What the title says. I’m trying to discern if using a number acquired and served through JMP for phone and text, versus a mobile carrier, provides a better data security and privacy experience.
On the one hand I wouldn’t be subject to the almost yearly data breaches that a number of the carriers experience, nor their potential snooping. However on the other, I’m not sure if using JMP and Cheogram actually provides any increase in privacy or security on that front?
It depends on what your threat model is. For example, do you want to mitigate the ability to easily link accounts and other information to you based on a single phone number? If so, then this will help with that assuming you (at least temporarily) use multiple numbers through JMP. On the other hand, if you want your communication to be private then there are better alternatives.
Ultimately, this is similar to using a privacy respecting email provider over gmail. Unless you take some additional precautions, your communications have a similar security/privacy exposure. It can be an improvement (assuming you trust JMP), but it is not the best means of communication in terms of privacy.
Any 3rd party security audit that would help on this specifically?
How not? Cheogram is using xmpp, no? Just using jmp as a 3rd party service to give you a number. Right?
I’m hosting my own xmpp server to have better control over my data, ensuring the in-app texting is secure. Of course over a mobile number of a text recipient, they’re still vulnerable to normal carrier bs and therefore so would my messages be exposed. But I think cutting back shows and potential to block the spam calls
That’s correct, but the XMPP portion of this communication chain is just your device to the JMP service. Any messages sent or received to another phone number are delivered via SMS/MMS. As a result, those messages can be read by unrelated 3rd parties. I assume something similar is possible for voice calls as well (or at the very least the call start/stop times and the other number on the call can be determined).
Essentially this just shifts trust from a mobile phone carrier to JMP. However, I understand that it may be more challenging to hack a VOIP number than perform a SIM swap attack. Another benefit of JMP for privacy is the more challenging tracking of location for a JMP phone number.
I’m not saying that using JMP is bad. I am saying if you need a secure and private way of messaging someone then this is not the best solution.
I think if anything the appeal to me is to be able to jump ship on a number anytime I feel it’s too compromised, with minimal registration requirements-- I.E. personal information. For any communications that are more sensitive, I typically use encrypted mediums.