Secure Chat on Android: Gibberbot, a User Guide

Posted by MelissaLoudon on Oct 13, 2011
Author: SaferMobile
Abstract:

Gibberbot is an instant messaging app for Android phones. Gibberbot implements off-the-record messaging (OTR), a way to conduct an instant messaging conversation with encryption, authentication, deniability, and forward secrecy.

Gibberbot is an instant messaging app for Android phones, developed by The Guardian Project. Gibberbot implements off-the-record messaging (OTR). Off-the-record messaging is a way to conduct an instant messaging conversation with the following attributes:

  • Encryption. An eavesdropper cannot read your messages.
  • Authentication. You can verify the identity of the person you’re chatting to - or at least of the account they are using.
  • Deniability. It is not possible for a third party to prove that a particular user sent or received a particular message.
  • Perfect forward secrecy. It is not possible for an attacker to decrypt a previous conversation, even if he/she obtains the encryption keys used to encrypt it.

Gibberbot can also use Orbot to route your chats over the Tor network. This prevents an observer from following the source and destination of your messages (effectively, from knowing you are chatting) and provides a way to circumvent web censorship that may involve chat servers being blocked.

Off-the-record messaging only works when both parties in the conversation are using it. This means both parties need to use Gibberbot, another mobile app, or chat software that supports it. Currently Gibberbot is the only option we know of for mobile phones. Off-the-record plugins are available for several PC chat programs, including Pidgin (Windows and Linux), Adium (Mac), Trillian (Windows) and Miranda (Windows).

Who should use it?

Gibberbot is designed for people who need to chat securely. If you and the person you are communicating with are both able to use it, secure chat can be used as a replacement for email and text messaging.

Gibberbot should work on any Android phone. It’s probably best for users who are reasonably comfortable chatting and handling their phone, and it’s only currently available in English.

Why use it?

  • When used with Orbot, Gibberbot combines the security, privacy and anonymity provisions of off-the-record messaging with the additional anonymous browsing and circumvention protection of the Tor network.
  • Gibberbot is currently the only implementation of off-the-record messaging for mobile phones that we are aware of.
  • The code for Gibberbot is open source and freely available for download - there are no costs involved except your airtime while chatting.
  • The project encourages user feedback through a mailing list, a feedback form on their website, a Twitter account and an IRC channel.

Potential risks

At the time of writing, Gibberbot should not be considered mature software. It is still under development. Bugs and unfinished features can make this kind of software hard to use, and may also result in your security being compromised. As the app description page says:

“WARNING: This is an ALPHA release, with active development underway. We fully expect there to be bugs, and users should be fully aware that there may be undiscovered security flaws in our current code. We have released this app into the market because we feel it is stable enough to widen our circle of test users, and will actively address bugs as found, and update this release as fast as possible.”

Gibberbot also requires some technical expertise to be sure everything is working correctly. It’s straightforward when you get it, but you might not want to rely on it as a communications method without testing both your setup and that of the person you’ll be communicating with. Fortunately, the app gives a clear indication of whether your communications are secure.

Other risks of chatting include the risk that your chat provider’s system could be compromised, revealing your contact list and whether you are online, and the risk that, if one or both parties in the conversation have their chat software set up to log conversations, a record of the decrypted messages might still exist. It’s very important to make sure both you and your contacts understand your chat software well, and are sure it’s not recording any information about your conversations.

Installation and setup

  1. Install Gibberbot from the Android market or by scanning the barcode on the Guardian Project download page.
  2. If desired, install and set up Orbot. You will definitely need Orbot if the chat server you’re connecting to (for example, talk.google.com, Google Talk’s server) is blocked in your country. You may wish to use Orbot if you want to prevent an observer from seeing that you are chatting. Even without Orbot, your chats will be encrypted.
  3. If you don’t have an account with a chat provider that supports the XMPP/Jabber chat standard, set one up. Providers that support XMPP include Google Talk, Live Journal Talk and Ovi, as well as many smaller services. When choosing a provider, be aware that while they (or an attacker who manages to compromise their server) cannot see your chats, they can see when you’re online and who your chat contacts are. Choose a provider with technical credibility, and a clear policy on when data will be handed over in response to law enforcement requests.
  4. Start Gibberbot and log in. You will be shown some info screens the first time the app starts, followed by the login screen. At login, you can also choose whether to save your password (not recommended - if you do this, someone else can pick up your phone and impersonate you), and whether you wish to route your chat traffic through Orbot.
  5. Start an encrypted chat. When you click a contact to start chatting with them, the chat will be marked as not secure (red). Choosing Menu -> Start encrypted chat will attempt to start a secure chat. If successful, the chat will be marked as unverified (orange) if they do have OTR but you haven’t yet indicated to Gibberbot that you’ve verified their identity, or verified and encrypted (green) if you’ve verified their identity previously.

    Next, we’ll verify our contact’s identity, and generate a key to allow them a way to verify ours.

  6. Generate your fingerprint, and verify your partner’s. A fingerprint, or key, is what identifies you to the person you’re talking to. For example, I used Gibberbot to generate a fingerprint for my account: 518E411A 3D001F37 5520202D 4BF3E676 FE9ABE06.


You should share fingerprints before chatting, either in person, over the phone (hard, because fingerprints are long!) or through a secure method like encrypted email. Gibberbot has a nice feature for sharing keys in person if you’re both using Gibberbot. From the chat menu, select Verify. Then, press the menu key again and select Your Fingerprint to display your fingerprint as a phone-scannable barcode. From this same menu, your contact can select Scan Fingerprint, and scan the barcode displayed on your phone to verify you. Swap roles and repeat the process, and you’re both verified.

In Gibberbot, you can generate your own fingerprint once you start a chat with someone by pressing the menu key and selecting Gen Key. You only need to do this once! Regenerating your key will mean contacts who have verified the previous key need to reverify the new key. To see your fingerprint once it has been generated, select Verify from the chat menu. This will also show you the fingerprint of the person you are chatting to, and you can choose to verify it if it matches the fingerprint you obtained from them previously.

  7. Start chatting! If both you and your partner have verified each other’s keys, you should see a green status message stating that your chat is secure.
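A small model of the status logic the steps above describe (red, orange, green, and the need to reverify after a contact regenerates their key), added here as an illustration and not code from Gibberbot or The Guardian Project. The fingerprint is the one shown in the guide; the account name, function names and the constant-time comparison are assumptions made for the example.

```python
import hmac
import re
from dataclasses import dataclass, field

# Fingerprint format as shown in the guide: 40 hex digits, displayed in
# five groups of eight (e.g. "518E411A 3D001F37 5520202D 4BF3E676 FE9ABE06").
FP_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text: str) -> str:
    """Canonicalise a fingerprint that was typed, scanned or read aloud:
    drop whitespace and colons, uppercase. Raises ValueError if the result
    is not 40 hex digits, so a truncated or mistyped value is never trusted."""
    fp = re.sub(r"[\s:]", "", text).upper()
    if not FP_RE.match(fp):
        raise ValueError("not a 40-hex-digit OTR fingerprint")
    return fp


def format_fingerprint(fp: str) -> str:
    """Display form: five 8-digit groups, the way the guide shows it."""
    fp = normalize_fingerprint(fp)
    return " ".join(fp[i:i + 8] for i in range(0, 40, 8))


def fingerprints_match(a: str, b: str) -> bool:
    # Constant-time compare so timing does not leak which digit differed.
    return hmac.compare_digest(normalize_fingerprint(a), normalize_fingerprint(b))


@dataclass
class TrustStore:
    """Per-contact record of the fingerprints the local user has verified."""
    verified: dict = field(default_factory=dict)  # account -> fingerprint

    def verify(self, account: str, seen_fp: str, shared_fp: str) -> bool:
        """Mark the contact verified only if the fingerprint the session presents
        equals the one obtained out-of-band (in person, barcode scan, ...)."""
        if not fingerprints_match(seen_fp, shared_fp):
            return False
        self.verified[account] = normalize_fingerprint(seen_fp)
        return True

    def chat_status(self, account: str, session_fp) -> str:
        """Status colour as the guide describes it:
        red: no OTR session; orange: encrypted but the fingerprint is not
        verified (including a contact who regenerated their key, whose new
        fingerprint no longer matches the stored one); green: verified."""
        if session_fp is None:
            return "red"
        known = self.verified.get(account)
        if known is not None and fingerprints_match(known, session_fp):
            return "green"
        return "orange"
```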

Security App Checklist

Will it work on my phone?
  • Platforms (iPhone, Android, Java, Blackberry, Symbian etc)
  • Phone models
  • Installation method (App market, web download, download to PC?)
  • Language support
Gibberbot will work on most Android phones. Get it from the Android market or the Guardian Project website. Gibberbot is currently only available in English.
Risks, Costs and Benefits
  • What risk does this app address? What are the benefits?
  • Does it introduce other potential risks?
  • How much does it cost? Both the cost of the app and any data/text messaging/voice costs
Gibberbot provides secure, private and anonymous instant messaging, as well as Internet censorship circumvention. It does so by implementing off-the-record messaging (OTR) and routing chat messages over the Tor network through Orbot.

There is a risk that your use of Tor may be detected, and that this may be cause for suspicion. Also you need to be sure that both you and the person you’re chatting with are able to use their OTR-enabled chat software/app correctly.

Gibberbot is free. You will pay for data use as normal while chatting.
Is this app trustworthy?
  • What permissions does it request? What permissions is it given by the operating system?
  • Who is the developer? Are they well-known?
  • Is there an active user community?
  • Is the source code available for public review?
  • Is data stored and transmitted securely?
  • Is the app legal?
  • What is the developers’ policy on data requests from law enforcement?
  • Is the app mature?
  • How are updates released?
Gibberbot needs Internet access permissions to work. It also requests permission to prevent the device from sleeping while chatting. This is a pretty benign permission, but watch your battery life.

The Guardian Project develops Android apps for secure and private communications. Gibberbot and their other apps are open source, so the source code is available for public review. There is a user community, with mailing lists and an IRC channel for Guardian Project apps.

No Gibberbot data is stored on The Guardian Project’s servers. If your chat server (e.g. Google’s server if using Google Talk) usually logs chat messages, it will log the encrypted messages - but these are deniable even if decrypted, and can’t be conclusively linked to you.

In countries where it is illegal to encrypt your communications you will need to check whether Gibberbot is an application you can legally use.

Gibberbot is under active development. Installing through the Android market ensures you have access to updates. Check frequently! Update announcements are also made on the Guardian Project’s website.