3T is an uncompromising platform in terms of security and privacy. It is also very flexible, so different layers and settings can be selected and configured on demand. This makes it possible to meet the individual security needs of different organizations, further enhancing the usability of the private network.
Platform Features
Two autonomous environments living in one device – a normal one and a secure one.
Dual boot
The solution provides two completely autonomous operating systems. They run in alternate and fully independent environments with separate data storage: a normal one and a secure one. Switching between environments is possible only through a specialized secure application. The dual boot application design disallows remote switches, leaving the option entirely to the user’s will.
Secure OS
The Secure OS is customized with the most advanced safety features:
- Latest Android distribution with the highest performance privacy-by-design principles implemented. This ensures a highly secure environment that still provides a smooth Android experience.
- Automatic, VPN-protected over-the-air updates bring the latest advanced data protection and privacy features.
- Firewall against tracking, surveillance, spying, penetration and data theft.
- Only whitelisted secure applications. Both built-in and optional ones.
- Full control over installed applications
- Secure encrypted communications – voice calls and text messaging.
- Secure browsing.
- Prevention of metadata collection.
- Geolocation tracking resistance.
- Secure data exchange within the community.
- Always-on VPN for anonymous presence across the internet.
- Integrated firewall.
- No external traffic or corresponding content can come through outside the tunnel.
- No data leaks outside the tunnel.
- All the internal traffic is encrypted and inaccessible by third parties.
- Fully forced – can never be avoided or stopped by programs or users, either remotely or locally.
- Only authentic access is guaranteed by:
- Complex PIN codes when entering the environment
- Separate PIN codes when running the different applications
- Disabling Wi-Fi and Bluetooth when not in use
- Banned access for unauthorized third-party USB devices
- Secure push notifications
- Internal-Operations-Only protocol applied. The OS does not have to use cloud services or to trust third parties. It is maintained entirely internally within the private infrastructure.
- Disk encryption protected by secure element authentication and security design
- Secure element provides a strong access protocol based on credentials that are stored and processed inside the chip.
Normal OS
The Normal OS is a hardened Android for casual use. Although normal, it is still provided with an encrypted file system, thus no security compromises are left in it. Android 11 comes with some additional security changes:
- Improvements to the BiometricPrompt API
- Mobile Driver’s License support
- Secure Storage to make it easier for apps to share data blobs
- Expanded use of sanitizers to several security-centric components
- Improved Call Screening
- Introduction of the GnssAntennaInfo class for improved GPS privacy
- Secure audio capture from USB device
Hardware
- 3-T P1 has a secure hardware shelter with extended privacy controls
- Privacy Mode with no possibility for remote or software interventions. Physical button disables the camera, location services, microphone, Bluetooth, screen recording, screenshots and activates airplane mode. The Privacy Mode sets up an efficient shield against malicious acts like:
- Hostile surveillance, by disabling the cameras
- Wiretapping, by disabling the microphone
- Unsolicited remote connections to the device via Bluetooth
- Qualcomm® Snapdragon™ 662 – a secure, robust and power-efficient chipset that is designed to provide high performance and a high level of user comfort.
- Snapdragon 662 comes with multiple advanced properties in terms of security:
- Biometric Authentication: Fingerprint, Iris, Voice, Face
- On-Device: Qualcomm® Mobile Security, Key Provisioning Security, Qualcomm® Processor Security, Qualcomm® Content Protection, Qualcomm® Trusted Execution Environment, Camera Security, Peripheral Security, Crypto Engine, Qualcomm® Malware Protection, Secure Boot, Secure Token
- Qualcomm® Hexagon™ Vector eXtensions significantly increase the processing efficiency
- Qualcomm® Sensing Hub enables the voice assistant to be always-on, immediately catching any command.
- Authentication and integrity checks at each reboot of the system to intercept any malicious attempts at modification, replacement and unauthorized execution.
- Widened performance and security of executed operations thanks to the built-in cryptographic accelerators.
- Remarkable AI-driven engine for fast and powerful performance, vast multitasking capabilities and smart intuitive on-device interactions. All running on a major-league fortified and sustainable platform.
- The integrated Qualcomm® FastConnect™ 6100 Mobile Connectivity System makes the Snapdragon 662 Wi-Fi 6-ready for powerful connections that include battery-saving benefits and enhanced Bluetooth 5.1 capabilities. Wi-Fi 6 ensures confident connections with the supported cutting-edge WPA3 security protocol.
- The supported elements of the WPA3 Wi-Fi security protocol give robust security across a wide range of environments and applications.
Infrastructure
Secure Linux-based backend
- Linux is a secure OS by design.
- Linux systems are rarely infected by viruses.
- Linux does not grant full access by default.
- Linux incorporates a sequence of built-in security defenses (UEFI Secure Boot, Linux Kernel Lockdown, SELinux, AppArmor MAC)
Private VPN server
- A privately hosted VPN eliminates the risks of public VPN servers (in particular, you do not need to trust them)
- Provides encrypted traffic tunnels even through open public networks
- Single sign-on authentication
- Less latency compared to a traditional VPN.
DNS-over-HTTPS server
- DNS queries over HTTPS protect you from leaking information to your internet provider
- Encrypts the DNS traffic
- Prevents man-in-the-middle infiltration
Private app repository server
- Runs a private built-in app repository with a curated selection of apps.
- Lineup management
- Arranged list of pre-approved trusted applications.
- Execution of application installations
Attestation Server
- Provides the relevant backend infrastructure for the auditor app.
- Substantial authentication of the remote device and its software.
- Remote wipe-out integration supported – can be executed automatically on attestation failure.
Audit Server – a secure and powerful multitasking server with multiple activities in recording and active monitoring.
- Automatic audit logs – continuously structuring and recording all events across the infrastructure and on devices. Reporting log data – automatic and on demand.
- Automatic execution of testing sessions on schedule. An internal testing system was developed in order to perform security checks frequently.
- Monitoring and analytics – statistical data on the infrastructure activity is collected, monitored for patterned biases and summarized. Summaries are automatically sent to responsible administrator users within the community.
MDM (Mobile Device Management) – a security-oriented and customizable device management platform for closed private networks that brings multiple safety features:
- Keeping apps up-to-date remotely (push)
- Collecting log files on the server
- Data passes only over the HTTPS protocol, so it cannot be accessed by third parties
- Integration with the attestation service
- Remote wipe-out – a security feature that provides the ability to remotely erase data. It can generally be used if a device has been stolen or lost, ensuring that the information on it can never be accessed by others.
- Remote password change
- VPN management
- Continuous device audit logging
- Trusted CA certificates management
- Wi-Fi management:
- SSID
- Security Policy
- Credentials
- Frequent Application Library updates
- Password expiration time