Mobile Encryption App
Quick start guide
0 Introduction
The Mobile Encryption App is a state of the art encrypted telephone and messaging application that provides you with secure calls over IP (via GSM/EDGE, 3G, LTE or WLAN), secure messages, and secure storage for your contacts, notes and secure messages. The Mobile Encryption App uses very long encryption keys and a combination of well-known, trustworthy encryption algorithms to ensure that no-one but you and your communication partner can gain access to the information while it is transmitted. (see chapter 15, Encryption Details)
Security Advice: You should always keep your phone with the Mobile Encryption App with you to prevent manipulation by attackers gaining physical access to the device. Installing potentially malicious third-party apps on your phone may, despite the built-in security measures, under some circumstances compromise the security of your data or your secure communications. To mitigate this risk you should only install really necessary apps from trustworthy sources. Additionally you should activate device encryption, secure your phone with a sufficiently long password and use further security-improving configuration options.
1 Preparation for use
Before you can use the Mobile Encryption App it needs to be activated with the access credentials for the secure network. When you ordered the Mobile Encryption App, an activation link has been sent to your e-mail address. When you have installed the Mobile Encryption App, make sure you have a working internet-connection and click on the activation link inside the e-mail. The Mobile Encryption App is now fetching the access credentials from the server. Every activation link works only once. When the access credentials have been loaded, you can see your phone number. You can now hand this number to other Mobile Encryption App users. It always can be found under the Settings menu.
Please note: The access credentials are used only used to grant you access to the secure network. They do not contain any key material or other data that is used for the encryption of phone calls or messages. The keys for the encryption are generated on the phone itself in a completely separate process.
2 Set Passphrase for Secure Storage
The secure storage subsystem contains your encrypted messages, your secure contacts, and your secure notes. After booting up, the Mobile Encryption App will ask you to set the passphrase for the secure storage container. The strength of protection of the secure storage container depends entirely on how difficult it is to guess your passphrase. The minimum length and complexity of the passphrase is set by your system administrator. To better remember a complex passphrase, you could use the initial letters from the words of a poem or song text which you remember well and replace some of the letters by numbers. Avoid words that can be found in a dictionary. You can change the passphrase and configure the automatic timeout for locking the secure storage container under the Settings menu.
3 Check your Mobile Encryption App Number
Your personal Mobile Encryption App number can be found in the Settings screen of the Mobile Encryption App settings menu. You need to be logged into the secure storage container to access the settings menu. Your passphrase will be required if you are not logged in at the moment. Write down your Mobile Encryption App number so that you can give it to your contacts. Your Mobile Encryption App telephone number does not change, no matter what SIM card you put into the phone, even if you use Wireless LAN or a satellite terminal.
4 Data Connection required
Please note that the Mobile Encryption App will establish a data connection to stay online (so that you can be reached) and transmits more data when you make or receive a call. Normal data usage is 2 to 5 Megabyte per 24 hours in standby mode to keep the Mobile Encryption App connected. Using the Mobile Encryption App over a mobile phone network (3G/UMTS, EDGE, or GSM GPRS) without an affordable data plan can result in high charges. When you are roaming on a foreign network, your mobile network operator will typically bill you for additional roaming charges. To avoid such costs it is strongly recommended to use tariff plans with data flat rates. When traveling abroad, book a sufficiently large roaming data package to your cellular plan or obtain a local pre-paid SIM card with a reasonable data plan from the country you are traveling to (remember that your Mobile Encryption App number does not change when you change the SIM card).
Troubleshooting: If you experience difficulties in getting your data connection to work, check with your network operator to set the correct APN configuration until you can use the phone's web browser to access the Internet. Alternatively, use Wireless LAN / WiFi to connect to the Internet. When you can access the Internet from your web browser, your Mobile Encryption App should also be able to establish secure connections. Mobile Encryption App calls and messages require a working Internet connection.
5 Connect to Secure Network
Upon start your Mobile Encryption App will try to connect to the secure network. A successful connection will be indicated by the connection status icon in the main screen showing a checkmark. It will show an connecting-symbol while it tries to connect. If you want to disconnect from the secure network, press the status icon again. If your Mobile Encryption App is not connected to the secure network, the icon will show an offline-icon (like a Stop-sign). In offline-state you are not reachable for secure calls and messages and not data transmission from the Mobile Encryption App takes place.
6 Store your secure Contacts
Names and numbers for your secure communication partners are stored in the Secure Storage, as well as received and sent secure messages and secure notes. The Mobile Encryption App number always starts with +999, followed by a custom number and additional digits. The customer system administrator can set the last digits of the number as desired during the order process. Like your own Mobile Encryption App number, it always stays the same, even if your partner switches to a different mobile network operator or is online via Wireless LAN. The Mobile Encryption App number can be used to send secure messages and make secure calls.
To add a new contact, press the Mobile Encryption App "Contacts" button, then press the Plus-Icon in the lower left corner of the screen. Enter the name and corresponding Mobile Encryption App number for the contact you want to call securely. Please note that Mobile Encryption App numbers cannot be reached from the normal telephone network. You can edit a contact entry later by long-pressing the contact entry and choosing "Details" from the resulting pop-up menu. You can delete also a contact from this menu. Note that when you delete a contact all secure messages received from and sent to the contact will be deleted as well. You can also import contacts that have a Mobile Encryption App number from the phone book of your phone into the secure storage. To do this go to Settings from the main menu and choose Import System Contacts.
7 Make A Secure Call
To call a contact, tapp it in the Contacts screen. The secure call screen opens and, if your partner is available, you will hear a ring tone. When your partner picks up, "Key Exchange" is shown on the display and you will hear a special tone sequence indicating that the cryptographic key exchange is in progress.
After the key exchange is completed, six letters are shown. These six letters are a cryptographic fingerprint of the unique session key used during your secure call. Once the call has been established, read out the three letters that are shown under "You say" and verify that the letters your partner reads out to you are the same as shown under "Partner says". If they do not match, you should not consider the line secure.
The quality indicator icon changes color depending on the delay and overall quality of the connection. If it stays orange or red, try to change to a location with better network coverage. If it stays red and your call has glitches or bad audio, change to a location with better network coverage (like a WLAN), try disconnecting and reconnecting to the secure network (see section 5), then call again. Call quality can be sub-optimal in fast-moving vehicles since mobile networks sometimes have problems with keeping up the data flow with the frequent cell handovers.
8 Send a Secure Text Message
Before you can exchange secure messages with a contact, you need to complete a key exchange for text messaging. To initiate the key exchange, go to the Mobile Encryption App "Contacts" menu and long-press the the contact. Choose Secure Messages from the resulting pop-up menu. The key exchange is initiated autmaticaly.
During the key exchange, public key material is exchanged with your partner. After a key exchange is completed, you will be asked to verify the new key, either with a phone call or by other means. The six letters of the cryptographic fingerprint of your key are shown on the display. Read out the three letters that are shown under "You say" and verify that the letters your partner reads out are the same as shown under "Partner says". Once you have confirmed that the letters match, press the Verify-key. You can now exchange encrypted messages with your partner by selecting the Messages Menu. To initiate a chat, press the Plus-icon in the lower left corner of the Messages-screen and select the desired communications partner. The key material is kept in the secure storage container and is used to generate individual message keys for your future encrypted message communication with this partner. The initial key exchange can be renewed at any time following the procedure above by pressing the "Rekey"-button in contacts detail screen that can be reached by long-pressing the contact in the list and choosing "Details" from the resulting pop-up Menu.
9 Call History
The timeline shows your call and history. It can be accessed from the main screen by selecting the Call History Menu.
10 Lock/Unlock Secure Storage
To lock and unlock the secure storage area, press the "Lock" icon on the Mobile Encryption App main screen. When the Secure Storage is locked when you try to access a function like contacts, messages or notes, that needs access to it, you will be prompted for the passphrase.
11 Export Secure Storage
The Mobile Encryption App offers you to back-up the secure storage (your secure notes, your contacts and messages). In order to export your secure storage go to the Settings menu, scroll down and choose "Export Secure Storage". An encrypted file with the name 'backup_<date>_<time>.secstore' will be generated on your phones sd-card. Additionally MECrypt will ask if you want to sent the file via e-mail. An existing back-up on the phone can be restored over Settings choosing "Import Secure Storage".
12 The Widget
The Mobile Encryption App Widget is a quick way to make secure calls, access secure contacts, the timeline, and secure messages as well as change your online status directly from the Android Homescreen. Tap on the respective icon in the Widget to go directly to the desired part of the Mobile Encryption App Suite or to change your online status.
13 Emergency Erase
In case a capture of your phone by unfriendly elements is imminent, you can use the emergency erase function to overwrite the Secure Storage. You can access this function from the Mobile Encryption App Settings menu. Note that an emergency erase might take several minutes. The longer the emergency erase process has time to run, the better your data is erased.
14 Secure Notes
In addition to the communications functions of the Mobile Encryption App you can store notes inside the Secure Storage. Choose the "Notes" Icon to enter and view your secure notes. To enter a new note, press the Plus-icon in the lower left corner. Edit existing notes by selecting the note from the list. To delete a note, long press its list entry and choose delete from the resulting popup-menu.
15 Technical Details of the encryption
Note: the following information is not necessary for the daily operation of the Mobile Encryption App.
The Mobile Encryption App encryption system has been designed in a way that for each secure call a new key is generated. A 4096 bit long key is negotiated between the two devices with the Diffie-Hellman-key exchange algorithm. From this key the 256 bit long keys for the call encryption are derived by SHA256. This happens in the short period at the beginning of each call, after your partner has accepted the call but before you can hear him. The call itself is encrypted with AES and Twofish running in parallel in counter-mode. using these keys from the Diffie-Hellman key exchange. After the end of each call the key is immediately securely destroyed in volatile memory. For the message encryption this method is slightly modified. Since it would be impractical to run a key exchange before each message a once-negotiated key is stored in the Secure Storage. This key is hashed forward by the SHA256 trapdoor function to derive the temporary key for the current message. Old, already used keys are deleted. The trapdoor function ensures that there is no method for an attacker to calculate old keys from current keys. Both the encrypted message as well as the Secure Storage are, like the secure calls, encrypted in parallel with Twofish and AES with 256 bit keys. This ensures that even for the very unlikely case that one of the two cryptoalgorithms is shown to be weak or attackable in the future, there is no risk of decryption of your communications. The keys for the Secure storage are generated from random entropy and encrypted with an intermediate key that is derived with the PKDBF2 function from your passphrase.
MECrypt will use random microphone noise as an entropy source for the cryptographic random number generator. Such recording takes 0.25 seconds and takes place at every application restart when the secure storage is opened the first time, at the beginning of every phone call during the phone rings and every time a secure message is send.