How Secure is the Freedom Phone?
How Secure is the Freedom Phone?
This article was written for Peak Prosperity by Terence Kam, founder and cybersecurity consultant at iSecurityGuru.com. You can follow his company on LinkedIn. Or subscribe to his writings on Medium, where he writes on a wider variety of topics.
There has been a lot of buzz lately about the Freedom Phone. It is a smartphone for those who want to escape the clutches of Big Tech censorship, namely Apple and Google.
After all, when it comes to smartphones, we have a duopoly: Android and iOS. Most Android smartphones are controlled by Google and all iOS smartphones are controlled by Apple. If you do not want to trust both of them, you will essentially have nowhere else to go.
Hence, the Freedom Phone is an attempt to break into the Big Tech duopoly and give choice to those who do not want to trust Google and Apple.
What is the Freedom Phone?
The Freedom Phone is an Android smartphone with Google’s code completely stripped out.
Why is Android used?
Creating a brand new smartphone operating system from scratch is a colossal amount of work. Nobody does it nowadays. Even iOS and Android is based on the Unix operating system, which has decades of history behind it.
Since there is no point in re-inventing the wheel by re-creating a brand new smartphone operating system from scratch, it is much easier and expedient to use an existing and proven open-sourced operating system, which is Android. Since the source code of Android is made freely available for modifications and redistribution, it is the most natural choice for creating an alternative non-Big Tech smartphone platform.
How secure is it?
This is a very good question. Putting politics aside, I am skeptical about the security of this platform. The reason is, there is simply not enough information to make an informed evaluation about this smartphone. There are far too many unknowns.
Where is the security white paper?
The Freedom Phone’s website says that the smartphone is based on “freedom, security and privacy”.
But how exactly does it achieve that?
Without a security white paper, there is no information on their security/privacy philosophy and implementation. I cannot see their thought process behind the implementation.
To give you an example of why a security white paper is useful, take the example of Apple. After reading Apple’s security white paper on iMessage, I was able to make the inference that its encryption is good enough to prevent mass surveillance, but not good enough to protect an individual from being targeted by a state-sponsored actor. The white paper also tells me that Apple’s iMessage encryption is not truly end-to-end encrypted (see this article on what “end-to-end encryption means). That explains why China, Iran and Russia allow iMessage while they ban apps like WhatsApp.
For the Freedom Phone, without a white paper, I cannot make any evaluation.
How much control does Freedom Phone have in the manufacturing process?
The Freedom Phone seems to be a rebrand from this Umidigi phone. Umidigi is a Chinese brand.
It is not clear how much control does Freedom Phone has over the entire manufacturing process. How is the Android implemented on the phone? Who wrote the custom code and drivers for the Android in the phone? How well tested is the code? Who wrote the code inside the various hardware components?
Again, I do not know the answers to any of these questions. Furthermore, I am sure there are even more unknown unknowns that I am not aware of.
Where is the commitment to provide continuous software updates?
As I wrote before in Top 10 Things You Must Do to Avoid Getting Hacked,
The IT industry has not figured out how to write secure code. Every time hardware and software vendors released new products, more lines of computer code are released as well. More lines of code mean more cybersecurity holes. That means there are always holes to be patched.
Worse still, there are always massive backlogs of holes to be found and patched. For example, even today, Microsoft is still finding holes in code written a dozen years ago in their latest Windows operating system!
Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.
Will Freedom Phone stay around in the long haul to continuously provide patches to security holes that will inevitably be found?
Even Apple, with their reputation of security, are constantly patching security holes found in their code. Will Freedom Phone have the financial longevity to do the same?
If not, the Freedom Phone will be insecure within a few years.
Who polices their app store?
The reason why people choose the Freedom Phone is that they promise not to censor.
But that was the case for Google’s Android platform in the early days too. Back then, Google had a hands-off approach to the apps that were published in their app store. The result was that Google Android’s platform’s app store was rife with malware, scams and dodgy apps. Eventually, Google had to follow Apple’s Wall Garden approach by vetting every app in their Google Play Store. Today, every app listed in the Google Play store is supposed to be vetted by Google. But still, I hear of malware making its way to the Google Play store.
So, although Freedom Phone promises not to censor their App Store, are they still going to vet every app for malware and scams and dodgy apps? If not, you can be sure their App Store will soon be a cesspit for hackers and scammers.
Unfortunately, in this politically-charged environment, any form of security vetting will carry the smell of ‘censorship’. This is bound to be problematic for their non-censorship philosophy.
Are you allowed to install apps outside the app store?
My bet is, you will be allowed to sideload apps into the smartphone. But it will be the user’s responsibility not to accidentally side-load malware into their smartphone.
Cybersecurity and privacy are hard.
It takes decades upon decades of lessons, thinking and innovation to get to where we are today in terms of security and privacy. Yet, this problem is still not solved. Hackers and trackers are still finding ways to get around the Great Wall of Cybersecurity that the IT industry has built over the decades.
But the Freedom Phone seems to be a product made in relative haste. For a product made so hastily, it is approaching the level of over-confidence to claim that it has solved the problem of security and privacy.
At best, it will take many years (even more than a decade) for the product to mature to the point of meeting its claim of security and privacy.
Personally, I will give it a pass.
– Peak Prosperity –