Privacy & Security

When encryption is not enough


A revolutionary innovation: Multi-Layer Security Protocol – MLSP® from XCell Technologies

True End-to-End Encryption and True Protection

If you are either super important, super paranoid, or a super spy, there are times when you need to be able to use a cell phone without leaving a trace or giving someone a chance to intercept your calls and text messages, including law enforcement and intelligence agencies.

Secure = encryption? Well, think again…

Nowadays, most people are affected by eavesdropping problems, even if they are not aware of it. Not to mention so-called “off-air GSM interception systems” or also “IMSI catchers”, “GSM interceptors” or “StingRays”. Since 2014, it has been known that the outdated SS7 (Signaling System No. 7) protocol can be used to easily intercept SMS-based data traffic by using diameter-based networks regardless of the device or operating system type. Vulnerabilities in Signaling System No. 7 can also be easily exploited by hackers because it is a 50-year-old protocol that is likely part of much of the world’s cell phones and text messaging.

In general, most users who are aware of cell phone eavesdropping through the above technologies believe that using encryption solutions will protect their calls and text messages. Is encryption a real solution? Let’s see…

Law enforcement, homeland security, and other related actors have numerous methods to intercept messages and read text content, even when encryption is used. From SS7 exploits, encryption backdoors, or deliberate weakening of common encryption algorithms to legal hacking that bypasses encryption and high-tech decryption technology are all at their disposal.

Encryption does not protect your privacy at all

Recent headlines warn that the government now has more powers to hack your cell phones inside and outside the US. The changes to federal criminal court procedures known as Rule 41 are to blame. They significantly expand how and when the FBI can legally hack cell phones. But just like NSA hacking operations, FBI hacking is not new. In fact, the bureau has a long history of secretly hacking us, going back two decades.

Back doors are provided for law enforcement.

Encryption backdoors are still largely seen as weakening protection for everyone in order to provide protection for some people on rare occasions. As a result, workarounds such as those found by the FBI are likely to remain the most common approach in the future. Indeed, law enforcement agencies have greatly expanded their hacking capabilities in recent years.

Many reputable encryption developers and companies have chosen to retain the ability to read and use their customers’ content, or have decided that there is not a sufficient business reason to add end-to-end encryption or user-controlled encryption. Their users’ encrypted content is more easily accessible to law enforcement because they own the decryption keys. These same companies offer their services in such a way that encryption does not preclude them from handing over the content to law enforcement in response to a search warrant. Are these services as secure?

Lawful Hacking

It has become apparent that most national security agencies have immense surveillance capabilities that are actively deployed on a massive scale, especially in countries where law enforcement and national security functions overlap. In addition to encryption master keys and built-in backdoors that give law enforcement extraordinary access to everyone’s secrets and privacy, they now have unprecedented access to information through open-source intelligence, metadata collection, sophisticated traffic analysis tools, and data analysis algorithms. Many local and international laws mandate insecurity by requiring government access to all data and communications that enable lawful hacking (also known as circumvention of encryption).

Encryption vendors and law enforcement are working together to solve the access “problem.” One proposed solution is one-way information sharing, where manufacturers alert law enforcement to unpatched vulnerabilities so that the government (and anyone else who discovers them) can use those vulnerabilities to gain access to communications and data. This is a terrible proposal – one that puts manufacturers in the line of fire for liability and promotes further weakening of device and software security.

Several people with backgrounds in security and systems have begun researching possible technical mechanisms to give the government extraordinary access.

Our approach to SMS encryption and protection

We at XCell Technologies are serious about mobile security and bring you the most advanced SMS security solutions. Concerns about mass surveillance by the government and their ability to decrypt anything using given master keys, backdoors, lawful hacking or effective decryption solutions were the factors that drove us to develop a brand new and 100% secure SMS communication, that not only uses strong military-grade encryption, but also adds a new layer of security by exploiting the GSM network via MLSP® to ensure that there is no way to intercept text messages or metadata, even in encrypted mode. All of this outperforms existing commercially encrypted apps, services, devices, and even law enforcement access to your sensitive data.

GSM provides only a basic set of security features by default to ensure adequate protection for the operator and the customer. Over the life of a system, threats and technologies change, and so security here at XCell Technologies is regularly reviewed and changed, and then applied to our products.

Our SMS encryption technology uses GSM network architecture and SMS transport protocol and can send / receive encrypted and uninterceptable messages.

Our SMS encryption application called XCrypt uses breakthrough multi-layer technology to protect SMS from interception and decryption. As a unique encryption application, XCrypt uses a brand new patented technology to send/receive encrypted messages in addition to strong military encryption: discrete GSM channels or Multi-Layer Security Protocol®. This protects not only encrypted text messages, but also metadata that is not encrypted.

XCrypt Concept. An insight into techniques used for 100% secure text messages


  • “A-subscriber” phone is the sender phone that sends encrypted messages via MLSP®.
  • “B subscriber” phone is the receiver phone that decodes and displays the received message.
  • Plain text message: a standard text message that can be read by anyone. Can be intercepted and read without any effort.
  • Encrypted message: an encrypted text message that can only be read using the correct password. Can be easily intercepted in encrypted mode, but cannot be read. A password is required to read the message.
  • Metadata: Data about data. SMS metadata is not encrypted because it is not contained in the encrypted text itself, but law enforcement agencies collect unencrypted metadata to characterize the encrypted data. SMS metadata includes data about sender, recipient, message encoding (UTF8, UnicodeX, etc.), date/time, and length.
  • Uninterceptable message: a text message (plaintext or encrypted) that cannot be intercepted under any circumstances.
  • True end-to-end encryption: no Internet and 3rd party servers involved.
  • XCrypt: Software application that uses MLSP® to send/receive ultra-secure messages.


Multi-Layer Security Protocol – MLSP® consist of:

1. Physical layer: encrypted text message.

The phone encrypts text messages using the following protocols:


– AES 256

– Elliptic curve (ECIES) 256

– SHA256

– Protected by ITSEC evaluation level 3

2. Multilayer routing and transport protocol. Encrypted SMS data is randomly segmented and distributed in bursts by Application Port Addressing Technology over discrete GSM channels that are not normally “intercepted” by mobile interception systems (IMSI catchers, GSM interceptors or StingRays), both in the air interface (UM interface with respect to GSM networks) and in the Abis, A and C-G mobile network interfaces. In this way, SMS data that is usually sent over GSM Layer 1 (and is largely intercepted on Layer 1) is sent through a combination of GSM Layer 1 and GSM Layer 2 (LAPDm). As a result, no mobile interception systems (such as GSM interceptors) and legal interception systems (SS7 interception systems, also known as network switch-based interception or interception with the help of the network operator) are able to intercept the entire message, but only a few bursts that are encrypted anyway.

3. Metadata protection. Normal SMS metadata is not stored in a separate file (called metadata file). XCrypt separates metadata and the data it describes (encrypted SMS text) and sends the metadata file in bursts over the network, using the same port addressing technology. Metadata is of little value without the data file (SMS) to which it refers. At the same time, metadata makes the data more usable and therefore more valuable. An encrypted text message with a separate metadata file reveals nothing about the SMS sender and recipient.

How does it work?

1. Phone level:

At the phone level, XCrypt uses a technology called “port directed SMS” which is widely used in J2ME MIDP on mobile devices. The concept is that when a user sends an encrypted SMS message to a “B subscriber” phone, a specific port number is specified along with the encrypted message so that only the device “listening” on that specific port can receive an encrypted message. When a message is received on a port that the application recognizes, the message is forwarded directly to the secure inbox (XCrypt app) instead of going to the default inbox.

XCrypt encrypts text messages locally at the military level and then, through message segmentation and port addressing, sends randomly split bursts (bit streams) along with specific port address data by adding redundant bits to the binary information chain to the “B party” phone. Along with the encrypted split message, the application on the “A-party” phone sends port addressing data that triggers the opening of a specific port address on the “B-party” phone. In this way, the encrypted message is allowed through to bypass the phone’s normal inbox and land directly in the secure inbox.

All of these steps are transparent on the receiving phone (“B subscriber”), which also requires user interaction for the message to be forwarded to the secure inbox and decrypted by entering the correct password. On the “B subscriber” phone, bursts encrypted by port destination address are selectively received, concatenated, decrypted, and displayed only on the “B subscriber” phone using the same XCrypt application that recognizes specific receive ports.

If the “B-party” (target phone) does not also have the XCrypt app installed, then the received message will neither be delivered nor displayed by the phone (even in encrypted/unreadable mode), due to port addressing technology that filters messages by port addresses.

When encrypting SMS, the metadata file is generated separately from the text message and not as an integral part of the message as in normal SMS. The metadata file is then truncated and sent in bursts over the GSM network using port addressing technology. In this way, no metadata can be intercepted using SS7 means.

At this level, the phone’s vulnerability relates to forensic hardware and software that want to extract system files and private data from the phone, including decrypted messages stored on XCrypt secure Inbox.

XCell phones are protected against forensic procedures by volatile USB filters that do not allow unauthorized USB connections, triggering self-destruction of the motherboard. In addition, XCrypt runs on a sandbox partition that is 100% encrypted and protected from file extraction by a self-deletion mechanism.

2. Um level

The Um interface (the radio link between the mobile network and the subscriber phone) is the part of the GSM network most vulnerable and exploited by MItM attacks (IMSI catchers, GSM interceptors and StingRays), as no help or consent from the network operator is required.

XCrypt uses the GSM network architecture and the SMS transport protocol to protect (already) encrypted messages that should be intercepted despite the encrypted mode. After encryption, the modulation signal has a carrier wave with GMSK (Gaussian Minimum Shift Keying) modulation. GMSK is a two-state modulation based on frequency shift keying.

At the Um interface, XCrypt uses MLSP® technology: encrypted message bursts are sent not only on the usual L1 SMS channels – SDCCH (Standalone Dedicated Control CHannel) signaling channels – but also on other available channels that are not subject to SMS interception, forcing signaling layer 2 (data link layer based on LAPDm protocol) for SMS transport.

Since GSM interceptors only “listen” to the physical SDCCH channels to intercept text messages, they will only intercept some encrypted bursts sent over SDCCH, but not the entire encrypted message split and sent over multiple channels by MLSP® technology.

The same is true for the metadata file: It is sent in bursts over the network, separate from the encrypted message body. No metadata extraction is possible at this level.

3. Core network level

The four-layer transport protocol stack of SMS (application, transmission, relay and connection) is used at this level and the transmission layer of this stack is the one that secures the text message. The GSM core network consists of the Mobile Switching Center (MSC), the Home Location Register (HLR), the Authentication Center (AuC), the Visitor Location Register (VLR), and the Equipment Identity Register (EIR), all of which are vulnerable to network-based interception, also known as SS7 interception or lawful interception. This type of interception can only be successfully conducted by law enforcement and homeland security agencies, with the help of network providers who allow the installation of surveillance hardware (SS7 boxes) on their core network based on the Communications Assistance for Law Enforcement Act (CALEA).

The purpose of CALEA is to enhance law enforcement’s ability to lawfully intercept communications by requiring telecommunications providers and telecommunications equipment manufacturers to modify and design their equipment, devices, and services to have built-in targeted interception capabilities that allow federal authorities to selectively intercept any telephone traffic. CALEA covers bulk interception of communications, not just tapping specific lines, and not all CALEA-based access requires a warrant. In general, implementing Lawful Interception is similar to implementing a conference call. While A and B are talking, C can join the conversation and listen silently.

At this network level, the main security vulnerability is lawful eavesdropping. XCrypt takes advantage of the GSM core network and sends both encrypted and non-interceptable text messages using MLSP® technology. Core network protocols cannot be enforced as the Um interface can. Actually, there is no need to tamper with these protocols and transmission layers as long as message bursts traversing this part of the cellular network can be logically concatenated (joined) by port addressing and can only be decrypted by “BParty” phones running the same XCrypt application and knowing the correct password. Consequently, no text messages can be fully intercepted by a third party using CALEA – Lawful Interception. A few encrypted SMS bursts that may be intercepted by SS7 cannot lead to SMS interception in any case. Thus, no private data is collected by this method, the privacy of the phone user is preserved from “A-party” to “B-party” phone.

Let’s face it: most of today’s encryption solutions only care about the text itself, neglecting the metadata of messages that continue to be sent over the network in plain text due to network requirements. Law enforcement and other actors take advantage of this by collecting unencrypted metadata to characterize the encrypted data, and metadata in this way is a valuable source of information for them.

The use of MLSP® technology at both the perimeter and core network levels means that it is not possible to collect unencrypted message metadata, i.e. there is no way to extract any information other than the encrypted message.

It has long been known that it doesn’t matter how secure your organization or your personal information and assets are if you connect them to less secure third parties. So remember: servers are third parties.

True end-to-end encryption does not require third parties on the path from “A-party” to “B-party”.

To ensure the highest level of security and privacy, XCrypt does not require an Internet connection, third-party servers or monthly subscriptions. All processes and protocols run locally on the phones (on the sandbox partition) and in this way provide not only true, unbreakable end-to-end encryption, but also non-attackable messages for the reasons explained above.

XCrypt has already been implemented by default in XCell Basic v3 Stealth Phones, in both Basic and Advanced versions.

Now XCrypt MLSP® is also installed on XStealth Phone, our Android Ultra Secure Stealth Phone.