

TextSecure response to Stagefright Android vulnerability - mfincham
https://github.com/WhisperSystems/TextSecure/issues/3817

======
bmelton
TextSecure user, and I can verify this as accurate.

When I first saw the stagefright bug, I looked for a way to disable MMS in the
app. There is no way to disable MMS in the app, so I had a friend MMS me a
message, and I got the warning as the post describes.

Feel free to test it out for yourself, but it was nice to see that TextSecure,
by its nature, is secure from this bug through design.

~~~
nickpsecurity
"Feel free to test it out for yourself, but it was nice to see that
TextSecure, by its nature, is secure from this bug through design."

My take based on Moxie's comment. Good design.

------
acconrad
Err wow I didn't think me raising an issue on Github would put me on the
frontpage of HN. But I am glad to see that they handle this well by default -
another reason why I will be keeping it!

------
emmab
I haven't found a way to block numbers in TextSecure or I would use it

... Oh they implemented it last month :D
[https://github.com/WhisperSystems/TextSecure/issues/222](https://github.com/WhisperSystems/TextSecure/issues/222)

------
secfirstmd
As a digital and security training for human rights defenders and journalists
all over the world - this is one of the reasons why I try as hard as possible
to push the awesome work of the WhisperSystems team and Moxie.

------
kekebo
There's a tool called "Disable Service" with which you can unload app- and
system daemons, including MMS processes (both in your messaging or globally on
a system level):
[https://play.google.com/store/apps/details?id=cn.wq.disables...](https://play.google.com/store/apps/details?id=cn.wq.disableservice&hl=en)

------
steveklabnik
See also:
[https://github.com/WhisperSystems/TextSecure/issues/3818](https://github.com/WhisperSystems/TextSecure/issues/3818)

------
jtchang
This is a great example of where usability and security meet. Auto downloading
MMS messages is certainly much nicer from a UX perspective. However it can
lead to bugs as we are witnessing.

I think they struck a good medium.

------
mintplant
If I'm running Android without TextSecure, how do I mitigate this?

~~~
barbs
I turned off auto-retrieve of multimedia messages in the settings. I took a
couple of handy screenshots here:

[https://imgur.com/xaAsWZY](https://imgur.com/xaAsWZY)

~~~
mintplant
Thank you!

------
guelo
I don't think a popup warning is much protection. Most people really want to
see that picture that they think they just received.

~~~
mfincham
The kind of folks running TextSecure have already made an effort to install a
replacement messaging application, hopefully this helps them also pay
attention to the warning.

If nothing else it'll slightly slow down a worm utilising this exploit...

------
glokon
I wonder if this also affects Telegram as well?

~~~
bmelton
From what I've seen, the bug doesn't affect iOS devices, so while I have no
idea whether the behavior between TextSecure and Telegram is the same, iOS
isn't vulnerable either way.

~~~
ascorbic
I'm assuming glokon means Telegram for Android.

~~~
bmelton
Well color me ugly. I didn't know that existed.

