Alt text: Spongebob screaming “I fucking love right to repair. I want to fucking exercise my legal right to maintain my property to reduce electronic waste and save money instead of supporting planned obsolescence in the technology space” with an iFixit knife and smartphone in his hands.

  • argv_minus_one@beehaw.org · ↑ 10 · 2 years ago

    Repairing your old phone won’t make it any less insecure. The baseband firmware is a gaping security hole in basically all smartphones, and the only phone I know of that mitigates it is the eye-wateringly expensive Librem 5. It’s a very sad state of affairs.

    • CalcProgrammer1@lemmy.ml · ↑ 5 · 2 years ago

      The baseband firmware isn’t very secure I agree, but there’s a lot you can do to the application processor OS to make it more secure and more private without tinkering with the modem side. Stock Android installations are bloatware and spyware heaven. Just putting a de-Googled AOSP based ROM on your phone does wonders for mitigating “telemetry” and going for a proper Linux OS like postmarketOS allows for full disk encryption too. Is this going to prevent your telco from spying on your GPS location? No, but it’s a huge step in the right direction.

      I daily drive a PinePhone Pro and it’s pretty much the closest you can get to a secure/private smartphone. The modem being a separate module is a huge step in the right direction here as it reduces the attack surface that the modem can perform on your data, not having access at all to the RAM, camera, microphone (IIRC gets routed to modem only when in a call, determined solely by the application processor). Unfortunately the modem is also the GPS source so it doesn’t protect against that. The PinePhone modem also has open source firmware but it only runs on the application processor of the modem module, not the actual DSP.

      My reasons for going with Linux phone are more to do with the fact that I want a pocket Linux PC for doing development stuff on though and less about the security aspect. I don’t run FDE but I like knowing it is an option.

      • argv_minus_one@beehaw.org · ↑ 4 · 2 years ago

        > The baseband firmware isn’t very secure I agree, but there’s a lot you can do to the application processor OS to make it more secure and more private without tinkering with the modem side.

        Yes, but it doesn’t matter very much if the baseband is compromised, because then the attacker has complete control over the entire phone.

        Does the PinePhone isolate the baseband processor like the Librem 5 does?

        • CalcProgrammer1@lemmy.ml · ↑ 2 · 2 years ago

          Yes, the PinePhone and PinePhone Pro both use the QUECTEL EG-25 modem module. The application processor (Allwinner A64 or Rockchip RK3399) is isolated from the baseband processor as the modem module connects over USB (as well as a dedicated audio routing path via I2S I believe, but the routing is controlled by the application processor). There may also be a UART connection, not sure. The baseband does not have the same direct memory access and peripheral access that most Android chipsets with integrated basebands have.

          Also, while I know security by obscurity isn’t a good security measure, replacing the OS and kernel on an Android phone would make it harder for the baseband to get anything of value by probing the system memory directly. Yes, it’s still possible, but much more unlikely than with a stock Android ROM that any baseband exploit would likely be targeting.

          You also have the option of just not loading firmware to the baseband, but then your phone is limited to WiFi only.
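
A way to check the USB attachment described in the comment above on a Linux phone, as an added example (not code from the thread or from Pine64): it lists the USB interfaces the modem exposes and the kernel driver bound to each, which is the host-side surface the modem can reach. The 2c7c:0125 USB ID, the sysfs path and the sample tree are assumptions that do not come from the thread.

```python
import os
import tempfile

# Assumption (not from the thread): USB ID the Quectel EC25/EG25 family enumerates with.
MODEM_ID = ("2c7c", "0125")

def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None

def modem_usb_surface(sysfs_root="/sys/bus/usb/devices"):
    """Map each USB interface of the modem to its bound kernel driver (None if unbound).

    Returns None when no matching device is attached to the USB bus."""
    if not os.path.isdir(sysfs_root):
        return None
    for dev in sorted(os.listdir(sysfs_root)):
        base = os.path.join(sysfs_root, dev)
        ids = (_read(os.path.join(base, "idVendor")), _read(os.path.join(base, "idProduct")))
        if ids != MODEM_ID:
            continue
        surface = {}
        for entry in sorted(os.listdir(base)):
            if entry.startswith(dev + ":"):  # interface dirs: "<device>:<config>.<interface>"
                link = os.path.join(base, entry, "driver")
                surface[entry] = os.path.basename(os.readlink(link)) if os.path.islink(link) else None
        return surface
    return None

def build_constructed_tree(root):
    """Write a constructed sysfs-like tree (not captured from a real phone) for offline runs."""
    dev = os.path.join(root, "devices", "1-1")
    os.makedirs(dev)
    for name, value in zip(("idVendor", "idProduct"), MODEM_ID):
        with open(os.path.join(dev, name), "w") as f:
            f.write(value + "\n")
    for iface, driver in (("1-1:1.0", "option"), ("1-1:1.4", "qmi_wwan"), ("1-1:1.5", None)):
        os.makedirs(os.path.join(dev, iface))
        if driver:
            os.symlink(os.path.join("..", "..", "..", "drivers", driver), os.path.join(dev, iface, "driver"))
    return os.path.join(root, "devices")

if __name__ == "__main__":
    found = modem_usb_surface()
    if found is None:  # no such modem on this machine: fall back to the constructed tree
        found = modem_usb_surface(build_constructed_tree(tempfile.mkdtemp()))
    for iface, driver in found.items():
        print(iface, "->", driver or "no driver bound")
```
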

            • CalcProgrammer1@lemmy.ml · ↑ 2 · 2 years ago

              Are you hoping for them to be produced in the USA? I highly doubt that will ever happen (unlike the Librem 5). Pine has their HK based store and an EU store but the HK store ships worldwide. I’m in the US and bought my PinePhone and PinePhone Pro from the HK-based official Pine Store, took a while to ship but otherwise they’re definitely available for US buyers. I haven’t heard of any plans for a US-specific Pine Store (think the EU store was to work around EU import duties that we don’t have in the US). There’s also AmeriDroid, which is a US-based reseller that stocks a lot of Pine products, I’ve bought a different SBC from them and had a pretty good experience but I haven’t bought Pine stuff from them.

              • argv_minus_one@beehaw.org · ↑ 2 · 2 years ago

                I don’t expect PinePhone to be made in the USA—I realize that’s an unrealistic expectation in this day and age—but I do need to be confident that it’ll work in the USA. So far, all I see about that is individual users like you talking about using it in the USA, with varying degrees of success, not an official statement by Pine64 and/or American phone companies.

                The reason for my concern is that I consider my phone to be my lifeline. If I have an emergency, the only way to call for help is by using my phone. If I get lost somewhere, the map on my phone is my best chance at finding my way out. This isn’t the '90s when I could just walk up to someone and ask for help or directions; if the news is to be believed, doing that in this day and age could get me shot.

                Per the Wikipedia articles about PinePhone and PinePhone Pro, both models are mainly for developers of smartphone software. My understanding is that this means these products are not yet ready for use as I described above. Please correct me if I’m wrong—I’d be thrilled to have a phone that I can completely trust!

                • CalcProgrammer1@lemmy.ml · ↑ 3 · 2 years ago

                  I think at that point you aren’t really concerned about anything region-specific so much as you’re concerned about the general state of Linux as a viable mobile OS. That is entirely understandable, at the moment it does not provide the same degree of functionality you would get from an Android phone, even a de-Googled one.

                  Maps (and GPS for that matter) are not really usable. GNOME Maps exists and does work as a map viewer for OpenStreetMap, but it does not do real-time navigation and, more importantly, I have not been able to get GPS to work reliably. Location works when connected to WiFi but it’s just using a WiFi map location service not GPS. For some reason I can’t get a good GPS fix on either PinePhone. Google Maps works in a browser, but only to the degree you can use it on desktop. Right now, you’re not going to use your PinePhone as a proper GPS navigation device.

                  The phone functionality seems reasonably solid these days, but it’s very basic. It places calls, it receives calls, and that’s about it. No Bluetooth, no using USB headsets. The audio routing is pretty much fixed to the hardware audio path from the earpiece and mic to the modem. There is an option of using USB audio for the modem with the open firmware which theoretically will allow the audio routing to be flexible, but it isn’t reliable in my experience.

                  SMS seems pretty solid. Sending and receiving texts works, MMS now works provided you have the mmsd service set up and running. Can’t complain too much there.

                  Visual Voicemail is available and was working fine, though in the past week or two it doesn’t seem to be working but could just be an issue on my end.

                  Mobile data works as expected.

                  The PinePhones still have an issue where the modem drops out and reconnects, sometimes it doesn’t want to come back up but restarting eg25-manager fixes it.

                  It sounds like the state of mobile Linux and the PinePhone aren’t there yet for you, but I would say the same holds true for the Librem 5. It might not have the modem dropout issue, but otherwise it’s running much the same software stack.