
Horizon Innovations

Ideas are easy, implementation is hard


android

August 13, 2021 by james

The Secure Mobile Phone

How secure is secure?

I was installing the GNU Guix Linux operating system the other day and pondering the FSF ideology of only using free and open software. Almost all the hardware of the machine I was installing on was made by Intel, and Intel has released a lot of their software as open source and free. So far so good, except for the WiFi module, which needs closed source software to get going. The problem with closed source software is that the code cannot be checked and so a degree of trust is involved. Also, with AMD as well as Intel, there are design flaws in their hardware that can only be mitigated through software, such as the microcode for their processors. These are always closed source and therefore not available to truly open source systems, leaving them vulnerable to problems if you stay true to open source - catch-22!

Onto the mobile.

Can a mobile phone be truly secure? Probably not, because as soon as you connect to the telephony service, a triangulation of your position is fairly easy. In all other aspects it's quite possible, depending on the hardware you use. At the moment it appears that the Pinephone has the best chance, as the telephony modem has been "reverse engineered" to run off open source software. Everything else in the phone can (and does) use open source software. Other phones may be open too, as there are several Linux phones available.

Onto the practical.

Which phones are or can be made secure in a general sense?
The Apple iPhone's security is unknown as its hardware and software are proprietary and therefore, by definition, cannot be trusted, no matter what their marketing may say.
Android phones are a bit of a mixed bag. The Android system itself is open source, which is good news. However, Google have added their own proprietary software, which is not so good. This is placed in the system and is difficult to remove, although it can be done. Many of the Android phones have closed source hardware; the software for the modem, for WiFi/Bluetooth etc. is proprietary. Sometimes these have to be taken on trust. So far there have not been any reports of these being infected with mal/spyware.
Linux phones are few on the ground, and some Android phones can be converted to run Linux. See PostmarketOS and TouchOS (Ubuntu based).

Which phones

This depends on many factors, ranging from personal preference to how secure you need to be. So, I'm not going to recommend any phones (or at least not here). If you want to be at the forefront of secure technology, then a Linux phone would probably be your go-to. Other than that, Android phones can be made fairly secure with a little technical knowledge.

There are many "how to's" out on the net for unlocking the bootloader of your phone and "rooting" the device, so I'm not going to go into detail. Maybe check xda-developers.com/forum for info on your device. The "why" is a different matter. One or both are needed to change things on the phone to make them more secure or less insecure.

The bootloader

Unlocking the bootloader enables different systems to be installed and run (booted). So to change from Android Motorola to LineageOS, the bootloader must first be unlocked and a recovery flashed across, then LineageOS installed and booted.
LineageOS is an independent Android built off Google's open source AOSP. It comes with a few basic apps to get you going. LineageOS does use proprietary software from the manufacturers for some of the hardware to function. Most of the other ROMs (Android systems) are based on, or derived from, LineageOS.

Rooting

Rooting the phone will allow system files to be modified, removing Google and vendor bloat.

Other aspects

I mentioned LineageOS as an alternative to the maker's version of Android. There are 2 others I'd also recommend: GrapheneOS & Replicant OS. However, both are limited in the number of devices they support.

Applications

Almost all of Google's apps track you in some way, and with the Google software installed, some detail of almost every app usage goes back to Google. Google is an advertiser and will therefore use all this info to target ads at you through all aspects of the net. There are open source alternatives for virtually everything that Google does. The one thing that Google has done is make things very convenient for the user, which makes it difficult to move away.
Here is a list of alternative open source apps that don't track you or sell your data for profit:

  • Maps - OsmAnd
  • email - K9
  • Browser - ungoogled-chromium
  • Calendar - Etar
  • Notes - Carnet
  • Drive - Nextcloud

Those are the main ones. To opt out of Google completely would mean moving email to an encrypted email service like Protonmail. Nextcloud can hold your calendar, tasks, photos and Carnet notes, sync to your desktop and more. I've already written about de-googling your life. Other browsers offer different protections, like Brave browser, Firefox, private browser, and Tor browser.

F-Droid

Once LineageOS is installed and running, installing apps is done through a service from F-Droid and their app, as the Google Play Store won't be available. F-Droid hosts all the above apps except for a few of the browsers.

Communication

Now this is an important topic. Standard phone calls and SMS can be tapped into. For SMS there's Signal, not fully open source but it is encrypted and so far has a good reputation. Other forms of text communication involve other platforms and services. XMPP/Jabber is a good and safe system when encrypted. The Matrix platform is another good system that is open source, private and, like XMPP, very reliable. Worthy of note is Telegram, which, again like Signal, is not fully open source but has a good reputation and is very popular.

Social platforms

These are a pain as they are built to extract info from you. So as soon as you log in, they are gathering info. So the main thing here is to reduce what they get to a minimum, if you want or need to use their services. There are "wrapper" apps that access the mobile website of the social platform and restrict what it has access to on your device, like blocking location, camera and microphone.

Other notes

Once a device is free of Google and the manufacturer's bloat (and spyware - yes it does happen) then the insecurity of the device is down to how YOU use it.
Many years ago I used to remove spyware from Windows machines. After removal I'd lock the machine down and show the customer and they'd be well pleased. Quite often I'd get a call a couple of weeks later saying "something's gone wrong, can you check" and sure enough they'd switched off the protection and visited some dodgy website.
So it doesn't matter if your phone is the most secure in the world if you don't use it right. Security is an inconvenience, and only discipline will keep it that way. If you value your privacy, you'll keep it secure.

Final Note

Security is as strong as the weakest link. It doesn't matter how secure your phone is, if you're communicating with an insecure phone, the security is compromised.

Good luck!
Stay safe.

And a site that covers some apps, what to avoid, what to use: https://github.com/pluja/awesome-privacy

Filed Under: Android, Communication, hardware, security, Software Tagged With: android, communication, security

December 12, 2018 by james

Escaping From Google

In the wake of the Facebook data fiasco and Google's collection for their own ends, I thought it would be an interesting project to see if it's possible to go Google free on Android, and Google free completely for my business. A lot of people use Google for a lot of things ranging from email to maps, drive (storage) to music and of course search.

In the wake of the passing of the AA bill through the Australian parliament, I have updated, amended and added to this post to take this into account.

What are the replacements for the most common apps used and how does it affect the work flow?

One of the biggest hurdles to overcome is the fact that nearly all of Google's apps are integrated, they are connected to each other, and on Android, many apps use the Play Store (Google) notification system. Some apps have reduced functionality without the Google connection.

The Apps

| Google | Android | PC/Mac/Linux |
|---|---|---|
| Search | Duckduckgo/Smartpage | |
| Maps | OSMAnd~ | Openmaps |
| Gmail | Protonmail/Tutanota | |
| Calendar | Etar | Lightning/Nextcloud |
| Drive | Nextcloud/Mega.nz | |
| Chrome | Waterfox/Via/Orfox (requires Tor) Brave | |
| Music | Blackplayer/VLC | VLC |
| Keep | Markor | Atom |
| Launcher | Nova/Lawnchair | |
| Message (SMS) | Signal | |
| Photo | Nextcloud/Smugmug | |
| Docs | Nextcloud/polaris office/Andropen office | LibreOffice/Openoffice |
| Password | Keepass2android | KeepassXC |

And for Android itself: LineageOS is probably the most well known and has the most supported devices available. Mokee (needs some modding) or Resurrection Remix OS (more can be found on xda-developers.com) are also good and generally kept up to date. There are more specialised Android remakes that are far more secure.
Replacing the Android system is the only way to take Google off your device. It is a lot easier to do now than before and some manufacturers are friendlier than others with this.

As I've put a non-standard (manufacturer's) Android on all my phones, for this review I use my Sony Xperia Z. It's not a new phone but still works well and the community support is outstanding.

The biggest part of Google is their free online apps that can sync across devices. It was revealed a while ago that they use AI bots to search through your email, docs etc. for keywords so they can present you with more relevant advertising. I'm not keen on this. What to do about it? Well, most businesses these days have a website, which means they have a server. On my server I've installed an app called Nextcloud. Nextcloud can, with the aid of plugins and third party software, do almost everything Google does, except look at your stuff. There is also an encryption plugin. Your calendars, photos, file storage, music and video streaming: encrypt it all, sync to all your devices, and it's open source software (and it's free!).

Keepass is an encrypted password storage system. It is cross platform. This page lists what is available: https://keepass.info/download.html

Update:

As the new AA Bill is so invasive with its powers (I'm not going to get political here), what can be done to protect yourself from spying eyes and keep your privacy?

I researched most of this a while back. Besides the above, if you have a server for your website, move it to a safe country like Switzerland. Then for your finance and communication, I'd suggest using an operating system from a USB stick. There are a number around, one that is most recommended is Tails (https://tails.boum.org/) as it comes with almost everything you need to stay safe. On their website they even have an installer to take the hassle away. I've used Tails and can recommend them. Along with ProtonVPN, you'd be good to go. This is a bit of a hurriedly finished post, so I'll be updating it over the next few weeks just to make sure I've covered everything.

Any questions or suggestions that I've missed are most welcome.

Stay safe 🙂

Filed Under: security, Uncategorized Tagged With: aabill, android, facebook, google, Linux, nextcloud, open source, protonmail, tails, tutanota

May 5, 2013 by james

Freeing The Asus Transformer Prime

I have had the Asus Transformer Prime for a while now and considering its hardware specifications I am a little disappointed with its performance. Taking into account it had a quad core + one processor its multi-tasking abilities leave a little to be desired, in fact, my HTC DesireHD gives it a good run for its money and it has a single core processor (and far less memory). So, what is the problem and how to fix it? After some investigation it would appear that the stock kernel (the heart of the operating system) is at fault. And to fix? Free the TF201 by unlocking the bootloader and installing a "ROM" (modified operating system) that can take advantage of the hardware. This is how I did it.

Usual disclaimer etc

Running Jellybean

First, unlock the bootloader. This can only be done by Asus and fortunately they have provided a way. Asus say their unlocker will only work for the ICS bootloader, but many (including me) have reported that it works with the Jelly Bean bootloader. Use this link Asus Boot Unlocker
Then install a custom recovery. I use TWRP - Clockwork recovery isn't compatible.
Then to free the root - this is done with the installation of TWRP
And finally to install a new ROM!

I have tried out a few different ROMs to see what they're like and how they perform.
First was Androwook. This is based on the Asus original but with a different kernel and the option to remove (install without) the Asus apps (bloat to some people). It is a speedy and stable ROM with no real complaints. It is based on the original; the Asus Android version is 4.1.1
Next was Teakbean. This is a combination of Teambake and personal scripts by the developer of the ROM. This worked really well. Only complaint is it's not being developed anymore. On a personal note, if I had the time I would jump at picking this up and developing it further but alas time and knowledge are in short supply. Based on 4.1.1
Blackbean: A good ROM based on Teambake again. In steady development. It is stable and quick (so far - it is all relative) and has a few quirks which hopefully will be ironed out.

After trying out several more I have decided to stay with the Energize ROM by NRGZ (developer's "tag"). This is also based on the original ROM by Asus and has the option of installing with or without the Asus apps. Earlier this year NRGZ ported over the TF300 ROM to the TF201, which brings a smoother experience with the 4.2 added extras from Google. The Energize ROM also has a dark(ish) and blue theme with many HTC icons, leaving a pleasant overall look.

Update: I have now migrated to BB8 (BakedBean8) by Team Baked, with a custom kernel and over clocking. Now runs smooth with minimal lag.

Filed Under: Android Tagged With: android, asus, energize, TF201
