QKSMS is definitely the best replacement for the stock messaging app. It is nicely designed and has a lot of features that similar messaging apps lack. It's fully open source and available on the F-Droid repo, which means many known vulnerabilities of the dependencies are checked, and the strict rules set by the F-Droid team are met. Here I'll mention a few security features which would be nice to have (it should be noted, however, that the short messaging service is inherently insecure and any sensitive info can easily be detected and leaked by the service provider or detected by the govt.):
1. SMS Storage: SMS should be deleted immediately from the SMS database (as it's not secure) and stored in QKSMS' database (the latter is implemented). The storage could be encrypted as well.
2. Backup & Restore: Currently backup results in a single JSON file containing all SMS. Backups should be encrypted (provided the user wants to do so) using an encryption method such as PGP, or you could use OpenKeychain's API to do so.
3. Startup Security: A user should be able to "lock" this app so that SMS aren't readable unless unlocked by the user.
All three features are already included in other messaging apps such as Signal.
I really like the SMS storage suggestion. Knowing my SMS messages are locked behind a separate password would be nice.
(Sort of off-topic, but not..:))
Just.. wish there weren't so many permissions (yes, I can appreciate the requirements and complexity of the Android ecosystem) and also there are four trackers reported: https://reports.exodus-privacy.eu.org/en/reports/112638/
Every permission that is added is actually used by some user-facing feature or is simply required for SMS support, so I'm afraid there isn't much I can do there
Regarding the trackers, I can probably get rid of Mixpanel. Can't remember the last time I actually opened it
Amplitude and Firebase/Crashlytics are essential to my workflow however, so I don't see myself removing them from the Google Play version of the app anytime soon. That being said, these trackers are not included in the F-Droid releases, so you always have that option if you want to avoid them
> That being said, these trackers are not included in the F-Droid releases, so you always have that option if you want to avoid them.
Yeah. I was going to say just this. Thanks.
Regarding trackers, ACRA is an accepted tracker on F-Droid (but you have to disable any trackers on F-Droid by default anyway).
> Amplitude and Firebase/Crashlytics are essential to my workflow however, so I don't see myself removing them from the Google Play version of the app anytime soon.
I completely respect your decision on that. Users of Google Play Services are being tracked by Google already. There's no reason to remove them from the Google Play Store version of the app.
> I really like the SMS storage suggestion. Knowing my SMS messages are locked behind a separate password would be nice.
Yeah. This sort of implementation is already available, such as in Silence and Signal (the former was actually a fork of the latter). But these apps have some additional features which are irrelevant here.
> Every permission that is added is actually used by some user-facing feature or is simply required for SMS support, so I'm afraid there isn't much I can do there
> Regarding the trackers, I can probably get rid of Mixpanel. Can't remember the last time I actually opened it
> Amplitude and Firebase/Crashlytics are essential to my workflow however, so I don't see myself removing them from the Google Play version of the app anytime soon. That being said, these trackers are not included in the F-Droid releases, so you always have that option if you want to avoid them
An option to disable analytics when present would be nice for those who don't want any data being sent from their device.