Secured Android Smartphone
A Brief Spec and Overview
I want to build a secured phone that can be used as either a hardened comms device, or even as a daily driver. I have a decade of experience in practical applied operational security, and over 5 years of experience working on secured Android phones. This project is my last attempt to make a secured phone for everyone. I have the unique skills, knowledge and experience to create the device, but I am no business man and there is no real “secured phone” market.
The costs of developing, manufacturing, maintaining, distributing and supporting the devices is very high. The market is very small. As a pure business focussed solely on “secure phones” it is not financially viable. There are ways to overcome these obstacles, and you can help.
UPDATE: added an FAQ
First the specs, which people have been clamouring for, and then an explanation of the goals and objectives of the project.
Hardware: Google Pixel 3a
Boot loader: Google’s boot loader. Locked. Signing keys for the OS.
OS: compiled stock GrapheneOS. Signing keys embedded in the bootloader. Private OTA update server
App Store: F-Droid, with a custom repo and collection of apps. All of the apps are available through a combination of: the Calyx Repo, Guardian Project Repo, and F-Droid repo.
The initial offering of the secured phone was decided the month before DEFCON 2019. The idea was to gauge the interest in pursuing a secured phone for people who:
- Would rather pay for a device than assemble and maintain one themselves [ain’t nobody got time for that]
- Wanted a device, could afford one, but were not comfortable making one [shut up and take my money!]
- Need a secured device but cannot afford, nor build one. [beneficiaries]
- Fund software development of a proprietary security app integrated into the OS. It creates a secured secret container for sensitive applications and data, along with a process that monitors for hostile environment factors and proactively secures the container. For more information see my 2014 syscan presentation: Click and Dragger, Denial and Deception on Android VIDEO SLIDES
- Fund the upstream FOSS projects that are used by the device. Many people download and use FOSS tools without donating (that is fine), but this product allocates a portion of the sales price to each app/tool etc. and donates. This project relies on those tools and it is moral, ethical and practical to support the upstream FOSS projects.
- Finally, to have sufficient profit to compensate me for my time working on the project.
The unit cost is very high due to having to purchase retail devices, pay the donations, cover other unforeseen costs (eg returns), and have enough left over to maintain and expand the project, in addition to subsidising phones for those who need but cannot afford them.
Production costs, before any overhead
Initial estimates to produce one unit: $450
Actual cost to produce one unit: $900
This is the “wholesale cost.” Simply making one phone costs about $900. Funding for the project and everything else has to be added on top of that. This raises the retail price of the device substantially. Making it a less attractive purchase, reducing the units sold… death spiral.
There are ways to address the costs and price points, such as offering different hardware and software solutions with tiered functionality. However, this would increase costs, due to additional Q&A, development, and supply chain logistics. It is not a solution to make the business viable, but can be a solution to make more affordable devices.
Post DEFCON decision
I ran a poll to see if anyone was interested in buy a device. There were 200 people who said they were. I assumed a 3% conversion rate, so figured something up to about 5 units. It wasn’t even close.
Due to the lack of interest, further work on the project was abandoned. Assembling a device for someone who “can pay, doesn’t want to build” or “can pay, doesn’t know how to build” was left open as an option on a case-by-case basis.
- “I could make one of those for, like, $300 in 30m” –
Nothing is stopping you, feel free to do so. It’s less trivial than you imagine, but go for it. The goal of this project is not to sell a bare secure ROM on a phone. The goal is to fund the development of future secure phone software. Buying the phone distributes money to secure FOSS projects, and supports the research & development of future security software.
- “Still, seems pretty steep though. Can’t you cut some corners?”
You get what you pay for.
The overhead price includes not only R&D, support, maintenance, operations, etc. It also includes budgeting to provide subsidised devices for those in need. People escaping abusive relationships. NGOs. Reporters. Those who desperately need a safe phone, but have neither the capability nor the resources to make their own.
- “Why Android? Why not…” –
Android is the ideal platform. It is an existing stable software platform, with robust security features and APIs to build on. It has a vibrant FOSS ecosystem of apps which enhance the security and utility of the phone. Developing on anything else would require significantly more development resources, and cut the phone off from the great security apps that already exist for Android.
- “Can’t you just sell the ROM? Or license it?” –
The market is very small, very niche. The people who could flash the ROM are the same who could flash GrapheneOS anyway. I have no desire to spend my time on something with such a small value add and no long term benefit to infosec.
A large segment of the people these phones are designed to help can’t flash a ROM. Those who can flash a ROM, either can pay the license but don’t have time for building a phone, or, they have the time but cannot afford the license. In short, I believe it would cannibalise the business.
There may be merit in a reseller program, but straight licensing of the ROM is not going to happen. Licensing would require additional development – the licensing infrastructure. At what price point does it become viable?
- “Do you know about librem5, Calyx, Guardian Project, GrapheneOS etc?” –
Yes. In most cases I am working with them, in talks with them, or in preparation to talk with them (depending on the viability of this project)
- “What security problem does this solve that any other phone doesn’t?” –
Let’s talk about the future version, the one that will be funded by this generation. The threat model is: user has no control over their device, it is being searched by a hostile threat actor, discovery of any incriminating apps/data leads to a negative outcome. The phone proactively escalates its stealth and security in lock step with the examination.
In the worst case, even if the threat actor discovers the secret compartments within the phone, they still can’t access them without the cooperation of the user.
Additionally, it creates a malware hostile environment reducing the functionality of many “spouseware” monitoring apps, prevents sideloading of apps, and attempts to block installing malware from a third party source.
- “What about a Kickstarter, GoFundMe, or something?” –
The real problem with this project is not “initial seed capital.” That is a tractable problem (eg kickstarter.) The difficulty to be overcome is creating a sustainable business so that the business can continue to improve and help those in need.
- “You want to build a secure phone business? Niche market man…” –
I do not want to spend my time building a secure phone business. I want a secured phone. No one is making what I want, and I know others need. I’ve created many versions in the past. Now I’d like to create a modern version. This approach is intended to get me the secured phone I want, and provide maximum benefit to everyone else who needs, or wants, a secured phone.
When you support this project you’re helping to build better security devices for those who need them. We can benefit everyone, or we can wait for someone else to get around to doing it.
There is an interest spike, which I suspect is temporary due to the current interest in iOS security.
I am not sure that there is a sustainable business in this market, it is very niche, most ppl who need them have no money, and many of the rest can easily make one themselves.
The path for this project to reach its maximum potential is tricky
- self sustaining,
- supporting the development of improved security apps,
- providing subsidised devices to people in need
As a pure business, the per unit price point requires a larger market than “friends of friends.” Without supporting investment or other outside funding, there is no way to start and continue the project.
(No, I’m not going to bother asking the Open Technology Alliance to fund this project. They’ve rejected every grant proposal I’ve sent. Their selection process is too opaque and confusing, and it simply isn’t worth the hassle.)
I would very much love to produce and sell a proper secured mobile device. One that protects the user and their data both with secrecy and security.
I spent the last 5 years building various prototypes, models, versions and variants. I am tired of wasting my time creating software that will never be used. This project is an opportunity to realise my goal of an affordable secured phone. After the failed DEFCON experiment, I was prepared to abandon it and move on to the other things I care about.
Finding a viable plan to make my vision a reality has eluded me. This might be the chance.
After the recent spike in visibility and interest, I am in talks with people who may have larger markets and potentially be able to help creating a business or non-profit.
I very much hope this works.