Adium's security

An instant messenger which can connect to AIM, GTalk, Jabber, ICQ, and more.
Jonathan8
Harmless
Posts: 5
Joined: Sat Feb 03, 2007 3:06 pm

Post by Jonathan8 »

Hi everyone,

I just downloaded Adium 1.0 and I must say, I'm impressed.
The following post is by no means an (indirect) insult on Adium, but more asking for a confirmation of what I think (that it is a secure app, since it even uses Keychain).

For instance, how secure is it to connect to your messenger service (in this case MSN) with Adium? To investigate this, I used a Mac Firewall called LittleSnitch, of which the results are displayed below.
Adium 1.0:
redux.adiumx.com on TCP port 80 (http)
207.46.28.93 on TCP port 1863 (msnp)
by2msg2104614.phx.gbl on TCP port 1863 (msnp)
65.54.179.228 on TCP port 443 (https)
by2msg1262112.phx.gbl on TCP port 1863 (msnp)

MSN's standard Microsoft Messenger 6.0.1 client:
by1msg4246211.phx.gbl on TCP port 1863 (msnp)
65.54.183.202 on TCP port 443 (https)
As you can see, the IP addresses for the https connection don't match, but this probably is caused by MSN themselves (who spread load across multiple servers).

What information is sent to redux.adiumx.com?

In addition, why connect to so many MSN protocols in a relatively short time span (5 min.)? Is this because MSN won't let Adium have one connection for the whole session?

I do know that Adium X 1.0 is certified by Softpedia to not contain any Spyware, but I would like to check to make sure how the security system really works.

Softpedia's certification, tested on 18 May 2005

I do question how they could have tested version 1.0 on 18 May 2005?
networkredux
Harmless
Posts: 1
Joined: Sat Feb 03, 2007 7:43 pm

Post by networkredux »

I can help you with a portion of your question.

The Adium client is checking in with redux.adiumx.com to verify versioning, comparing versions available to what you are running. If your version is out of date, the client will give you an option to upgrade before proceeding.

I'm sure someone from the Adium development team can provide you with additional insight and details regarding your questions.

Thanks

Thomas Brenneke
Network Redux, LLC
http://www.networkredux.com
evands
Cocoaforge Admin
Posts: 3152
Joined: Thu Dec 02, 2004 10:55 pm
Location: Decatur, GA

Post by evands »

When connecting to MSN, a client does not connect to a single IP address and go from there. Instead, in the course of connecting, the client communicates with one or more servers, and you're right that there are a large number of servers which are "randomly" used -- presumably by "randomly" we mean some sort of automatic load balancing on the part of Microsoft. Retrieving buddy icons and information from users can also trigger connections to different "switchboard" servers, which changes the number and kind of IPs contacted. Finally, MSN Messenger 6 uses a different version of the MSN protocol than Adium 1.0 does (Messenger 6's is slightly newer -- we're hoping to upgrade to that version at some point in the future), which certainly could cause various differences.

As far as redux.adiumx.com: That is contacted when pulling in version information in the form of an RSS feed (http://www.adiumx.com/sparkle/appcast.xml). If you enable sending of anonymous usage data (for which you were prompted the first time Adium did a version check, probably when you first launched 1.0), other information is sent. At the time you were prompted, there was a toggle to view all that info... I do not know of a way to get back to that window in Adium 1.0, though adding one in the future would be a good thing for setting people's minds at ease if they later forget what they read.

The data which is sent is the various statistics visible at http://www.adiumx.com/sparkle and no more. No individually identifying or private data is or ever will be sent. We even expressly set up the server not to retain logs of IP addresses for version checking so we're not 'accidentally' collecting potentially identifying data.

Hope that helps set your mind at ease,
Evan
The duck still burns.
--
My company: Saltatory Software. Check it out :)
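
The comparison made in this thread can be done mechanically. The following is an added example, not part of any post and not Adium code: it parses the two Little Snitch listings quoted in the first post and reports flows the reference client does not have. The function names, the last-two-labels grouping and the rule that bare IPs on a shared port count as load balancing are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Little Snitch lines exactly as quoted in the first post of the thread.
ADIUM = """\
redux.adiumx.com on TCP port 80 (http)
207.46.28.93 on TCP port 1863 (msnp)
by2msg2104614.phx.gbl on TCP port 1863 (msnp)
65.54.179.228 on TCP port 443 (https)
by2msg1262112.phx.gbl on TCP port 1863 (msnp)
"""
MESSENGER = """\
by1msg4246211.phx.gbl on TCP port 1863 (msnp)
65.54.183.202 on TCP port 443 (https)
"""

LINE = re.compile(r"^(\S+) on (TCP|UDP) port (\d+) \((\w+)\)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(report):
    """Return (host, transport, port, service) tuples; reject unknown lines."""
    conns = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        host, transport, port, service = m.groups()
        conns.append((host, transport, int(port), service))
    return conns

def destination_class(host):
    """Collapse per-server names: bare IPs -> '<ip>', names -> last two labels
    (a crude stand-in for a public-suffix lookup)."""
    return "<ip>" if IPV4.match(host) else ".".join(host.split(".")[-2:])

def profile(report):
    """Map (transport, port, service) -> set of destination classes."""
    prof = defaultdict(set)
    for host, transport, port, service in parse(report):
        prof[(transport, port, service)].add(destination_class(host))
    return dict(prof)

def unexplained(candidate, baseline):
    """Flows in candidate whose service or destination class the baseline lacks."""
    base, out = profile(baseline), []
    for key, classes in sorted(profile(candidate).items()):
        extra = classes - base.get(key, set())
        if key in base:
            extra.discard("<ip>")  # assumption: bare IPs on a shared port are load balancing
        out.extend((key, cls) for cls in sorted(extra))
    return out
```

Run against the two listings, the only flow left over is the port 80 connection to adiumx.com, which is the version check described above.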
Jonathan8
Harmless
Posts: 5
Joined: Sat Feb 03, 2007 3:06 pm

Post by Jonathan8 »

Thank you all very much for your informative replies, I now trust Adium far more. Probably I will use Adium now as my main IM client, since I now know for sure it is secure.

I will enable the anonymous data function straight away, since I think that will help the development of Adium (does it?).
evands
Cocoaforge Admin
Posts: 3152
Joined: Thu Dec 02, 2004 10:55 pm
Location: Decatur, GA

Post by evands »

Jonathan8 wrote: I will enable the anonymous data function straight away, since I think that will help the development of Adium (does it?).
We've never had such a feature before 1.0, but we're hoping that aggregate anonymous data can help us prioritize feature requests, predict the impact of changes in OS X version requirements, and know how useful new functionality that might require certain hardware would be to our userbase as a whole.
Jonathan8
Harmless
Posts: 5
Joined: Sat Feb 03, 2007 3:06 pm

Post by Jonathan8 »

I've another question: I read somewhere that Gaim/Pidgin stores passwords as plain text on the computer. Since AdiumX seems to be based on Gaim, does Adium store passwords as plain text?
bgannin
Growl Team
Posts: 1817
Joined: Thu Dec 02, 2004 8:11 am
Location: ..here

Post by bgannin »

No, we store passwords in Mac OS X's Keychain.
Try my software!

#define ADIUMX pimp //by me
#define QUESTION ((2b) || (!2b))
Have you hugged a programmer today?
Catfish_Man
Cocoaforge Admin
Posts: 1203
Joined: Thu Dec 02, 2004 6:30 am
Location: Portland, Oregon

Post by Catfish_Man »

You can find graphs of the collected data at http://www.adiumx.com/sparkle
The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Post by The_Tick »

On a side note:

Softpedia generally passes whatever software it can in order to boost their numbers. I've not seen any indication that they do more than just post application information for mac applications.

In some circles of the mac software community they are regarded as a joke.