept donations via Bitcoin.
Q: What is OMEMO?
A: An (optional) end-to-end encryption for Jabber.
OTR failed easily. If a certain message is lost because of bad phone signal coverage, follow-up messages can’t be delivered either. Furthermore, OTR is only capable of exchanging messages between exactly two devices. For example: when I am logged in with two devices simultaneously (mobile phone and desktop), my counterpart has to decide whether he wants to send the messages to the phone or to the desktop. If my counterpart isn’t clairvoyant and can’t tell which device I am currently using, this is a problem. Apart from that, messages are of course not synced in that case, and I miss part of the conversation history on each device. OMEMO gets rid of both problems. OMEMO is more reliable and capable of handling more devices.
Q: What is Forward Secrecy?
A: Let us assume I delete my conversation history frequently (the app can automatically delete messages older than a configured time period).
Let us assume somebody was storing my entire encrypted communication. (So far he can’t do anything with it; he has the encrypted text, not the plain text.) Now this individual steals my phone. The messages themselves aren’t located on the phone anymore (they are deleted frequently), but my key material (my private key) is still there.
If an encryption doesn’t have Forward Secrecy, that somebody is able to combine the key material found on my phone with the encrypted messages he recorded before, and reconstruct the plain text. If the encryption has Forward Secrecy, this isn’t possible.
Q: What does the term Per Message Overhead describe?
A: The amount of bandwidth required, or rather added, by the encryption. Let us assume a non-encrypted message has a size of 2KB and the same message encrypted would have a size of 5KB. In this case 3KB is the “overhead” created by encrypting.
Q: Are you planning to implement a call feature?
A: No. New features come if I need them myself or if they make sense from an economic perspective. (How many more people would use the App if this feature was there and how expensive is it to develop such a feature?) Unfortunately the call feature is very, very, very expensive and personally I don’t care much for this feature.
Q: How can I support the development of the app after purchasing the application?
A: There are details about how to donate on our website. Promotion and advertisement of course helps as well and the app is Open Source. Those who are able to develop software, can of course help with coding.
Q: Did you develop the OMEMO-Algorithm on your own?
A: No. It was a Google Summer of Code project. (Google Summer of Code means Google pays students for three months to work on open source projects.) OMEMO was developed for Conversations by a student.
Q: What are your further plans for the development of Conversations?
A: Really big new features aren’t likely to come. Conversations does everything it is supposed to do. Under the hood there will be one or another tweak (data usage, connectivity speed and so on), but that is nothing visible to the average user. A small thing that is most likely going to be realized next is the possibility to confirm the transfer before a picture is sent. To date, pictures are always sent immediately.
Q: Is it allowed to compile Conversations on your own from your Github and use it for private use?
A: Of course. Not only private, also for business and everything else you want. It is also allowed to modify the code to meet individual requirements.
Q: Is it possible to tunnel Conversations via a VPN?
Q: To close, we’d like to hear a professional’s advice. Which measures, apart from using Conversations, do you recommend to protect your privacy as an Android user?
A: Enable Adblocking inside your browser. For example Firefox (also available for Android) and the Add-On uBlock.
Turn off the location services when they are not in use (in recent Android versions, there is a quick tile for it). Otherwise Google knows where you’ve been all the time.
These two things are very simple to apply and are practically useful.
Editor’s Note: this article was originally written in German by Raúl Radonz. It was translated by Raúl Radonz and was edited by Mishaal Rahman. Raúl Radonz and XDA-Developers would like to thank Mr. Gultsch for taking the time to conduct this interview.