GoldenSMS is a J2ME application used to send sms in a secure way to another mobile phone that has the application. The messages are send in a way that is extremely difficult to retrieve the encryption key or decrypt the messages from the ciphertext because the key is changed every time a sms is send. If the key is obtained in some way (ie. having physical access to the mobile phone) only the sms send from that time can be decrypted, all the previous messages are safe because the key renewal process is done in a destructive way, that means that you can't determinate the previous key used and decrypt the previous messages.

Go to top

This aplication needs a mobile phone or sms capable device with:

• J2ME / KVM virtual machine
• Connected Limited Device Configuration (CLDC) 1.0
• Mobile Information Device Profile (MIDP) 2.0
• Wireless Messaging API (JSR-120) 1.0
• Bluetooth API (JSR-82)
• File Connection and PIM (JSR-75)
• Mobile Media API (JSR-135)

A small list of devices that support this specifications:

• Nokia
  • All Series 40 Platform 3rd Edition
    • Nokia 6265, 6270, 6111, 6265i, 6126, 6131, 6136, 6125, 6282, 6233, 6234, 6165, 7370, 6280
  • All Series 60 Platform 2nd Edition
    • Nokia E50, 5500, N93, N73, N72, N71, N80, N92, E60, E61, 6600, 6620, 7610, 6260, 6630, 6670
  • All Series 80 Platform
    • Nokia 9500, 9300
• Sony Ericsson
  • K750, W800, K600, V600, Z520, W600, W550, W900, W810, Z530, W300, K510, K310, K610, K800, K790, W950, M600 and P990
• Motorola
  • A45, E1000
• Benq / Siemens
  • S75, SFG75, SL75, SXG75
• All SavaJe Phones
  • Jasper S20

The application uses the following libraries:

• Bouncy Castle Crypto APIs, available in http://www.bouncycastle.org
• MicroLog - Logger for JavaME, available in http://microlog.sourceforge.net

Go to top

The encription mechanism used in GoldenSMS is really simple and efficient, it ensures that the sms sent can't be read by anybody but the receivers phone, and it also ensures that if for some reason the secret hash used to encrypt the sms is found by an attacker only the sms sent after that can be decrypted, all the previous sms remain safe.

The following image explains how does the algoritm work:

The sender and the receiver share a secret hash that is used to encrypt and decrypt the SMS, this hash was created when the users decided to use the application to exchange SMS and was generated using one of the available methods:

• Pseudo-Random generated data
• Data from an picture taken at the moment of the key setup
• Data from a file in the mobile phone filesystem

The shared hash is created from one of the mentioned methods using the SHA-1 hash algoritm and is keeped on the mobile phone with the phone number of the other user.

When a sms is sent, the sms is xored with the secret hash of the previous sms (or the initial hash if this is the first sms) adn the resulting cyphertext is sent to the receiver mobile phone.

The SHA-1 hash of the sms replaces the previous hash for the destination user on the senders mobile phone.

When the user receives a sms the application is started by the PushRegistry and the application uses the secret hash of the previous sms (or the initial hash if this is the first sms) to decrypt the sms using the xor operation.

After sucessfully decrypt the sms, its contents are shown to the user and the SHA-1 hash of the sms replaces the existing hash for the sender on th receivers mobile phone.

Go to top

Here are some screenshots of the application using the emulator:

Go to top

You can install GoldenSMS in the following ways:

• Download the application to your PC and transfer the jar to your mobile phone using Bluetooth, data cable, Irda, Wifi (the available interfaces depends of the model of your mobile phone).
• Install Over The Air - in this installation you only need your mobile phone, however this may have cost involved because you are consuming traffic.

Go to top

Beta v1: 96.6 KB

Go to top

List of planned thing to do in future versions of the application:

• Change the contact list screen, use an ordered and searchable list for contacts.
• Submit the application to the Java Verified Program (http://www.javaverified.com)
• Improve UI design, make it look nicer. Probably use j2mepolish.
• Add support for internacionalization.
• Get a good certificate to avoid the need of user adding my certificate to the trusted list. Need to gather some houndreds of dollars, probably i get some donations :-)

Go to top

This aplication is licensed under the terms of the GNU Lesser General Public License
For details check the license terms or an explained version.

Go to top

You can contact me at this e-mail: rjlopes at gmail dot com

In case you have any problem using the application, want help, find a bug use the mailing list or the forum available in the support section.

Go to top

If you have any problem using the applcaition you can get help in the project forum or using the mailing list.

• Forum
• Mailing list

If you are sure you found a bug on the application please fill a bug report, please make sure that nobody already submited a bug for the same issue.

Go to top

1. Why do i need this application?
   You need this application if you are interested that the sms you send to another person be keep private, that means that nobody be able to read its contents.
2. How safe is it?
   The encryption mechanisms and the algoritm used are really safe, however a third party with many computational resources might be able to break the protection mechanism. After all everything can be breaked is just a matter of time, determination and enough resources.
3. What happends if someone has physical access to my mobile phone?
   He might be able to get a copy of the encryption keys, after that all messages send from that time might be compromissed, you should meet with your contact and create a new key.
4. Why does the application always ask me if i want to do XXXXX?
   That happends because the application is not signed, i had to buy a certificate to be able to sign the application, however the certificates are expensive (houndreds of dollars). But there is a workarround, you can add my certificate the trusted certificates of your mobile phone and the messages go away. You can find the certificate here

Go to top