A Truly Private and Secure Android Phone?

by Adam Gill

The tech buzz in early May surrounded the UnaPhone Zenith, purported to be the first truly private Android phone. Phone manufacturer Elephone is working with Tutanota, a secure webmail provider, to produce this smartphone that puts privacy first. We wanted to check it out, so here is our take on what should be a truly awesome device.

UnaOS

The project team uses the Android 6.0-based UnaOS to create the hardened, secure and private phone that the Indiegogo campaign says is without compromise. UnaOS is an extreme spinoff of the basic Android operating system that has focused on creating the best environment for privacy. This version patches the known Android OS vulnerabilities and encrypts the phone plus the external MicroSD storage of up to 256 GB. At the moment, UnaOS is not open source, but the team revealed on the UnaPhone Indiegogo page that they will open the proprietary source code after it has been audited. There is still no timeframe for this, though.

To maintain security, the UnaPhone Zenith on UnaOS does not allow the installation of any third party applications on the phone. This secures users from many potential dangers. These apps can come bundled with malware, spyware, viruses and other threats, which the phone avoids by simply rejecting all apps. App stores try to keep the apps that are uploaded to them clean, but shady developers and hijackers are always working to make sure that some malicious programs get past their security filters. The safest way is to just not use third party apps at all.

The UnaPhone also does not use any Google services or apps. Android is from Google, so this is quite interesting. Of course, Google is one of the worst offenders when it comes to invasive data mining, so staying away from the company’s long arms was a first goal of this private phone. Without third party apps, using social media and similar apps on mobile is also not allowed. This keeps the phone immune to any snooping by data-hungry companies that use apps to conduct surveillance on devices and their users.

Game apps are, of course, a huge no-no, so users of the UnaPhone Zenith will have to find other ways of keeping themselves occupied on long commutes. The project explains that separating work life and personal life, particularly play time, is very important for securing privacy. The UnaPhone is for secure and private communications, so it can do email aside from calls and text messaging, but it is not an all-around device that takes care of entertainment needs.

UnaPhone Apps

The UnaPhone Zenith, of course, has its own apps that are guaranteed private and secure. These apps are open source, specifically chosen for inclusion on the phone. They serve communication needs and are focused on productivity. The email provider app Tutanota is a secure provider that works together with an added email client. The phone also has the Callprotector encrypted communications app, encrypted SMS, Pretty Good Privacy encryption, a proprietary VPN with OpenVPN support and an IMSI catcher (Stingray) detector. It also has a complete office suite, PDF, notes and notepad plus Conversations, a calculator, a dictionary and text editor, offline GPS, web browser, and WiFi file transfer capability. And it isn’t as dull as it sounds because it has an equalizer and a Digital Signal Processor, a sound recorder, music and video capability, a camera and gallery, a flashlight, FM radio, and even a pedometer plus several other apps.

Surveillance Issues

The phone itself is pretty awesome, but the company behind it, Una Inc. Ltd., is a UK company. This worries us because of how the British GCHQ has a very close relationship with the NSA, and because of the new Investigatory Powers Bill that supports their snooping efforts. The bill, dubbed the Snooper’s Charter, will mandate encryption backdoors. This means that in theory the UK government will be able to access all encrypted data on the UnaPhone. We are not sure exactly what will happen, of course, but this law makes us uneasy about the future security of the phone. If the phone is manufactured outside of the UK or under a different company not registered in the UK, then maybe it can escape being backdoored.

Una has responded to this fear by stating that the company will not keep any encryption keys, and that the encryption of storage is done on the phone itself so that there is no need to share it. They also explained that the end-to-end encryption of communications is not handled by the company so that they cannot intercept any data packets or install backdoors. The company does not agree with the Snooper’s Charter, and says that they have a Plan B in case compliance becomes a problem. They stressed that they are dedicated to the privacy and security of the UnaPhone because they value the privacy and security of users.

The developers’ attitude is encouraging, but there are still a few security hitches to work out. Over the Air (OTA) updates can compromise the security of even 100% audited open source software if malware gets injected into the updates by government agencies or criminal elements. Governments have been known to push updates on users to insert spyware and malware, so this could happen again with the right application of pressure. The UnaPhone OTA channel is encrypted, however, so hopefully this will ensure that nothing malicious gets through. The only thing left to worry about is the government forcing updates that will include backdoors.

All Android phones have hardware problems that cannot be patched, such as the baseband processor, which is a proprietary chip used for managing all functions that use the device’s antenna. It is recognized by security experts for its ability to be used as a backdoor. ISPs can circumvent encryption through this chip and access data in plaintext. The developers agreed that total baseband isolation is impossible because the modem comes embedded. They have, however, put in a Paranoid Mode that deactivates the baseband modem so that it cannot be manipulated when not in use. To maintain GSM functioning, users can connect an external modem with a SIM card via OTG to do calls and text messaging and other things.

This brings us to SIM card security, since the card is another processor that the UnaPhone team does not control. Paranoid Mode helps here, as does the Stingray detector, which blocks attempts to intercept data and prevents SS7 network attacks and silent SMS. We are looking forward to the implementation of the kill switch that will automatically put the phone in offline (airplane) mode when an attack is detected. All in all, the UnaPhone team has done a great job of making this phone secure.
