Uncategorized Archives - Page 3 of 3 - Gruveo

Category Archives for Uncategorized

An Apology to Our French Users

French flag heartTomorrow, on October 14, the Gruveo app for iOS goes live. We couldn’t have been happier if not for one thing: The app will not be available in the French App Store at launch.

As we mentioned in a post a few weeks ago, France has very strict laws for importing encryption products. Gruveo is no doubt such a product because it encrypts all of your calls. Unfortunately, getting the permission from the French government to release the app in France is a lengthy and time consuming process, with no time frame guarantees.

Ironically, France is Gruveo’s 5th biggest market, with almost 7% of the past month’s calls having been made by our French users. We are thus very motivated to make the iOS app available in France as soon as possible. It’s just that it won’t happen tomorrow, and we are very sorry for that.

The App Store Blues

The Gruveo app awaiting review in the App StoreWe have submitted the Gruveo iOS app to App Store almost a month ago, and, frankly, we expected it to be live for a while by now.

Well, things haven’t quite worked out that way. To start with, the approval process for that first version took full 21 days, which is extraordinary even by the App Store standards.

And then, our app got rejected because of a tiny crash that we had overlooked.

Fortunately, our beta testers made us aware of the crash ahead of Apple so we lost minimal time fixing the bug and resubmitting the app. We resubmitted last week and are now anxiously awaiting that “Ready for Sale” status! (Don’t worry, the app will be free, it’s just how Apple puts it.)

On the Bright Side…

On the bright side of things, the App Store approval delay gave us enough time to make sure that Gruveo works perfectly on the new iOS 8 and looks just as great on iPhone 6 and 6 Plus.

We have also spent some time improving our web app. In particular, there was a pesky bug with camera muting under certain conditions in a call between Chrome and Firefox. It’s fixed now.

Finally, Gruveo got its first mention on Forbes last week, which makes us super-excited!

We hope to be able to share more good news very soon 😉 Thank you for using Gruveo and stay tuned!

Gruveo Security Explained

We at Gruveo take our users’ privacy and security very seriously. In this blog post, we’d like to share some details on the technology behind Gruveo and the security and privacy measures we have in place.

The Gruveo Technology

Gruveo uses WebRTC for all video and voice calls made using its platform. WebRTC is a free, open technology that enables web browsers with Real-Time Communications (RTC) capabilities.

Gruveo uses the browser’s implementation of the WebRTC engine and operates it via the high-level JavaScript APIs exposed by the browser. As such, Gruveo has no way of compromising the internal workings of WebRTC, including its security stack.

Is WebRTC Secure?

WebRTC is often described by the industry professionals as the most secure VoIP solution out there.

WebRTC specification requires that all transferred data – audio, video and custom application payloads – must be encrypted end to end while in transit. This is achieved by employing the following protocols:

  • Datagram Transport Layer Security (DTLS) is used to negotiate the secret keys for encrypting media data and for secure transport of application data via SCTP.
  • Secure Real-Time Transport (SRTP) is used to transport audio and video streams.
  • Secure Real-time Control Transport Protocol (SRTCP) is used for delivery of sender and receiver statistics and control information for an SRTP flow.
  • Stream Control Transport Protocol (SCTP) is used to transport application data on top of the established DTLS tunnel.

DTLS is a privacy protocol that is very similar to TLS (SSL), but with a minimal number of modifications to make it compatible with the UDP transport used by WebRTC. DTLS enables a secure data channel between peers that cannot be tampered with. No eavesdropping or message forgery can occur on a DTLS encrypted connection.

SRTP is a secure variant of the standardized format for delivery of real-time data, such as audio and video over IP networks. SRTP media cannot be decrypted by a third party thus ensuring that IP communications across the Internet remain private. In other words, SRTP ensures that WebRTC voice and video traffic will not be heard or seen by unauthorized parties.

Finally, WebRTC is a peer-to-peer technology where calls are established directly between the peers’ devices for lower latency and added security. In some situations, a peer-to-peer call cannot be established and the call data has to travel through the Gruveo’s servers. However, DTLS and SRTP ensure that the call contents cannot be decrypted on the server even in such a scenario.

Text Messaging Security

All text messages on Gruveo are relayed via Gruveo’s secure servers. The messages are relayed to and from client endpoints in encrypted form using TLS (SSL) as part of the WebSocket Secure (WSS) protocol.

Other Important Considerations

The Gruveo website is only accessible via the secure HTTPS protocol.

Endpoint security is out of Gruveo’s control. For example, we cannot detect or prevent a virus running on a client machine from recording the user’s communications, on Gruveo or otherwise.

All Gruveo users are encouraged to choose longer, non-trivial codes for connecting to ensure against a random third party joining under the same code before the intended counterpart does.

Once a call between two parties has been established on Gruveo, no one else can connect to it, even if they enter the same code. Anyone connecting under the same code while you are talking will get a “busy code” message.

We hope that this has been helpful in understanding how Gruveo protects your privacy and security. If you have more questions, please don’t hesitate to contact us right away.

Thank You!

Wow! The past couple of days have been really crazy over here at Gruveo. Shortly after the Gruveo 2.0 launch, the story was picked by a number of major media outlets across the world and we’re currently going through a massive traffic spike. This is what we call a “Lifehacker test” for our servers – thankfully, they are coping just fine.

Over just the past three days, people from 72 countries used Gruveo to make their “world’s easiest” video call. The story about Gruveo landing on Android has been retweeted over 800 times.

But what’s really important to us is this…

Feedback like this is the best possible payoff for the months of hard work we spent developing Gruveo 2.0. This is what keeps us pushing forward to bring the world’s easiest video calls to everyone. And make no mistake, there is even more exciting stuff coming this summer 🙂

Thank you very much for making it all happen!

How is Gruveo Secure?

Update August 15, 2014: The below post applies to an earlier version of Gruveo that used Flash. Click here for a detailed review of the current version’s security.

2013 has brought revelations about the massive scale of US surveillance on Internet communications. People all over the world learned that most of their Internet activities are routinely logged, recorded and analyzed. In light of these revelations, we at Gruveo feel that it’s our duty to explain to our users how their calls are protected and what mechanisms we use to ensure the security of their Gruveo communications.

The first thing to note is that wherever possible, all Gruveo calls are established using the so-called peer-to-peer (P2P) technology where data flows directly between the users’ computers. Almost by definition, the absence of a middle point relaying your calls means that it’s harder for a third party to intercept them.

Whether a call is established using P2P is determined by the firewall configuration of the particular pair of users. If a call cannot be established via P2P, it is relayed using our secure servers. Gruveo is quite good in “piercing” firewalls to establish P2P calls, however: 63.1% of the past month’s calls were established over peer-to-peer.

The decentralization brought by peer-to-peer is just part of the story. No matter if your call is established via P2P or not, it is encrypted end to end as part of the RTMFP protocol (P2P), or RTMPS/RTMPTS (non-P2P). In RTMFP, all network traffic is encrypted using 128-bit cipher. RTMPS/RTMPTS rely on the industry-standard SSL standard for traffic encryption.

Last but not least, given how Gruveo connects users, isn’t it possible that someone else can connect to your call just by accidentally entering the same number while you’re talking to somebody? The answer is no – once a Gruveo call is established, it is “sealed” and anyone entering the same number will create a new session just as if your call didn’t exist.

We hope that this answers the important questions you might have about the security of your Gruveo calls. Don’t hesitate to head off to the FAQ and our privacy policy for more information, or drop us a line with any further inquiries!