
Ask a hacker: Top four anti-surveillance apps

83 points by nikai almost 12 years ago

10 comments

einhverfr almost 12 years ago
I think the best apps are yet to be written. I recently wrote a blog post (http://ledgersmbdev.blogspot.com/2013/06/tangent-design-thougths-about-next-gen.html) outlining ways I thought the SSL PKI could be tweaked to make it quite resistant to this sort of eavesdropping.

It is still on the HN new feed, if folks want to discuss technical details, but the reason I want to mention it here too is that key management is very hard in a case of resisting surveillance. The current PKI ideas place too much trust in third party certificate authorities (meaning the government can easily pull off man in the middle attacks with the help of network providers if they want, even without your keys), and because each negotiation occurs without context of past ones, there is no way to detect such behavior other than "the CA said watch out" or "this certificate isn't even plausible." Of course you can solve these by enforcing that everyone on your network uses the same local CA that you control, but that breaks as soon as you want to talk to someone outside.

Building a PKI that can resist such efforts is not trivial and it involves challenging our assumptions. Until we do so, however, we will run into all kinds of problems. I may be being paranoid, but it seems like this is a good time to be paranoid.

One of the things that SSH gets right is that it takes a diachronic approach to key validation. We should be building this in everywhere and alerting on key changes, while providing a way to ensure that keys can be safely and securely changed without having errors.
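The key-continuity idea in the comment above (remember the key a peer presented before and alert when it changes), as an added example that is not part of the thread or of any project named in it. The `PinStore` class, the `next_commit` rotation announcement and the sample key blobs are assumptions made for the illustration.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a raw public key blob."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Remembers the key each peer presented before (hypothetical helper)."""

    def __init__(self):
        # host -> (current fingerprint, fingerprint committed for the next key)
        self._pins = {}

    def check(self, host, public_key, next_commit=None):
        """Classify a connection against what this host showed in the past.

        next_commit is an assumed extension: the peer announces the
        fingerprint of the key it plans to rotate to, so a later planned
        change can be told apart from an unexpected one.
        """
        seen = fingerprint(public_key)
        if host not in self._pins:
            self._pins[host] = (seen, next_commit)
            return "first-seen"  # trust on first use; confirm out of band
        current, committed = self._pins[host]
        if seen == current:
            # Keep an earlier commitment; adopt a new one only if none is stored.
            self._pins[host] = (current, committed or next_commit)
            return "match"
        if committed is not None and seen == committed:
            self._pins[host] = (seen, next_commit)
            return "rotated"  # announced successor key, accepted silently
        return "changed"  # pin is left untouched; the caller should alert


def demo():
    # Constructed sample key blobs, not real keys.
    k1, k2, other = b"constructed-key-1", b"constructed-key-2", b"constructed-key-3"
    store = PinStore()
    return [
        store.check("mail.example", k1, next_commit=fingerprint(k2)),
        store.check("mail.example", k1),
        store.check("mail.example", other),  # unannounced key
        store.check("mail.example", k2),     # announced successor
        store.check("mail.example", k1),     # retired key after rotation
    ]
```

In a real protocol the `next_commit` value would have to arrive inside a session authenticated by the current key; here it is passed in directly.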
IlPeach almost 12 years ago
I remember the time, about 6 or 7 years ago, when I asked the associate professor of the security course, in front of the whole class, whether building a text message encryption app would have been a good idea as a project for the course. The answer was a snickering "only a drug dealer would be interested in such a thing".

Oh man, that hurt... if I only knew a valid point against the "I've got nothing to hide" argument as I do now...
AJ007 almost 12 years ago
Read these "Bugs, Caveats, Side Notes" published on the Onion Browser app's web site:

Major iOS SDK Limitation: Websites using HTML5 <video> tags will leak <video>-related DNS queries and data transfer outside of Tor. This includes YouTube, Vimeo, and any website using iOS-compatible HTML5 video. This is a behavior of the embedded QuickTime player and there is currently no known workaround. (h/t to josyw.)

iOS SDK Limitation: Javascript cannot be disabled in the `UIWebView`, so script-based detection may identify your device even if User-Agent Spoofing is enabled.

iOS SDK Limitation: Related to above, the HTML5 Geolocation API cannot be disabled. The browser will ask you for permission to access your location if a website asks for it via the HTML5 Geolocation API. If you allow this, then said website will (obviously) know your actual current location.

That doesn't sound remotely safe to me.
klibertp almost 12 years ago
I would appreciate it if someone went and fixed the title to have the word "mobile" in it. I was expecting something very different than what I got :)
a3_nm almost 12 years ago
Sadly, TextSecure and RedPhone are distributed on the Google Play platform, so, if you don't want to tie a Google account to your phone or use Android without the proprietary Google applications, you're out of luck. (They are not included in the free and open source f-droid repository due to disagreements with the author.)
dave1010uk almost 12 years ago
If you have an Android phone, I'd recommend getting an Open Source ROM (so you can verify it is secure) and removing as much proprietary software as possible. I'd also use Firefox, as Chrome for Android isn't Open Source (even though Chromium, Blink, etc. are).
gasull almost 12 years ago
For the desktop:

- Tor
- Bitmessage

Bitmessage is especially interesting because it's not only encrypted and private, it actually solves the problem of spam and offers 3 kinds of messaging under the same interface: email-like, broadcast messages à la Twitter and chan boards.
dapole almost 12 years ago
I think the real question should be: is there possibly a back door on your mobile OS of choice? Because it won't matter what app you use if your OS is already capable of capturing that data system-wide.
jiggy2011 almost 12 years ago
No iOS suggestions?
buro9 almost 12 years ago
https://silentcircle.com should have a mention too.