Kit #5. I need to secure my mobile device and communication
I like the convenience of using my mobile device to communicate with friends, family and colleagues alike, but I’m concerned about my privacy. Is there a way I can safely use my personal mobile for sensitive communications?
You are security conscious and want to communicate securely with your mobile device just like you do with your laptop. You might want to have access to your work email on your mobile, to be able to browse the web on your phone anonymously, or even circumvent censorship with your mobile connection. But you’re not sure how to do all of these things in a secure way or what to avoid.
Mobile smartphones are small, expensive and can contain a huge amount of information. Mobiles are not built with security and privacy in mind. Call logs, messages and geographic positions are shared with and stored by the mobile company, whom you must trust to implement good security practices and comply with local laws to protect your privacy. In most countries the government, a possible adversary, can easily gain access to that data. Your mobile provider can block services or censor content, again often at the request of the government.
What you should do
There are a few levels of security that you can apply.
- Avoid standalone applications. Mobile apps such as Facebook and Twitter are not privacy-friendly. To install them, you must give them permission to access, and in some cases control, many other services on your device. You cannot control their method of connection and by default many use insecure HTTP connections, not HTTPS, to connect to the internet. Use your mobile browser instead.
- Protect your media. It’s highly advisable not to store any sensitive images or videos on your device in the first place because many common applications have access to your gallery. ObscuraCam is a mobile app that can encrypt your images and videos.
- Lock your device and SIMs. Enable SIM and screen locks on your device. Doing this prevents an opportunistic thief or an adversary with average technical skill from changing the SIM or accessing your content.
- Encrypt your device. Encrypting your relatively new Android or iPhone device and its data is a very easy and essential step to start with, and it protects the data in case of physical loss or confiscation. You just need to enable encryption and set a good passphrase to make sure your data is private and not accessible if the attacker has physical access to the device. Note that device encryption only protects your data if the device is turned off. Devices that are on are decrypted.
- Browse anonymously. You can use Tor on your mobile by browsing the web with Orweb. Or, you could configure your entire device to route all traffic through a VPN.
- Email with caution. It is advised not to read or write sensitive email with your mobile and to never store your encryption keys (such as OpenPGP) on the device. You could create a separate email and private/public OpenPGP key pair for use exclusively on your mobile.
- Send and receive messages securely. With messaging, you are only as safe as the application you use. Instead of WhatsApp, use TextSecure. You and the people you communicate with can encrypt SMS with TextSecure, too. Instead of Skype or Viber, use RedPhone, which allows you to make encrypted voice calls.
- Speak confidentially. Keep in mind that the mobile’s microphone can be turned on by applications. Even switching off the phone isn’t good enough because mobile phone manufacturing complies with an international standard to allow the provider (or the government via the provider) to remotely activate the device. When talking about sensitive issues, take out the battery or keep the phone far away from you.
- Back up your data. Frequently back up the important data on the device, such as your contact list.
- Revoke access. If your device was stolen, lost or confiscated, you should immediately use a web browser to change the passphrases of the accounts you were logged into on your device. You can sign out of all active sessions on Facebook, Twitter and Gmail, for example.
- Remote wipe. If your device was stolen, lost or confiscated, you might be able to remotely control it by sending commands to wipe the data or locate its position. Such tools aren’t guaranteed to work: they depend on several variables such as the data connection on the mobile, GPS, network strength and whether the device is on. This capability is usually a feature of your device’s operating system, so look for setup and execution instructions from Android or iOS.
Where to find more help
- Learn about encrypting your iPhone.
- Read the basic Android security setup guide.
- Learn about Android apps such as Orbot and Orweb from The Guardian Project.