How Secure is the Freedom Phone?

This article was written for Peak Prosperity by Terence Kam, founder and cybersecurity consultant at iSecurityGuru.com. You can follow his company on LinkedIn or subscribe to his writings on Medium, where he writes on a wider variety of topics.

There has been a lot of buzz lately about the Freedom Phone. It is a smartphone for those who want to escape the clutches of Big Tech censorship, namely Apple and Google.

After all, when it comes to smartphones, we have a duopoly: Android and iOS. Most Android smartphones are controlled by Google and all iOS smartphones are controlled by Apple. If you do not want to trust either of them, you essentially have nowhere else to go.

Hence, the Freedom Phone is an attempt to break into the Big Tech duopoly and give choice to those who do not want to trust Google and Apple.

What is the Freedom Phone?

The Freedom Phone is an Android smartphone with Google’s code completely stripped out.

Why is Android used?

Creating a brand new smartphone operating system from scratch is a colossal amount of work. Nobody does it nowadays. Even iOS and Android are based on the Unix operating system, which has decades of history behind it.

Since there is no point in re-inventing the wheel by creating a brand new smartphone operating system from scratch, it is much easier and more expedient to use an existing and proven open-source operating system, which is Android. Since the source code of Android is made freely available for modification and redistribution, it is the most natural choice for creating an alternative non-Big Tech smartphone platform.

How secure is it?

This is a very good question. Putting politics aside, I am skeptical about the security of this platform. The reason is, there is simply not enough information to make an informed evaluation about this smartphone. There are far too many unknowns.

Where is the security white paper?

The Freedom Phone’s website says that the smartphone is based on “freedom, security and privacy”.

But how exactly does it achieve that?

Without a security white paper, there is no information on their security/privacy philosophy and implementation. I cannot see their thought process behind the implementation.

To give you an example of why a security white paper is useful, take the example of Apple. After reading Apple’s security white paper on iMessage, I was able to infer that its encryption is good enough to prevent mass surveillance, but not good enough to protect an individual from being targeted by a state-sponsored actor. The white paper also tells me that Apple’s iMessage encryption is not truly end-to-end encrypted (see this article on what “end-to-end encryption” means). That explains why China, Iran and Russia allow iMessage while they ban apps like WhatsApp.

For the Freedom Phone, without a white paper, I cannot make any evaluation.

How much control does Freedom Phone have in the manufacturing process?

The Freedom Phone seems to be a rebrand from this Umidigi phone. Umidigi is a Chinese brand.

It is not clear how much control Freedom Phone has over the entire manufacturing process. How is Android implemented on the phone? Who wrote the custom code and drivers for the Android build on the phone? How well tested is the code? Who wrote the code inside the various hardware components?

Again, I do not know the answers to any of these questions. Furthermore, I am sure there are even more unknown unknowns that I am not aware of.

Where is the commitment to provide continuous software updates?

As I wrote before in Top 10 Things You Must Do to Avoid Getting Hacked,
The IT industry has not figured out how to write secure code. Every time hardware and software vendors release new products, more lines of computer code are released as well. More lines of code mean more cybersecurity holes. That means there are always holes to be patched.

Worse still, there are always massive backlogs of holes to be found and patched. For example, even today, Microsoft is still finding holes in code written a dozen years ago in their latest Windows operating system!

Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.


Will Freedom Phone stay around in the long haul to continuously provide patches to security holes that will inevitably be found?

Even Apple, with its reputation for security, is constantly patching security holes found in its code. Will Freedom Phone have the financial longevity to do the same?

If not, the Freedom Phone will be insecure within a few years.

Who polices their app store?

The reason why people choose the Freedom Phone is that they promise not to censor.

But that was the case for Google’s Android platform in the early days too. Back then, Google had a hands-off approach to the apps that were published in their app store. The result was that the app store for Google’s Android platform was rife with malware, scams and dodgy apps. Eventually, Google had to follow Apple’s walled garden approach by vetting every app in their Google Play Store. Today, every app listed in the Google Play store is supposed to be vetted by Google. But still, I hear of malware making its way to the Google Play store.

So, although Freedom Phone promises not to censor their App Store, are they still going to vet every app for malware and scams and dodgy apps? If not, you can be sure their App Store will soon be a cesspit for hackers and scammers.

Unfortunately, in this politically-charged environment, any form of security vetting will carry the smell of ‘censorship’. This is bound to be problematic for their non-censorship philosophy.

Are you allowed to install apps outside the app store?

My bet is, you will be allowed to sideload apps onto the smartphone. But it will be the user’s responsibility not to accidentally sideload malware onto their smartphone.

Final thoughts

Cybersecurity and privacy are hard.

It takes decades upon decades of lessons, thinking and innovation to get to where we are today in terms of security and privacy. Yet, this problem is still not solved. Hackers and trackers are still finding ways to get around the Great Wall of Cybersecurity that the IT industry has built over the decades.

But the Freedom Phone seems to be a product made in relative haste. For a product made so hastily, it is approaching the level of over-confidence to claim that it has solved the problem of security and privacy.

At best, it will take many years (even more than a decade) for the product to mature to the point of meeting its claim of security and privacy.

Personally, I will give it a pass.

This is a companion discussion topic for the original entry at https://peakprosperity.com/how-secure-is-the-freedom-phone/

At least in this case.

 
 

4 Likes

I got rid of my iPhone a month ago, and purchased something called The Light Phone. Partly to get off of Big Tech, partly to get my time back. (I had been spending way too much time on the iPhone, about 5+ hours per day.)
What I love about the Light Phone is, it’s a hotspot, so I can use it to get online and work remotely. It’s got Phone, Texting, a Calculator and Podcasts - that’s it! So I can still listen to Peak Prosperity podcasts from anywhere. A month in now and I feel so much more present when driving, meeting, eating with friends and family. I find myself asking a lot more questions and talking to people - and feeling more connected!
Only downside is - they are on back-order. So it takes 2-3 months to receive one of these phones. But if you’re looking to get off big tech, it’s one way to start: http://thelightphone.com

6 Likes

I made a video about the Freedom Phone when it came out and explained how it is basically a complete rip off and how you are much better off just installing Lineage OS on your current phone:
https://www.youtube.com/watch?v=zCiUddclWFI

5 Likes

Too bad. I won’t buy a smartphone until the issues of privacy are fixed. It’s a nonstarter for me.

3 Likes

Can anyone recommend a good-quality Faraday bag for a smartphone that I can buy online in Canada? Thanks in advance.

1 Like

Blackphone from Silent Circle and Geekphone tried to break the duopoly and failed miserably. https://en.wikipedia.org/wiki/Blackphone
I bought a Blackphone and still use it as a basic phone. The support ended a long time ago and running apps is essentially impossible due to security issues.
Personally I think any attempt to do a de-googled Android fork is set up to fail. Google did not design Android for such a purpose and will frustrate competition every step of the way, don’t be evil was their motto for a long time for good reason!
The best chance to break the duopoly is a pure Linux open software based platform.
Librem 5 from Purism has a good shot https://puri.sm/products/librem-5/
Their operation seems well funded and they have experience in designing hardware. They found out the painful way why hardware for a phone is called so, it’s hard. I worked for the big Scandinavian phone manufacturers 3 decades ago and volume production quality is an art by itself.
The kickstart project has been running for years and only now final version phones are shipping. The supply chain problems cause lead times of > 52 weeks if you order today.
So for urgent needs Purism is not an option but in the longer term a Linux-based mobile platform has potential. More and more people want to get away from big tech!

4 Likes

https://privacypros.io/products/faraday-bag-bundle/

4 Likes

Would any of the security gurus here comment on Fairphone with /e/ OS? It is based on Lineage I believe. It was easy to find out that Freedom Phone is just a gimmick. I have a harder time making up my mind about Fairphone with /e/ when it comes to privacy.

1 Like

If I were in the surveillance “industry”, I would have a problem; too many cats, puppy-dogs and what-I-had-for-breakfast data.
I would prefer to have the criminally minded self-select and I would produce a “security phone” in the hopes that those with secrets to hide would buy my product.
If everybody bought one and posted selfies of their latest hair-do, I’d be back at square one, and would have to think of something else.

4 Likes

For a more technical, detailed look at the Freedom Phone, see here:
Ars Technica: The MAGA-targeted freedom phone has a breathtaking amount of red flags.
https://arstechnica.com/gadgets/2021/07/the-maga-targeted-freedom-phone-has-a-breathtaking-amount-of-red-flags/
Basic security really isn’t that hard. The problem is largely that vendors sell things based on bells and whistles, and shiny features, not security, practicality or reliability. The corollary to that is that people mostly are trained like seals to buy based on bells and whistles, and shiny things. As Chris is always saying “it didn’t have to be this way”.
A large number of vulnerabilities are still based on such simple problems as buffer overflows, and private information sent in plain text.
There’s a saying in the IT industry: “Security is a process, not a product”. Whatever you choose, do your research. But remember, the “smart” part of smartphone usually means you’re being surveilled constantly in many different ways.
 

2 Likes

With Lineage, you can choose not to install Google Play Services. This means most of the apps the cool kids use will not work for you but you are free from most of the Google spyware.
The hardest to live without is the Push type functionality. You end up with a phone that can browse the web and last I checked apps like Audible would run if you were into that. But anything “social” is hobbled if it runs at all. Maybe this is a benefit to you?
But it can be intimidating to install all of that. I may move my One Plus 7T over to Lineage or OmniRom soon. I theoretically need Teams for work but maybe I will just deal with the fallout of not getting timely notifications on my phone.
And of course once you get into it, why not install “Hotdog” or “Derpfest”? So far, I have found these alternative ROMs to be best for a smartphone’s “second life” after vendor support ends. But if you are determined, you can make your phone half smart and remove a lot of spying.

2 Likes

For most people, here is the only finished phone I would recommend anyone consider at this time: https://pine64.org/devices/pinephone_pro/
They are targeting this to early adopters, so it is probably about time for me to buy one, but this has been getting a lot of careful attention and reviews along the development path, and it comes from one of the most respected Linux computer (integrating hardware+software) companies. Because they are only just now opening up to general orders, the OS will doubtless be getting updates but they collaborated heavily with a lot of Linux groups and I will be astonished if it isn’t a really solid, really secure, product.
I paid for a Librem5 phone I think 3 years ago, when it was promised as “only a few months away” from ship ready. A few months became years and I don’t have any reason to believe they are anywhere close to having a completely functioning phone. And, when (if) they do, I expect software to be limited, because they do not have the partners that Pine has cultivated. I haven’t asked for my money back, yet, but if I buy a PinePhone and like it, I will probably try. I have my doubts if they have money available to return. I think they had good intentions and just took on more than they could chew.
 
Then, there are a lot of Linux projects working to repurpose Android phones. If you have access to a suitable old Android phone, and you are a “do it yourself” sort of hacker, here is a brief mention of some Linux OS only projects:
 

https://distrowatch.com/weekly.php?issue=20211115#waydroid
There are a number of Linux-based mobile operating systems currently available. Some of these strive to provide an open, GNU/Linux platform while others are children of the Android family. Some of these projects are able to collaborate to share code and progress. The UBports team have published a blog post which outlines various ways the developers work with other distributions and mobile platforms. One key component that gets shared is called Halium. "Halium provides a Hardware Abstraction Layer that allows GNU/Linux to run on mobile devices that come pre-installed with Android. Halium contains the device-specific Linux kernel with drivers, as well as Android services needed to talk to the hardware and the telephony stack oFono. Thanks to the Halium abstraction layer, Ubuntu Touch, Droidian, LuneOS and other mobile Linux platforms have the same way to use the Android source code, launch Android services and flash images to devices. So Halium makes sure that all these projects are able to boot on a phone. By collaborating on these low-level components, these distributions have a common Linux base. This allows each project to focus on the development of the higher layers, where they differ from each other in their user interfaces."
I am optimistic we are really close to having a real, usable, high privacy alternative to Android and Apple iPhone. There are many, many qualified people and companies interested in making this a reality. I expect 2022 to be the year when you will start to see some of these viable alternatives -- probably starting with the PinePhone launch.

2 Likes

I have a friend who has a side business selling de-Googled phones. I’ve had mine for a couple of months now, and it works well. He set it up for me, so I don’t know all about the specifics. It runs GrapheneOS, which I believe is basically a fork from the open source Android. Instead of Google Play, I get apps off F-Droid (preferred but less selection) and Aurora Store.

1 Like

A secure phone really feels like an oxymoron to me. Agree about the need for constant patching. I also agree with Arthur that if you really do have a secure phone, that’s a bit of a honey pot trap too. NSA will go out of its way to hack it, for that reason alone.
I seem to recall CIA running a “secure communications” company out of Switzerland. Twice. Ah, the irony.

https://www.securityweek.com/report-claims-cia-controlled-second-swiss-encryption-firm
Swiss politicians have voiced outrage and demanded an investigation after revelations that a second Swiss encryption company was allegedly used by the CIA and its German counterpart to spy on governments worldwide.
For me, I just assume the phone is the least secure device I own. I try hard not to use it for anything important. Like banking, for instance. I tried the Blackphone thing, but when I saw the MAC address of my new phone resolved to a CCP chip manufacturer...I stuck with my ancient Samsung device. They can do anything they want when they control the hardware. And they probably do. Someday a non-Google OS that’s properly maintained will happen. Not sure we’re there yet. I have the same concern about routers. Is an infrequently-updated DD-WRT better than stock software that may well have backdoors built in? Hard to know. It’s a quagmire.

3 Likes

I was looking at the website (https://grapheneos.org/) about a week ago. It sounds pretty solid, as a project. I even went as far as looking for a supported Android phone (https://grapheneos.org/faq#recommended-devices) and checking eBay for a Pixel 5 (about $600 as I recall).
Can you give us a review of your experience and, specifically, what you feel the tradeoffs are vs actual Android? I think that might be really valuable to many! I know I would like your opinion and any details on high and low points.

1 Like

I’ve had good experiences. It basically runs like a regular Android smartphone. For maximum anonymity he said you’d want to use WiFi calling, but I have my old AT&T SIM card slotted for practicality.
My friend pre-installed apps that don’t track you. He recommends not installing Facebook, Twitter, etc., so we’ve used Telegram and Session instead. He prefers Tutanota or K-9 Mail for email, but I already had Protonmail so am still using it for now. He set up a Nextcloud server for cloud storage which works fine. I use Antenna for podcasts, only one out of 7 (Sovereign Man) occasionally gives me errors syncing for some unknown reason. For GPS maps, he prefers Magic Earth, but Waze apparently doesn’t track you either and has more up to date maps so it’s on as a backup. I use the Duck Duck Go browser - only problem I’ve ever run into with it so far was Ticketmaster didn’t like it when I tried to resell a ticket; transferring it to a friend worked fine, though. Really little to no issues, and I don’t miss the creepy reminders I’m being tracked, like Google Maps figuring out where I work and deciding to take its own initiative to come up with “helpful shortcuts” and the like.

2 Likes

A relative has a master’s in computing and writes in machine code. It pisses off his bosses because they haven’t a clue what he is doing.

3 Likes

Hey, we are perfectly free to snuggle up in our cabin by the fire watching the world afar (aka, reading Zerohedge and PP) from our cell phones as our every click is monitored.
My goal is not to go un-monitored, but to stay enough below the radar that there are many others worth monitoring long before us, at least for now.
-Travis

6 Likes

The problem is that all phones really have 2 operating systems. One is the iOS/Android, the second is the one that runs the radios and has complete access to everything on the phone. Here is an article describing this:
https://www.osnews.com/story/27416/the-second-operating-system-hiding-in-every-mobile-phone/
The only way I can think of to possibly secure your communications when using a phone is to use 2 devices. One to use end-to-end encryption and then tether to the smartphone using it like you would any untrusted network. Anything of importance must be encrypted before being given to the network. You also need to make sure the phone you’re using is crippled (remove the camera/microphone/GPS antenna, etc). But it still will know where you are via triangulation from the cell phone towers.
The moral of the story is if you are near a “smart” device, assume you are/could be monitored/tracked. That includes your “smart TVs”, computers, phones, thermostats, ring type doorbells, robot vacuums, newer cars - anything that connects to a network.
The only other thing you can maybe do to protect privacy is to make the data less useful. Randomly surf or find software that will randomly web surf for you. Open a side wifi to the world so people will randomly use it for you. Fill out surveys and lie. Have a rooted phone? - use an app that lies about where you are to the applications (FYI - you will be blocked from most application stores while in Antarctica). :) When you do this, you will know it’s working when you get really odd ads that have nothing to do with you.
 

2 Likes