Färist Mobile

End-user manual
Version 4.0 on BQ Aquarix X

Document version 1.0

WELCOME TO FÄRIST MOBILE

Färist Mobile is an approved smartphone providing comprehensive protection

against cyberattacks and electronic eavesdropping.

A SECURE SMARTPHONE
Färist Mobile consists of a secure operating system based on Android that
runs on the latest high-end smartphone devices.

STRONG PROTECTION WITH APPROVED ENCRYPTION

Färist Mobile has an always-on VPN-tunnel connecting to your corporate
network, to protect all IP-communication. This means that all information
transferred via apps – be it voice, messaging, e-mail or data – is protected.
Strong disk encryption with external keys protects user data against leakage
and theft.
 WELCOME TO FÄRIST MOBILE

PROTECTION AGAINST MALWARE USING WHITE LISTED APPS

Färist Mobile is compatible with standard Android apps, but only
approved apps that are available on the white listed marketplace can
be installed on the Färist Mobile. This prevents malware or other
apps from being installed.

The organization decides which system permissions the apps on the

marketplace are granted, if any.

EASE OF USE
The Färist Mobile user interface is standard Android. All Android apps
function in the same way a user can expect and security is built-in
without affecting the user experience to any extent.
 FÄRIST MOBILE – SYSTEM OVERVIEW

Internal or outsourced server environment

Protected services such as
secure voice, messaging etc

Tunnel termination Storage

in a VPN concentrator

Smartphone as a VPN modem

VPN
Services

FW

Internet

Internet access through

a central firewall

All IP traffic protected by

the VPN-tunnel

Färist Mobile
USING FÄRIST MOBILE
POWER ON

Enter PIN code for Enter PIN code for Swipe the startup screen and Enter PIN code
screen lock the SIM card scan the key for disk encryption for the screen lock
(if activated) using an NFC-tag or a QR-code

Device is encrypted
To start Android, enter your PIN To unlock the encryption of the device
you need to scan or enter your key

EMERGENCY CALL

Press here to enter key manually

Note! SIM lock and screen lock have similar appearances.

Do not mix them up!
 HOME SCREEN
Notifications Status

This is Färist Mobile’s Home screen.

To add a shortcut to an app on the home

screen:

• Open the App launcher. Scroll up or

down to find the app you are looking
for.
• Press & hold the app until the Home App launcher
screen appears, slide it into place, Swipe upwards
and lift your finger . to open.

Overview
Open apps are
shown.

Back Home
Opens the previous screen you were working Takes you back to this Home screen.
in, even if it was in a different app.
NOTIFICATIONS AND STATUS

Incoming text messages and other

events will be notified in the
notifications field. Secure Conversations

Swipe down the notifications field New message

Touch to open Conversations

and click on a notification

to open up the corresponding app. System Update Available
There is a system update available. Press here…

Swipe down again and

common settings will appear.
SECURE CONTACTS

Search for more users

Secure Contacts is a central address book
containing contact information for all users
of the system.

Secure Contacts displays all the contacts Phone symbol:

Contact is locally stored
belonging to the same group as you. in the address book
DevOps

You can search the central directory for

contacts in other groups by pressing the Group symbol:
Contact belongs to the
magnifying glass. same group as you

The symbol to the right indicates if the

contact is in the same group (group
Cloud symbol:
symbol), another group (cloud symbol) or Contact belongs to
another group
a locally stored contact (phone symbol).
SECURE CONTACTS

Press a contact to display the different options

available.

Then select the option of choice:

• call encrypted call,
• send encrypted message or
• call regular (unencrypted) calls.

You can also export contacts to your Android

address book. This procedure may, however,
create local copies that become obsolete if the
directory service with secure contacts will be
changed centrally.

Depending on the policy and configuration, not all

options may be available.
PHONE NUMBERS

A Färist Mobile has two phone numbers;

– one for regular unencrypted mobile calls

– one for encrypted calls

The phone number for regular unencrypted calls depends

on the SIM card.

The phone number for encrypted calls is set by your

system administrator. It starts with the prefix +999. This
number stays the same independent of the SIM card used.

Encrypted calls can be made to any other device

connected to the same infrastructure as your Färist Mobile.
 MAKE AN ENCRYPTED CALL

eller eller

Dial the number manually Call using the local address book Call using Secure Contacts

The plus sign (+) is obtained by pressing and holding the zero (0) key.
No, you cannot use 00 instead of the plus sign (+).
ENCRYPTED CALLS

When an encrypted call is made between two

Färist Mobile devices, an additional layer of
encryption will be activated (ZRTP protocol).

When ZRTP is in use, a 4-letter authentication

code appears that the two callers are asked to
verify. This is to make sure that the encryption
is truly end-to-end.

Since encrypted calls in Färist Mobile are made

in an additional layer of encryption inside the
VPN tunnel, it is usually safe to ignore this step.

Note! Conference calls and 3rd-party IP phones

may not support ZRTP.
CONFERENCE CALLS

Färist Mobile supports conference calls using specific

conference numbers.

A conference is started by dialing

+999 92 <conf nr> <pin code>

For example
+999 92 5000 1234

The conference number and pin code is

chosen by the conference leader. Anyone can
start a conference call at anytime.

Note! The conference number 92 may differ

between systems. Contact your system administrator for
more details.

Tip: The pin code and phone number can be

sent to the participants using Secure Conversations.
DESKTOP IP PHONES

A desktop IP phone can be connected to the Färist

Mobile infrastructure using either Färist VPN or
Färist Micro.

Note! All desktop IP phones do not support ZRTP end-

to-end encryption.

VPN

FW

Internet
SECURE CONVERSATIONS

Secure Conversations is a secure instant messaging

app. It can be used to send text messages, images
and files to Färist Mobile users.

Secure Conversations supports encryption of

messages, strong authentication using digital
certificates, and group conferences.

To start a new conversation, go to the Secure

Contacts app, click on the contact and select
Encrypted message.
SECURE CONVERSATIONS

Before the first message can be sent to a new contact,

the app will automatically perform a key negotiation
with the counterparty (OMEMO).

In order for this key negotiation to be completed, the

counterpart's phone must be turned on. If not, an error
message will appear and the user is prompted to retry
at a later time.
SECURE CONVERSATIONS

The contact’s name from the authenticated certificate

is displayed on the top of the screen.

A green and locked padlock indicates that the

message has been signed and encrypted by the
sender.

A grey shield indicates that the message has been

delivered.
SECURE CONVERSATIONS

Secure Conversations supports group conferences.

To start a group conference, press the plus sign in
the main menu.

Click on the GROUP CHATS tab and then the group

icon management@demo.tutus.se

Choose a name for the group and then invite

participants.

demo@demosystem.se
MARKET

New apps are installed from the Market app. This is

Färist Mobile’s counterpart to Google Play. The
Market only contains the apps that your organization
has approved.

The Market can be used to install additional apps

and to upgrade or remove existing apps.

To install an app, press on it. To, uninstall a previously

installed app, press on it.

Apps are usually automatically updated every night

if there is an available upgrade. Settings for automatic
updates can be changed in Färist Control Center:
Settings.

Some apps may be allowed to communicate outside

of the encrypted VPN tunnel. After initial installation of
such an app, the device must be restarted.
BROWSE THE INTERNET

• The phone's Internet traffic will pass

through the VPN tunnel and via a
central firewall before reaching the
Internet.

• The central firewall may have a policy

that blocks certain addresses, ports,
and content.

• Depending on the policy, the firewall can

anonymize the phone's IP address by
replacing it with its own.

Press the Chromium app

to start the web browser.
CONNECTION STATUS

The F shield indicates the status of the

VPN tunnel

The VPN tunnel is active.

The VPN tunnel is undergoing key negotiation or has not

sent or received traffic for a while.

The VPN tunnel is down

When the VPN tunnel is down, all IP traffic is blocked.

Causes of inactive VPN tunnel can be:
• Absence of mobile internet
• Temporary lack of mobile network due to ongoing regular voice call
• Incorrect configuration or expired certificate
PHONE LAYOUT

Headphone jack

Nano SIM card

Volume control

On/off
Long press to turn on
and off. Short press to
activate screen.
Double press for
shortcut to camera.

NFC reader

USB-C
For charging and Internet tethering
END-USER CONFIGURATION
CHANGE SCREEN LOCK

Färist Mobile has a default screen lock pin

1 2 3 4

In order to prevent unauthorized access, it is

important to change the screen lock!

App launcher➞ Settings➞ Security➞ Screen lock

Depending on your organization policy, different

types of screen locks may be available.

Do not forget the screen lock pin. Without it, the

phone must be reset before it can be used again.
WI-FI

Färist Mobile can use private and public Wi-Fi

networks.

To activate Wi-Fi:

Settings➞ Wi-Fi ➞ On

Public Wi-Fi hotspots may require web

registration (so-called captive portals). To log in to
these, use the Wi-Fi login app. (Note, you can not
use the regular web browser to log in).

Green light indicates that you are connected to the

Internet. If automatic login failed, select "Manual
Login“ in the main menu.
QR CONFIGURATION

Certificates and other policy settings are installed by

scanning one or more QR codes. The codes are
provided by your system administrator.

App launcher➞ Färist Control Center ➞

QR Configuration.

Place the QR-code(s) on a flat surface with good

lightning conditions. Do not place the camera too close
too the QR-code.

Scan one or more QR-code(s). Multiple QR-codes can

be scanned in any order. Important: Reboot the phone
after all codes have been scanned.
SYSTEM UPDATES

When a new system update is available, a notification will

be displayed in the notification field.

For security reasons, it is important that you install the

system upgrade as soon as possible.

It is also possible to check for new system updates

manually.

Note! A system upgrade requires a device reboot. Make

sure you have your screen lock PIN and the disk
encryption key on QR-code or NFC-tag available.
ADDITIONAL FUNCTIONS
FÄRIST MOBILE AS A CRYPTO MODEM

Färist Mobile can be used as a secure mobile/Wi-Fi modem.

The Färist Mobile will protect the laptop in two ways. It will prevent intrusion and
protect the communication to the corporate network.
Connect the computer via the USB to USB C cable and enable USB tethering:

Settings ➞ More ➞ Wireless & networks ➞

Tethering & portable hotspot ➞ USB tethering

Note! Mac OSX may require specific device drivers.

FÄRIST MOBILE AS USB STORAGE

Färist Mobile can be used as a secure external

storage device.

Unlock the screen and connect the computer using

USB.

Swipe down the status bar, click on USB for

charging and then select Transfer files.

Note! Mac OSX will require a third party application

(Android File Transfer).
WITHOUT ENCRYPTION

You can use your Färist Mobile for regular SMS/MMS

messages and mobile calls as long as your organization
policy allows it.

These services are not encrypted.

For security reasons, the following functions are disabled

in Färist Mobile
• Internet sharing via Bluetooth.
• Debug mode
• Using Bluetooth headset during encrypted calls

Regular SMS
and MMS
TROUBLESHOOTING

If it does not work to make an encrypted call:

1) Verify that the device has Internet access. If you are

abroad, please check the settings for roaming:

App launcher ➞ Settings ➞ More ➞ Wireless &

networks ➞ Mobile networks ➞ Data roaming

2) Verify that the VPN-tunnel is active. If it is not, try

rebooting the phone.

3) Try calling the echo test number +999 9196. If that

works, the problem is with the counterparty.