For #Conversations_im I literally developed the UI first. I had a somewhat working UI before I was able to put a single #XMPP message on the wire.

A shared library between different platforms is a good thing. People are trying to do this in XMPP (Snikket SDK, Macaw, Prose) and if I were to start something new for Conversations I'd use something like Kotlin Multiplatform too.

However there is also value in diversity of implementations and the good ideas will prevail concept of XMPP.

I'm on my way back from the Berlin XMPP Sprint and had a fantastic time. Thank you so much @debacle for organizing it, and thank you to everyone who participated. It was especially cool to see some new faces; it's pretty amazing that the #XMPP developer community is still able to attract new talent.

I made good progress on finally being able to show full-size avatars (profile pictures) in #Conversations_im. Stay tuned to learn more about that towards the end of this week.

Conversations 2.18.2 is available on Google Play and has client side mitigations for a server side security issue that was recently discovered and fixed in #ejabberd¹ and #OpenFire²

Go update your server. But just in case that takes a minute Conversations has your back too!

This release also fixes an issue with restoring (importing) backups on recent Android versions.

¹: process-one.net/blog/ejabberd-…
²: github.com/igniterealtime/Open…

#XMPP #Conversations_im

ejabberd 25.04

Just a few weeks after previous release, ejabberd 25.04 is published with an important security fix, several bug fixes and a new API command.

^{Jérôme Sautret (ProcessOne)}

#Conversations_im has the ability to fetch outage status information from an independent server and display that in case the regular #XMPP server can not be reached.

This is powered by XEP-0455 (xmpp.org/extensions/xep-0455.h…).
TLDR: Server gives client a URL to a JSON file during normal connects, client will hold on to that URL and fetch the JSON file in case server is unreachable.

Security audits are a funny thing. We lack the (financial) resources for regular, thorough penetration tests. However I’m aware that some of the higher profile users of #Conversations_im occasionally perform audits without my direct involvement and without publishing it afterwards. Those audits aren’t adversarial as indicated by them wanting me to fix what they find.

The funniest instances are when they want to be credited for finding an issue but refuse to make the audit public.

A big thank you to Radically Open Security for performing the audit and to @nlnet for funding it.

Radically Open Security has been a long term partner of #Conversations_im ever since they did the first #OMEMO audit back in 2016!

Recent audit: conversations.im/2025_audit_co…
OMEMO audit: conversations.im/omemo/audit.p…

A recent security audit of #Conversations_im¹ found that wildcard certificate handling didn’t fully comply with the spec.

Conversations was accepting *.a.example for c.b.a.example, even though wildcards are only meant to match a single label.

This issue has been fixed in version 2.18.0, now live on Google Play.

¹: conversations.im/2025_audit_co…

#XMPP #Jabber

I think I’ve found a relatively nice solution for #FediLinks in #Conversations_im.

You can put web+ap URIs into a message (or room description) and ideally a click on those will open your Mastodon client. However if no installed app supports those (the only app that I’m aware of is Fedilab) Conversations will open a browser instead.

Currently no app will create web+ap links but it is fairly easy to handcraft them.

cc @SoniEx2

#XMPP #ActivityPub

For the next #Conversations_im release I’m refactoring how URIs are linked / made clickable. I’m adding a bunch of URI schemes like tel and mailto on top of the existing xmpp, http(s) and geo but removing support for "things that look like web URLs but aren’t actually URIs" (like 'example.com') to avoid some false positives.

Once the 2.18.0-beta comes out tomorrow or so let me know if you see things that isn’t matched and should be matched or vice versa.

Is there any #ActivityPub / #Mastodon URI scheme used in the wild that would allow me to open an ActivityPub account directly in my Android app?

I've seen 'acct' and 'web+ap' mentioned but none seem to be implemented.

The goal is that given a text of "Here is my Mastodon profile acct:daniel@gultsch.social" #Conversations_im can link that directly into #Tusky. (Just like mailto and xmpp URIs open my E-Mail or IM app respectively)

Have @apps or @Tusky considered that? If not why not?

If you're still recommending #Signal, you may have missed the tech oligarchs' takeover of the US government. The best time to recommend European alternatives was 8 years ago; the second best is now.

#Conversations_im #XMPP #Jabber

I'm skipping #FOSDEM this year, but the #XMPP Standards Foundation will be there! Stop by the Realtime Lounge¹ to chat about XMPP, pick up some merch, and maybe grab a #Conversations_im sticker—while supplies last! 🚀

¹: xmpp.org/2025/01/xmpp-at-fosde… (K building 2nd floor, beside the elevator)

XMPP

XMPP - The universal messaging standard

^xmpp.org

I don’t usually do this kind of evangelism, but if you’re looking for a reason to try #XMPP on #GlobalSwitchDay, now’s the perfect time: #Conversations_im is currently free on Google Play!

play.google.com/store/apps/det…

I love open source, and I want young people to know there’s a career path outside of #FAANG. Open source can be financially sustainable—it just gets super hard if one of your key goals is making your investors even richer. #Conversations_im is about the same age as #Matrix. I never took VC funding, and I’m doing fine.

#OpenSource

⚠️ 🚨 It’s time to stop using Blabber.im 🚨⚠️

The abandoned fork of #Conversations_im has a critical security issue: attackers can bypass STARTTLS negotiation, resulting in an unencrypted connection to a fake server. This vulnerability is similar to the STARTLS attack discovered in various email clients¹

✅ Fixed in Conversations 2.13.1 (Feb 2024)

📢 Please migrate to Conversations immediately! It's free on Google Play until the end of the year and always free on #fdroid

¹: archive.fosdem.org/2024/schedu…

FOSDEM 2024 - [Protocols] Security of STARTTLS in the E-Mail Context

^{archive.fosdem.org}

This is also free from trackers!
reports.exodus-privacy.eu.org/…

And you can get it on #fdroid too!
f-droid.org/en/packages/eu.sia…
#Conversations_im

Conversations | F-Droid - Free and Open Source Android App Repository

Encrypted, easy-to-use XMPP instant messenger for your mobile device

^f-droid.org

Continuing a decade-long tradition #Conversations_im is currently available for free on Google Play.

play.google.com/store/apps/det…

Merry Christmas 🎄 Happy Holidays ☃️ and have fun at #38C3

Conversations (Jabber / XMPP) - Apps on Google Play

An encrypted, user friendly XMPP instant messaging client optimized for mobile

^{play.google.com}

Did you know that you can configure custom notification sounds per contact or group chat in #Conversations_im?

Apparently not many people knew that so the next version will make, what essentially is a native Android feature, easier to access via the overflow menu of contact or group chat details.

gultsch.video/w/8wZSkoad1bv4VH…

Conversations: Custom notifications

Conversations 2.17.7 makes it easier to configure custom notifications for contacts and channels

^PeerTube

After the next #Conversations_im update have a look at our new Chat Bubble Settings. We are now providing a few customization options that, among other things, allow you to render all message bubbles left aligned.

In combination with the setting that turns off the background color, this is relatively close to what Dino or other team messengers look like.

In 2015 I spent a couple of weeks in Singapore and I still remember sitting at a café and implementing the feature that merges multiple messages into the same bubble.

Today this feature has been removed from #Conversations_im in favor of moving the bubbles closer together. This gives better control over per messages actions such as sharing, quoting or adding a reaction.

I installed #Signal and #Conversations_im on a clean install of #GrapheneOS on my Pixel 4a and measured the battery impact. The results are shocking!

Both messengers had only one contact: my regular phone.

I used my regular phone to send messages to the Pixel 4a (which was not used for anything else over the course of the experiment).

I always sent the same message via Signal and #XMPP (mixing up which app went first). In total I sent ~32 messages in intervals of 10mins to a few hours.

Should #Conversations_im add stun.conversations.im as a fallback for #XMPP servers missing XEP-0215: External Service Discovery?

I’ve hesitated to add anything resembling "calling home" (no update checker, no metrics).

However, the main goal here wouldn’t be improving A/V call success (though it helps) but making P2P file transfers more reliable. Many servers still lack HTTP Upload, and the refactored Jingle File Transfer would benefit greatly from a fallback STUN server.

• Yes (72%, 63 votes)
• No (27%, 24 votes)

For those who can’t wait for Emoji Reactions I made #Conversations_im available for free on Google Play for the next couple of days.

play.google.com/store/apps/det…

(Note that the Google Play version has some drawbacks like no address book integration and no public channel discovery. For channel discovery you can use search.jabber.network directly.)

Conversations (Jabber / XMPP) - Apps on Google Play

An encrypted, user friendly XMPP instant messaging client optimized for mobile

^{play.google.com}

#Conversations_im has just surpassed 250,000 installs on Google Play. 🥳

The official, publicly visible, install badges are handed out for 100k and 500k. Growth has been very linear over the last ten years so stay tuned for the next big milestone in 2034! 😜