End-to-End Encrypted Voice Calls
Powered by the StealthX Platform
SecureCall is a voice communication app built from the ground up for privacy. No call content ever leaves your device unencrypted. Every call is protected end-to-end using military-grade cryptography.
- End-to-End Encryption -- Every voice call is encrypted using XChaCha20-Poly1305 (AEAD). Keys never leave your device.
- X25519 Key Exchange -- Ephemeral Diffie-Hellman key agreement ensures perfect forward secrecy. Each call uses a unique session key.
- Zero-Knowledge Architecture -- The server facilitates connections but cannot decrypt calls. No call content is stored or accessible server-side. Signaling metadata is processed transiently for connection setup.
- Anti-Recording Protection -- Active detection of screen recording, microphone hijacking, and spy apps (Pro/Premium).
- Rust Crypto Core -- All cryptographic operations run in a native Rust library via JNI -- no Java crypto, no OpenSSL.
- Source-available client -- The client source code is publicly visible for transparency and independent audit. Copying, building, running, distributing, rebranding, or using the software requires prior written permission from Vendetta Labs.
SecureCall consists of three core components:
| Component | Technology | Purpose |
|---|---|---|
| Android Client | Kotlin / Java | User interface, audio capture, call management |
| Crypto Engine | Rust (via JNI) | XChaCha20-Poly1305, X25519, HKDF-SHA256 |
| Signaling Server | Node.js | Connection establishment, key exchange relay |
For technical details, see the Architecture Overview.
Security is not a feature -- it's the foundation. Our approach:
- Independently auditable -- All source code is publicly available.
- No trust required -- Verify the cryptographic implementation yourself.
- Formal security audit -- Read the full Security Audit Report.
- Security design -- Review our Security Design Document.
Found a vulnerability? Please report it via GitHub Issues.
See SECURITY.md for our full security policy.
Complete documentation is available in the Wiki and the docs/WIKI/ directory:
| Category | Pages |
|---|---|
| User Docs | Installation Guide · User Manual · FAQ |
| Security | Security Design · Audit Report · Encryption Architecture |
| Developer | Architecture · Build Instructions · API Docs |
| Project | Roadmap · Changelog · Known Issues |
Download: GitHub Releases | stealthx.tech
This repository is source-available, not open source.
You may read and inspect the source code for transparency and security review. You may not copy, modify, build, run, distribute, rebrand, host, or use the software or official StealthX services without prior written permission from Vendetta Labs. The SecureCall name and branding are trademarked.
See the LICENSE for full terms.
SecureCall uses the following third-party services. All voice data is encrypted end-to-end on your device before any data leaves it. No third party can read, intercept, or decrypt your call content.
| Service | Purpose | Data Access |
|---|---|---|
| Railway.app | Cloud hosting for the signaling server | Relays encrypted signaling messages only. Cannot decrypt calls. No call logs stored. |
| Metered.ca | TURN relay server for NAT traversal | Relays encrypted media packets when direct peer-to-peer connection fails. Cannot decrypt content. |
| Google STUN | NAT discovery (public IP detection) | Receives IP address only for connection setup. No call data transmitted. Standard WebRTC protocol. |
| Firebase Cloud Messaging | Push notifications for incoming calls | Delivers notification metadata only (caller name, session ID). No call content is transmitted via FCM. |
| GitHub Pages | Project website hosting | Static website only. No user data collected or processed. |
Key guarantees:
- The signaling server is zero-knowledge -- it facilitates connections but cannot decrypt any call content.
- TURN relay servers only see encrypted packets -- decryption keys exist only on the two call participants' devices.
- Firebase is used solely for push notification delivery when the app is in the background. Analytics and Crashlytics are disabled.
- No call content or recordings are shared with, sold to, or accessible by any third party. Signaling metadata is processed transiently for connection setup.
For the full privacy policy, see Privacy Policy.
| Feature | Free | Pro | Premium |
|---|---|---|---|
| E2E Encryption (XChaCha20-Poly1305) | Yes | Yes | Yes |
| Root Detection | Warning only | Blocks | Blocks |
| Certificate Pinning | Yes | Yes | Yes |
| Screen Capture Detection | No | No | Yes |
| Debugger Detection | No | No | Yes |
| Emulator Detection | No | No | Yes |
| Hardware Keystore Required | No | No | Yes |
| Call Recording Allowed | Yes | No | No |
| Aggressive Key Rotation | No | No | Yes |
| Ads | Yes (AdMob) | No | No |
| Crash Reports | Yes (opt-out) | No | No |
Note: Core encryption is identical across all tiers. Security differences affect device-level protections and privacy features.
Can I build the app myself?
SecureCall's client source code is publicly available for transparency and independent security auditing. You may read and inspect the code, but you may not copy, modify, build, run, distribute, rebrand, host, or use SecureCall or official StealthX services without prior written permission from Vendetta Labs.
How do I know the app is secure?
The complete source code is publicly available in this repository. We have conducted a comprehensive security audit (see the Security Audit Report) and welcome independent review by security researchers.
What data does the server see?
The signaling server only facilitates connection establishment. It relays encrypted key exchange messages and signaling data. All voice data is encrypted end-to-end -- the server cannot decrypt any call content. No persistent call history or call recordings are stored. Signaling metadata (connection IDs, session IDs) is processed transiently. FCM tokens may be stored for push delivery and cleared on deregistration. STUN/TURN providers may see network-level IPs required for WebRTC connectivity.
What cryptographic algorithms are used?
- Key Exchange: X25519 (Curve25519 Diffie-Hellman)
- Key Derivation: HKDF-SHA256
- Encryption: XChaCha20-Poly1305 (AEAD)
- Forward Secrecy: Double Ratchet protocol
- Implementation: Native Rust via JNI (no Java/Android crypto APIs)
How can I report a security issue?
Please open a GitHub Issue. See SECURITY.md for our full disclosure policy.
SecureCall is a voice communication app built from the ground up for privacy. Every call is encrypted with XChaCha20-Poly1305. The keys never leave your device.
Why open source? Encryption software must be transparent. You should never have to entrust your private conversations to a black box. The complete source code is publicly viewable -- for independent security audits and verification.
Important: The client source code is publicly viewable for transparency and independent review. The official SecureCall/StealthX trademarks, backend services, store releases, and Pro/Premium licenses are operated by Vendetta Labs and may not be used commercially or as official offerings without permission.
SecureCall is a product of the StealthX platform.