Using encryption on Android – A rant

I have had my first Android phone, a Samsung, 5 years ago, and I’ve used three others since then. I believe in others respecting my privacy and the privacy of others. I also try to have a system that is as clean as possible, and update it as often as possible especially for security reasons. For instance, I’m an avid user of the software apps provided by Open Whispers Systems, especially Text Secure, which is as easy to use as it is to install: grab it on the Android Market, install it, pick your password, the system detects whether your contacts may exchange with you securely; then there’s an almost automated key exchange (all this is happening in 2 minutes by  sending and receiving text messages), and you’re done. Chatting securely with your contacts is as easy as sending SMS or using instant messaging.

The story is completely different once you want to use encryption with email on Android (NB: this may be completely different on iOS. Feedback welcome). I have so far been able to install and set up my GPG keys on my phone; but I have not been able to decrypt and encrypt attachments and files. The set up itself was a pain. It should not be, and it is unclear at this stage who’s the culprit (me, the idiot, Android as a system, the email client or even the GPG implementation for Android). Let me explain.gnupg

Not every email client for Android out there supports encryption; and when it does, it does not work like Enigmail: you must first install the email client, set it up; then install an app that enables the use of GPG (APG or GnuPG for Android); then you have supposedly and through a reasonably secure process sent your full GPG keys to your phone (SD card or the internal memory).

At this stage things start to get ugly. Do not be fooled by this innocent looking tutorial for newbies. None of the apps enabling the use of keys will pinpoint or recognize the GPG keys on your phone. In fact, you must be looking for them yourselves. Android, however, is terrible at file management. Despite a dozen file managers available on the market or the F-Droid app store, the experience will be rather  poor because of Android’s insane filetree and naming conventions. As a result, you never really know where the file you have just downloaded is; it seems to change with each application (email, browser) and sometimes mimetype (PDF). Finding your own keys on your system usually requires some luck; and then your phone is enabled with GPG. The actual integration of the GPG app with your email cllient is indeed very easy; but then comes your first message that is encrypted and has an attachment. I did not have much of a success with both inline encryption and S/MIME encryption. I’m willing to admit that inline encryption (i.e someone is only encrypting an email which is just text and whose encrypted part is the text inside the mail and nothing more) should work by now. It didn’t for me, but that’s not really the major point. Say you want to open the file that comes attached with the message. You have successfully decrypted the mail itself (I have seen this happen for other people) but the file, which is a PDF document, needs to be decrypted as well. And it’s not going to happen. Nor the email client, nor the encryption app will make it work; the file will be downloaded somewhere on your system; on your SD card or directly on the phone depending on your pre-existing settings. And then you must find it (most of the time it won’t have the actual file name, but the truncated path turned into a file name which you must be lucky enough to identify. Once you have done that, APG (it was APG in that case) was not able to decrypt the file. There was an error message and that was it.

I don’t rant very often about these matters and usability in general. But in this case I think we have at least a “perfect storm” of the poor usability of a system, and the GPG implementation that simply does not function based on how the underlying system works; email clients like K9 or Kaiten may/could provide part of the solution although it is unclear whether they did anything wrong. They may in turn help doing something right.

The net result of this experience is unfortunate: a large part of my instant messages and SMS is encrypted; but I don’t use GPG with the email I receive; I must wait until I’m on my own laptop or workstation to properly use encryption and open the mails I have received.

I hope it will get fixed at some point and the over process will be improved; it would be a good resolution for 2015!

Leave a Reply

%d bloggers like this: