Today I was trying to inform myself about privacy protections of the Covid-19 contact tracking apps (the apps to identify potentially dangerous contacts). While they do seem promising to me, since open-source projects seem to be seriously developed, I was wondering: is this really useful when the phone hardware itself can be compromised? Is it possible to check it is not? And could a viable open source hardware phone be developed, so that checking becomes much easier?
I think that with these new tracking needs, these questions have become even more important, if not technically, at least because of the "cultural push" for surveillance.
Hoping that my message was in the right section, I thank you for your patience.
An open source phone could be done - and has been done (e.g. OpenMoko, PinePhone and probably others). You may have to live with some binary blobs, though - e.g. the baseband (radio) software. Both for commercial reasons (the manufacturer is not interested in releasing that) and legal ones (most radios these days are software controlled and locking down the software is the easiest way to fulfill the legal requirement that the end-user must not be able to change things such as frequencies or transmit powers).
Can it be viable? Commercially? No. Absolutely not. Something being open source is not a selling point for 99.9% of the people who are buying a phone and the development costs are such that it would never pay for itself in competition with the existing phone manufacturers.
Then there is the entire infrastructure - carriers, networks, etc. which isn't open and that has no obligation to let your gadget on their network. Coincidentally, that's also where most of the worst surveillance actually happens - the police will get your location information, all your call information, texts, audio etc. from the carrier, they don't need your phone for that. Carriers are also frequently selling a lot of this information to advertisers, private investigators, researchers, etc. So whether or not the phone is open source really doesn't matter.
On-device surveillance is a problem only when we are talking about applications doing nefarious things (e.g. Facebook or LinkedIn exfiltrating your contact information) - but then that would be pretty much the same even on an open source phone, unless you ban such applications or restrict their data access (which will most likely break them). That will likely make your customers pretty unhappy.
Alternatively, it can be an issue when we are talking about spooks hacking into your device for surveillance. However, that's more a subject of spy movies and very targeted attacks on certain individuals, not something that can be and is done en masse. And then the fact that the device is open source likely doesn't matter much unless you also develop your own chips, baseband, etc. - a totally unviable proposition due to costs, patents and lack of market for such a thing. Even worse, if you are targeted by such an adversary, having any phone on you is likely the last thing you would want anyway (the phone can be physically bugged, it can still be surveilled remotely through the carrier, etc.).
So if you are worried about surveillance, an open source phone is a red herring. Lobby for better privacy laws and their enforcement instead.