Posted by Alexander Hanff on November 14, 2014.
Over the last week I decided to start a new project mostly as a proof of concept but also down to curiosity as to how easy/difficult it would be – I decided to try to make myself a secure phone.
Hardware-wise it was fairly simple, I have an old HTC Desire handset which has been sat in a drawer since I initiated a lawsuit against Google back in 2012 so after a little preparation I rooted the device and installed a Custom ROM with the latest Android KitKat 4.4 system on it, but none of the Google applications (including Google Play). Ideally I would like to find a more secure ROM based around privacy but the Beanstalk 4.4+ ROM I am using is suitable for testing purposes. The phone has no SIM card installed so the only network connectivity it can use is WiFi.
I already run my own VPN server and my own mail server, so the device has been set up with a client for OpenVPN and K-9 Mail for my email with APG (a GnuPG implementation for Android). OpenVPN ensures that all my data is encrypted between the device and my own gateway server, protecting me when I use public WiFi networks. That is a good start but I wanted to go further.
Obviously, given that it is a phone, it is useful if I can actually make calls on it – fortunately I have a VoIP (SIP) account for work with forced encryption so that takes care of that part, but it only allows me to make calls to colleagues using the same service; if I wanted to extend that I would need to add a provider that also routes calls to regular phones (PSTN) or set up my own Asterisk server with an analog interface card. I will be setting up my own Asterisk server as a VoIP gateway in the next two weeks so I can provide friends and family with a means to call me and me to call them, which will also take care of video conferencing and instant messaging (realtime text). So it seems my email, my data, my voice, my video and my instant messaging needs are all catered for and encrypted by default. But being a privacy geek, that isn’t enough for me either – I want to do more.
Now, about 18 months ago I was developing a web site for a law firm and wanted to include Twitter feeds on the site – I was using the Drupal content management system for the site and tried a number of plugins to enable Twitter feeds but I quickly grew annoyed with them all because they were built in a way which always forced the site’s visitors to make a connection to Twitter’s servers and therefore allowed Twitter to plant a tracking cookie on their devices. This was unacceptable to me and I needed to find a way to prevent it – so I wrote my own server side Twitter application which polled the Twitter server for updates periodically and saved all the data locally – then when a user visited the site, the Twitter feed was built entirely from that local data. This worked great, it allowed me to serve the feed on the site without compromising its visitors’ privacy.
I found myself thinking about this the other night as I attempted to fall asleep and it occurred to me, I could use the same app (or at worst a modified version of it) to provide Twitter services to my secure phone and not only Twitter, using the same concept I could create server side apps for all the online services I wanted to use (providing they have an API for third party developers to hook into, which most do). Furthermore, I could encrypt that data on my server and then store it in a database, allowing me to retain everything I want, indefinitely. This means that the only connections from me that these services would ever see would be from my server, so they wouldn’t be able to plant cookies on me or track me across web pages, they wouldn’t be able to detect my location.
But then how do I get that data to my device? I decided it was time to look into writing Android apps, because I am pretty sure that none of the existing apps for Twitter, LinkedIn and other online services I use would be able to plug in to my server side apps. Now it has been 17 years since I wrote any Java applications, so I can assure you I wasn’t in a hurry to take that route, but I recalled that pretty much all mobile device operating systems (Windows Phone, iOS, Android, BlackBerry and even Symbian) are able to run HTML5 apps in what are called WebViews. So with a little bit of digging I discovered Ionic and Cordova (PhoneGap), a framework for building iOS and Android apps without having to write a single line of Java. Furthermore, this framework can interact with the device hardware APIs as well, which means my apps’ functionality wouldn’t be restricted to just accessing remote data services; I could write a whole bunch of new apps which use my phone hardware (such as a new SIP client using SIP.js).
Now I was cooking on gas and decided to do some further research to see just exactly how difficult it would be to replace insecure local apps with homebrewed secure apps which store data on my server. You see, if it is not on my phone, then if my phone gets stolen or taken at a border crossing – none of my data will be compromised – and if I require a password for each service before the data can be retrieved from my server, it adds a strong layer of privacy protection. I started out playing around with the framework and trying out a few things and after a day I now have an almost fully functional Address Book stored in a database on my remote server. The next stage is to integrate social feeds for each of the users and see if I can make calls directly to the contacts via a VoIP/PSTN gateway.
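One way the two ideas above can fit together (a server that polls an upstream API and stores the results encrypted, and a per-service password required before anything can be read back), shown as an added example that is not code from this project. The function names, the in-memory `rows` array standing in for the database, and the choice of RSA-wrapped AES-256-GCM keys are all assumptions; the hybrid scheme is used so the poller can write new items without ever holding the password.

```javascript
const crypto = require('crypto');

// Per-service key pair (hypothetical helper): the poller needs only the
// public key; the private key is stored encrypted under the service password.
function createService(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
                          cipher: 'aes-256-cbc', passphrase: password },
  });
  return { publicKey, privateKey, rows: [] }; // rows stands in for the database
}

// Poller side: seal one upstream item with a fresh AES-256-GCM key, then
// wrap that key with the service's public key (RSA-OAEP is Node's default).
function storeItem(service, item) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(item), 'utf8'), cipher.final()]);
  service.rows.push({
    wrappedKey: crypto.publicEncrypt(service.publicKey, key),
    iv, data, tag: cipher.getAuthTag(),
  });
}

// Periodic poll: only the server ever contacts the upstream API.
// fetchUpstream is an assumed callback returning an array of feed items.
async function poll(service, fetchUpstream) {
  for (const item of await fetchUpstream()) storeItem(service, item);
  return service.rows.length;
}

// Retrieval side: the password unlocks the private key. A wrong password or
// a tampered row throws instead of returning data.
function readFeed(service, password) {
  return service.rows.map((row) => {
    const key = crypto.privateDecrypt(
      { key: service.privateKey, passphrase: password }, row.wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, row.iv);
    decipher.setAuthTag(row.tag);
    const plain = Buffer.concat([decipher.update(row.data), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  });
}
```

With this layout a copy of the database alone, or of the poller's configuration, yields only ciphertext; the password has to be supplied at read time.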
Once I finish the address book, I will be replacing a bunch of other apps such as my photo gallery, my social networks, file storage and anything else I can think of – from what I have read of the framework, there really shouldn’t be anything I can’t do and if there is, then I guess I will have to dust off the old Java books and start developing my own “native” apps to do it. Then I need to do further research on how to bake all these apps into my own custom Android ROM to replace the Beanstalk 4.4+ ROM I am using for testing.
Now many readers might be thinking “Why go to all that fuss, just download existing apps!” and yes I could do that, but with each app I download developed by third parties I am exposing myself to privacy (and security) risks, as most of these apps are collecting vast amounts of information and selling it to advertisers, not to mention the services I am using the apps to access. Sure, it is inconvenient to re-write all these apps myself, but as a privacy geek, it is a useful exercise to see if it is possible to become self-sufficient in the online ecosystem, because if I can, I can document it and maybe help others to achieve the same. I can even open source my project so others can use, extend and improve on it.
So keep an eye on my articles – I will be adding more about the project as it progresses, it is going to be an interesting journey but I am confident the end results will make it worthwhile.
I decided on a name for the project after I wrote the original article – I wanted a name which expresses the reason and origins for the project and have decided on Articul8. It is a mesh of “articulate” which means to clearly pronounce, and “Article 8” (Article 8 of the European Convention on Human Rights is the Article that gives every European citizen the fundamental right to freedom of communications). I feel this project is a clear articulation of Article 8 and therefore, Articul8 seemed an appropriate match.