This is going to be fun. I have no stake in this, I am going to just yell at the clouds in this one. But I will also try to share what is available about the UP Phone (UnPlugged Phone) and the services underneath it.
NOTE: All of this may change. If this turns out to be the best thing since sliced bread, keep in mind I’m writing this in July 2022.
Unplugged Systems Ltd. is a company based in Cyprus, currently offering a “government-grade secure phone developed for data privacy and security.” It promises to keep you out of Apple’s and Google’s grasp, replacing them with the UP App Suite, a collection of apps meant to provide security to its users. While the HQ is in Cyprus, the R&D is located in Israel.
On the surface, this is all good. Let us compare this offering to other private options currently on the market, and see if this new device comes out on top (at least on paper for now).
The Unplugged phone is supposed to be a device modified to use Unplugged’s proprietary OS, LibertOS. LibertOS is likely to be an Android fork, since the FAQ mentions the following:
Will I have the same experience as with a normal phone?
Yes and no. If you are already an Android user you should be familiar with our user experience as it is very similar to Android. However, for obvious security and privacy reasons, the UP Phone doesn’t have Google Play Services preloaded. The Play Store is replaced by the unrestricted UP Store. Most Android apps are fully compatible with the UP Phone, but you’ll be using them in a secure, privacy-first environment.
Since it will be compatible with Android apps, it is most likely a fork of AOSP or some custom ROM sans Google Play services. Your guess is as good as mine at this point, but it all depends on how much effort they want to put in.
The specs of the phone are unremarkable by today’s standards, “boasting” 6GB of RAM, an 8-core MediaTek processor, 128GB of storage, and a fingerprint sensor. My main issue is with the MediaTek. MediaTek chips rarely appear in flagship phones, being mostly confined to the likes of Moto, Xiaomi, Oppo, Vivo, etc., and they are mid-range at best, budget at worst. However, this chip is meant to be a Dimensity. Introduced in 2019, that line is supposed to compete better with Exynos and Snapdragon chips. We will have to see.
But hey, I’ll use a device if it’s private and for a good price.
This is where this gets fun!
The UP Phone is priced at $850. If you flinched at the price, you’re not alone. We’ll get into alternatives later, but the price only partially covers the phone. As can be read in the pre-order terms and conditions, the “limited edition” UP Phone cost also covers a UP subscription. This means, according to the pre-order terms, that if you receive your device and return it within 14 days, you will get no more than $650 back. Therefore, we can assume that the UP suite costs $200.
What period of service this price buys (if used in full) is unclear at this point. But paying two hundred dollars for a service, and then getting told to fuck off if you find out it’s not all you’ve been hoping for? Whew, the balls on some companies. I believe I paid ~$400 for my online services… after 10 years of having them. This price tag makes the phone very hard to just try out. If someone buys it and finds out they don’t enjoy the services, what then?
The warranty itself is pretty standard. It applies for 1 year (not the EU standard, but I’ll allow it), but it only applies to the device itself. If they push a patch that bricks the device, it is unclear what happens. And to reiterate, the entire OS is proprietary and the hardware is made by a third party. You probably cannot avoid that with any private phone (unless you make one yourself).
One part of the website security researchers will probably be most interested in is the Security report tab. I opened it eagerly, expecting a full description of how threats were mitigated in the app and how the defenses were set up. Who knows, I may learn something for my own security use! Some setting I missed before in my own setup, who knows? It may even help me as a “look at how Unplugged did it” in trainings!
The penetration test targeted the website and application, most likely the UP App Suite (the name is not mentioned). The test followed the OWASP Top 10 testing methodology. This is understandable for the website. I have done some of these (not nearly as many as I’d like, to be an authority), but I can imagine the possible findings. For the mobile app, I was expecting the company to follow something like OWASP MASVS or the Mobile Top 10, but hey, it may have been implied under the Top 10 umbrella.
Imagine my surprise when the report turned out to be one page with no details: 6 sentences in total, each of which apparently warrants its own bullet point. “No security risks were identified,” it says.
This is poor even for an executive summary. I really feel that there may be a full report somewhere, but this is far from inspiring confidence. If this is an honest pentest report, I cannot say I’d install UP anything based on it, and the company needs to work on their verbosity. There must be a full report, with findings of at least the “This part of the UI does not work well” variety.
Two options: either the testers got the full app and just speedran it, or they received a gutted scope. The latter is not unusual, since the client controls the scoping and can decide “Hey, of all these machines and all the open ports, just test this one port on this one machine. That’s what we hardened, we want a nice checkmark.”
The information the service collects about you, per its terms:
- Full name
- E-mail address
- IP of connection
- Phone number
This in itself does not inspire confidence in me. A service tailored towards privacy should not store any of my information. With the regular offerings (GrapheneOS, LineageOS or CalyxOS), I don’t need to share anything other than the IP address of my connection. Those OSs can also be downloaded from a public connection (café, McDonald’s) and installed at your leisure. Afterwards, none of them require anything of you. Updates can, again, be downloaded in public spaces, and that can be the only connection to the server.
LibertOS, on the other hand, requires communication between you and the service every time you use it, be it messages, phone calls, video calls or just general VPN usage.
Now for the big hitter:
(…) Information about you may also be released in order to comply with any valid legal obligation or inquiry or process such as a search warrant, subpoena, statute or court order.
What. the. actual. FUCK.
If I’m choosing a private OS and service, I do not want to see this. Combined with the info they collect regularly and the fact that the US can impose gag orders, I can’t feel secure with a service that literally states it’s going to snitch on me. This is also a good example of why not to keep all your eggs in one basket. I don’t want my VPN provider to know what messages I send, and I don’t want my messaging service to know my browsing history. Anyone offering an “all-in-one” solution just shouts “honeypot.”
Compare this to Signal, which stores little more than an account’s creation date and last connection time, as its published responses to subpoenas show.
If we’re thinking private, we need to give up some convenience. With Apple, you get all apps in one place, it’s all tailor-made for iOS, no problems. Stock Android you may get on a phone you buy will be quite similar.
Forget all of that. Fragmentation will be the name of the game, but only as much as you want. We’ll go through the options we have to cover the basics of what LibertOS offers and build a better device for less, while staying private.
As much as I hate to say it, your best out-of-the-box option may be a Google Pixel 6a. Priced at ~$450, it’s almost half the price of the UP Phone, and it has some flagship features, such as the ability to install custom ROMs and relock the bootloader. This gives you the option to say “Fuck the private lifestyle” and reinstall the stock OS, should you ever feel the need to, or when you’re selling the device/passing it on to that one relative who can’t live without the Google Play Store.
Another option (as I found this week) is the Fairphone 4. Priced at a steeper €579-649, it is more expensive, but this phone also supports relocking the bootloader. I cannot attest to how secure it is, I’ve never tried to break the OEM lock on a Fairphone, but it’s better than my own phone which, if the bootloader is locked with a custom OS, will flip its shit and brick itself.
If we’re talking Pixel, we have options. One is GrapheneOS and the other is CalyxOS. Both are quite similar in their approach, i.e. maximum privacy and hardening, but each approaches the topic a little differently. If you can try both, go for GrapheneOS first, since it is the more restrictive of the two, and see if you like it. If everything works and you don’t encounter any deal-breakers, congratulations, this is your phone. If you do, move to Calyx and give that one a shot.
The price of these OSs is staggering: $0.00. That is the power of open source. You can download it and use it without ever giving out a cent. We can use this money to work on other aspects of our privacy.
As for Google Play (since both are Android), the two projects approach it differently. CalyxOS ships microG, which can spoof Google Play signatures and pretend that Google Play Services is present, when in reality it is just microG telling the apps that it is. GrapheneOS recently started shipping “Sandboxed Google Play”, which runs the real Play services as ordinary unprivileged apps. If you have some apps which need GSF (Google Services Framework) to even start, you can set up a separate user profile, and all the filthy Google Play apps will have no way to reach your other, precious apps.
The UP App Suite offers several functions: The UP Store, UP Messenger, UP VPN and UP Antivirus. Let us look at each of them, one by one.
The UP Store should contain all apps you may need for a private phone. Cool, but what about the other apps I might want? That’s where F-Droid steps in.
F-Droid contains thousands of apps, all FOSS (Free and Open Source Software), so they are free to download. Furthermore, F-Droid flags what it calls anti-features on apps that raise red flags, such as:
- Does the app depend on non-free network services (does it need Cloudflare or some other proprietary service to work)?
- Does the app track or report on your usage?
These two alone have saved me some headache, but your mileage may vary. Check out F-droid if you’re on Android, just have a look around to see what it offers. Who knows, you may replace some apps that rely on Google Play.
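As an added example (not from the original post and not F-Droid’s own code), here is a small Python audit of an F-Droid repository index in the index-v1.json layout, where each app entry carries an `antiFeatures` list of strings. The two flags the post cares about are `NonFreeNet` and `Tracking`; the BLOCK/WARN split is an assumed personal policy, not something F-Droid defines, and the embedded index is constructed, not downloaded.

```python
"""Audit an F-Droid index for anti-feature flags.

Editor's added example, not code from the post or from F-Droid. It reads
the index-v1.json layout (top-level "apps" list, each app with an optional
"antiFeatures" list of strings). The BLOCK / WARN policy is an assumption
of this example; the sample index below is constructed, not downloaded.
"""
import json
from typing import Dict, Iterable, List, Set

# F-Droid anti-feature identifiers as written in index-v1.json. The post
# singles out NonFreeNet (depends on a non-free network service) and
# Tracking (reports on your usage). Which ones are fatal is your call.
BLOCK: Set[str] = {"Tracking", "KnownVuln"}
WARN: Set[str] = {
    "NonFreeNet", "NonFreeDep", "NonFreeAssets", "UpstreamNonFree",
    "Ads", "NoSourceSince", "ApplicationDebuggable",
}

# Constructed sample index; package names are placeholders.
SAMPLE_INDEX = json.dumps({
    "repo": {"name": "constructed sample repo", "timestamp": 0},
    "apps": [
        {"packageName": "org.example.clean", "name": "Clean App",
         "antiFeatures": []},
        {"packageName": "org.example.cdnbound", "name": "CDN Bound",
         "antiFeatures": ["NonFreeNet"]},
        {"packageName": "org.example.tracker", "name": "Tracker",
         "antiFeatures": ["Ads", "Tracking"]},
        # Older entries may omit the key entirely.
        {"packageName": "org.example.nofield", "name": "No Field"},
        # A flag this policy does not know about yet.
        {"packageName": "org.example.newflag", "name": "New Flag",
         "antiFeatures": ["SomethingNew"]},
    ],
    "packages": {},
})


def classify(flags: Iterable[str], block: Set[str] = BLOCK,
             warn: Set[str] = WARN) -> str:
    """Return 'block', 'warn' or 'ok' for one app's anti-feature flags.

    Any flag in neither set is treated as 'warn': fail closed when
    F-Droid adds an anti-feature this policy has not classified yet.
    """
    present = set(flags)
    if present & block:
        return "block"
    if present & warn or present - block - warn:
        return "warn"
    return "ok"


def audit(index_json: str, block: Set[str] = BLOCK,
          warn: Set[str] = WARN) -> Dict[str, List[dict]]:
    """Group every app in an index-v1 document by verdict."""
    index = json.loads(index_json)
    report: Dict[str, List[dict]] = {"ok": [], "warn": [], "block": []}
    for app in index.get("apps", []):
        flags = sorted(app.get("antiFeatures", []))
        report[classify(flags, block, warn)].append({
            "packageName": app["packageName"],
            "name": app.get("name", ""),
            "flags": flags,
        })
    return report


def packages(report: Dict[str, List[dict]], verdict: str) -> Set[str]:
    """Package names that received a given verdict."""
    return {entry["packageName"] for entry in report[verdict]}


if __name__ == "__main__":
    result = audit(SAMPLE_INDEX)
    for verdict in ("block", "warn", "ok"):
        for entry in result[verdict]:
            shown = ", ".join(entry["flags"]) or "-"
            print(f"{verdict:5} {entry['packageName']:28} {shown}")
```

To run it against a real repository, extract index-v1.json from the repo’s index-v1.jar and pass the file contents to audit(). The newer index-v2 layout stores anti-features as an object keyed by flag name, so there you would feed the object’s keys to classify() instead of the list.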
This is where I’m going to suggest WhatsApp.
HA! Got you there for a second, didn’t I? No, fuck WhatsApp. If you need it, it’s fine, but for your real secret chats, we have a few options: Signal, Molly, Briar, Wire, Conversations, and Matrix.
I may not have the time to go into each in depth, but I’ll highlight the main points:
- Signal is the de facto first option for a secure messenger. Open source, but running on Signal-owned servers. Downside: needs a phone number (but who says a burner SIM doesn’t exist?)
- Molly is an open-source, hardened fork of Signal, adding some functionality (such as a passphrase-locked local database) and piggy-backing off Signal’s servers. Same transport mechanism, a few different functions.
- Briar: the paranoid’s choice. This messenger uses no servers; it talks peer-to-peer (over Tor, or directly over Wi-Fi/Bluetooth). All the talking must be done when both parties are online. If I send you a message from my Briar account and you’re not online, it’s not arriving. If I send a message and go offline before you come online, it’s not arriving either. No servers between you and the person you are talking to.
- Wire I don’t have much experience with, but I’ve put it on the list just because I heard so much about it. Apparently it shouldn’t require a phone number and supports voice/video calls, which is a nice touch.
- Conversations: You can find this app on F-droid in all its glory. It uses XMPP servers, and the best part of XMPP is that you can roll your own. If you have a server you trust, you can install it there and have a “safe haven” for you and your friends to talk.
- Matrix: there’s been so much written on Matrix (the protocol; Element is the usual client) that it’d be a shame not to include it. Fun fact which I cannot confirm: the UP Messenger appears to just be a reskin of Element for Android.
The VPN choice will have to be up to you depending on where you can get service, but know this: no VPN will protect you if you repeatedly do bad shit on it. It protects you from advertisers and your ISP knowing what you do, but if the cops come, no VPN service will save you. Tor might, but any VPN, paid or free, will give you up in the blink of an eye.
Top choices: ProtonVPN, Private Internet Access. The bonus of PIA is that you can pay with gift cards (not giving them even your payment info). If you want to roll your own, something like PiVPN or a simple WireGuard/OpenVPN setup may do the trick.
I don’t use one on my phone. Simple. But if you really want to, check out F-Droid for some FOSS antivirus goodness. There are many good reasons to use an antivirus everywhere.
While Unplugged Systems Ltd is thinking of what else to add to their array of apps, I will do the thinking for them and offer not only what the app should do, but also which ones you can use (feel free to insult my intelligence and call me an idiot for liking app XYZ):
- Ad blocking: NetGuard, Blokada
- 2FA: Aegis
- Mail client: K9-Mail
- File browser: Simple File explorer
- Calendar: Simple Calendar
- Password manager: KeePass (KeePassDX on Android), Password Store
- Online storage: Nextcloud, Syncthing
- VPN: WireGuard (on F-Droid)
- Browser: Fennec, Tor Browser, Bromite
- YouTube: NewPipe (if you have Android and don’t have NewPipe, treat yourself, I promise you won’t regret it)
- All that server maintenance: Termux
- Any proprietary app from Google Play: Aurora Store
That is a lot of apps that I use on an almost daily basis.
You may look at the apps and think: okay, I can install these apps for free, but Nextcloud needs some place to save the data! And WireGuard needs a server!
You are absolutely right. But consider this for a second: we haven’t spent all the Unplugged money yet! Even if you sprang for the €649 Fairphone 4, we still have about $200 left over.
This is where you can do some of the setup yourself, or pay for some secure hosting and set up a server in the cloud. I have all my stuff running at home, on a home server with 4TB of storage and an X200 laptop as the bare metal. It runs my VPN server, and if I ever need to log into it, I connect to the VPN and SSH in. If I need files on the go, I can use SFTP to start an encrypted file transfer from anywhere in the world, as long as the laptop is online.
My hosting runs me about $3.50 a month. That is enough storage for all my immediate-access files (PGP-encrypted) and the website with all the bells and whistles. It only gives me 20GB of storage, but for those things I need to get off my phone fast and can’t wait, it’s plenty. A $3.50 box, if we want to hit the $200 cap, will run happily for 57 months. That is just shy of 5 years for $200. Compare that to the $200 price tag on the UP App Suite, which you are stuck with if you buy the phone and realize it does not fit your needs.
In short, if you have $850 lying around:
- Buy a FairPhone, support the project.
- Download CalyxOS.
- Set up a home server (a NAS will do). You can spend all of the $200 on it; everything else can be had for free.
- Install F-Droid, download FOSS apps.
- Be happy
Alternatively, if you’re a cheapskate like me:
- Buy a Pixel 6a ($450)
- Download GrapheneOS
- Set up the same home server, but now you can beef it up for ~$400
- Install F-Droid, download FOSS apps.
- Be happy.
The Unplugged phone sounds like every other “secure phone” in history. It will give you a one-stop shop for all your privacy needs, but that is exactly the problem. If I wanted to trust one company with all my data, privacy, security, and software needs, I would still have my Google account. Or buy an iPhone, as disgusting as that may feel to me. If we’re going for privacy, no one company should have the complete picture, or even an accurate slice of it, for that matter. I’m not saying I’m unhackable or untraceable, but I’m doing the best I can with the tools and skills I have.
Don’t let anyone tell you you need a specific device from a specific company to get all the privacy. Don’t even trust me! I may be wrong a few months from now. But privacy is something you cannot just buy and forget about. It is something to keep, like a plant. If you don’t pay attention to it, it will die. And it’s very hard to find again. Do your own research, but remember: It’s not about following my tutorial here. It’s about setting up some practices that will help you in the long run.