
Hi HN,

My name is Tudor and I am the maker of cophone. With cophone you can have your private virtual smartphone running in the cloud, complete with a phone number so you can use it just as you use your physical smartphone. And it works from your browser! Although cophone mainly targets companies, private individuals are welcome! At the moment only US phone numbers (+1...) are available, but more country codes are coming soon. Also having multiple numbers is in the pipeline!

Signal app works - just choose "Call" instead of "Text" when verifying your number. You CAN receive text messages, but some apps that require you to receive one in order to register might still NOT work (i.e. WhatsApp). That's because they might not recognize cophone numbers as mobile numbers so you'll never receive the challenge message. Main desktop browsers are supported. Chrome on Android also works but on iPhone there're still some issues, esp. on older iOS versions. I'm working on it!

Cophone is marked as beta because I haven't tested it at scale and there are still some rough edges.

I am exploring having a freeware version with a common, shared phone number and an extension for each user. So you'd dial +123456789 followed by #098765 to get connected via PSTN with a cophone user - let me know what you think of this.

I'd love to get your feedback! Don't hold back if you have a feature request or something doesn't work as expected for you!

If you'd like a deluxe tour please reach out (tudor at cophone dot io) and I'll be happy to show you around!



So it's an Android VM that can be accessed from a browser for $15/month. For an extra $10/month you can attach a phone number to it that has free incoming calls and SMS along with pay-per-minute outgoing calls and pay-per-message SMS.

I see App Lounge in the screenshot so I assume the VMs are running /e/. Have you tried installing any of the MDMs out there like AirWatch or Intune?

As a thought exercise, how about some light abuse. What would happen if I rammed a couple TB of BitTorrent data through that VM. Maybe used it as seedbox. Or maybe a proxy so I can access a streaming service.

It feels like you're really trying to sell the phone part, and that the Android VM is a means to an end. However, this is just a random phone number that I suspect isn't portable. So if I stop using your service I can't take the number with me. So why wouldn't I get a Skype number for $6.50/month, Skype to Phone for $3.50/month, and then use the web.skype.com page to make all the phone calls I want. Or you can do what I do and use jmp.chat for phone calls and SMS and have it all routed to the XMPP client of your choice (as long as that client supports all the needed features).


The VM without a phone number was a way to offer free trials without having a phone number. Will see if it takes the test of time.

> I assume the VMs are running /e/.

Yes.

> Have you tried installing any of the MDMs out there like AirWatch or Intune?

No, I haven't tried. Cophone is very new and because of this lacks some functionality or app support.

> What would happen if I rammed a couple TB of BitTorrent data through that VM. Maybe used it as seedbox. Or maybe a proxy so I can access a streaming service.

Any tool can be abused. I have some bandwidth checks in place and some monitoring. More sophisticated abuse prevention is under development.

> why wouldn't I get a Skype number...

It's not just about the number, it's the whole package. Think BYOD but without the hassle of mixing work and private data. These devices could be supplied by your employer, with all the apps and number(s) that you need from day 1.


Hey Tudor,

I really like the concept and I think it could be the future of corporate access in a way, but I'm trying to look at this through a security lens. I think my main concern with this would be around potential unauthorized access and the impact that might have on an organization. If my target market for this is enterprise clients, I would go to great lengths to ensure that the only person who could access this virtual phone, is the user that's intended to access it.

I'll try to keep this short, but here are some ideas I think would really boost adoption and practicality:

1. IP Whitelisting: In the portal, users should be able to add a VPN gateway IP or user's home IP to an allowlist at the very least.

2. Zero Trust integration: The goal here is to be able to enforce device/user identity restrictions in a way that only certain devices/users have access to their virtual smartphone.

3. Management Plane: With the above in mind, it might make sense to have IT/Management configure the whitelisting/user certificates for ZTNA in a management portal, so there is separation of duties here.

With the above feature requests in place, I would then add a 3rd line item on the pricing page for "Enterprise Pricing" with a "Contact us for a quote" option.

For my use case, and I think others may have a similar use case, I would like to use this for my MFA applications and various other internal applications, but if there's no way to restrict access to an individual user, this is essentially a huge security risk from a business standpoint.

Hope you find this useful!


Thank you, this is useful!

Indeed risk mitigation is crucial for companies. Your points are really good, I think they struck a good balance between functionality and security.

One other thing that I am considering, since it is a popular request, is to provide an app that can be installed on a physical device. The device would basically act as a proxy for the cophone's notifications but in addition would also notify the user about potential unauthorized accesses.

> 3rd line item ...

Totally! Thanks!

> use this for my MFA applications and various other internal applications

This!


Aren’t you missing the huge whole that Tudor and anyone who works for them can read all your data?


*hole.


Doesn’t seem like running Signal on a phone hosted in someone else’s data center is the smartest thing to do.


It's pretty smart if you're a spammer / phisher. Legitimate use-cases for this setup seem to be few and far between. I wonder how it handles (or skirts) the STIR/SHAKEN requirements in the US.


Some of us are trying to get rid of the smart phone ;). I want a flip phone but 2FA is a problem with flip phones. I recently started to use 1password paid just 2FA.

On a serious note, this is unfortunately what scammers like to use, it would be prudent to lock it down before scammers put you in the middle of a legal case. I have a long story, I tell people about scammers, but in the case, please be careful. Grandma is getting conned by these telephone virtual numbers.


Agreed. This type of service is ripe for committing fraud. I'd be very very careful about the customers you serve.


Do you happen to know more about how the companies that only offer the phone numbers prevent fraud?


They don’t do so super well, in general. There’s a reason that risk scoring solutions for phone numbers often see numbers flagged as VOIP as red flags.


I want to offer some words of encouragement since I did not have a chance to play with it (mildly busy Friday). Still, I think it is a genuinely interesting project and I can see myself using it. I will check it out after the day is done. GL. I really think you got something here.


Kindly, how can you seriously be calling this secure?

By your pictures this is /e/OS, a system which hasn't had the browser/WebView updated in 7+ months, is consistently 2 months behind the ASB, is 1 year behind the PSB, and has a PDF viewer with an engine from January 2016.

That is 196 known security issues in the browser, hundreds in the OS, and another 60 in the PDF viewer.

I document these issues and many more here: https://divestos.org/misc/e.txt

If this really is /e/, you seriously need to address this.

Go rebase on an actual production OS like GrapheneOS, my DivestOS, or CalyxOS.


Thank you for your feedback! I will have a look at the alternatives you proposed.


Very interesting concept. I'm not a decision maker at my workplace but it's something I'd definitely mention in conversations. I really like the idea of not having to carry a work phone.


How does it work with notifications? Is it possible to get a notification on the user's phone when one of the apps in the virtual phone pushes a notification?


Not yet! For that you would need to install an app that would basically relay the notifications from the virtual smartphone to your smartphone.


Is it something I can use for 2fa? I jump between a lot of VPNs and systems, and having to use my personal phone device for 2fa is annoying at best, and something I'd like to avoid in future. I don't understand quite what "App Store" means in this context. I can download and install stuff from Apple's App Store? Or something else? Thanks.


Yes, you can use it for 2fa. AppStore in this context is the /e/OS App Lounge: https://doc.e.foundation/app-lounge#where-do-the-application...

From the link: "Where do the applications in the App Lounge come from? App Lounge can be used to install Native as well as Progressive Web Apps (PWAs) from a single interface. Apps are managed differently depending on their source. Applications from the Google Play Store are fetched using the Google Play API. Progressive Web Apps (PWAs) and Open Source Apps from F-Droid are fetched using the CleanAPK API (more info on the CleanAPK is covered below). App lounge allows you to filter apps by Open Source, PWAs, or just show all apps."


> Yes, you can use it for 2fa.

You say elsewhere you provide virtual phone numbers. If this is the case, you cannot use it for SMS-based 2FA reliably. Sometimes you will receive codes, but most of them won’t be delivered.


This is, unfortunately, true. Some codes will NOT be delivered to your cophone.


Only if you and your IT dept could be comfortable with trusting this guy's code, choice of tech stack, honesty, and opsec. Not that suspicions are warranted or that phone 2FA is much better, but still.


How does it compare to something like MySudo or SilentPhone?


Cophone is a complete smartphone - but virtual. You can install any app in the App Store as well as place and receive calls and text messages, just like you are today with your physical smartphone. MySudo and SilentPhone offer a limited set of their own apps that you can use. Cophone does not have this limitation, you can install and use whatever app is available in the store.


You do realize that a lot of apps are blocked on emulators? Do you manage to bypass those limitations?


Yes, this is an issue that I can only partially bypass at the moment.


Any plans to offer other country codes than +1 ?


Yes, this is (also) on high priority. But it depends a lot on the country, some have very strict regulations around this. Which countries are you mostly interested in?


How are you planning on dealing with licensing for the iOS version you are working on?


Sorry for the misunderstanding. Cophones run /e/OS, which is an Android-based OS.


And can it be used to run iOS apps inside a browser inside an Android phone?


Cophones are running an Android version from /e/OS.

You can access the virtual smartphone from a browser running in a physical smartphone. Unfortunately not all smartphones/browsers support it.


Any comments on why e/OS for your image and not GrapheneOS, given superior patch interval and other benefits that your users may want/need?


Because no secure element, which is a hard requirement for GrapheneOS (hence Pixel-only).



