Cryptology ePrint Archive: Report 2014/904

How Secure is TextSecure?

Tilman Frosch and Christian Mainka and Christoph Bader and Florian Bergsma and Joerg Schwenk and Thorsten Holz

Abstract: Instant Messaging has gained popularity by users for both private and business communication as low-cost short message replacement on mobile devices. However, until recently, most mobile messaging apps did not protect confidentiality or integrity of the messages.

Press releases about mass surveillance performed by intelligence services such as NSA and GCHQ motivated many people to use alternative messaging solutions to preserve the security and privacy of their communication on the Internet. Initially fueled by Facebook's acquisition of the hugely popular mobile messaging app WhatsApp, alternatives claiming to provide secure communication experienced a significant increase of new users.

A messaging app that claims to provide secure instant messaging and has attracted a lot of attention is TextSecure. Besides numerous direct installations, its protocol is part of Android's most popular aftermarket firmware CyanogenMod. TextSecure's successor Signal continues to use the underlying protocol for text messaging. In this paper, we present the first complete description of TextSecure's complex cryptographic protocol, provide a security analysis of its three main components (key exchange, key derivation and authenticated encryption), and discuss the main security claims of TextSecure.

Furthermore, we formally prove that - if key registration is assumed to be secure - TextSecure's push messaging can indeed achieve most of the claimed security goals.

Category / Keywords: cryptographic protocols / protocol analysis, public-key cryptography, applications, instant messaging, confidentiality, authenticity,

Original Publication (with minor differences): 1st IEEE European Symposium on Security and Privacy

Date: received 31 Oct 2014, last revised 5 Apr 2016

Contact author: tilman frosch at rub de

Available format(s): PDF | BibTeX Citation

Note: Extended, revised version including full protocol overview.

Version: 20160405:210121 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]