Secure Calling App : What You Need to Know

You need a secure calling app, but it’s hard to know which one to choose.

This article will walk you through what you need to know and how to evaluate your choices.

What’s Important:

  • End-to-End Encryption
  • Verification of Encryption
  • Platform
  • Reliable Connection
  • Regional Servers for Low Latency
  • Easy Contacts

End-to-End Encryption

End-to-end encryption is the industry term for a call that is encrypted directly between the two mobile devices, with no decryption at any point in between. This should be first and foremost in any secure calling app comparison. Don’t be fooled by any app or service that doesn’t say end-to-end encryption.

To explain what this means, I first want to explain what it is not. Why? Because a lot of people see “encrypted calling” and think they are protected end-to-end, when in fact the call is only encrypted from their device to the provider’s server.

graphic showing the rokacom app store
Just because it's on the app store, doesn't mean it provides end-to-end encryption. Always read the fine print when choosing a secure calling app.

Normal Secure Calling Apps Decrypt at the Server

In a normal VoIP call that is “encrypted”, your call is encrypted to the provider’s VoIP server via TLS. Then the call is decrypted and passes through the VoIP server unprotected. Your call may or may not be re-encrypted on its way to the other person on the call.

Why is this important? Anyone who has access to that phone server can hear or record your call, including the VoIP provider, mobile phone carrier, governments or hackers.

Read the Fine Print

In fact, our research shows there are a good number of apps that say “end-to-end encryption” but don’t mean device to device. They mean your device to their server, where your call is unencrypted and they can listen to or record it.

True End-to-End Encryption

True end-to-end encrypted calls exchange the encryption keys directly between the users’ devices. The server is only there to route the calls across the Internet and through NAT’ed firewalls. Since the keys are generated on the users’ devices and only the public keys are shared with the other user, neither the provider nor anyone listening in the middle can hear what you are saying, let alone record it.

Verification of Encryption

A “man in the middle attack” is the method used to intercept end-to-end encrypted calls and messages. The attacker sits between the two devices and makes each one “believe” it is encrypting to the other, while in reality it decrypts the data on one side and re-encrypts it to the other user. The secure calling app you choose should have some way to verify the encryption is secure end to end.

ZRTP to the rescue

You need a method to verify that you’re encrypted all the way to the other device. ZRTP is a very popular end-to-end encryption protocol that was built specifically to address the man in the middle attack vector.

Short Authentication String or SAS Code

ZRTP uses a Short Authentication String (SAS) so that each user can hear a sequence of numbers and letters, or a phrase, in the other person’s voice. The call is verified when the two users confirm they have the same SAS code on each side, spoken in the other person’s voice. Read more about ZRTP and SAS codes on Wikipedia.
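The following is an added illustration, not code from this article or from RokaCom, of why the SAS check above detects the server-in-the-middle situation described in the end-to-end encryption section. It models ZRTP's key agreement as a toy Diffie-Hellman exchange (the prime, generator and SAS rendering are simplified assumptions, not the RFC 6189 parameters or KDF) and shows that a relay that runs its own key exchange with each phone gives the two callers different SAS codes.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only.
# Real ZRTP uses 3072-bit MODP or elliptic-curve groups, never a prime this small.
P = 2**127 - 1
G = 3
# 32-character alphabet used to render a 20-bit SAS as 4 characters (assumed,
# modelled on ZRTP's B32 SAS type, not copied from the specification).
ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def dh_keypair():
    """Generate a private exponent and the public value sent to the peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret derived on one phone from its private key and the peer's public value."""
    return pow(peer_pub, priv, P)


def sas_from_secret(shared):
    """Simplified SAS: hash the shared secret, take the leftmost 20 bits, render as 4 chars."""
    digest = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    bits = int.from_bytes(digest[:3], "big") >> 4  # keep 20 of 24 bits
    return "".join(ALPHABET[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def direct_call():
    """Phones exchange public values directly: both derive the same secret and SAS."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return sas_from_secret(dh_shared(a_priv, b_pub)), sas_from_secret(dh_shared(b_priv, a_pub))


def relayed_call():
    """A server that decrypts in the middle must run its own exchange with each phone,
    so each phone shares a secret with the server, not with the other phone."""
    a_priv, _ = dh_keypair()
    b_priv, _ = dh_keypair()
    _, server_pub = dh_keypair()  # the relay substitutes its own public value
    return sas_from_secret(dh_shared(a_priv, server_pub)), sas_from_secret(dh_shared(b_priv, server_pub))


def sas_matches(sas_a, sas_b):
    """The out-of-band check: callers read their SAS aloud and compare them."""
    return sas_a == sas_b
```

Reading the two codes aloud is what makes this work: the relay cannot make the two strings agree without also forging each caller's voice.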

Platform

This one is pretty simple: you need a secure calling app for iPhone and Android. If the provider doesn’t support both, you’ll be limited in who you can call. You want encrypted phone calls to be the norm for your iPhone and Android users, so the apps should be built to each platform’s standard.

Reliable Service

Encryption is great, but if the service is unreliable, users will fall back to unencrypted calling. This is the biggest complaint we see with free secure calling apps: calls are unreliable and drop all the time. If you really care about encrypted calling, it’s worth paying a small amount to ensure you’ll always be able to place the call!

secure calling app makes worldwide calls
If your organization has a global presence, then you need to consider the reliability of service all over the world when choosing a secure calling app.

Regional Servers for Low Latency

The service you choose needs to have regional servers located in close proximity to their users.

If you, everyone you call and the service’s servers are all in the same geographical area, you’re fine. If you’re like the rest of us, you want and need to call people all over the country and the world, so your secure calling app service needs to have lots of servers in lots of locations.

Easy to Use Contacts

When we first started RokaCom, our users demanded easy-to-use contacts. It wasn’t enough that we had the best reliability; customers wanted better contacts management. If you can’t easily find the person you want to call on the same secure calling app, you won’t use it.

Enterprise vs Local Contacts

If you’re using this for your business, you have two choices:

  1. Use a service that pushes the global contact list to the app.
  2. Send everyone’s mobile phone number out to every employee and contractor.

The global contact list is automatic. The mobile number option requires everyone to manually enter their coworkers’ phone numbers.

Some apps have automatic contact import and lookup, which works well for existing entries. However, this doesn’t work well for an enterprise organization that decides to go with option 2.

Making Your Choice:

There are other things to consider when choosing a secure calling app, but the issues outlined above are the ones that typically come up when discussing secure calling with our users. Whichever secure calling app you choose, if you want true protection, make sure the encryption is end-to-end.

If you want to see how RokaCom compares, sign up for a free trial and see for yourself.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.