Unplugged Phone

akc3n

The reason it's not widely mentioned here or elsewhere is that it relies heavily on marketing theatrics and buzzwords, resembling the typical 'privacy phone' scam. Moreover, their single page bullet point summary of the audit report doesn't hold much significance.

JoeS

Good to know, thank you! I'm very loyal to GOS but wanted to know. It seems highly suspect given the background of the people behind it.

GrapheneOS

Nearly all privacy and security products are scams, with few exceptions. That's how the industry works.

GrapheneOS

Many open source projects are misleading users with false privacy and security claims too. It's not limited to proprietary products.

AlanZ

Yeah, nothing inspires more confidence than a "proprietary privacy OS" combined with an antivirus for a phone, lol.

GrapheneOS

Much more information became available. Unplugged began repeatedly spreading misinformation about GrapheneOS combined with false marketing for their product so we looked into it and determined that it's a clear cut scam. Unplugged Phone is a non-hardened, low-end MediaTek device running an outdated fork of AOSP. It has a MediaTek SoC from 2021 and no secure element. It's missing a bunch of basic hardware, firmware and software security features. It lags at least a year behind on Android releases and significantly behind on backported security patches. It will almost certainly begin falling much further behind and won't receive proper long term support.

They forked a bunch of open source apps including the incredibly unwise decision of using Element (Matrix) as a secure messaging app. Matrix is not a good choice for secure communications. It has it bolted on as an afterthought and it consistently has major breaches in the security of the encryption integration. They also used a fork of DivestOS Hypatia antivirus app for their antivirus. They aren't complying with the GPL licenses for a bunch of these apps which are GPL licensed or for the Linux kernel.

They're paying for partnerships to promote their product with a focus on marketing it to conservative Americans based on political ties and partnerships with podcasts, etc. rather than having any substance behind it. It's a blatant scam and they're completely ripping those people off while putting them at risk. Their devices lack basic defenses against data extraction and exploitation. They're far worse than using an iPhone rather than better. The only thing they have going for them is relative obscurity but that's not a viable security approach especially since they're trying to turn it into a successful product. It's a quite standard low-end MediaTek device running a non-hardened AOSP fork so it's not as if attackers need to develop new exploits specifically for it. They only need to test / adjust existing exploits for it without needing to overcome any significant additional security.

Unplugged's services are very sketchy and it's highly questionable that it's in any way more trustworthy than using Apple or Google services. They're not offering as much end-to-end encryption as Apple. The approach for their device itself along with the clearly false marketing for it shows that their apps and services are going to be quite problematic too beyond the ones people have looked into and found major issues with already. It's an entirely marketing driven approach to security with no substance behind it. We're quite comfortable calling this a scam, which is clearly what it is.

Scott

They open sourced now the code

https://github.com/werunplugged

This is fair skepticism, and if we were in the consumers’ shoes, we would challenge the upstart company with its big privacy claims and promises too.

Some researchers, influencers and technologists in the privacy tech and cybersecurity communities have publicly cautioned or even attacked the UP Phone. Although this is unfortunate and rare, we realize we must earn the public’s trust over time with consistent product development and by our actions.

Now, with this preface, we are pleased to announce the first of a series of open-source announcements regarding the UP Phone software and the LibertOS operating system. This follows our announcement in January that we are unlocking the UP Phone’s bootloader – without voiding the warranty – an industry first.

matchboxbananasynergy

Scott This follows our announcement in January that we are unlocking the UP Phone’s bootloader – without voiding the warranty – an industry first.

More lies. This is already the case with Pixels...

de0u

Scott They open sourced now the code

https://github.com/werunplugged

It seems that may be Linux kernel version 4.19.191 (link). If so, that is interesting. I think I'm seeing only one commit on one branch in that repository, so it's not immediately clear whether there are changes beyond that kernel version.

For reference, I believe GrapheneOS is using kernel versions 6.1 and 6.6 (link).

matchboxbananasynergy

I've had some more time to look at this. So, let me say a few words about what we actually have here:

4.19 kernel that they're now releasing and spinning it as some kind of public good, when the kernel is GPLv2...

https://github.com/werunplugged/UP-Antivirus Their "antivirus" app, which takes code from Hypatia and TrackerControl, both of which are GPLv3 apps. They needed to have published their code from the start if they're using GPLv3 code. They are again trying to spin this as some gesture of good will when they're using projects that require them to do this.

https://github.com/werunplugged/up_sms The SMS app, which seems to be a fork of https://github.com/octoshrimpy/quik (another GPLv3 project). At the time of writing, their fork is 21 commits ahead of, and 286 commits behind Quik. You can see their changes on top of Quik here: https://github.com/werunplugged/up_sms/commits/master/. It's not clear if they are going to keep porting Quik's new changes to their fork of the app but so far it doesn't seem to be happening.

In conclusion, they're publishing code that they're required to publish due to the GPLv3 license of the projects they're using, and is something they needed to have done a long time ago. They are not publishing the vast majority of the code, just the kernel and two apps. Nothing from the actual OS. Please don't fall for their marketing ploy of saying they're open sourcing the code when all they've done is publish some of the code they are required to publish by the license.

They're lying about offering things that already exist as an industry first, and they're claiming they're being attacked, when they've continuously spread misinformation about projects doing real privacy and security work.

They have specifically targeted an audience of non-tech savvy people of a specific political spectrum and are banking on the fact that they don't know any better.

It is genuinely sad to see people paying for products like this - the best we can do is try to warn people.

Xtreix

matchboxbananasynergy It's clear that their announcement is just an illusion and that they remain what they are, liars and scammers, and they know it perfectly well.