Let us begin our review of the RedPhone Android app from Open Whisper Systems with a brief history of the company itself. Since the early inception of the modern smartphone, security of calls has been a concern for many users. In 2010, Moxie Marlinspike (pseudonym) and Stuart Anderson started a small start-up to address Android mobile phone security issues. In May of 2010, they released an app for the Google Android mobile platform called RedPhone. RedPhone was the first voice over Internet protocol (VoIP) program that allowed Android users to make end-to-end encrypted phone calls between other RedPhone users.
In November 2011, Twitter was looking for skilled people to improve its own security. They bought Whisper Systems for an undisclosed amount and its two talented founders went to work for them. Initially they took RedPhone offline, but people complained because many protesters used RedPhone during the Arab Spring. In July of 2012, Twitter released RedPhone as a free and open-source app under the general public license version 3 (GPLv3).
In January 2013, Marlinspike left Twitter to again take up the cause for mobile privacy and security. He did this by starting up the open-source project Open Whisper Systems to continue development on the RedPhone app for Android and its sister app, TextSecure. The project is funded by community donations of both time and money, as well as grants. Our review found that the project team consists of a small dedicated core development team and a group of volunteers. Open Whisper Systems' stated goal is to make it easy for anyone to secure their mobile device communications. Revelations that came to light in June of 2013 illustrated that such apps were not only needed, but that they were an absolute necessity if we wanted to keep our communications private and secure.
In June 2014, the Secure Messaging Scorecard, a project of the Electronic Frontier Foundation (EFF), gave the RedPhone app 7 out of 7 checks. RedPhone received checks for being encrypted in transit, being encrypted in a way such that Open Whisper Systems could not read it, allowing users to verify the identity of the person they were speaking with, protecting past communications if future keys are stolen, having code open to independent review, properly documenting the security of RedPhone, and having its code audited recently. Open Whisper Systems’ other two apps (TextSecure Private Messenger for Android and Signal Private Messenger for iOS) also received 7 out of 7 checks on the EFF scorecard. Signal is an application which integrates TextSecure and RedPhone into a single app for iOS devices.
Private Calling with RedPhone for Android
Now that we have reviewed a little bit about the history of the Open Whisper Systems project, let us examine the RedPhone app itself. RedPhone works similarly to Skype and Google Voice. It is a VoIP app that sends your phone calls over Wi-Fi or data via the Internet. It is compatible with Signal for iOS and provides a cross-platform communication tool for encrypted voice phone calls. It differs from the other mentioned apps in that it lets you encrypt the entire call end-to-end if both users run either RedPhone or Signal. It integrates into the standard Android phone dialer so you can use it to call everyone on your contact list. This means that if you make a call using the regular dialer and the person you are calling has either RedPhone or Signal, it will prompt you to encrypt the call. You must first install and register your phone before you can use the app to make encrypted VoIP calls. Follow these steps to install and register the app.
Installing and registering the RedPhone app on your Android phone:
- Step 1 – Download the RedPhone app from the Google Play store and install it
  - Tap “Install” and accept the Terms of Service (app permissions) by selecting “Accept.”
  - The app will download and install automatically.
  - Note – If you do not agree to the app permissions, the installation will cancel.
- Step 2 – Configuration and initial setup
  - Register your phone – enter your country (where the SIM card was purchased) and phone number and press register
  - You will receive an SMS message with a 6-digit code to verify your registration
  - If no SMS is received, you can select to hear an automated 6-digit voice code.
  - Verify your registration
To make a call using the app once it has been installed and you have verified your phone number, simply run the app and select the person you want to call from your contact list. If your recipient has either Signal for iOS or RedPhone for Android installed, the call will be encrypted and two orange words will appear on your screen. Read these words aloud to verify that the connection has been secured. If the words on your screen differ from those on the screen of the person you called, it means the call is not secure and you should hang up. That’s all there is to it. The RedPhone app has a few basic options. It will allow you to look at your contacts who use RedPhone or Signal, display your call history (incoming calls, outgoing calls, and missed calls), show your frequently called contacts, and allow you to use a dialer to call phone numbers not in your contact list. If you try to make a call to a contact that does not have either Signal or RedPhone installed, it will prompt you to send them an unsecured SMS message to install the RedPhone app. This allows RedPhone to be a full replacement for your core Android dialer. Below are a few screenshots of the RedPhone app in action.
The RedPhone app uses the ZRTP protocol to set up an encrypted VoIP channel for the actual call and AES-128 in CBC mode encryption for the data. ZRTP is the protocol developed by Phil Zimmermann and is also used by Silent Circle in their Silent Phone app. Calls made using either RedPhone or Signal benefit from forward secrecy because new keys are generated for every call. This limits the security liability if a future key is compromised.
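The word check described above can be modeled in a few lines. This is an added example, not RedPhone's code and not ZRTP's actual key derivation: it shows fresh keys per call and why the two words stop matching when someone sits between the callers. The toy group, the syllable table standing in for the real word list, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, illustration only): the Mersenne
# prime 2**127 - 1 is far too small for real use.
P = 2**127 - 1
G = 3
# Constructed syllable table standing in for the word list a real client uses.
SYLLABLES = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
             "no", "pu", "ra", "se", "ti", "vo", "wu", "za"]


def keypair():
    """Fresh ephemeral key pair, generated for one call and then discarded."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(my_priv, their_pub):
    return pow(their_pub, my_priv, P).to_bytes(16, "big")


def sas_words(secret, pub_a, pub_b):
    """Map 16 bits derived from the call's secret and key exchange to two words."""
    transcript = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    digest = hmac.new(secret, b"SAS" + transcript, hashlib.sha256).digest()
    return tuple(SYLLABLES[b >> 4] + SYLLABLES[b & 0x0F] for b in digest[:2])


def honest_call():
    """Both phones exchange keys directly; returns (caller words, callee words)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (sas_words(shared_secret(a_priv, b_pub), a_pub, b_pub),
            sas_words(shared_secret(b_priv, a_pub), a_pub, b_pub))


def intercepted_call():
    """A relay substitutes its own public key toward each side of the call."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    # The caller sees (a_pub, m_pub); the callee sees (m_pub, b_pub).
    return (sas_words(shared_secret(a_priv, m_pub), a_pub, m_pub),
            sas_words(shared_secret(b_priv, m_pub), m_pub, b_pub))
```

In the honest case both sides always display the same pair of words; in the intercepted case each side has agreed a different secret with the relay, so the words they read to each other do not match.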
RedPhone was designed specifically for mobile devices, using audio codecs and buffer algorithms tuned to the characteristics of mobile networks. It was designed with speed in mind and Open Whisper Systems has servers in 10 different countries to help lower call latency. The RedPhone app uses push notifications to preserve your device’s battery life and ensure that your call is still sent, even if your recipient has their phone off. This allows RedPhone to provide fast, highly available, high quality mobile voice communications for its users.
RedPhone Review: Conclusion
The Open Whisper Systems team is a small community of volunteers and a grant-funded core development team. They work to provide secure, easy-to-use mobile privacy apps for everyone. Their current apps include TextSecure Private Messenger for Android, RedPhone: Private Calls for Android, and Signal Private Messenger for iOS. The RedPhone app provides a secure cross-platform communication tool that allows its users to make private calls to not only other RedPhone users, but also Signal for iOS users. The VoIP calls are sent using Wi-Fi or data over the Internet. Once the RedPhone app is installed, it integrates seamlessly with your Android device’s core dialer and contact list so that you can easily make secure, private calls with friends and family using your mobile phone.
Our review also showed that the RedPhone app is secure enough for your business calls as well. It uses the ZRTP protocol to set up an encrypted VoIP channel between callers. For the actual call data, it uses AES-128 encryption in CBC mode. Encryption is done locally on the callers' devices before transmission, so not even Open Whisper Systems can access your private calls. Its code is open source and available free for others to use, modify, or improve upon under general public license version 3 (GPLv3). We recommend that you try RedPhone out for yourself and recover the privacy you once had when communicating with others using your Android phone.