Smartphones may be our most personal devices -- we carry them everywhere, and they know more about our lives than our closest friends -- but they were never designed with security or privacy in mind.
The apps we download harvest too much data (like the flashlight app that needs access to your contacts book) and the handsets themselves are just as vulnerable to hackers and malware as PCs, but harder to protect.
There have been a few attempts to tighten up smartphone security -- witness the recent introduction of end-to-end encryption on some widely-used messaging apps. But if you're really paranoid, or if they really are out to get you, then you're going to need something more.
Enter a small set of companies, ranging from startups to industry giants, offering smartphones designed to counter the efforts of business rivals or government agencies to snoop on your communications. These secure smartphones come at a price -- often an eye-watering one.
Sirin Labs' glitzy launch of the $14,800 Solarin smartphone was attended by Hollywood stars Leonardo DiCaprio and Tom Hardy. In stark contrast, Boeing, which developed the Boeing Black smartphone for its defence and security clients, offered this terse comment: "Boeing has developed a secure mobile solution that is designed to meet the needs of defense and security customers. Due to customer sensitivities, we cannot disclose who is currently using the device or considering a purchase."
The problem with smartphone security
Part of the problem with standard smartphones is that they do so much: thanks to a hyper-competitive marketplace there's a constant race to add more capabilities, which means that security often tends to lag behind.
"When you look at the standard off-the-shelf commercial smartphone, especially these days, the attack surface is enormous, and for a determined attacker it would be relatively easy to hack the device and obtain data of any kind," warns Bjoern Rupp, CEO of GSMK, a Berlin-based secure phone maker.
"An illusion is being created by many players that something is more secure or robust than in reality. If you have a determined attacker, this thing lasts for not even a minute," he warns.
Since it was revealed by NSA-contractor-turned-whistleblower Edward Snowden that governments had been sweeping up vast quantities of our online communications, many companies have boosted the security around their messaging apps: Apple's iMessage and Facebook's WhatsApp are both now using end-to-end encryption, for example.
But encryption can only protect you so far: while an app might be secure, that's not much help if you've already been tricked into downloading a piece of malware that's sending screen grabs of your messages or recording your calls.
All of which means that if someone really wants to spy on your communications, secure software alone will not be enough to protect you, Rupp argues.
"You also need to secure the phone itself against attacks from the outside, and that is something you can only do if you harden the operating system -- and that in turn means you have to ship complete phones because you can't do that in the form of an application."
The Android connection
One thing these security-hardened phones have in common is that they all run versions of Google's Android operating system. This may seem odd, as Android has long been dogged by a poor reputation for security. However, building on Android is much easier than building a smartphone OS from scratch. Also, because the core of Android is open source, it's much more likely that bugs will be spotted and fixed.
"Android had the advantage that, in essence, the core of Android is open-source so it was much easier to compile our operating system from the source code just the way we wanted, without special permissions or licences," said Rupp.
"It's mainly economics and timeliness: Android is fighting a stigma of being not secure because there are so many different versions out there, and those versions can't all be updated simultaneously," says Hyder. Silent Circle operates its own bug bounty programme and has paid out thousands of dollars to researchers who spot flaws in its operating system, promising to patches major vulnerabilities in 72 hours.
Security-hardened software and hardware isn't cheap: a CryptoPhone handset from GSMK can cost €2,450. So what can you expect for the money?
GSMK's CryptoPhones use a heavily stripped-down version of Android that lacks some common smartphone features because of the security risk: they don't support MMS and you won't be able to connect your Bluetooth headset, for example.
The phones are designed so the company itself can't snoop: the encryption keys are generated automatically on the device in a random pattern.
"We don't have all these multimedia codecs which are at the heart of most of Android vulnerabilities: we just don't include them and other components of the OS are stripped down by intention and modified," said Rupp.
Don't trust the hardware
The internal processes of the smartphone also come in for additional scrutiny, including the obscure-but-essential baseband processor, which manages all of the phone's wireless communications.
That's because a determined attacker could hack into the baseband processor, open the microphone and thus listen to a conversation before it was encrypted -- something that standard antivirus software would never spot because that only monitors the application processor.
"As a general principle we do not trust the hardware, but always monitor everything," said Rupp.
GSMK sells to governments, police and military, NGOs and multinationals in sectors such as energy, automotive, lawyers and journalists -- people who are likely to come under surveillance from well-funded rivals or government agencies.
"Our customers have to assume these attacks are being carried out either because they are conducting a billion-dollar transaction in the case of an investment bank for instance, where there is a very strong economic motivation to use advanced attacks because they can potentially provide you with a huge payoff, or because they are governments or international organizations where even lives may be at stake," says Rupp.
According to Rupp, there can also be a cost-saving element: without secure phones, some customers in investment banking could only discuss certain sensitive deals in person, so the phones can save money, speed up projects and pay for themselves in a week.
"From a consumer's point of view you could say this looks kind of expensive, but for those people that need it, it's actually not that expensive," he said.
Still, using a smartphone inevitably means compromising privacy, says Silent Circle's Hyder.
"If you want to have a smartphone you're opting into the public, you're opting into sharing information about yourself -- whether it's just your IP address, your phone number or [that] you're doing Uber and Amazon," he says.
Calls from Silent Circle's Blackphone are encrypted, as is all the data on the device: "If you power that phone down and have a reasonable passphrase on it, it's just a brick of glass. All the data at rest is completely encrypted, and we have no cloud storage that would be a backup: with that, it just becomes a brute-force task which will likely take you ten to fifty years -- it's just not worth it," says Hyder.
The handset features a 'privacy meter' that shows which apps are sharing data and allows users to turn them off. "It just gives you greater control over the data that you do share because you are going to share some data when you use a smartphone," says Hyder.
Silent Circle's Silent OS is also built on top Android, and the company boosts security by offering a bug bounty to encourage researchers to report flaws, and it aims to roll out updates rapidly.
Compromise is inevitable
Despite all these efforts, there's still no such thing as a perfectly secure smartphone: there's always an element of compromise involved, says Hyder, unless you want to give up on using phones completely: "The most secure smartphone out there is the one that's at the bottom of the river."
But will the security of everyday smartphones ever catch up with what's offered by these niche suppliers? As mainstream smartphone makers race to add yet more features it remains unlikely, says Rupp.
"The complexity that they build into these devices is their worst enemy. If you want to reduce the attack surface you have to reduce the complexity, and that's not easy for these companies without having to do a lot of explaining to their normal consumer customers."