Smack API 4.0.6

Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence. A pure Java library, it can be embedded into your applications to create anything from a full XMPP client to simple XMPP integrations such as sending notification messages and presence-enabling devices.

Download Smack API 4.0.6 Latest build: November 24, 2014

Smack API 4.0.6

Latest Blog Entries

Smack 4.1.0-beta1 available

The Ignite Realtime community is happy to announce the first beta version of the upcoming Smack version 4.1. Smack is an open source XMPP client library written in Java with multi-runtime support. It can be used with Java SE and Android runtimes. If you haven't done already now is the ideal time to grab Smack 4.1.0-beta1 and try it out. Compared to the alpha versions of 4.1 the API is considered stable and API changes are unlikely to happen.


Release highlights include support for XEP-198 Stream Management (disabled per default), improved multi-threading performance, improved MUC API and support for SCRAM SHA-1.


Everyone is invited to test beta1 in his projects. The community forum awaits your feedback and bug reports. Although the beta version has proven reliable so far, please only use it productive after intensive testing.


An incomplete list of API changes can be found in the Smack 4.1 Readme and Upgrade Guide. Please consult the Readme before using Smack 4.1.


As always, Smack 4.1.0-beta1 is available from Maven Central.

Tags: planetjabber , smack , release 0

Smack 4.1.0-alpha1 available

After months of hard work it's at the time to release the first alpha version of Smack 4.1, the open source Java XMPP client library, for testing purposes.


Smack 4.1 marks a milestone in the development history of Smack, as it's the first version that runs native on Android. This means that aSmack is no longer required and will be phased out in the future. Future aSmack releases will be solely form the stable 4.0 branch.


Together with support for Android, Smack 4.1 also adds support for XEP-198 "Stream Management" in smack-tcp. XMPP connections with enabled Stream Management provide acknowledgments of sent stanzas (and acknowledges received stanzas to the server) and allow transparent stream resumption in case of a network outage (for example because of a WiFi ↔ GSM switch on Android).


Smack 4.1.0-alpha1 is now available from Maven Central and we would welcome interested and adventurous users to try this early alpha release and provide feedback. For more information about using Smack 4.1 and how to include it in your Android project, consult the "Smack 4.1 Readme and Upgrade Guide".

Tags: planetjabber , smack , release 9

(a)Smack 4.0.0 released

5 months after the relase of Smack 3.4.1 the Ignite Realtime developer community is proud to annouce the first release of Smack 4, which marks a milestone in the development history of Smack. Smack has undergone a major overhaul and refactoring, including moving from Ant to Gradle and from SVN to git.


Smack 4 also includes security related fixes. Users are encouraged to update  as soon as possible.


Many people have helped to develop this release. We especially would like to thank


- Ryan Sleevi of the Google Chrome Security Team for reporting a security flaw in ServerTrustManager ( SMACK-410)

- Thijs Alkemad for reporting a security flaw regarding IQ spoofing ( SMACK-533, SMACk-538)

- Lars Noschinski for fixing the IQ spoofing flaws and adding support for roster versioning ( SMACK-399)

- Jens Offenbach for helping making Smack an OSGi bundle ( SMACK-343)


Since the API has changed in Smack 4, make sure to read the "Smack 4.0 Readme and Upgrade Guide".  A full changelog can be found in JIRA.

Tags: planetjabber , smack , release 6

(a)Smack 4.0.0-rc2 released

Six weeks after the release of the first Release Candidate (-rc1) of Smack 4, the Ignite Realtime Community is proud to announce the release of the second and likely final Release Candidate.


Smack 4.0.0-rc2 contains many improvements and bug fixes. The API underwent some major changes and is considered stable. Now is the perfect time to test (a)Smack 4.0 if you haven't already. Smack is available from Maven Central (direct link). aSmack can be obtained from


Make sure to read the upgrade guide and the previous blog post about Smack 4.

Tags: planetjabber , smack , release 4

(a)Smack 4.0.0-rc1 has been released

We are happy to announce the release of (a)Smack 4.0.0-rc1. This is the first aSmack release that is in sync with Smack's codebase and therefore marks an important milestone for Smack on Android. It is also the first non-snapshot release that is going to be available on the Maven Central Repositories (SMACK-265).


Smack 4.0.0-rc1 includes some major changes and important improvements including security related fixes. While this is marked as release candidate, users are encouraged to update because some important security bugs have been fixed. Please consult the "Smack 4.0 Readme and Upgrade Guide" for further information regarding the changes between Smack 3.4 and 4.0.


Previous Smack versions suffered from a missing "Basic Constraints" check in ServerTrustManager (SMACK-410): this allowed anyone with a valid CA-signed certificate for any domain to generate a certificate for any other domain that would be accepted by Smack's ServerTrustManager. Moxie Marlinspike found the same error in IE back in 2002 and wrote a detailed summary about it:

We would like to thank Ryan Sleevi of the Google Chrome Security Team for reporting the issue to us.


The fix for Smack was simply removing ServerTrustManager and the related code altogether. ConnectionConfiguration now only has a setting for a custom SSLContext. We shifted the responsibility for TLS certificate validation out of the library to the user, where it belongs. A fixed version of ServerTrustManager may return as an optional module in a future Smack release. Contributions are, as always, welcome.


A second important security vulnerability often found in XMPP implementations was made public by Thijs Alkemad aka xnyhps early this year. Affected implementations did not properly verify the 'from' attribute of IQ responses and were therefore vulnerable to spoofed IQ packets. You can read more about it here:


Thijs also reported Smack as vulnerable in SMACK-533 and SMACK-538. Thanks to Lars Noschinski, patches were quickly provided and Smack is now immune.


(a)Smack 4.0.0-rc1 is considered mature. It is marked as release candidate because we have only a small number of people who are testing the current (a)Smack development snapshot. We ask everyone using Smack in some sort of staging, development or non-critical production environment to try 4.0.0-rc1 and report any problems or feedback to the community forums.


Thanks to everyone working on Smack 4.0:


git shortlog -sn 3.4.1..4.0.0-rc1

   166  Florian Schmaus

    10  Lars Noschinski

     4  Georg Lukas

     2  Vyacheslav Blinov

     2  rcollier

     1  Daniele Ricci

     1  Jason Sipula

     1  XiaoweiYan

     1  atsykholyas


Besides the mentioned security issues, Smack 4.0 contains also many new improvments and other bugfixes. An overview of all resolved issues in Smack 4.0.0-rc1 can be found in JIRA


Smack 4.0.0-rc1 can be downloaded from maven central

aSmack 4.0.0-rc1 is avaiable as jar at

Tags: planetjabber , smack , release 3