How secure is secure?
I was installing GNU-Guix Linux operating system the other day and pondering on the FSF ideology of only using free and open software. Almost all the hardware of the machine I was installing on was made by Intel, and Intel has released a lot of their software as open source and free. So good so far, except for the WIFI module which to get going I have to use a closed source software. The problem with closed source software is that the code cannot be checked and so a degree of trust is involved. Also, with AMD as well as Intel, there are design flaws in their hardware that can only be mitigated through software, such as the microcode for their processors. These are always closed source and therefore not available to truly open source systems, leaving them venerable to problems if you stay true to open source - catch 22!
Onto the mobile.
Can a mobile phone be truly secure? Probably not, because as soon as you connect to the telephony service, a triangulation of your position is fairly easy. In all other aspects it's quite possible depending on the hardware you use. At the moment is appears like the Pinephone has the best chance as the telephony modem has been "reverse engineered" to run off open source software. Everything else in the phone can (and does) use open source software. Other phones may be open too as there are several Linux phones available.
Onto the practical.
Which phones are or can be made secure in a general sense?
The Apple iPhone security is unknown as it's hardware and software are proprietary and therefore by definition, cannot be trusted, no matter what their marketing may say.
Android phones are a bit of a mixed bag. The Android system itself is open source, which is good news. However, Google have added their own proprietary software which is not so good. This is placed in the system and is difficult to remove, although it can be done. Many of the Android phones have closed source hardware, the software for the modem, for wifi/bluetooth etc are proprietary. Sometimes these have to be taken on trust. So far there have not been any reports of these being infected with mal/spyware.
Linux phones are few on the ground, and some Android phones can be converted to run Linux. See PostmarketOS and TouchOS (Ubuntu based).
This depends on many factors ranging from personal to how secure. So, I'm not going to recommend any phones (or at least not here). If you want to be at the forefront for secure technology, then a Linux phone would probably be your go to. Other than that, and Android phones can be made fairly secure with a little technical knowledge.
There are many "how to's" out on the net for your phone to unlock the bootloader and to "root" the device, so I'm not going to go into detail. Maybe check xda-dvelopers.com/forum for info on your device. The "why" is a different matter. One or both are needed to change things on the phone to make them more secure or less insecure.
Unlocking the bootloader enables different systems to be installed and run (booted). So to change from Android Motorola to LineageOS, the bootloader must first be unlocked and a recovery flashed across, then LineageOS installed and booted.
LineageOS is an independent Android built off Googles open source ASOP. It comes with a few basic apps to get you going. LineageOS does use proprietary software from the manufactures for some of the hardware to function. Most of the other ROMS (Android systems) are based on, or from LineageOS.
Rooting the phone will allow system files to be modified, removing google and vendor bloat.
I mentioned LineageOS as a alternative to the makers version of Android. There are 2 others I'd also recommend: GraphenOS & Replicant OS however both are limited on the number of devices they support.
Almost all of Googles app track you in some way, and with the Google software installed, almost every app usage some detail goes back to Google. Google is an advertiser and will therefore use all this info to target ads at you through all aspects of the net. There are open source alternatives for virtually everything that Google does, the one thing that Google has done is made things very convenient for the user, which makes it difficult to move away.
Here is a list of alternative open source apps that don't track you or sell your data for profit:
- Maps - OsmAnd
- email - K9
- Browser - ungoogled-chromium
- Calendar - Etar
- Notes - Carnet
- Drive - Nextcloud
Those are the main ones. To opt out of Google completely would mean moving email to an encrypted email service like Protonmail, Nextcloud can hold your calendar, tasks, photos, Carnet note, sync to your desktop and more. De-googling your life I've already written about. Other browsers offer different protections, like Brave browser, firefox, private browser, and Tor browser.
Once LineageOS is installed and running, installing apps is done through a service from F-Droid and their app as Google play store won't be available. F-Droid hosts all the above apps except for a few of the browsers.
Now this is an important topic. The standard phone calls and sms can be tapped into. For sms there's Signal, not fully open source but it is encrypted and so far has a good reputation. Other form of text communication involve other platforms and services. Xmpp/Jabber is a good and safe system when encrypted. Matrix platform is another good system that is open source, private and like Xmpp is very reliable. Worthy of note is telegram, although again like Signal is not fully open source has a good reputation and is very popular.
These are a pain as they are built to extract info from you. So as soon as you login, they are gathering info. So the main thing here is to reduce what they get to a minimum, if you want of need to use their services. There are "wrapper" apps that access the mobile website of the social platform and restrict what it has access to on your device, like blocking location, camera and microphone.
Once a device is free of Google and the manufactures bloat (and spyware - yes it does happen) then the insecurity of the device is down to how YOU use it.
Many years ago I used to remove spyware from Windows machines. After removal I'd lock the machine down and show the customer and they'd be well please. Quite often I'd get a call a couple of week later say "somethings gone wrong, can you check" and sure enough they switched off the protection and visited some dodgy website.
So it doesn't matter it your phone is the most secure in the world if you don't use it right. Security is an inconvenience, and only discipline will keep it that way. If you value your privacy, you'll keep it secure.
Security is as srong as th weakest link. It doesn't matter how secure your phone is, if you're commincating with an insecure phone, the security is compromised.
And a site that covers some apps, what to avoid, what to use: https://github.com/pluja/awesome-privacy