RedPhone Beta (for Android) review

RedPhone Beta for Android gives you a lightweight, free, dead-simple way to make encrypted phone calls, but don't expect anything more.

Owning a smartphone means opening yourself up to new attacks on your privacy, but it also means having the ability to fight back. RedPhone Beta for Android is a smart and free app that lets you make and receive encrypted voice calls to other RedPhone users.

RedPhone Beta was originally developed by the famed security researcher Moxie Marlinspike, and was snatched up by Twitter when he joined the company in 2011. While briefly unavailable, it has returned as an open source project.

The first time you start up RedPhone, the app will prompt you to register your phone number by tapping a button. And then you’re done; that’s it. RedPhone doesn’t ask for passwords, logins, or even for users to create an account. The app is designed with privacy in mind, so it requires as little from you as it can.

Secure Calling in RedPhone Beta
Once registered, users have two options for making encrypted calls. The first is to use the RedPhone app itself, which accesses your phone’s contacts list, recent calls, and favorite contacts. There is, noticeably, no dialer pad to enter a number. The stripped-down UI is likely by design, as one of the perks of RedPhone Beta is that it seamlessly integrates into the Android dialer—which is the second way to place a RedPhone call. Launch the built-in phone app as normal and dial a number. If the person you’re calling has RedPhone Beta installed, then a dialog prompt will give you the option to make a secure call, or continue with an unsecure call.

Once a call is placed through RedPhone Beta, it becomes a VoIP call—meaning that calls can be placed through Wi-Fi, even when mobile data networks are unavailable. If a Wi-Fi network is unavailable, the call will use your wireless data and not your talk minutes.

Because RedPhone can complete calls over Wi-Fi, users can actually switch their SIM cards and still be able to make secure RedPhone calls. They can even insert SIM cards from phones that have not previously been registered with RedPhone.

When you receive a RedPhone call, the app displays a special accept/reject screen similar to a regular phone call. Once accepted, the app completes some server magic and connects the two speakers. For added security, both caller and receiver will see the same random two-word passphrase on their phones—presumably to verify each person, since either party can ask the other to say the password out loud.
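
The value of reading those two words aloud can be shown with a short simulation. This is an added example, not RedPhone's code: it assumes the words are derived from the key the two phones negotiated, so a party sitting between the callers, who has to negotiate a separate key with each side, causes the two screens to disagree. The toy Diffie-Hellman group, the constructed word list and every function name are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (far too small for real use).
P = 2**127 - 1
G = 3

# Constructed 256-entry word list (16 x 16 syllables); not the app's real list.
_SYL = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
        "no", "pu", "ra", "se", "ti", "vo", "zu", "wa"]
WORDS = [a + b for a in _SYL for b in _SYL]


def keypair():
    """Return a fresh (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Secret this side computes from the public key it actually received."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def sas_words(secret):
    """Map the first two bytes of SHA-256(secret) to two display words."""
    digest = hashlib.sha256(secret).digest()
    return WORDS[digest[0]], WORDS[digest[1]]


def place_call(mitm=False):
    """Return (caller_words, callee_words) for one simulated key agreement."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        # An interceptor on the path has replaced the public key each side
        # receives with its own, so the two legs hold different secrets.
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return (sas_words(shared_secret(a_priv, a_sees)),
            sas_words(shared_secret(b_priv, b_sees)))


if __name__ == "__main__":
    print("direct call:     ", place_call())
    print("intercepted call:", place_call(mitm=True))
```

With two words drawn from a 256-entry list, an intercepted call shows matching words by chance roughly once in 65,536 attempts, which is why the spoken comparison is a meaningful check.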

How It Works
Behind the scenes, RedPhone Beta uses four components. There are the clients—the caller and the recipient—and two kinds of RedPhone servers. First, the “master” servers authenticate the two callers, then the “relay” servers organize the VoIP connection. Thoughtcrime Labs writes that the relay servers move the encrypted information between caller and receiver, as peer-to-peer communication would be difficult if not impossible on carrier networks.

On their blog and GitHub account, RedPhone’s creators describe how they worked to create a low latency network for VoIP calling. According to the developers, the master servers are kept in trusted locations while the relay servers are spread throughout the world in order to facilitate lower latency calls.

RedPhone Beta In Action
In my tests, I didn’t notice excessive latency on the calls. The delay seemed to be under a second, and comparable with that of a regular phone call. However, I carried out all my testing in the United States and while Thoughtcrime Labs has worked to distribute more relay servers around the world, callers in other countries might experience different latency rates.

Security apparently comes at a price, as RedPhone Beta lacks some of the creature comforts of unsecured calling. Sound quality on RedPhone Beta seemed slightly degraded when compared to an unsecured call, but not to the point where the conversation was greatly affected. At worst, speech sounded clipped and mechanical.

More importantly, RedPhone Beta does not keep a list of encrypted calls, missed or received. It does, however, indicate in the notification center when a RedPhone call has been missed, and logs unsecured calls. This makes total sense, as it is a privacy app and a log of missed secure calls or unsecure voicemails would defeat the purpose. However, the notification center messages are easy to miss, so it does require users to coordinate their encrypted conversations to a certain degree.

Should an unsecured caller attempt to reach you while you’re on a RedPhone call, he or she will hear a busy signal—a rarity these days, and perhaps too obvious a sign that you’re up to something. The missed call will appear in your RedPhone and default phone app history.

Also problematic is the fact that RedPhone Beta is limited only to Android devices. While likely due to Android’s fundamentally more open nature, it further limits the people to whom you can place secure calls.

If you try to call a non-RedPhone user from inside the app, a message appears asking if you want to send them a download link. Tapping “no” will end the call, so users should be sure to make their unsecured calls from the built-in dialer. Annoyingly, RedPhone will not automatically forward your unsecured calls to the default dialer. Tapping “yes” will send a text message to your would-be recipient, which is unfortunately longer than my carrier allows, thus breaking the included download link.

While my testing did not include probing vulnerabilities in the RedPhone network or encryption scheme, I did notice one potential flaw with RedPhone: it assumes that you are the only person in possession of your phone and your phone number. While the call may be encrypted, if the phone you’re calling has been lost or (if you’re truly paranoid) the number has been hijacked, then the call is inherently unsecure. This could be addressed by prompting users for a password, but that would likely upset the app’s ease of use. In truth this is outside the scope of RedPhone, which aims to deliver accessible encryption, but it’s important to understand the limitations of any security product.

Is RedPhone For You?
RedPhone Beta for Android is a dead simple and seamless way to keep your conversations secure and private. Its low threshold for entry is in stark contrast to TrustCall, our Editors’ Choice for encrypted calling, which uses physical chips in the phone to manage verification but comes at a steep price of $119.

While it may not have an extensive list of features, RedPhone Beta works well and its open source status will hopefully mean continued improvement and advancement over time. If nothing else, you can’t beat the price or the pedigree.

Specifications
Type: Personal
Free: Yes

Verdict
RedPhone Beta for Android gives you a lightweight, free, dead-simple way to make encrypted phone calls, but don't expect anything more.
Published under license from Ziff Davis, Inc., New York, All rights reserved.
Copyright © 2012 Ziff Davis, Inc