


How Seecrypt Protects Your Phone from Call Surveillance

Seecrypt's CEO Mornay Walters describes the encryption used in the private call app.
Image: Seecrypt

Just before Edward Snowden leaked his treasure trove of NSA documents, triggering a minor boom in mobile privacy apps, the Seecrypt Group released its encrypted call privacy app, Seecrypt. In the eight months since, like many app makers, the company has seen an influx of new users.

While surveillance reform is being hashed out in Congress, the need for secure communication platforms remains, and surely always will. Seecrypt says its app, first launched in April of last year, features military-grade encryption. Though user call logs are stored for a short time for performance reasons, private data is not logged in Seecrypt's system.


I recently spoke to Seecrypt's CEO Mornay Walters through email about the encryption behind the app, and how, if one of the app's two public-key systems were broken, the other would still be operational. We also talked about how Seecrypt is working to expand beyond the borders of app development into other privacy and security offerings.

How are calls encrypted and the keys changed for each session?

The cryptographic protocols and processes within Seecrypt allow two devices to establish a secure end-to-end session between the two devices. When Alice (device A) communicates with Bob (device B) a key exchange takes place, after which the two users can opt to trust each other in future communications by comparing the exchanged public keys.

The exchanged public keys are used to encrypt all data transferred between the two devices. Two different public-key systems (RSA and ECDSA/ECDH) are used for the key negotiation and authentication, and two different stream ciphers (AES in counter mode and RC4) are used for the data encryption. The two different stream ciphers are used so that even if one of each pair of algorithms is broken, the remaining algorithm will still protect the plaintext information.

So, what happens when Seecrypt is installed on a mobile device?

When Seecrypt is installed on the user’s device the application generates a public and private pair of 2048-bit RSA keys using a SHA512 hash, and a 384-bit elliptic curve digital signature algorithm (ECDSA) key using a SHA384 hash. Both Alice and Bob apply an identical pseudorandom function to generate sufficient key material to derive keys for RC4 and AES encryption. The session keys are unique for each session and the uplink and downlink channels are secured independently. A summary of the key is displayed during the call so that both parties can authenticate each other verbally.


The session keys are used together with the key streams to encrypt all traffic using RC4 and AES. Best practice information security techniques are used to ensure that the streams are protected from buffer overflow and initial key stream weaknesses.
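The two answers above describe what happens after the public-key exchange: an identical pseudorandom function expands the shared secret into separate key material for each direction, two keystream layers (AES in counter mode and RC4) are applied so that breaking one cipher leaves the other's ciphertext, the weak initial RC4 output is handled, and a short key summary is shown for the parties to compare verbally. The Python below is an added illustration of those steps, not Seecrypt's code. It assumes the RSA/ECDH exchange has already produced `SHARED_SECRET` (a constructed value), uses HMAC-SHA256 in counter mode as a stand-in for the AES block function because the standard library has no AES, and uses placeholder byte strings as the public keys; the label strings, key sizes and the 3072-byte RC4 drop are my own choices.

```python
import hashlib
import hmac

# Constructed stand-in for the secret a real RSA/ECDH key exchange would produce;
# the asymmetric exchange itself is assumed, not implemented, in this example.
SHARED_SECRET = hashlib.sha256(b"constructed demo shared secret").digest()
# Constructed placeholder public keys, used only for the verbal key summary.
PUB_A = b"constructed public key of Alice (device A)"
PUB_B = b"constructed public key of Bob (device B)"


def prf(secret: bytes, label: bytes, length: int) -> bytes:
    # HKDF-style expand: HMAC-SHA256 chained over label and counter. Both ends run it
    # identically, so each (direction, cipher) slot gets independent key material.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def rc4_keystream(key: bytes, length: int, drop: int = 3072) -> bytes:
    # RC4 with the first `drop` bytes discarded (RC4-drop[n]), the usual mitigation for
    # its biased initial output. RC4 is here only because the article names it (RFC 7465).
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: PRF(key, nonce || counter) blocks concatenated. HMAC-SHA256
    # stands in for the AES block function (the standard library has no AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Direction:
    # Key state for one traffic direction (uplink A->B or downlink B->A);
    # sender and receiver each build the same object from the same label.

    def __init__(self, shared: bytes, label: bytes):
        material = prf(shared, b"seecrypt-demo|" + label, 16 + 32 + 8)
        self.rc4_key, self.ctr_key, self.ctr_nonce = material[:16], material[16:48], material[48:]
        self.offset = self.seq = 0  # RC4 stream position; frame counter for the CTR nonce

    def process(self, frame: bytes) -> bytes:
        # Both layers applied. XOR is its own inverse, so the same call encrypts on
        # the sender and decrypts on the receiver, provided frames stay in order.
        rc4 = rc4_keystream(self.rc4_key, self.offset + len(frame))[self.offset:]
        ctr = ctr_keystream(self.ctr_key, self.ctr_nonce + self.seq.to_bytes(4, "big"), len(frame))
        self.offset += len(frame)
        self.seq += 1
        return xor(xor(frame, rc4), ctr)


def auth_summary(pub_a: bytes, pub_b: bytes, groups: int = 4) -> str:
    # Short summary of the exchanged public keys for the parties to read aloud. Keys
    # are hashed in canonical order so both sides see the same string; a substituted
    # key on either side changes it.
    digest = hashlib.sha256(b"|".join(sorted([pub_a, pub_b]))).hexdigest()
    return " ".join(digest[4 * i:4 * i + 4] for i in range(groups))


def demo() -> dict:
    """One two-way session; each flag is a property the article claims."""
    alice_up, bob_up = Direction(SHARED_SECRET, b"uplink"), Direction(SHARED_SECRET, b"uplink")
    alice_down, bob_down = Direction(SHARED_SECRET, b"downlink"), Direction(SHARED_SECRET, b"downlink")
    up_frames = [b"voice frame 1 (constructed)", b"voice frame 2 (constructed)"]
    down_frames = [b"reply frame 1 (constructed)"]
    up_wire = [alice_up.process(f) for f in up_frames]
    down_wire = [bob_down.process(f) for f in down_frames]
    # Peel only one layer off the first uplink frame: the other layer still hides it.
    n = len(up_frames[0])
    rc4_only = xor(up_wire[0], rc4_keystream(bob_up.rc4_key, n))
    ctr_only = xor(up_wire[0], ctr_keystream(bob_up.ctr_key, bob_up.ctr_nonce + bytes(4), n))
    return {
        "roundtrip_ok": [bob_up.process(c) for c in up_wire] == up_frames
        and [alice_down.process(c) for c in down_wire] == down_frames,
        "rc4_layer_alone_reveals": rc4_only == up_frames[0],
        "ctr_layer_alone_reveals": ctr_only == up_frames[0],
        "directions_independent": alice_up.rc4_key != alice_down.rc4_key
        and alice_up.ctr_key != alice_down.ctr_key,
        "summary_matches": auth_summary(PUB_A, PUB_B) == auth_summary(PUB_B, PUB_A),
        "summary_detects_swap": auth_summary(PUB_A, b"substituted key (constructed)")
        != auth_summary(PUB_A, PUB_B),
    }
```

Calling `demo()` returns a dictionary in which `roundtrip_ok`, `directions_independent`, `summary_matches` and `summary_detects_swap` are true and the two `*_alone_reveals` flags are false: removing either keystream layer yields only the other layer's ciphertext, which is the property the article's cascade is meant to provide. Two things the sketch leaves out that a practitioner should check in any real design: the key summary only detects a substituted key if both parties actually compare it, and XOR keystreams alone give no integrity, so a deployed protocol needs a MAC or an authenticated mode on top of what is shown here.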

You say it's military grade, no?

Yes, and military grade refers to the fact that it's equal to, and in some cases better than, current military and government communication solutions.

The network is private and metadata isn't stored, but does Seecrypt have access to call metadata at any point, or is it automatically deleted?

By the nature of any software design, logs of all transactions are captured for a small time to ensure all systems and processes operate at optimal levels. But no private data around communication transactions is logged on the system.

If the team were asked by authorities to store metadata, what would the response be?

Seecrypt operates in South Africa and by law has to acknowledge any legal requests.

Has Seecrypt been asked to store metadata by South Africa or any other government?

No, we have not been approached by any organization with any legal request.

Obviously, this is good for privacy-minded individuals, but your website also notes that the app is good for protecting enterprise or business communications. 

Companies communicate daily to millions of end users be it OTP, banking transactional messages, appointment reminders, etc. With the exception of a few companies that have their own mobile apps, most companies communicate in a non-secure, non-private method with their clients via email or SMS. Those that have their own apps may also use SMS, which, by default, is not secure or private and costs the company money.


Seecrypt's enterprise messaging service allows corporations to communicate to end users' authenticated endpoints, which are cryptographically anchored to the system. When a message is sent from Company A to User A, the message can only be received by User A, and is transported encrypted over the internet at no transactional cost with no metadata footprint. Seecrypt is currently developing a secure suite of software libraries that companies may use in their own development programs.

You've noted a 400 percent increase in users globally, and 1000 percent in the US alone, after Edward Snowden's NSA leaks. What are the challenges that come with that increasing demand?

There are a number of challenges for any company that faces massive growth overnight. Seecrypt continues to grow, especially in the ongoing face of privacy and security invasion, and meeting the challenges of operating a global solution over the internet remains a constant challenge. The challenges range from hiring experienced developers to dealing with an ever-growing network and network/cyber attacks.

No one challenge can be singled out as a primary, as each company will have their own challenges. To grow you need good people, solid network infrastructure and passion and belief for what you do.

Is the team thinking of creating any new privacy apps?

Yes, Seecrypt will expand beyond the borders of an “app” and will launch a new range of products that will allow everyday consumers, enterprise, and government organizations to communicate securely and privately over the internet via a host of new applications and uses. More detail will be shared in the coming weeks, which will coincide with the launch of SC3, our next generation base platform for secure voice and messaging.