GPG on your Android Phone

All the traffic coming off your phone, if unencrypted, is clear for the telco to see. With the advent of sniffing using RF or IP based solutions it is becoming increasingly easy to intercept email traffic. Toss in the mobile, on-the-go world and we are stuck with soft targets. For corporate folks there are certificates, but that isn’t a solution generally trusted for home users. Root CA are easy to compromise with the “everything goes” Microsoft and Linux root updates. Enter PGP/GPG which allows you to take out the middle man (although you can still use a key server if you choose) and validate the keys yourself. The “what if” can still be an issue, but overall for personal communications I find it the most secure method. With Android being a more open platform there exists solutions for sending secure emails on-the-go. First lets get some software installed on your phone. All of these are found in the Google Android Market or from the links provided:

These two packages together integrate to allow for seamless encrypt/sign on your mobile phone. There are some shortcomings you need to be aware of:

  1. APG does not support key servers yet so you will need to have your buddies keys on the phone or sent to you
  2. k9mail and Gmail App do not play friendly. They will coexist, but unless you disable one of their syncs you will constantly get dual alarms for each incoming message

With your Android phone now rocking the correct apps, it is time to get some keys on the phone to make this adventure worthwhile. Whats that you say, no keys? If you have a standard gpg install the commands below will get you up and running. PGP users are on their own mainly because I despise their program. Assuming you are on a UNIX system (what else would you use?)

  1. gpg –gen-key
  2. Hit enter to accept the defaults (DSA+Elgamal/2048bits)
  3. When asked for how long to make your key valid I recommend 1 year. 2 if you are feeling frisky
  4. Next steps are identification. Make sure they match what you use on your Signature block and SMTP identification.
  5. Done! Generated key will be in your home director ~/.gnupg
  6. Now to generate the Revocation Key in case you loose or compromise your key
    1. gpg –output revoke.asc –gen-revoke ‘name’
  7. Next we need something other than our private key to send to folks
    1. gpg –armor –output pubkey.txt –export ‘name’
  8. It isn’t supported by APG, but most GPG clients support searching for keys in the event of email receipt. MIT is the most popular location to search with PGP right behind them
    1. gpg –send-keys ‘name’ –keyserver hkp://pgp.mit.edu
  9. Verify your keys are there by doing: gpg –list-keys

Wow that was awesome! Your key is now searchable and accessible. There is little to make this more secure than self-signed certs until you get the key verified by your buddy. Fingerprints are the best way. Next lets grab the keys from our system and move them to the Android phone. The files are in your ~/.gnupg/*.gpg and move them to your SD card by whatever means you deem fit. If you use PGP Desktop then look for the *.asc files and move them to your phone.

Alright pick your android phone up. Due to the Android phone SUCKING for screenshots (something iPhones have done since 2.0) I am going to verbally walk you through it. Less interesting than pics, but all you are going to get.

  1. With APG open click Menu and Manage Public Keys
  2. When the screen changes click Menu again and select import
  3. Navigate to your SD Card location with the keys from ~/.gnupg and click the pubkey and import
  4. Click back to the main screen and this time click Menu and Manage Secret Keys
  5. Navigate to your SD Card location with the keys from ~/.gnupg and click the seckey and import
  6. Now lets add our Gmail account (assuming you have one…if you dont you are weird…) Menu -> Add GMail Account

Now we have APG setup and right now that really is only good for k9mail, though the developers have opened the API to any other program. Here is to hoping for a chat program or IRC client…Next go-to K9mail and I am going to assume you can figure out the configuration of your mail server. If you are reading this, chances are VERY good

  1. Click and hold on your account and select Advanced
  2. Click Cryptography at the bottom of the list
  3. Select APG as the OpenPGP Provider
  4. Select Auto-sign

Done! Thats all it takes to encrypt and sign emails from your Android device using GPG. Until APG adds keyserver support you will need to repeat the key import steps with your POC’s public keys. Good luck and happy encrypting