Red Phone (For Android)

Red Phone (For Android)

Red Phone (For Android) - A call on a cell phone is, by no measure, a secure one. If it's not the NSA listening in, it could be local police, or just a clever hacker with a portable cell tower. If you need to share secrets, or just don't want to be part of a surveillance state, there's RedPhone for Android. This free app lets you seamlessly make fully encrypted Voice over IP (VoIP) calls to other RedPhone users on Android and Signal users on iPhone. Living the secure life has never been easier.

RedPhone was originally developed by famed security researcher Moxie Marlinspike, and was snatched up by Twitter when he joined the company in 2011. Though briefly unavailable, RedPhone has returned as an independent, open source project. (We first reviewed the product when it was in beta.) Whisper Systems also offers a secure texting app, appropriately called TextSecure.

Secure Calling in RedPhone
The first time you start up RedPhone, the app prompts you to register your phone number by tapping a button. And then you're done; that's it. RedPhone doesn't ask for passwords, logins, or even for users to create an account. The app is designed with privacy in mind, so it requires as little from you as it can. Note that RedPhone uses an SMS message to confirm registration, so don't bother installing it on a Wi-Fi only tablet.

In Redphone you'll find all your contacts, recent calls, a recently added dial pad, and favorite contacts. The stripped-down UI is likely by design, as one of the perks of RedPhone is that it seamlessly integrates into the Android dialer. If the person you're calling has RedPhone installed, then a dialog prompt will give you the option to make a secure call, or continue with an unsecure call. Or, choose someone to call from the Contacts panel of RedPhone, which only displays other RedPhone users.

RedPhone (for Android)When you receive a RedPhone call, the app displays a special Accept/Reject screen similar to that of a regular phone call. If you receive a call from an insecure line while making an encrypted call, the new caller will be dumped to voice mail but you'll receive no alerts.

For added security, both the caller and receiver will see the same random two-word passphrase. If you're concerned that someone is impersonating the person on the other line, you can speak the first word and have them speak the second. Dead-simple live authentication.

Because RedPhone can complete calls over Wi-Fi, you can actually switch your SIM cards and still be able to make secure RedPhone calls. You can even insert SIM cards from phones that have not previously been registered with RedPhone. If a Wi-Fi network is unavailable, the call will use your wireless data and not your talk minutes.

The downside of this nearly invisible approach is that you can't add contacts directly from RedPhone. The app could also use a good polish, as some elements don't always look clean or finished. For example, I could not for the life of me, figure out how to add contacts to my favorites list. The recent calls section of RedPhone is likewise confusing.

RedPhone in Action
I wanted to keep in touch with my partner without risking someone listening in on my calls while attending the Black Hat conference. She installed Whisper System's iOS app, Signal on her iPhone and I used RedPhone on a Samsung Galaxy S5$79.99 at Amazon. I occasionally had a hard time getting calls to connect, and had a few calls drop after connection was established. Sometimes, it sounded like my partner's voice was sped up and compressed, as if to make up for lag time. But most of the time, phone calls sounded great with little or no latency.

Back in the PC Labs, simple tests showed an average latency of 0.788 seconds over Wi-Fi. That's slower than a standard cell phone call, but most of the time I didn't notice. Note that I carried out all my testing in the United States, using both Wi-Fi and 4G LTE wireless service. Your mileage may vary.

While my testing did not include probing vulnerabilities in the RedPhone network or encryption scheme, I did notice one potential flaw with RedPhone: It assumes that you are the only person in possession of your phone and your phone number. While the call may be encrypted, if someone steals your phone, that person could impersonate you.

This could be addressed by prompting users for a password, but that would likely upset the app's ease of use. Then again, RedPhone aims to deliver accessible encryption without jumping through hoops.