2

This question is about the new WhisperPush-feature in CyanogenMod-ROMs: http://www.cyanogenmod.org/blog/whisperpush-secure-messaging-integration

Prerequisite:

  • Me and a friend of mine have both enabled the new WhisperPush-feature on our CyanogenMod-phones.
  • Our mobile plan allows us to send unlimited SMS without extra cost.
  • We don't have a constant internet connection (no mobile-data plan)

Scenario:

  1. I currently have an internet connection (via WiFi) and send a SMS to my friend
  2. WhisperPush sees, that we're both using WhisperPush/TextSecure and sends my message (encrypted) via TextSecure.
  3. My friend does not have an internet connection right now.

As far as I understand the system, my message will not be delivered until he gets online somehow. Correct me if I'm wrong.

Since this is not what we want, we both want to disable WhisperPush.

Question:

How do we do this? If we just uninstall the WhisperPush-App, wouldn't that mean:

  1. That our accounts remain active (and the data remains on the servers)?
  2. If a third person using WhisperPush sends me a message, it will be send via TextSecure, but never received by me, because I disabled the app?

Since the App does not offer any option to delete my Account, how am I able to effecively disable my account and delete the app without any further consequences?

Community
  • 1
beesteak
  • 141
  • 1
  • 2
  • 8
  • The messages are encrypted. You can't delete the account through the phone. You likely have to do it through a browser, logged into your account, and use the option that might or might exist there. – Ramhound Feb 26 '14 at 13:41
  • Is there a possibility to login via a browser? Do you have a link? I haven't found anything –  Feb 26 '14 at 13:49
  • I just took an educated guess that WhisperPush is a third-party service. I was mistaken. Looks like TextSecure instead encrypts your text messages. So your text messages are being delievered by your provider and the contents are encrypted. There is no "account" to delete per say. – Ramhound Feb 26 '14 at 13:55
  • To be clear your service provider is the one who would store the encrypted message. You would have to get an entirely new phone number, and even then, they wouldn't delete your the old account for other regulatory reasons. – Ramhound Feb 26 '14 at 14:06
  • No I think you got this wrong. TextSecure doesn't encrypt my SMS. It is a messaging platform similar to WhatsApp, Telegram or others (but with end-to-end encryption). And WhisperPush is a kind of Middleware that decides whether my message is being sent via SMS or via TextSecure. Hence there has to be a TextSecure account in the background storing my contacts-list etc. (Or did I completely miss something here?) –  Feb 26 '14 at 14:16
  • The TextSecure website itself says it encrypts your SMS messages. The encrypted messages are indeed sent through the OpenWhisper servers. Of course I am not sure how "encrypted over the air" provides ends to end encryption. Telegram ( isn't secure their "encryption" is not secure ). It does not appear you can delete any information stored on the Open WhisperSystems TextSecure server. My guess is the account is simply an identifier type account ( i.e. DeviceID@PN@MACADD type deal ). – Ramhound Feb 26 '14 at 14:31

2 Answers2

2

I have an answer for you. Cyanogenmod should implement a simple solution! The fix can be found on the final post of this page:

http://forum.cyanogenmod.com/topic/87482-critical-flaw-in-whisperpush/

You'll need android studio installed on your PC to use "adb" in terminal/command-line.

These are the steps that are suggested on that site:

You could try to unregister manually:

pc:$ adb shell
phone:$ su # (enable root for ADB first)
phone:$ cat /data/user/0/org.whispersystems.whisperpush/shared_prefs org.whispersystems.whisperpush_preferences.xml
# take note of pref_push_password and pref_registered_number
pc:$ curl -v -X DELETE --basic --user $pref_registered_number:$pref_push_password https://whisperpush.cyanogenmod.org/v1/accounts/gcm/
# add -k to skip the certificate warning

The HTTP response code should be 204.

Source: http://forum.cyanogenmod.com/topic/87169-disabling-whisperpush/#entry448596

  • Perfect. Seemed to work with curl -v -k -X DELETE --basic --user "$pref_registered_number:$pref_push_password" https://whisperpush.cyanogenmod.org/v1/accounts/gcm/. At least I got a 204. Hopefully my account is really deleted. –  Feb 27 '14 at 00:09
1

Cyanogenmod now has a website that allows you to unregister from WhisperPush if you forgot to unregister during first setup right after installation. With this you can stop using the service completely or switch to Signal Private Messenger (formerly known as TextSecure).

How to unregister from cyanogenmod whisperpush:

  1. Visit the Whispertool website
  2. Enter your phone number
  3. Enter the verification code they'll send you
  4. Done!
Manu
  • 3,094
  • 7
  • 22
  • 40
ichziehwiehechtsuppe
  • 11
  • 2