Horizon Innovations

Ideas are easy, implementation is hard

Software

by

The Secure Mobile Phone

How secure is secure?

I was installing GNU-Guix Linux operating system the other day and pondering on the FSF ideology of only using free and open software. Almost all the hardware of the machine I was installing on was made by Intel, and Intel has released a lot of their software as open source and free. So good so far, except for the WIFI module which to get going I have to use a closed source software. The problem with closed source software is that the code cannot be checked and so a degree of trust is involved. Also, with AMD as well as Intel, there are design flaws in their hardware that can only be mitigated through software, such as the microcode for their processors. These are always closed source and therefore not available to truly open source systems, leaving them venerable to problems if you stay true to open source - catch 22!

Onto the mobile.

Can a mobile phone be truly secure? Probably not, because as soon as you connect to the telephony service, a triangulation of your position is fairly easy. In all other aspects it's quite possible depending on the hardware you use. At the moment is appears like the Pinephone has the best chance as the telephony modem has been "reverse engineered" to run off open source software. Everything else in the phone can (and does) use open source software. Other phones may be open too as there are several Linux phones available.

Onto the practical.

Which phones are or can be made secure in a general sense?
The Apple iPhone security is unknown as it's hardware and software are proprietary and therefore by definition, cannot be trusted, no matter what their marketing may say.
Android phones are a bit of a mixed bag. The Android system itself is open source, which is good news. However, Google have added their own proprietary software which is not so good. This is placed in the system and is difficult to remove, although it can be done. Many of the Android phones have closed source hardware, the software for the modem, for wifi/bluetooth etc are proprietary. Sometimes these have to be taken on trust. So far there have not been any reports of these being infected with mal/spyware.
Linux phones are few on the ground, and some Android phones can be converted to run Linux. See PostmarketOS and TouchOS (Ubuntu based).

Which phones

This depends on many factors ranging from personal to how secure. So, I'm not going to recommend any phones (or at least not here). If you want to be at the forefront for secure technology, then a Linux phone would probably be your go to. Other than that, and Android phones can be made fairly secure with a little technical knowledge.

There are many "how to's" out on the net for your phone to unlock the bootloader and to "root" the device, so I'm not going to go into detail. Maybe check xda-dvelopers.com/forum for info on your device. The "why" is a different matter. One or both are needed to change things on the phone to make them more secure or less insecure.

The bootloader

Unlocking the bootloader enables different systems to be installed and run (booted). So to change from Android Motorola to LineageOS, the bootloader must first be unlocked and a recovery flashed across, then LineageOS installed and booted.
LineageOS is an independent Android built off Googles open source ASOP. It comes with a few basic apps to get you going. LineageOS does use proprietary software from the manufactures for some of the hardware to function. Most of the other ROMS (Android systems) are based on, or from LineageOS.

Rooting

Rooting the phone will allow system files to be modified, removing google and vendor bloat.

Other aspects

I mentioned LineageOS as a alternative to the makers version of Android. There are 2 others I'd also recommend: GraphenOS & Replicant OS however both are limited on the number of devices they support.

Applications

Almost all of Googles app track you in some way, and with the Google software installed, almost every app usage some detail goes back to Google. Google is an advertiser and will therefore use all this info to target ads at you through all aspects of the net. There are open source alternatives for virtually everything that Google does, the one thing that Google has done is made things very convenient for the user, which makes it difficult to move away.
Here is a list of alternative open source apps that don't track you or sell your data for profit:

  • Maps - OsmAnd
  • email - K9
  • Browser - ungoogled-chromium
  • Calendar - Etar
  • Notes - Carnet
  • Drive - Nextcloud

Those are the main ones. To opt out of Google completely would mean moving email to an encrypted email service like Protonmail, Nextcloud can hold your calendar, tasks, photos, Carnet note, sync to your desktop and more. De-googling your life I've already written about. Other browsers offer different protections, like Brave browser, firefox, private browser, and Tor browser.

Fdroid

Once LineageOS is installed and running, installing apps is done through a service from F-Droid and their app as Google play store won't be available. F-Droid hosts all the above apps except for a few of the browsers.

Communication

Now this is an important topic. The standard phone calls and sms can be tapped into. For sms there's Signal, not fully open source but it is encrypted and so far has a good reputation. Other form of text communication involve other platforms and services. Xmpp/Jabber is a good and safe system when encrypted. Matrix platform is another good system that is open source, private and like Xmpp is very reliable. Worthy of note is telegram, although again like Signal is not fully open source has a good reputation and is very popular.

Social platforms

These are a pain as they are built to extract info from you. So as soon as you login, they are gathering info. So the main thing here is to reduce what they get to a minimum, if you want of need to use their services. There are "wrapper" apps that access the mobile website of the social platform and restrict what it has access to on your device, like blocking location, camera and microphone.

Other notes

Once a device is free of Google and the manufactures bloat (and spyware - yes it does happen) then the insecurity of the device is down to how YOU use it.
Many years ago I used to remove spyware from Windows machines. After removal I'd lock the machine down and show the customer and they'd be well please. Quite often I'd get a call a couple of week later say "somethings gone wrong, can you check" and sure enough they switched off the protection and visited some dodgy website.
So it doesn't matter it your phone is the most secure in the world if you don't use it right. Security is an inconvenience, and only discipline will keep it that way. If you value your privacy, you'll keep it secure.

Final Note

Security is as srong as th weakest link. It doesn't matter how secure your phone is, if you're commincating with an insecure phone, the security is compromised.

Good luck!
Stay safe.

And a site that covers some apps, what to avoid, what to use: https://github.com/pluja/awesome-privacy

by

RedNotebook on OSX – how to

This is a short how-to for using RedNotebook on OSX Snow Leopard.
Firstly, some notes: I am not an expert on doing these things. Below is just a guide and following them is done at your own risk, just because it works for me doesn't mean it will work for you. For getting RedNotebook to run was a bit of trail and error and as I haven't worked out all the reasons for doing this way and not streamlining it, it is a little long winded. And so onward...

What is RedNotebook and why use it? I have been using it for some time for my journal and notes for my blogs. It runs great on GNU/Linux and has a Windows installer, but I don't use Windows very much and I do have an Apple machine. And to quote the RedNotebook home page "RedNotebook is a graphical diary and journal helping you keep track of notes and thoughts. It includes a calendar navigation, customizable templates, export functionality and word clouds. You can also format, tag and search your entries."

I didn't work out how to run it on OSX for my self completely, I used a few guides, tried each and it worked. In theory, you just be able to follow the instructions at Softpedia which is laid out (along with the other) below so all I did is in one place.

RedNotebookis needs python, gtk and PyYaml to run. It would also be useful to have the Developer Tools (XCode) 2.3 or newer; 2.5 or 3.x is recommended (availble from Apple (requires id) for free). So here is what I did.

Downloaded RedNotebook and unpacked it.
Downloaded PyYaml formhere and unpacked it.

I have MacPorts installed so I first installed what I thought was needed (in terminal):-

$: sudo port install python_select python26 py26-gtk py26-webkitgtk gnome-python26-extras py26-yaml

Then cd'd in rednotebook directory and did the same

$: sudo python setup.py install

Then:

$ rednotebook

To see if it would work or give me pointers as to what is missing.

As this didn't work fully I did PyYAML directly.
Then cd'd in to PyYAML directory
the in terminal:

$: python setup.py build
$: sudo python setup.py install

Some of the packages are not recognised as being installed so next on to installing GTK and Py-GTK using jhbuild. The problem is that jhbuild will fail if macports or fink is on the system, so two choices exist, remove macports/fink or create another user with admin rights, log out and log into new account. I did the latter Then:
I downloaded and installed git (from here because I needed for GTK-OSX
Once git was installed I then
Downloaded gtk-osx-setup.sh to my home directory and ran it with

$ sh gtk-osx-build-setup.sh

This installs jhbuild in ~/.local/bin/jhbuild. It will also install ~/.jhbuildrc and ~/.jhbuildrc-custom and will copy the current gtk-osx modules into ~/Source/jhbuild/modulesets.
(If you're running Tiger see here as some of Tiger's software need upgrading)
As jhbiuld is installed in ~/.local/bin you must either add that path to your path, alias jhbuild, or call jhbuild with that path, eg.

$ ~/.local/bin/jhbuild shell

I chose to type in terminal:

$ echo 'export PATH=~/.local/bin/jhbuild:$PATH' >> ~/.profile

Closed terminal and then opened again.
Then

$ jhbuild bootstrap
$ jhbuild build meta-gtk-osx-bootstrap
$ jhbuild build meta-gtk-osx-core

The boostrap was successful but the other two weren't. When a module fails you are presented with a menu. I always tried number 1 first and went down the list in order to see what each did. On most occasions the module was skipped and jhbuild moved on to the next until it could go no further. I did this for osx-bootstrap and osx-core. Once done I logged out and logged back into my original account and fired up the terminal.
I then cd'd into PyYAML and ran the command:

$: sudo python setup.py install

then

$ rednotebook

And it worked,

The pywebkit installed with macports is for some new features. It is available here which you can download and compile the usual way (read install notes that comes with the package)

I hope this helps someone to enjoy the very useful RedNotebook on OSX Snow Leopard.