Sunday, August 18, 2013

The State of Mobile VOIP: Redphone

A couple of years ago, Whisper Systems released an intriguing product called Redphone. Redphone is both an app (for Android and iPhone) and a service (like Skype). The easiest way to describe Redphone is that it's SIP with a fixed configuration, ZRTP and TURN. That is:

  • all the parameters are set by the system making configuration trouble-free
  • all the calls are encrypted with ZRTP
  • while SIP is usually peer-to-peer, Redphone calls go through Redphone's servers.

You register with Redphone using your phone's number. (It also works with Google Voice.) Redphone verifies the number with a text message, which the app responds to automatically.

When you call, you specify another phone number. You can use the stock dialler and, if the other person is registered, the call will go through Redphone instead. Redphone "rings" the other device using either an SMS message, or a Google or Apple push notification, whichever the receiver prefers.

NOTE: In my experience, Google push notifications don't appear to work (or at least aren't reliable) over a NAT'd local network (most Wi-Fi). If you aren't receiving calls, try switching to "always use SMS".

If the call is accepted, the two phones begin an elaborate protocol to both encrypt the conversation and make sure that no one has intercepted the call in between the two phones.

After a call has begun, Redphone will display two words on both phones' screens. You read one word; the other party reads the other word. If the words you each hear match what your phones show, then you can be reasonably sure that no one is in between you two, relaying the call's data.
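Why the word check catches a relay, as an added example (not Redphone's or ZRTP's actual code): each phone derives its words from the key it negotiated, so a relay that terminates the key exchange leaves the two sides with different keys and different words. The toy Diffie-Hellman group, the syllable word table and the key values are assumptions made for illustration; real ZRTP uses its own key derivation, a hash commitment and the PGP word list.

```python
import hashlib

# Toy Diffie-Hellman group (assumption for illustration; far too small for real use).
P = 2**127 - 1
G = 3

# Constructed syllable tables: one byte maps to one pronounceable pseudo-word.
ONSETS = ["b", "d", "f", "g", "h", "j", "k", "l",
          "m", "n", "p", "r", "s", "t", "v", "z"]
ENDINGS = ["ab", "ek", "im", "on", "ur", "ast", "elt", "ink",
           "ord", "ush", "ay", "ee", "io", "oa", "ux", "yn"]

# Constructed private keys for the two phones and for a relay's two legs.
CALLER_KEY = 0x1F3A9C0D77E2B4A1
CALLEE_KEY = 0x5B8E21D4C6F0937D
RELAY_KEYS = (0x2C44E9A1B07F6D35, 0x7A10D3F58E92C46B)

def public_key(private):
    return pow(G, private, P)

def shared_secret(my_private, their_public):
    return pow(their_public, my_private, P)

def sas_words(secret):
    """Hash the negotiated secret and render its first 16 bits as two words."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return tuple(ONSETS[b >> 4] + ENDINGS[b & 15] for b in digest[:2])

def call(caller_priv, callee_priv, relay_privs=None):
    """Return (caller_words, callee_words) for a direct or a relayed call."""
    if relay_privs is None:
        # Direct call: each side receives the other's real public key.
        caller_sees = public_key(callee_priv)
        callee_sees = public_key(caller_priv)
    else:
        # Relayed call: each side unknowingly receives one of the relay's keys.
        caller_sees = public_key(relay_privs[0])
        callee_sees = public_key(relay_privs[1])
    return (sas_words(shared_secret(caller_priv, caller_sees)),
            sas_words(shared_secret(callee_priv, callee_sees)))

if __name__ == "__main__":
    print("direct :", call(CALLER_KEY, CALLEE_KEY))
    print("relayed:", call(CALLER_KEY, CALLEE_KEY, RELAY_KEYS))
```

On the direct call both screens show the same pair; on the relayed call they do not, which is what reading the words aloud reveals.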

ZRTP specifies that, once you have called someone, you shouldn't have to go through the "compare words" protocol again; however, rumor has it that Redphone doesn't store this information. I can't say I mind, since it seems (to me) like the best place to attack the protocol, and the word pair protocol is quite unobtrusive.

Redphone is fairly hassle-free. ZRTP doesn't require previously trading public keys with anyone. The security relies on you recognizing the voice at the other end, and the word pair. Calling someone is as simple as selecting them out of your contact list. If you or your communicados are tech-newbs, but you want security, this is the app to use.

Redphone was written by Moxie Marlinspike, a name well known in the security business, and Stuart Anderson. Redphone was acquired in 2011 by Twitter, which seems to be trying to make a name for itself among Middle Eastern protesters. However, the service can go away, and has before. Have a back-up.
