Using an Android phone for the airgapped GPG key signer

Çağlar Arlı

Several people recommend only decrypting your master key on an airgapped computer to reduce the risk of having malware that can steal it. What about using an Android phone for this purpose? One could disable the radios in software, encrypt the whole device to protect against tampering, make a Faraday cage around the case, and even open up the device to remove the antennas.

Android phones offer several advantages over alternatives:

  • An old one can be found readily and cheaply
  • Everything you need to use the device is all in one package, as opposed to SBCs
  • Battery powered
  • Very portable, e.g., could fit inside of a safe deposit box at the bank

It seems like a great idea to me, but I do have a grain of doubt because mobile phones are generally associated with privacy invasion. Could there be any holes on such an Android device that would not be present on, say, a laptop or an SBC? All I can think of is the firmware performing telemetry, which would be mitigated (I think) by removing all antennas. Theoretically a laptop or SBC could have the same problem; would it be more likely for a mobile vendor to have something like this, though?