* Large segments of text cut and pasted from the above sites - thank you to the experts for sharing your knowledge!
The General Problem with Mobile Phones
- Two parties (Adam and Eve) need to communicate via SMS in a confidential manner
- Confidential means no one other than the two parties can decipher (or de-steganographise) the message
The users have no exclusive control over the smart phone, meaning:
- The carrier can update it any time they like
- The user has little to no control over what happens at the low levels of the stack (below the kernel), or over separate firmware running on other CPUs, such as the modem
- The chip manufacturer may introduce back doors
- There are third party solutions that are integrated in the ROM image of the smart phone which are not easy to detect, let alone disable. Even if disabled, the carrier can detect the change and deprive the phone of service or update the phone with a new image either over the air, or other mechanisms, for example a backup persistent image that reinstalls the “spyware”.
The only possible way to ensure security on the device would be to have total assured control and complete awareness, which is not present. The same problems are generally present for computers too i.e. we trust firmware, O/S, all kinds of third parties and so on that are responsible for supposed security.
Interception of Calls
Typically, encryption of voice communications (and of text messages) that travel through the mobile phone network is relatively weak. There are inexpensive techniques which third parties can use to intercept your written communications, or to listen to your calls, if they are in proximity to the phone and can receive transmissions from it. And of course, mobile phone providers have access to all your voice and text communications. It is currently expensive and/or somewhat technically cumbersome to encrypt phone calls so that even the mobile phone provider can't eavesdrop - however, these tools are expected to become cheaper soon. To deploy the encryption you would first have to install an encryption application on your phone, as well as on the device of the person with whom you plan to communicate. Then you would use this application to send and receive encrypted calls and/or messages. Encryption software is currently only supported on a few models of so-called 'smart' phones.
Conversations between Skype and mobile phones are not encrypted either, since at some point, the signal will move to the mobile network, where encryption is NOT in place.
Text-based Communications: SMS Text Messages
You should not rely on text message services to transmit sensitive information securely. The messages exchanged are in plain text which makes them inappropriate for confidential transactions (we'll come to encrypted apps below).
Sent SMS messages can be intercepted by the service operator or by third parties with inexpensive equipment. Those messages will carry the phone numbers of the sender and recipient as well as the content of the message. What's more, SMS messages can easily be altered or forged by third parties.
Consider establishing a code system between you and your recipients. Codes may make your communication more secure and may provide an additional way of confirming the identity of the person you're communicating with. Code systems need to be secure and change frequently.
SMS messages are available after transmission:
- In many countries, legislation (or other influences) requires the network providers to keep a long-term record of all text messages sent by their customers. In most cases SMS messages are kept by the providers for business, accounting or dispute purposes.
- Saved messages on your phone can easily be accessed by anybody who gets hold of your phone. Consider deleting all received and sent messages straightaway.
- Some phones have the facility to disable the logging of phone-call or text-message history. This would be especially useful for people doing more sensitive work. You should also make sure that you are familiar with what your phone is capable of.
Various anonymity/privacy options are available depending on how badly you don't want the feds to listen in to your conversations and/or work out your identity.
Other Smartphone Risks
A typical smartphone user may find some of the above in higher quantities, and in some cases much more valuable items:
- Pictures of loved ones (~100 pictures)
- Email applications and their passwords
- Emails (~500 emails)
- Videos (~50 videos)
- Social networking applications and their passwords
- Banking applications (with access to the bank accounts)
- Sensitive documents
- Sensitive communication records
- A live connection to your sensitive information
Therefore, you should take the following actions to reduce your risk:
- Do not store confidential files and photos on your mobile phone. Move them, as soon as you can, to a safe location
- Frequently erase your phone call records, messages, address book entries, photos, etc
- If you use your phone to browse the internet, follow safe practices similar to those you use when you are on the computer (e.g. always send information over encrypted connection like HTTPS)
- Connect your phone to a computer only if you are sure it is malware free
- Do not accept and install unknown and unverified programmes on your phone, including ring tones, wallpaper, java applications or any others that originate from an unwanted and unexpected source. They may contain viruses, malicious software or spying programmes
- Observe your phone's behaviour and functioning. Look out for unknown programmes and running processes, strange messages and unstable operation. If you don't know or use some of the features and applications on your phone, disable or uninstall them if you can
- Be wary when connecting to WiFi access points that don't provide passwords, just as you would when using your computer and connecting to WiFi access points. The mobile phone is essentially like a computer and thus shares the vulnerabilities and insecurities that affect computers and the internet
- Make sure communication channels like Infrared (IrDA), Bluetooth and Wireless Internet (WiFi) on your phone are switched off and disabled if you are not using them. Switch them on only when they are required. Use them only in trusted situations and locations. Consider not using Bluetooth, as it is relatively easy to eavesdrop on this form of communication. Instead, transfer data using a cable connection from the phone to handsfree headphones or to a computer
Risks of Emailing from Smartphones
In the first instance, consider if you really need to use your smartphone to access your email. Securing a computer and its content is generally simpler than doing so for a mobile device such as a smartphone. A smartphone is more susceptible to theft, monitoring and intrusion.
If it is absolutely vital that you access your email on your smartphone, there are actions you can take to minimize the risks:
- Do not rely on your smartphone as your primary means for accessing your email. Downloading (and removing) emails from an email server and storing them only on your smartphone is not advised. You can set up your email application to use only copies of emails
- If you use email encryption with some of your contacts, consider installing it on your smartphone, too. The additional benefit is that encrypted emails will remain secret if the phone falls into wrong hands
Storing your private encryption key on your mobile device may seem risky. But the benefit of being able to send and store emails securely encrypted on the mobile device might outweigh the risks. Consider creating a mobile-only encryption key-pair (using APG - see further below) for your use on your smartphone, so you do not copy your encryption private key from your computer to the mobile device. Note that this requires that you ask people you communicate with to also encrypt emails using your mobile-only encryption key.
STEPS TO CREATING A MORE SECURE MOBILE PHONE PLATFORM
If you are faced with the purchase of a mobile peripheral and security is essential, then you face many problems. The most common smartphones in use are Apple's iPhone and Google's Android, followed by Blackberry and Windows phones.
The key difference between Android and other operating systems is that Android is, mostly, an Open Source (FOSS) system, which allows the operating system to be audited independently to verify if it properly protects users' information and communication. It also facilitates development of security applications for this platform. Many security-aware programmers develop Android applications with user safety and security in mind.
Based on the fact that Blackberry runs proprietary code (ditto for the iPhone) - they can't be trusted due to no independent verification of the code. Blackberry phones have been presented as “secure” messaging and email devices. This is because messages and emails are securely channeled through Blackberry servers, out of the reach of potential eavesdroppers. Unfortunately, more and more governments are demanding access to these communications, citing need for guarding against potential terrorism and organised crime. India, United Arab Emirates, Saudi Arabia, Indonesia and Lebanon are examples of governments which have scrutinized the use of Blackberry devices and demanded access to user data in their countries. Also, encrypted messaging and other apps available on Blackberry platforms fail the EFF security test.
Therefore, an Android phone may be the best option if you must own a mobile - running a version of GNU/Linux and allowing for the phone to be 'rooted' (the setting of root administration level access). With root access, you can remove bloatware that came on your phone, use an app permissions manager, run a firewall, enable tethering even if your carrier is blocking it, manually back up your installed app settings, and use a variety of other tweaks that require low-level system access.
Apps that require root aren’t hard to find — they’re available in Google Play, but they won’t work until you gain root access. Some essential apps for privacy and security have features that only work on a rooted device (see further below).
Risks with Rooting an Android Phone
Rooting either requires taking advantage of “exploits” in a device or unlocking its bootloader and modifying your system partition. It’s not officially supported. You could also install a custom ROM that comes rooted — again, this isn’t officially supported. For instance, if you’re already using a custom ROM, this may be integrated directly into your device’s settings: the popular CyanogenMod, often used to get an up-to-date Android operating system on devices no longer updated by their manufacturers, has this built in. There are several downsides to this approach:
- Security: rooting breaks apps out of Android’s normal security sandbox. Apps could abuse root privileges you’ve granted and snoop on other apps, something which isn’t normally possible. In the past, Google has recommended against using the Google Wallet mobile payments app on a rooted device for this reason
- Warranty: Some manufacturers assert that rooting voids your device’s warranty. However, rooting will not actually damage your hardware. You can “unroot” your device and manufacturers won’t be able to tell if it’s been rooted
- Bricking: As usual, you do this at your own risk. Rooting should generally be a very safe process, but you’re on your own here. If you mess something up, you can’t just expect free warranty service to fix it. If you’re worried, do a bit of research first and see if other people report success rooting your device with the tool you’re planning on using
WARNING: In the following discussion, never assume that successful attacks are impossible. For instance, even encrypted end-to-end apps only protect you against passive eavesdroppers, and you hope no successful attacks on your Android or other hand-set, your firmware or your hardware are made. That's a considerable number of threats ranging from low to medium talent.
Based on Snowden disclosures we know that all good smart phones are easily subverted by government level agencies at the firmware level and/or use plenty of 0-days (unpatched vulnerabilities) in the source code that isn't written with highest security standards in mind.
The NSA slides confirm they could own every type of phone, typically via 0-days, subversion, or physical attacks. The thing to remember is that this isn't just an NSA thing. NSA mostly buys their 0-days from private parties that produce them by digging into code for the mistakes. There are both black hats and defense contractors doing this.
Still, security experts seem to favour the Android phone as a least-worst option, but nothing is "NSA-proof" as even Blackberry admits.
STEPS FOR LOW-MODERATE LEVEL MOBILE/CELL PHONE SECURITY
1. Using Cyanogenmod as Alternative Android Firmware
Consider Cyanogenmod as a firmware alternative to further enhance your control of the phone. Note that in order to install alternative firmware, you need to root your phone.
Cyanogenmod allows, for example, the uninstallation of applications at the system level of your phone i.e. those installed by the phone's manufacturer or your mobile network operator. By doing so, you can reduce the number of ways in which your device can be monitored, such as data that is sent to your service provider without your knowledge.
In addition, Cyanogenmod ships by default with an OpenVPN application, which can be tedious to install otherwise. VPN (Virtual Private Network) is one of the ways to securely proxy your internet communication (also possible through Firefox settings).
Cyanogenmod also offers an Incognito browsing mode in which history of your communication is not recorded on your smartphone. Cyanogenmod comes with many other features. However, it is not supported by all Android devices, so before proceeding, check out the list of supported devices.
2. Branded Versus Unlocked Smartphones
Smartphones are usually sold branded or locked. Locking smartphones means that the device can only be operated with one carrier, whose SIM card is the only one that will work in the device. Mobile network operators usually brand a phone by installing their own firmware or software. They may also disable some functionalities or add others. Branding is a means for companies to increase revenue by channelling your smartphone use, often also collecting data about how you are using the phone or by enabling remote access to your smartphone.
For these reasons, it is recommended that you buy an unbranded smartphone if you can. A locked phone poses a higher risk since all your data is routed through one carrier, which centralises your data streams and makes it impossible to change SIM cards to disseminate the data over different carriers. If your phone is locked, ask someone you trust about unlocking it.
3. Suitable Network/Messaging/Chat/VOIP apps
Firstly, install OpenVPN for Android, which requires the handset to be rooted. This will allow you to tunnel your apps that connect to the internet over OpenVPN based VPNs, protecting you from monitoring, e.g. you can use an AirVPN account, as 3 devices can be simultaneously connected for each account. This will be automatically achieved by replacing the firmware with the alternative outlined above.
Next, install Orbot and Orweb which when used in combination will send all your web browsing and internet activity over the Tor network. You now have VPN + Tor for mobile browsing - awesome!
Thirdly, we utilise the EFF guidelines with respect to suitable messaging/VOIP applications. Only applications which meet all 7 criteria are recommended below (Blackberry's apps fail BTW):
- Encrypted in transit?
- Encrypted so the provider can’t read it?
- Can you verify contacts’ identities?
- Are past comms secure if your keys are stolen?
- Is the code open to independent review?
- Is security design properly documented?
- Has there been any recent code audit?
Suitable applications that meet the entire EFF checklist:
- Chat Secure + Orbot: An Instant Messaging client that lets you organize and manage your different Instant Messaging (IM) accounts using a single interface. It will also attempt to encrypt your conversations using OTR when chatting with contacts who also use IM clients that support OTR.
- Cryptocat: Encrypted instant messaging within your web browser.
- OTR: Off The Record Messaging allows you to have private conversations over instant messaging by providing encryption (no one else can read your instant messages); authentication (you are assured the correspondent is who you think it is); deniability (the messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified); and perfect forward secrecy (if you lose control of your private keys, no previous conversation is compromised).
- Signal/RedPhone: Allows you to make encrypted phone calls over the internet. A valid phone number is required to register.
- Silent Phone/Text: Calls and texts made from one Silent Phone user to another are fully encrypted, whether they're on iOS, Android, or Silent OS. Encryption keys are stored only on the users' devices (not on any central server) and are destroyed at the end of each call, ensuring complete privacy, every time. Silent Phone includes features such as video chat and conference calling capability as well as unlimited encrypted texts with burn self-destruct functionality on any Silent OS, iOS or Android device.
- TextSecure: An app to send encrypted text messages (SMS) via your phone provider and encrypted messages over WiFi and your phone's internet connection, as well as storing all SMS and messages in an encrypted container on your phone.
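The deniability property described in the OTR entry above can be shown in a few lines. This is an added example, not code from OTR or from the original page: it models only the authentication side (encryption is left out), the session secret is a constructed value standing in for OTR's Diffie-Hellman output, and the names `Session`, `derive_mac_key`, `verify_live` and `forge_from_transcript` and the message layout are hypothetical.

```python
import hashlib
import hmac


def derive_mac_key(session_secret: bytes, key_id: int) -> bytes:
    """One MAC key per key id. Assumption: a hash of a constructed secret
    stands in for the key OTR derives from a fresh Diffie-Hellman exchange."""
    return hashlib.sha256(b"mac|" + key_id.to_bytes(4, "big") + session_secret).digest()


def make_tag(mac_key: bytes, sender: str, text: str) -> bytes:
    """Symmetric MAC: whoever holds mac_key can produce this, not just the sender."""
    data = sender.encode() + b"\x00" + text.encode()
    return hmac.new(mac_key, data, hashlib.sha256).digest()


class Session:
    """Both correspondents hold session_secret; each message uses a new MAC key."""

    def __init__(self, session_secret: bytes):
        self.secret = session_secret
        self.next_key_id = 0
        self.transcript = []  # what a network observer could record

    def send(self, sender: str, text: str) -> dict:
        key_id = self.next_key_id
        mac_key = derive_mac_key(self.secret, key_id)
        # The retired key is published once it is no longer needed, so that
        # anyone holding the transcript can later produce valid tags for it.
        retired = derive_mac_key(self.secret, key_id - 1).hex() if key_id > 0 else None
        wire = {"key_id": key_id, "sender": sender, "text": text,
                "tag": make_tag(mac_key, sender, text).hex(),
                "revealed_mac_key": retired}
        self.transcript.append(wire)
        self.next_key_id += 1
        return wire


def verify_live(session_secret: bytes, wire: dict) -> bool:
    """What the correspondent checks during the conversation."""
    key = derive_mac_key(session_secret, wire["key_id"])
    expected = make_tag(key, wire["sender"], wire["text"])
    return hmac.compare_digest(expected, bytes.fromhex(wire["tag"]))


def forge_from_transcript(transcript: list, key_id: int, sender: str, text: str):
    """An outsider with only the transcript rewrites a message whose MAC key
    has been revealed. Returns None if that key is not yet public."""
    for wire in transcript:
        if wire["key_id"] == key_id + 1 and wire["revealed_mac_key"]:
            key = bytes.fromhex(wire["revealed_mac_key"])
            return {"key_id": key_id, "sender": sender, "text": text,
                    "tag": make_tag(key, sender, text).hex(),
                    "revealed_mac_key": None}
    return None


def demo() -> dict:
    secret = b"constructed-session-secret"  # constructed sample value
    session = Session(secret)
    first = session.send("adam", "meet at noon")
    session.send("eve", "ok")  # this message reveals the MAC key used by `first`
    tampered = dict(first, text="meet at midnight")
    forged = forge_from_transcript(session.transcript, 0, "adam", "something else")
    return {
        "genuine_verifies": verify_live(secret, first),
        "tampered_verifies": verify_live(secret, tampered),
        "forged_old_message_verifies": verify_live(secret, forged),
        "can_forge_current_key": forge_from_transcript(
            session.transcript, 1, "eve", "x") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

During the conversation a modified message fails the check, yet a saved transcript proves nothing to a third party, because a valid tag for a retired key can be made by anyone.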
4. Optional Apps for Privacy/Security
Seriously consider installing one or more of the following apps:
* = Requires rooted Android device.
- APG: Lets you encrypt and decrypt single files or emails, for personal use or to share with others, using either public key cryptography or a passphrase.
- K9: K-9 Mail is a mail client that integrates with APG to allow you easily send and receive GnuPG encrypted emails.
- KeePassDroid: A secure and easy-to-use password management tool which will store your passwords in an encrypted database on your phone.
- Obscuracam: A free camera application for Android devices that has the ability to recognize and hide faces. It allows you to blur or delete the faces of those you photograph in order to protect their identities.
- AfWall+: A firewall for your android device that allows you to control what apps can access the internet.*
- CryptFS: Lets you change your Android disk encryption password, meaning you can have one passphrase to decrypt the phone when you turn it on and a different one to unlock the phone during normal use.*
- Cryptonite: Allows you to create encrypted, passphrase protected, containers on your Android device that you can store sensitive files in.*
- SnoopSnitch: An Android app that collects and analyses mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates.*
- X-Privacy: An app that will prevent your Android device from leaking sensitive information (such as your phone number, contacts, location, etc) to other installed apps on your phone.*
- LUKS Manager: Allows easy, on-the-fly strong encryption of volumes with a user-friendly interface. You should install this tool before you start storing important data on your Android device and use the encrypted volumes that LUKS Manager provides to store all your data.*
5. General Android Security Settings
Access to your Phone:
- Enable Lock SIM card, found under Settings -> Personal -> Security -> Set up SIM card lock. This means that you must enter a PIN in order to unlock your SIM card each time your phone is switched on; without the PIN, no phone calls can be made
- Set up a Screen Lock, found under Settings -> Personal -> Security -> Screen Lock, which will ensure that a code, pattern or password needs to be entered in order to unlock the screen once it has been locked. We recommend using the PIN or Password option, as these are not restricted by length. You can find more information on creating strong passwords in How to create and maintain secure passwords
- Set the security lock timer, which will automatically lock your phone after a specified time. You can specify a value which suits you, depending on how regularly you are willing to have to unlock your phone
- If your device uses Android version 4.0 or newer, you should turn on device encryption. This can be done in Settings -> Personal -> Security -> Encryption. Before you can utilise device encryption, however, you will be required to set a screen lock password (described above)
- Note: Before starting the encryption process, ensure the phone is fully charged and plugged into a power source
- Turn off Wi-Fi and Bluetooth by default. Ensure that Tethering and Portable Hotspots, under Wireless and Network Settings, are switched off when not in use. Settings -> Wireless & Networks -> More -> Tethering & Mobile hotspot
- If your device supports Near Field Communication (NFC), this will be switched on by default, and so must be switched off manually
- Switch off Wireless and GPS location (under Location Services) and mobile data (this can be found under Settings -> Personal -> Location)
- Note: Only turn on location settings as you need them. It is important not to have these services running by default in the background, as this reduces the risk of location tracking, saves battery power and reduces unwanted data streams initiated by applications running in the background or remotely by your mobile carrier
- If you want to hide your caller-ID, go to Phone Dialler -> settings -> Additional Settings -> Caller ID -> hide number
To ensure that your phone remains secure, it is strongly recommended that you keep your software updated. There are two types of updates that need to be checked:
- The phone operating system: go to: settings -> About phone -> updates -> check for updates
- Apps you have installed: Open the Play store app, from the side menu select My Apps
- Note: When updating your phone's software it is important to do it from a trusted location such as your internet connection at home instead of somewhere like an internet cafe or coffee shop
HIGH LEVEL MOBILE SECURITY - IS IT EVEN POSSIBLE?
Yes. It all depends on how badly you want it and how critical your communications are. However, be aware that some of these measures may actually erode your operational security (see further below).
OPTION A - Communicating Critical Information Securely with a Burner Phone - the Easy Way:
There are plenty of little shops filled with "second hand" units, that nobody is going to blink twice at you paying cash for an older phone and one of those pre-pay cards.
When buying the burner phone, do like the drug dealers do and have someone do it for you to avoid showing up on the security tapes. A kid or a homeless person would do it if you paid them double what the phone cost (so a $10 prepaid phone will set you back $30) and not be able to provide much help to investigators.
Use it once or twice (nowhere near your house, business, normal places you visit), wipe it down for fingerprints and touch DNA, and either chuck it in the street trash or leave it on a public transport or pub/bar seat/bench. There is a high chance it will be used by either the person that finds it or someone they know till the credit's gone, and then it'll probably end up in another shop to be sold on again "no questions asked". It might even end up in Africa, the Middle East or west Asia...
Why go to the grief and hassle of buying a new phone which requires CC/Photo ID/Address? Even if they are "legally required" in most places, this requirement is only enforced so they can sell your details on for $10 to the personal data aggregators...
There are multiple places in any city where "cash no questions" pre-pay phone cards are on sale, and most of those places have or can get second hand phones, do repairs and unlocking. Further, the ratio of cameras in stores falls dramatically in these areas.
OPTION B - Communicating Critical Information Securely with a Burner Phone - the Hard Clandestine Way:
1. Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren't changing locations);
2. Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone ("burner phone");
3. After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
4. Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
5. Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m. -- or another pre-arranged "dormant" time -- on the following day;
6. Wipe down and destroy handset.
WARNING: Even if you use the above measures, be aware that intelligence and police agencies have mass surveillance voice print recognition systems in operation (for all phone/VOIP). Therefore, unless the voice channels are encrypted you could still theoretically be identified in spite of your attempts to obscure your identity. If you can't get a hold of a machine to distort your voice-print, then a clandestine network would be better off texting each other over OTR/TextSecure etc using pre-arranged code words to verify each other's identity.
The "one time use" of phones is considered particularly suspicious by authorities, as is using phones with odd electronic ID numbers (SIM or hardware phone serials). Therefore, electronic systems ARE ALREADY IN PLACE to search for this behaviour and mark it as a red flag. Tracing is fairly simple - using the databases telcos are required to keep by law - to find phones that have not been moving, or where calls are placed/network connected for the past few hours/days/weeks etc.
Therefore, it can be concluded that use of burner phones may potentially reduce your OpSec.
A 'rooted', non-branded Android phone running Cyanogenmod with a host of security/privacy apps installed will put you miles ahead of the i-phone dummies (PS is there an i-dildo yet for the i-zombies?).
Nevertheless, mobiles remain hopelessly compromised and insecure. They are best thought of as a glorified tracker/mobile voice-video recorder/general snooper which also happen to make phone calls (bonus!).
In the final solution, it is best not to play the game and feed the Borg.
Simply put, ditch this horrible peripheral and remember how you lived 20 years ago before techno-narcissism became a societal virtue.