Signal secure comms app for iPhone gains TextSecure compatibility

Open Whisper Systems has released version 2 of its Signal secure calling app for iPhone. This is an important iteration, as it introduces secure text messaging that’s compatible with the outfit’s TextSecure app for Android — for now, Open Whisper Systems’ secure voice app for Android, RedPhone, remains separate from that, though everything will come together later this year in a Signal app that works across iOS, Android and the desktop. As secure communications operations go, Open Whisper Systems has good credibility, offering end-to-end crypto, auditable open-source code and decent identity verification. The TextSecure protocol has also found its way into WhatsApp, which is why Android-toting users of that Facebook-owned messaging app enjoy extra security these days.

Orange’s Libon app lets you take calls to your number over Wi-Fi

Libon, the WhatsApp and Skype competitor from French carrier group Orange, has an interesting new feature called Reach Me, which will allow people to send and receive calls over Wi-Fi using their mobile phone number, regardless of who their actual carrier is.

The Libon app has been around for more than two years now — Orange won’t say how many users it has amassed during that time, but the carrier group uses it to offer special calling deals through its local operators, and Libon chief Dominic Lobo told me that people are using it in over 100 countries.

The Reach Me feature is being pitched as a way to get around poor indoor mobile coverage. “If someone calls you, the call is picked up by your Libon service – all you need is Wi-Fi coverage in your home or wherever you are and you’ll never miss a call,” Lobo told me.

I reckon that also makes it an interesting proposition for those traveling overseas and looking to avoid roaming voice fees, though they would of course need to have a Wi-Fi connection, and Libon will have to have been enabled in the country where they are.

Orange will show off the Reach Me feature at Mobile World Congress next week, and will roll it out commercially during the first half of this year. Italy will be first, somewhere around the end of March. According to Lobo, Italy has a lot of Android phones (the feature will be available on that platform first) and enough existing Libon users to provide Orange with good data on the initial rollout.

In addition, Orange doesn’t have a carrier in Italy, making it a good showcase for the so-called “over-the-top” (i.e. provided over the internet like Skype et al) nature of the app. “We want to demonstrate that we can launch it in a market unrelated to ours,” Lobo said.

Facebook owns the four most-downloaded mobile apps in 2014

Mobile analytics firm App Annie released a report on app trends on Wednesday that sorts out what kind of software people downloaded on their phones and tablets in 2014. The answer: Facebook-owned apps, including Facebook, Facebook Messenger, WhatsApp and Instagram, were the four most-downloaded apps worldwide when combining iOS and Android downloads in 2014, according to the report.

Because App Annie doesn’t put games and apps in the same category, the global list doesn’t include titles like Candy Crush Saga or Subway Surfers, which might account for more total downloads than Facebook’s utilities. But Facebook’s performance is still impressive, and an indication that the company’s multiple-app strategy might be a success. On the other hand, most of Facebook’s homegrown apps — such as Paper, Groups and Rooms — do not show up on any other top charts provided by App Annie. Facebook purchased both Instagram and WhatsApp.

Top Global App Downloads 2014

The top app worldwide in terms of revenue in 2014 was Line, a Japanese-based messaging service popular in parts of Asia. Its sibling gaming app, Line Play, clocked in at number three in terms of worldwide iOS and Google Play revenue. (Pandora was second.) On the gaming side, Clash of Clans generated the most revenue, although fellow freemium sensation Candy Crush Saga was the most downloaded.

In a reminder of why both Google and Facebook want to break into China, neither company placed a single app in the top ten iOS apps either in terms of revenue or downloads, because neither company widely offers its services in China. The Chinese app leaderboards are filled with apps from Chinese web companies like Tencent, Alibaba and Baidu.

Reflecting the fact that China is quickly becoming the biggest market for iOS devices, App Annie found that China generated the third most revenue for iOS among countries in 2014, taking the third-place spot from the United Kingdom. Japan ended up being the country that generated the most revenue for Android developers during the period. Games remained the most downloaded category of apps across countries.

The single most downloaded app in the United States in 2014 was Facebook Messenger, thanks to Facebook requiring its users to download a separate app to use the service. Pandora Radio was the most downloaded music app in the United States, landing at the fourth most downloaded app excluding games, and number one in terms of getting people to pay.

United States downloads 2014

App Annie reported that there were more Google Play app downloads than iOS app downloads, but iOS apps still brought in significantly more revenue. Google Play accounted for 60 percent more downloads than iOS, but iOS apps generated 70 percent more revenue.

The entire App Annie report is worth a look and you can find it here.

WhatsApp cracks down on people using unofficial clients

WhatsApp is banning users from its service for 24 hours because they were caught sending and receiving messages on an unofficial client that wasn’t made by WhatsApp.

Many of the affected users were using WhatsApp+, one of the most popular third-party WhatsApp clients for Android phones. Android Police noted that people using another WhatsApp alternative, WhatsappMD, are also reporting being banned.

Last weekend, as BGR India pointed out, several tech-focused websites in India erroneously reported that WhatsApp+ was actually going to be the new WhatsApp app, for some reason — perhaps because its support for themes and emoji can be seen as improvements over the standard client. In a statement posted to its FAQ page, WhatsApp explained why it banned certain Whatsapp+ users, and it’s not because it feels threatened by an app with skins:

WhatsApp Plus is an application that was not developed by WhatsApp, nor is it authorized by WhatsApp. The developers of WhatsApp Plus have no relationship to WhatsApp, and we do not support WhatsApp Plus. Please be aware that WhatsApp Plus contains source code which WhatsApp cannot guarantee as safe and that your private information is potentially being passed to 3rd parties without your knowledge or authorization.

Another reason why WhatsApp might want to control the clients its users can access is to make upgrades and updates easier to deploy. For instance, WhatsApp recently added an encryption system to its Android app, and is currently working to bring it to other platforms, like iOS. Having a bunch of amateur-level unofficial clients floating around could make the development process more complicated. WhatsApp is rumored to be launching a browser-based version of the service soon, which would lessen cross-platform issues.

In the early days of WhatsApp, there were devices that the messaging service didn’t support, like those running WebOS or Sailfish or certain Nokia feature phones. Plus, third-party clients were able to pull off nifty tricks the main app would never attempt, like merging your SMS messages and WhatsApp messages. But WhatsApp is available for every major mobile operating system — including iOS, Android, Blackberry and Windows Phone. Considering that Facebook paid $18 billion for WhatsApp, it’s safe to assume that the official clients have had more resources devoted to them than lesser-known apps on Google Play.

Unlike Twitter, which has had its own long-running saga with third-party clients, WhatsApp never invited other developers to produce third-party clients and the official API does not allow it. Several unofficial APIs exist for interested developers to produce a WhatsApp client, but the company has tried to exterminate those as well. In 2014, WhatsApp used DMCA takedowns to remove several unofficial APIs from GitHub.

Unfortunately for apps like WhatsApp+, whose developer bragged his app works again, the fix for users is simple: delete non-approved WhatsApp apps and install the official one.

UK’s Cameron won’t “allow” strong encryption of communications

The British prime minister David Cameron has suggested that if his Conservative Party wins the upcoming general election, it will not allow encrypted communications that cannot be read by the security services.

On Sunday, Cameron told ITV News: “I think we cannot allow modern forms of communication to be exempt from the ability, in extremis, with a warrant signed by the home secretary, to be exempt from being listened to. That is my very clear view and if I am prime minister after the next election I will make sure we legislate accordingly.” He repeated the sentiment again on Monday.

The Tory leader has already said that he wants to bring back the Communications Data Bill, a.k.a. the “Snooper’s Charter,” if his party wins the upcoming general election in May. This is not news as such; the only reason the bill is on ice is that the Conservatives’ current coalition partners, the Liberal Democrats, refuse to allow it to be tabled. (The Lib Dems did, however, allow the “emergency” passage of the DRIP Act, which brought in the main planks of the Snooper’s Charter – mandatory data retention for various kinds of internet communications – on a temporary basis.)

However, the Tories’ rhetoric has predictably ramped up in the wake of the Paris killings. The idea of banning secure communications is a recent development (though it follows on from the frustration of U.K. intelligence chiefs) and is utterly flawed. Even armed with a warrant from the Home Secretary, security services would be stymied by a basic WhatsApp text chat, an email exchange properly encrypted using PGP, or an Apple iMessage or FaceTime conversation – all of which use end-to-end encryption.

These, we must assume, would be the services that Cameron would not “allow” if voted back in. However, it is hard to see the British government succeeding in stopping the use of such tools. Even if (a big “if”) the government got some kind of concession from the big commercial players (key escrow?), systems such as PGP don’t even have a centralized company behind the curtains. And then there’s the issue of anonymity — monitoring the communications of someone using the anonymized browsing tool Tor, for example, is difficult to say the least. Would online anonymity also be banned?

It’s just not a sensible idea, but that doesn’t always stop the introduction of new laws. Labour leader Ed Miliband, the head of the opposition, has said he would resist the immediate reintroduction of the Snooper’s Charter and would give a “cautious and considered” response to security chiefs asking for more powers. That doesn’t mean he won’t cave in — Labour has a bad record on this stuff, and the current government took power in 2010 promising to “reverse the substantial erosion of civil liberties under the Labour government and roll back state intrusion.” But, particularly after Snowden, this is clearly going to be a live issue on the campaign trail.

Snapchat’s $10B value proves ephemeral messaging is here to stay

Snapchat’s new round of financing, which values the company at somewhere close to $10 billion, is more proof that it has tapped into a powerful need on the part of many users — namely, the desire to have their messages disappear rather than being permanent.

Samsung cans cross-platform ChatOn messaging service

As predicted last month, Samsung is pulling the plug on its ChatOn messaging service.

The Korean news service Yonhap reported on Friday that Samsung will axe the service on February 1, quoting the company as saying it was doing so “in line with efforts to meet the changing demands in the market and provide differentiated services to users, focusing on other areas such as health and mobile commerce.”

ChatOn has been around since 2011 as a fully cross-platform play – it wasn’t just for Samsung phones, though it came preinstalled – but, according to plausible calculations by TechInAsia, it was unlikely to have gathered more than 50 million active monthly users. Considering Samsung shipped 320 million smartphones in 2013, that’s pretty poor, and it left the app way behind the likes of Facebook’s WhatsApp (600 million monthly active users) and Tencent’s WeChat (around 440 million last time we checked.)

Those reports back in November suggested that ChatOn would only be canned in some regions, but it looks as if it will expire everywhere in the first quarter of 2015, including in the U.S., although that market will reportedly get a different shutdown date than elsewhere. According to Samsung, users will be able to download their chat record, photos and videos before the closure.

Should we expect every messaging app to offer full privacy?

Earlier this week a bunch of former Skype employees launched a new app called Wire, which offers Skype-esque voice calls, messaging, and the ability to embed things like YouTube videos and SoundCloud tracks in conversations.

I, like many others, wrote a piece about the release, noting that the company’s Swiss jurisdiction is relatively privacy-friendly. Someone quickly commented, pointing out – correctly – that this is “no replacement for full, end-to-end encryption.” Fair enough, but I’ll admit my initial take on Wire put very little emphasis on security or privacy, because the company itself didn’t either.

Sure, if you scroll down a lot on Wire’s homepage you’ll see a nondescript promise that “Wire interactions are secure and we comply with European privacy laws and regulations,” but it’s not an angle that Wire even mentioned in its press release, nor in its initial blog posts.

That said, Joseph Cox at Vice Motherboard took a good look into Wire’s small print and noted that, while Wire’s FAQs said voice calls enjoy full end-to-end encryption over its networks, messages and media are only encrypted between the user and Wire’s data centers – not while at rest in those data centers.

This didn’t fit with a separate statement in Wire’s support section, which claimed that “your messages and conversation history can only be seen by you and the people in those conversations”, a statement that Wire removed after Cox flagged up the contradiction. The episode prompted some to accuse Wire of being a security snake oil vendor.

Now, if Wire’s claim about the privacy of conversations had been more prominent and not simultaneously debunked by the company itself, it would look an awful lot like a lie. The company should also be much clearer on its homepage about what it means by “secure”: that is to say, pretty secure against hackers, but not hiding personal data from the company itself and its various commercial arrangements.

However — and perhaps I’m feeling overly generous in the run-up to the holiday season — I think we need to look at what Wire actually is and consider the tradeoffs it’s making, before calling it a dud.

As a messaging service, Wire appears to be a very different beast from, say, WhatsApp, which is comparatively streamlined. Billed as a “communications network,” if anything Wire resembles a framework for small, closed social networks – think Google+ minus the public stuff — built around messaging rather than posting.

Wire’s text communications service is not designed primarily to be a secure channel (and here we’re in the linguistic gray zone where “secure” blurs into “private”), but rather for integration with third-party services such as YouTube and SoundCloud. For that reason, I don’t find it in the least bit surprising that, while WhatsApp can offer end-to-end encryption, Wire messages aren’t encrypted in the company’s data centers.

As Wire’s privacy policy states:

Through the Service, you may be able to link to technology, software and services owned and controlled by third parties (the “Third Party Features”) such as, but not limited to Youtube and SoundCloud. You may be permitted or required to submit personal information to access Third Party Features. These Third Party Features may collect information about you when you visit them or otherwise communicate or interact with them.

Third-party services are Facebook’s excuse, too. Maybe someone will at some point succeed in marrying genuine end-to-end encryption with a complex ecosystem approach, but I’ve not seen an example yet. As Wire’s founders suggested in a recent Guardian interview, their algorithmically ordered group chat and search functionality also don’t play nicely with cryptographic keys. Will Wire even consider encrypting its users’ data at rest? “We’ve made technical design and product choices to provide Wire users with the benefits of a certain feature set and are constantly reviewing those choices with security in mind,” a spokeswoman told me by email. Let’s take that as a “no,” for now.

Another reason not to treat Wire like something it isn’t: The terms state that, if Wire gets sold, its users’ personal information could be part of the package, and that includes the contents of chat conversations. The company also hasn’t yet decided how it will make money. The spokeswoman told me that the firm is “considering a number of monetization options” that will include paid-for premium features – I can’t see any guarantee that they won’t also include more Facebook-style data mining.

Strong privacy advocates will rightly turn their noses up, but here’s the question: Should people avoid Wire? That depends entirely on the person. Apart from that errant phrase at launch (again, perhaps I’m being too generous), Wire doesn’t tout itself as the privacy enthusiast’s choice. That doesn’t mean it won’t provide value to some people, like Facebook does.

As I’ve suggested before, privacy is a sliding scale. Some people want very high levels of privacy, while others are happier giving up some of these things for various perks, such as free services, or the potential for deep integration with third parties that are more about sharing than privacy.

Sometimes a person (like me) wants more privacy from one service, and can live with less from another. Wire looks interesting from a user experience standpoint, but as with Facebook — which I do use, because people who are dear to me use it — I’d be wary of putting anything too sensitive on there.

It’s perfectly alright for different products and services to occupy different points on the privacy spectrum, as long as their users know what to expect. On that point, Wire’s launch was shaky, but not necessarily a dealbreaker. Here’s hoping the company offers a clear and consistent message about its limitations from here on.