OpenKeychain
Initial release | 1 March 2012 |
---|---|
Stable release | 6.0.4[1] / 27 February 2024 |
Repository | |
Written in | Java |
Operating system | Android |
Type | OpenPGP |
License | GPL-3.0-or-later |
Website | www |
OpenKeychain is a free and open-source mobile app for the Android operating system that provides strong, user-based encryption which is compatible with the OpenPGP standard. This allows users to encrypt, decrypt, sign, and verify signatures for text, emails, and files. The app allows the user to store the public keys of other users with whom they interact, and to encrypt files such that only a specified user can decrypt them. In the same manner, if a file is received from another user and its public keys are saved, the receiver can verify the authenticity of that file and decrypt it if necessary. As of August 2021, it is no longer actively developed.[2]
K-9 Mail Support
[edit]Together with K-9 Mail, it supports end-to-end encrypted emails via the OpenPGP INLINE and PGP/MIME formats. The developers of OpenKeychain and K-9 Mail are trying to change the way user interfaces for email encryption are designed. They propose to remove the ability to create encrypted-only emails[3] and hide the case of signed-only emails.[4] Instead, they focus on end-to-end security that provides confidentiality and authenticity by always encrypting and signing emails together.
Reception
[edit]OpenKeychain is listed on the official OpenPGP homepage[5] and the well-known developer collective Guardian Project recommends it instead of APG to encrypt emails.[6] TechRepublic published an article about it and conclude that "OpenKeychain happens to be one of the easiest encryption tools available for Android (that also happens to best follow OpenPGP standards)."[7] The publisher Heise reviewed it in their c't Android magazine 2016 and discussed OpenKeychain's backup mechanism.[8] The academic community uses OpenKeychain for experimental evaluations: It has been used as an example where cryptographic operations could be executed in a Trusted Execution Environment.[9] Furthermore, modern alternatives for public key fingerprints have been implemented by other researchers.[10] In 2016, the German Federal Office for Information Security published a study about OpenPGP on Android and evaluated OpenKeychain's functionality.[11] OpenKeychain has been adapted to work with smartcards and NFC rings resulting in a usability study published on Ubicomp 2017.[12]
Funding
[edit]The OpenKeychain developers participated in 3 Google Summer of Code programs with a total of 6 successful students.[13][14][15] In 2015, one of the main developers got a one-year funding to improve the OpenPGP support in K-9 Mail paid by the Open Technology Fund.[16]
History
[edit]OpenKeychain has been created as a fork of Android Privacy Guard (APG) in March 2012. Between December 2010 and October 2013 no new version of APG was released. Thus, OpenKeychain has been started with the intention of picking up the development to improve the user interface and API. A first version 2.0 has been released in January 2013. After three years without updates, APG merged back security fixes from OpenKeychain and some months later rebased an entire new version on OpenKeychain’s source code. However, this process stopped in March 2014, while the OpenKeychain developers continued to regularly release new versions. A number of vulnerabilities found by Cure53[17] have been fixed in OpenKeychain.[18] These are still not fixed in APG since its last release in March 2014. Since K-9 Mail version 5.200, APG is no longer supported as a cryptography provider.[19]
References
[edit]- ^ "Release 6.0.4". 27 February 2024. Retrieved 22 March 2024.
- ^ "Note about maintenance mode". GitHub. Retrieved 19 November 2022.
- ^ "OpenPGP Considerations, Part II: Encrypted-Only Mails". Archived from the original on 12 February 2017. Retrieved 11 Feb 2017.
- ^ "OpenPGP Considerations, Part I: Signed-Only Mails". Archived from the original on 12 February 2017. Retrieved 11 Feb 2017.
- ^ "Official OpenPGP Homepage". Retrieved 11 Feb 2017.
- ^ "How To: Lockdown Your Mobile E-Mail". Retrieved 11 Feb 2017.
- ^ "Let OpenKeychain help handle your encryption". Retrieved 11 Feb 2017.
- ^ Mansmann, Urs; Bleich, Holger; Kossel, Axel (2016). "Mit PGP verschlüsselt mailen". C't Android 2016. 1: 50–51.
- ^ Rubinov, Konstantin; Rosculete, Lucia; Mitra, Tulika; Roychoudhury, Abhik (2016). "Automated partitioning of android applications for trusted execution environments" (PDF). Proceedings of the 38th International Conference on Software Engineering. pp. 923–934. doi:10.1145/2884781.2884817. ISBN 978-1-4503-3900-1. S2CID 15474674. Archived (PDF) from the original on 2021-10-06.
- ^ Dechand, Sergej; Schürmann, Dominik; Busse, Karoline; Acar, Yasemin; Fahl, Sascha; Smith, Matthew (2016). "An Empirical Study of Textual Key-Fingerprint Representations". 25th USENIX Security Symposium (USENIX Security 16): 193–208. ISBN 978-1-931971-32-4.
- ^ "BSI Study: Nutzung von OpenPGP auf Android" (PDF). Retrieved 13 Feb 2017.
- ^ Schürmann, Dominik; Dechand, Sergej; Lars, Wolf (2017). "OpenKeychain: An Architecture for Cryptography with Smart Cards and NFC Rings on Android". Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 1 (3): 99:1–99:24. doi:10.1145/3130964. S2CID 212416148.
- ^ "GSoC Archive 2014". Retrieved 11 Feb 2017.
- ^ "GSoC Archive 2015". Retrieved 11 Feb 2017.
- ^ "GSoC Archive 2016". Retrieved 11 Feb 2017.
- ^ "Bringing OpenKeychain Support to K-9 Mail". Retrieved 11 Feb 2017.
- ^ "Cure53 Security Audit" (PDF). Retrieved 11 Feb 2017.
- ^ "OpenKeychain Wiki: Cure53 Security Audit". GitHub. Retrieved 11 Feb 2017.
- ^ "Why APG is no longer supported". Archived from the original on 12 February 2017. Retrieved 11 Feb 2017.
External links
[edit]- Official website
- GitHub repository of OpenKeychain
- OpenKeychain on Google Play
- OpenKeychain Android package at the F-Droid repository