yaxim 0.8.8 - Important Security Update

yaxim’s stated first goal is security. Unfortunately, there are days when you realize you failed hard at reaching that goal. All versions of yaxim before 0.8.8 are vulnerable to a Man-in-the-Middle attack, where an active attacker can redirect and read all your traffic by using a valid SSL certificate for his own server.

Please update immediately to 0.8.8 (ChangeLog, commit history)!

Man-in-the-Middle Vulnerability

yaxim has fallen victim to the problem known as CVE-2014-5075, allowing attackers to hook into the connection between yaxim and your server, and to read all your data (including your XMPP password!).

It is not known whether this vulnerability has ever been exploited in the wild. Therefore you should immediately upgrade yaxim and change your XMPP server password. The latter can also be done from within yaxim 0.8.8.

New Password Change Dialog

Previous versions of yaxim only allowed changing the password stored in yaxim, not the one on the server.

Because changing your XMPP password is an important security measure, and the embarrassing vulnerability that has existed in yaxim over the last years forces the author to make this possible, the password change dialog now lets you change your password both locally and on the server:

server password change dialog

If you only want to change the password in yaxim, but not on the server, just untick the box:

local password change dialog

Because the XMPP password is stored in yaxim’s (unencrypted) preferences, and most users do not remember their XMPP password anyway, this mechanism does not require entering the old password. If you consider this a security problem, please do not give your smartphone to potential pranksters.

In related news, the startup wizard now also requires you to re-enter the password when registering a new account.

Other Security Improvements

As of now, yaxim will try TLSv1.2 or TLSv1.1 first on Android 4.0 and later; older Android devices are unfortunately limited to TLSv1. SSLv3 is no longer accepted, in accordance with current recommendations.
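As an added illustration (not yaxim’s own code), the following Java snippet shows the two checks a client needs against the attack described above: it enables only TLS versions the platform supports (never SSLv3) and, after the handshake, rejects a certificate that is valid but issued for a different name. It assumes the missing check in CVE-2014-5075 is hostname verification, that the platform’s default `HostnameVerifier` is acceptable, and that `xmppDomain` is the account’s XMPP domain rather than the SRV-resolved host.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public final class XmppTlsHardening {
    // Preference order. SSLv3 is deliberately absent, so it is never enabled.
    private static final String[] PREFERRED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Returns the subset of PREFERRED that the platform supports, in order. */
    static String[] chooseProtocols(String[] supported) {
        List<String> available = Arrays.asList(supported);
        List<String> enabled = new ArrayList<String>();
        for (String p : PREFERRED) {
            if (available.contains(p)) {
                enabled.add(p);
            }
        }
        if (enabled.isEmpty()) {
            // Old device with only SSLv3: refuse rather than fall back.
            throw new IllegalStateException("no acceptable TLS version supported");
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    /**
     * Restricts the protocol list, runs the handshake (chain validation happens
     * there), then verifies that the presented certificate matches xmppDomain.
     * A valid certificate for some other server fails this check.
     */
    static void hardenAndVerify(SSLSocket socket, String xmppDomain) throws IOException {
        socket.setEnabledProtocols(chooseProtocols(socket.getSupportedProtocols()));
        socket.startHandshake();
        // Assumption: the platform default verifier applies RFC 2818 name matching.
        HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
        SSLSession session = socket.getSession();
        if (!verifier.verify(xmppDomain, session)) {
            socket.close();  // close before any XMPP data (e.g. the password) is sent
            throw new IOException("certificate does not match " + xmppDomain);
        }
    }
}
```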

Furthermore, with this release it is no longer possible for third-party apps on your phone to access yaxim’s contact list or chat history. This issue was reported by Tarek Saier, and the fix is included in 0.8.8.

Improvements have been made to the packet queue handling with XEP-0198, helping with very laggy connections.

User Interface Changes

The status dialog has been revamped by Joerg Mensmann. Now it features colorful icons in the status drop down menu as well as auto-completion for your old status messages:

new status dialog

A new setting allows you to disable contact group display, moving all your contacts into one large group.

Furthermore, the “OK” button for sending chat messages has finally been aligned to the bottom of the window, so it no longer moves up when you type a long chat message, and there is a new “huge” setting for the chat window font.