I was sent a Secure Phone Pixel 6a from MLABS to test out. For the last month I have been extremely happy with the device and its default security features and ease of use out of the box. Anyone who is looking for a secured smartphone should go this route. A few of my favorite things:
Separate profiles. I really really dislike Google being all up in my business. This phone allows you to keep Google on a completely separate profile with no ability to access your data. There is another profile with a free open source app market called f-droid which I would recommend to any android user. I added another profile strictly for banking and another for games. This keeps everything containerized and secure.
Signal messenger, hardened browser and Orbot (Tor) are loaded up and configured out of the box, meaning your browsing history and communications are extremely secure vs. SMS or using an encrypted messenger alone. WiFi connections are spoofed to avoid fingerprinting and managing permissions for apps is super simple.
And of course, the whole phone is encrypted all the way down to Private DNS.
I get about 2 days of battery life. Everything worked out of the box with my Verizon SIM card (WiFi calling is important to me).
You can check out the FAQ from the OS devs here. The entire device is open source and very easy to use.
To keep this review fair, the only thing I had to struggle to overcome was the default included keyboard. I am a fan of swipe (dragging your finger across the keyboard to type vs. punching letters) and the ability to hold down a letter to get to the secondary key (vs. hitting one of the symbol buttons to get to the numbers or symbols). Because the OS is stripped down, even installing a keyboard that included swipe didn't let me use the feature. I had to bake the swipe lib into the keyboard build itself and install it. Because I could control all permissions, I am sure the keyboard has no internet access. Let me know if you need help installing OpenBoard with Swipe when you get your phone.
Use discount code HIGHSECURITY for 5% off. When you buy a phone I get a small commission which I will direct back into forum hosting costs.
I would recommend going and paying cash for the phone at Best Buy or Walmart and sitting on it for 6 months before activation. (No need to give a credit card or any form of electronic payment that can be traced.)
Make sure not to activate it near your other phones too!
I think customer service is worth paying for if you're not into messing with your phone's OS / bootloader / root. These days I'm too lazy to do any of that and just run fresh AOSP. Idk what all they package together, preload, change etc., but I know ROM work is for the computer nerd who wants to DIY.
You are dumb if you buy and use this. Every "encrypted phone" ever has been glowing. Why would you trust this company with your liberty? Trust maths, open source encryption protocols such as PGP, not some new random "secure phone" company.
USA customers were not affected by the FBI phones being sold, I do not believe. There is this pesky thing called the 4th Amendment and probable cause that got in the way.
I was quite shocked when I saw the rest of the world was not similarly protected.
If a nation-state wants your data/info/messages, they're gonna get it. They probably already have it.
Be glad you very likely aren't interesting enough for anyone to give a fuck about what you're doing.
And you can consider Google and Facebook/Meta to have nation-state level resources.
There is fuck all real info on the mlabs website other than marketing copy.
"We pre-install all of these secure apps for you!"
And nothing else? How do we know? How can we verify that? Why should we trust the people running this company?
I sure wouldn't. At best this looks like convenience in the form of security theater to me.
If you give a shit about your security, do it yourself. Hardening systems and devices properly takes time and effort. Understanding those systems and how they work is a good layer of protection in itself.
I'd take an off-the-shelf random Android phone from a well-known manufacturer before these guys.
Factory reset it when you buy it. Remove whatever adware or bloatware that you can. A custom ROM might be a good idea. Install Signal if you trust it. Use whatever else if you don't.
I wouldn't get too reliant on Signal - ever since they opened up to allowing crypto payments on their platform they painted a target on their backs. It's only a matter of time before someone verifiable sends a payment for something the US government doesn't like, and the feds move in. Signal is likely still secure. But it's entirely possible that it isn't.
Practice zero trust security. Don't trust the device. Don't trust the hardware. Don't trust the firmware. Don't trust the software. Don't trust people you don't know. Limit your exposure through any single vector.
I have a pretty big trust issue, one of my largest concerns right off the bat with this system. I verified through Wireshark that the device is set up to use GrapheneOS update servers and GrapheneOS defaults on mostly everything. I verified the APK hashes of the installed apps were legit F-Droid builds from my computer. I verified F-Droid itself.
Anyone familiar with GrapheneOS knows there is a feature to check it against another GrapheneOS phone. This is called Device Integrity Monitoring. Tutorial | attestation.app, which doesn't do a whole lot if the phone comes compromised, but I already went through an update cycle and verified the update comes from GrapheneOS proper and passed an integrity check.
Open source gives you the ability to verify these things vs. the loaded-to-the-brim proprietary garbage the FBI handed out. I hate to name drop, you can look on the MLABS site yourself: the creator of Samsung Knox is the CEO and the other founders are real people who also happen to be in our industry.
I don't own the equipment or knowledge to verify the actual hardware is in fact a Pixel 6a and there isn't a hardware backdoor, but this isn't a fly-by-night company that glows in the dark to me. It's a company selling GrapheneOS-secured Pixel devices with all open source apps. That's something I can get behind, aka endorse.
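As an added illustration of the APK-hash check described in the post above (example code written for this page, not from the poster, MLABS or GrapheneOS): it compares the SHA-256 digest of a locally pulled APK against the entry an F-Droid style index publishes for that package and versionCode. The index and APK bytes are constructed samples, and the index layout mirroring F-Droid's index-v1.json (`packages` -> package name -> list of `{apkName, versionCode, hashType, hash}`) is an assumption.

```python
import hashlib
import hmac

# Constructed stand-in for an APK pulled off the device with `adb pull`.
GOOD_APK = b"PK\x03\x04 constructed stand-in for org.example.app versionCode 7"

# Constructed sample in the shape of an F-Droid index-v1.json "packages" map
# (assumption: only the fields this check needs are included).
SAMPLE_INDEX = {
    "packages": {
        "org.example.app": [
            {"apkName": "org.example.app_7.apk", "versionCode": 7,
             "hashType": "sha256", "hash": hashlib.sha256(GOOD_APK).hexdigest()},
            {"apkName": "org.example.app_6.apk", "versionCode": 6,
             "hashType": "sha256", "hash": "0" * 64},
        ],
    }
}


def check_apk(index, package, version_code, apk_bytes):
    """Classify one installed APK against the index.

    'match'           digest equals the published one (a genuine F-Droid build)
    'mismatch'        same package/version is published, but bytes differ: the
                      build was modified or came from somewhere else
    'unknown-version' package is in the index but this versionCode is not, so the
                      APK cannot be an F-Droid build of that version
    'unknown-package' F-Droid does not publish this package at all
    'unsupported-hash' index uses a digest this checker does not compute
    """
    entries = index.get("packages", {}).get(package)
    if not entries:
        return "unknown-package"
    entry = next((e for e in entries if e.get("versionCode") == version_code), None)
    if entry is None:
        return "unknown-version"
    if entry.get("hashType", "").lower() != "sha256":
        return "unsupported-hash"
    digest = hashlib.sha256(apk_bytes).hexdigest()
    # Constant-time compare; cheap insurance even though the digest is public.
    return "match" if hmac.compare_digest(digest, entry["hash"].lower()) else "mismatch"


def audit_installed(index, installed):
    """installed: list of (package, versionCode, apk_bytes). Returns {package: status}
    so anything other than 'match' can be reviewed by hand."""
    return {pkg: check_apk(index, pkg, ver, data) for pkg, ver, data in installed}
```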
I was just speaking with another member here, and I firmly believe that there should be a published list of advertisers with their f4200 handle associated. It is only a matter of time before unscrupulous individuals decide to abuse the banner, and I believe accountability will start with the transparency of who is running the ad campaign.
I have been using this phone for about 6 months now. I am not tech savvy, so I gave it to the people who built all my previous phones and it had all the features I had them do to all the others already built in and very easy to use. I would do your own research, but I am more than happy with it and am using it as I type this.
I spent a lot of time thinking about this. If they had their repository with the prebaked ROM open sourced and you could build it in a sanitized environment in a reproducible way (see GNU Guix), pass a hash check and integrity check, it would also ensure the phone wasn't fiddled with in transit. Side effect being you would know 100% what code you are running and it's verified, with the ability for you to go eyes on. The goal isn't to fork GrapheneOS but to put it on a phone so the average non-techie can use it, but skeptics can verify. In this case you wouldn't need to trust the people running it or go through the integrity checks like I did, which can only go so far.
Sure. That would let you have a certain level of trust with the software. From my understanding it is non-trivial to manipulate the software in a malicious way so that it will pass a hash and integrity check while still carrying the malicious payload, but possible.
The above doesn't ensure that there is no hardware or other lower-level adjustment being made. It also doesn't ensure that the hardware they are buying doesn't come with that as standard from Google.
The vendor putting out a canary notice with each update, similar to how Qubes does, would not be valueless to those who care about such things.
A third party security audit of their system, build process, installation, etc would also be a decent idea.
If they had all of those things in place I'd be less actively hostile to the product overall.
I'd still never buy one, but I'm not the target market.