OpenKeychain is a free and open-sourcemobile app for the Android operating system that provides strong, user-based encryption which is compatible with the OpenPGP standard. This allows users to encrypt, decrypt, sign, and verify signatures for text, emails, and files. The app allows the user to store the public keys of other users with whom they interact, and to encrypt files such that only a specified user can decrypt them. In the same manner, if a file is received from another user and its public keys are saved, the receiver can verify the authenticity of that file and decrypt it if necessary.
Together with K-9 Mail, it supports end-to-end encrypted emails via the OpenPGP INLINE and PGP/MIME formats. The developers of OpenKeychain and K-9 Mail are trying to change the way user interfaces for email encryption are designed. They propose to remove the ability to create encrypted-only emails and hide the case of signed-only emails. Instead, they focus on end-to-end security that provides confidentiality and authenticity by always encrypting and signing emails together.
Reception
OpenKeychain is listed on the official OpenPGP homepage and the well-known developer collective Guardian Project recommends it instead of APG to encrypt emails. TechRepublic published an article about it and conclude that "OpenKeychain happens to be one of the easiest encryption tools available for Android." The publisher Heise reviewed it in their c't Android magazine 2016 and discussed OpenKeychain's backup mechanism. The academic community uses OpenKeychain for experimental evaluations: It has been used as an example where cryptographic operations could be executed in a Trusted Execution Environment. Furthermore, modern alternatives for public key fingerprints have been implemented by other researchers. In 2016, the German Federal Office for Information Security published a study about OpenPGP on Android and evaluated OpenKeychain's functionality. OpenKeychain has been adapted to work with smartcards and NFC rings resulting in a usability study published on Ubicomp 2017.
Funding
The OpenKeychain developers participated in 3 Google Summer of Code programs with a total of 6 successful students. In 2015, one of the main developers got a one-year funding to improve the OpenPGP support in K-9 Mail paid by the Open Technology Fund.
History
OpenKeychain has been created as a fork of Android Privacy Guard in March 2012. Between December 2010 and October 2013 no new version of APG was released. Thus, OpenKeychain has been started with the intention of picking up the development to improve the user interface and API. A first version 2.0 has been released in January 2013. After three years without updates, APG merged back security fixes from OpenKeychain and some months later rebased an entire new version on OpenKeychain’s source code. However, this process stopped in March 2014, while the OpenKeychain developers continued to regularly release new versions. A number of vulnerabilities found by Cure53 have been fixed in OpenKeychain. These are still not fixed in APG since its last release in March 2014. Since K-9 Mail version 5.200, APG is no longer supported as a cryptography provider.
