Help from the Community
The Copperhead Tor Phone Prototype
Systemic Threats to Software Freedom
Installation: F-Droid apps
- Download the apk.
- Unzip the apk with unzip org.thoughtcrime.securesms.apk
- Verify that the signing key is the official key with keytool -printcert -file META-INF/CERT.RSA
- You should see a line with SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
- Make sure that fingerprint matches (the space was added for formatting).
- Verify that the contents of that APK are properly signed by that cert with: jarsigner -verify org.thoughtcrime.securesms.apk. You should see jar verified printed out.
Then, you can install the Signal APK via adb with adb install org.thoughtcrime.securesms.apk. You can verify you're up to date with the version in the app store with ApkTrack.
Future work: More Device Support
Future Work: MicroG support
Future Work: Netfilter API (or better VPN APIs)
Future Work: Fewer Binary Blobs
Future Work: F-Droid auto-updates, crash reporting, and install count analytics
Future Work: Build Reproducibility
Future Work: Orbot Stability
Future Work: Backups and Remote Wipe
Future Work: Baseband Analysis (and Isolation)
Future Work: Wifi AP Scanning Prevention
Future Work: Port Tor Browser to Android
Future Work: Better SIP Support
Future Work: Installation and full OTA updates without Linux
Future Work: Better Boot Key Representation/Authentication
Future Work: Faster GPS Lock
- Added information about secondary SIP/VoIP usage in the Usage section and the Future Work sections.
- Added a warning not to upgrade OrWall until Issue 121 is fixed.
- Describe how we could remove the Linux requirement and have OTA updates, as a Future Work item.
- Remind users to check their key fingerprint at installation and boot, and point out in the Future Work section that this UI could be better.
- Mention the Neo900 in the Future Work: Baseband Isolation section
- Wow, the Signal vs F-Droid issue is a stupid hot mess. Can't we all just get along and share the software? Don't make me sing the RMS song, people... I'll do it...
- Added a note that you need the Guardian Project F-Droid repo to update Orbot.
- Add a thought to the Systemic Threats to Software Freedom section about using licensing to enforce the update requirement in order to use the AOSP.
- Mention ApkTrack for monitoring for Signal updates, and Intent Intercept for avoiding risky clicks.
- Mention alternate location providers as Future Work, and that we need to pick a decent backend.
- Link to Conversations and some other apps in the usage section. Also add some other links here and there.
- Mention that Date and Time must be set correctly for Orbot to connect to the network.
- Added a link to Moxie's netfilter code to the Future Work section, should anyone want to try to dust it off and get it working with Orwall.
- Use keytool instead of sha256sum to verify the Signal key's fingerprint. The CERT.RSA file is not stable across versions.
- The latest Orbot 15.2.0-rc8 still has issues claiming that it is connected when it is not. This is easiest to observe if the system clock is wrong, but it can also happen on network disconnects.