There are no absolutely secure smartphones. Any gadget transfers a lot of data to the mobile network, for example. If you use public WiFi, you can automatically forget about security. Still, on Android you can install special programs for security. Or you can develop some on your own.
I do agree with you there is no secure smartphone as it stands, as these devices can be compromised by people who understand them well.
And possibly Android should be the OS to use for a more controllable privacy option.
I respectfully disagree with the statement "if you use a public WiFi you can automatically forget about security".
That is true if you use any "standard" phone. If on the contrary your device is aware of how a public WiFi works, then there is no problem.
For example, our devices can connect to any WiFi. Our smartphones come with a low-level IP firewall that blocks all incoming connections, both on IPv4 and IPv6, other than those coming from the encrypted VPN, and only after the connection has been established.
Our phones selectively block fake antennas that pretend to be a known WiFi already authorized by our phones, by keeping a map of the authorized MAC addresses of the authorized antennas.
When it comes to connecting to the VPN gateway, we do not even use DNS queries to find the right IP; our connections are made using static IP addresses for the VPN gateway (not for the phone interface, of course).
We do not exchange asymmetric keys on-line and the authentication is done against a certificate that is pre-installed on the phone at the moment the phone is shipped.
Certificates are updated every 12 months, so we update (send a new phone) every 12 months at most.
Once the connection is established with the VPN gateway (using AES256-CBC), all that any operator will see over the WiFi will be encrypted traffic back and forth between our device and a remote IP (the VPN gateway), which may be chosen randomly by our clients at every reboot of the phone from a set of up to 80 different gateways in 80 different countries.
The traffic is further obfuscated as it is directed usually toward port 53, which is the port used to query a DNS server.
In other words, whoever would sniff the WiFi traffic would see a lot of encrypted queries to some remote DNS. That's all. So I find it difficult, even if you install Wireshark on any open WiFi, to figure out what our device is doing.
Since we are on the subject, our phones only do encrypted calls, messaging and e-mail.
Both sender and receiver connect the way I described above to different gateways.
On top of the encrypted VPNs runs, for each service (voice, message, email), an encrypted query to a distributed hash table with static IPs, updated at every boot. Those static IPs are located all across the globe in several countries, mostly managed by university research centres, not us.
Through those queries, the calling party is able to find the VPN gateway IP and port of the called party (not the real IP address).
The calling party will never know the real IP of the called party and vice versa. Once the "virtual" IPs are known, the calling party will establish a peer-to-peer call (or text or email).
Again, the actual call will be established only if the called party has previously authorized, and exchanged, a symmetric key with the calling party, through a safe channel.
In our case the safe channel is optical, meaning, both phones need to be close to each other and exchange a bar code when they are first paired.
From there, a perfect forward secrecy method to update the keys is used.
Once the party is acknowledged, an end-to-end encryption (AES256 or Twofish) will be used to encrypt the correspondence.
This encryption goes on top of the previous two VPN encryptions (one for the called and one for the calling party).
Traffic goes obfuscated (port 53) from the calling device (in one country) to the VPN gateway (another country), to the other VPN gateway on a random port in another country, and finally to the last device, in another country again.
It is very similar to what TOR does, with the difference that TOR cannot be used because it doesn't guarantee enough bandwidth.
Anyway, it is getting really off topic. All this to say that just because you use any WiFi, that doesn't mean that your connection is doomed. That's all.
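The post above describes refusing access points that share a known SSID but whose MAC address (BSSID) is not in the phone's authorized map. The following is an added example of that check, not code from the poster or their product; the pin store, `PinStore`/`triage_scan` names, network names, MAC addresses and scan results are all hypothetical, constructed sample data.

```python
"""Evil-twin check against a pinned SSID -> BSSID map (added example)."""
from dataclasses import dataclass, field


def norm_bssid(bssid: str) -> str:
    # Canonicalise "AA-BB-CC-DD-EE-FF" / "aa:bb:..." so comparisons are exact
    return bssid.replace("-", ":").lower()


@dataclass
class PinStore:
    # SSID -> set of authorised BSSIDs, as the post describes (constructed here)
    pins: dict = field(default_factory=dict)

    def pair(self, ssid: str, bssid: str) -> None:
        """Authorise one radio for a network, e.g. at the first (trusted) connection."""
        self.pins.setdefault(ssid, set()).add(norm_bssid(bssid))

    def decide(self, ssid: str, bssid: str) -> str:
        """Return 'allow', 'evil-twin' or 'unknown' for one scanned network."""
        if ssid not in self.pins:
            return "unknown"        # never paired: no automatic join
        if norm_bssid(bssid) in self.pins[ssid]:
            return "allow"          # known name on an authorised radio
        return "evil-twin"          # known name, unauthorised radio: refuse


def triage_scan(store: PinStore, scan) -> dict:
    """Classify every (ssid, bssid) pair of a scan; returns bssid -> verdict."""
    return {norm_bssid(b): store.decide(s, b) for s, b in scan}


# Constructed sample data: one paired network with two radios, then a scan
STORE = PinStore()
STORE.pair("CoffeeShop", "AA:BB:CC:00:11:22")
STORE.pair("CoffeeShop", "aa-bb-cc-00-11-23")   # second radio of the same AP

SCAN = [
    ("CoffeeShop", "aa:bb:cc:00:11:22"),    # genuine, authorised radio
    ("CoffeeShop", "DE:AD:BE:EF:00:01"),    # same SSID, BSSID never authorised
    ("Airport_Free", "02:00:00:00:00:01"),  # network never paired at all
]

if __name__ == "__main__":
    for bssid, verdict in triage_scan(STORE, SCAN).items():
        print(f"{bssid}  {verdict}")
```

A BSSID is itself spoofable, so treat an "evil-twin" verdict as a refusal to auto-join plus a logged event, not as proof of an attack.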