Advances in technology now mean that mobile phones can provide the same services and features as desktop or laptop computers. These smartphones offer many new ways to communicate, capture and transmit media. To provide these new functionalities, smartphones not only use the mobile network, but also connect to the internet via a WiFi connection (similar to a laptop in an internet café) or a data connection through the mobile network operator. So, although you can make phone calls with a smartphone, it is better to view the smartphone as a small computing device. This means that the other material in this toolkit is relevant to your use of your smartphone as well as your computer.
Smartphones typically support a wide range of functionality – enabling web browsing, email, voice and instant messaging, capturing, storing and transmitting audio, video and photos on the internet, social networking, multi-user games, banking and many other activities. However, many of these tools and features pose new security problems, or increase existing risks. For example, some smartphones have built-in geo-location (GPS) functionality, which means they can provide your precise location to your mobile network operator by default and to many of the applications you use on your phone (such as social networking, mapping, browsing and other applications). As mentioned earlier, mobile phones already relay your location information to your mobile network operator (as part of the normal functions of the phone). However, the added GPS functionality not only increases the accuracy of your location information, it also increases the amount of locations to which this information can be distributed.
It is worth reviewing all the risks associated with mobile phones, which are discussed in our guide ‘How to use a mobile phone as safely as possible’, as these are all relevant to smartphone use as well. This guide also covers eavesdropping, preventing SMS or phone calls, SIM card-related issues and best practices. In this guide we will take a look at the additional security challenges posed by smartphones.
1. Purses, Wallets, Smartphones
We have an intuitive understanding of the importance of keeping our purses or wallets safe, as they store a lot of sensitive information, and losing them will compromise our privacy and security. People are less aware of the amount of personal information they contain in their smartphones, and consider losing a phone a hassle rather than a risk. If you also think that a smartphone is a computing device that is always connected to the network and is constantly carried around, this also highlights the important difference between a holder of discrete, passive information (such as a wallet) and an active and interactive object such as a smartphone.
A simple exercise can help make this clear: Empty the contents of your wallet or purse, and take care of sensitive items. Typically you might find: – Photos of loved ones (~5 photos) – Identification cards (driver license, membership cards, social security card) – Insurance and health information (~2 cards) – Money (~5 bills) – Credit/debit cards (~3 cards)
Now examine the contents of your smartphone. A typical smartphone user may be carrying a large quantity of the above, and in some cases much more valuable, items: • Photos of loved ones (~100 photos) • Email applications and their passwords • Emails (~500 emails) • Videos (~50 videos) • Social networking applications and their passwords • Banking applications (with access to bank accounts) • Sensitive documents • Sensitive communication records • Live connection to your sensitive information The more you use a smartphone, the more you need to be aware of the risks involved and take appropriate precautions. Smartphones are powerful amplifiers and distributors of your personal data. They are designed to provide as much connectivity as possible and connect to social networking services by default. This is because your personal data is valuable information that can be collected, searched and sold.
If you lose your phone without backing up your most important data (such as your contacts) to a safe place it can be devastating. In addition to backing up your data, make sure you know how to restore the data. Keep a hard copy of the steps you need to take so you can do it quickly in an emergency. In this chapter we’ll start by introducing some smartphone basics – an overview of the different platforms and some basic setup procedures for securing your information and communications. The remainder of this chapter will cover specific precautions related to normal smartphone use.
1. Platform and Operating System: At the time of writing, the most common smartphones in use are Apple’s iPhone and Google’s Android, followed by BlackBerry and Windows Phone. The main difference between Android and other operating systems is that Android is, for the most part, an open source (FOSS) system, which allows the operating system to be independently audited to verify whether it properly protects users’ information and communications. This also facilitates the development of security applications for this platform. Many security-conscious programmers develop Android applications with user security in mind.
Regardless of the type of smartphone you are using, there are some issues you should be aware of when you use a phone that connects to the Internet and comes with features such as GPS or wireless networking capability. In this chapter we focus on devices with the Android platform, because, as mentioned above, it is easier to secure data and communications. However, basic setup guides and some applications for devices other than Android phones are also provided. BlackBerry phones are presented as “secure” messaging and email devices. This is because messages and emails are transmitted securely through BlackBerry servers, and are out of reach of potential eavesdroppers. Unfortunately, more and more governments are demanding access to these communications, citing the need to protect against potential terrorism and organized crime. India, the United Arab Emirates, Saudi Arabia, Indonesia and Lebanon are examples of governments that have scrutinized the use of BlackBerry devices and demanded access to user data in their countries.
2. Feature Phones: Another category of mobile is often called ‘feature phones’. Recently, feature phones have expanded their functionality to include some smartphones. But generally, feature phone operating systems are less accessible, so opportunities for security applications or improvements are limited. We do not specifically discuss feature phones, although many of the measures discussed here are also relevant for feature phones.
3. Branded and Locked Smartphones: Smartphones are usually sold branded or locked. Locking a smartphone means that the device can only be operated with one carrier, whose SIM card is the only carrier that will work in the device. Mobile network operators usually brand the phone by installing their own firmware or software. They may also disable some functionality or add others. Branding is a means for companies to increase revenue by controlling your smartphone use, often including collecting data about how you are using the phone or enabling remote access to your smartphone. For these reasons, we recommend that you buy an unbranded smartphone if possible. A locked phone poses a greater risk because all your data is sent through one carrier, which centralizes your data stream and makes it impossible to change SIM cards to transmit data through different means
4. General setup: Smartphones have many settings that control the security of the device. It is important to pay attention to how your smartphone is set up. In the practical guides below we will alert you to some smartphone security settings that are available but not activated by default, as well as those that are activated by default and make your phone vulnerable.
5. Installing and updating applications: The usual way to install new software on your smartphone is to use the iPhone AppStore or Google Play Store, log in with your user credentials, and download and install the desired application. By logging in you associate your use of the online store with the logged-in user account. The application store owners keep a record of this user’s browsing history and application choices.
The applications that are offered in the official online store are supposedly verified by the store owners (Google or Apple), but in reality this provides weak protection against what the applications will do once they are installed on your phone. For example, some applications may copy and send your address book after installing it on your phone. Each application on an Android phone must request during the installation process what it will be allowed to do when in use. You should pay close attention to which permissions are requested, and whether these permissions are appropriate for the function of the app you are installing. For example, if you are considering a “news reader” application and you discover that it requests rights to send your contacts over the mobile data connection to a third party, you should look for an alternative application with appropriate access and rights to third party sites. Some users may want to consider these alternative sites to reduce online interaction with Google. One of the alternative stores is F-Droid (‘Free Droid’), which only offers FOSS applications. However please remember that you should trust the site before downloading any app from it. For inexperienced users we recommend that you use the Google Play store. If you don’t want to go online to access apps (or are unable to do so), you can transfer apps from someone else’s phone by sending .apk files (short for ‘Android Application Packages’) via Bluetooth. Alternatively you can download the .apk file to your device’s micro SD card or use a USB cable to move it there from a PC. When you find the file, simply long-tap on the file name and you’ll be prompted to install it. (Note: be particularly careful when using Bluetooth.
1. Secure voice communication
Basic telephony For any call or communication to be sent or received on your phone, the signal towers nearest to you are alerted by your phone to its presence25. As a result of those alerts and communications the network service provider knows the exact geographical location of your mobile phone at any given time. About anonymity: If you are having sensitive phone conversations or sending sensitive SMS messages, be wary of the above tracking ‘feature’ of all mobile phones. Consider adopting the steps below:
2. About eavesdropping
Your phone can be set to record and transmit any sound within range of its microphone without your knowledge. Some phones can be remotely turned on and used this way, even if they appear to be turned off.
3. About call interception
Generally, the encryption of voice communications (and text messages) traveling through the mobile phone network is relatively weak. There are inexpensive techniques that third parties can use to intercept your written communications or listen to your calls, if they are in close proximity to the phone and can receive transmissions from it. And of course, mobile phone providers have access to all your voice and text communications. Encrypting phone calls is currently expensive and/or technically somewhat cumbersome, so that even the mobile phone provider cannot listen to you – however, these tools are expected to become cheaper soon. To deploy encryption you must first install an encryption application on your phone, as well as on the device of the person you plan to communicate with. You will then use this application to send and receive encrypted calls and/or messages. The encryption software is currently only supported on certain models of so-called ‘smart’ phones.
Conversations between Skype and a mobile phone are also not encrypted, as at some point the signal will go over the mobile network, where encryption does not exist26. Using the internet via your smartphone over a mobile data connection or WiFi can provide more secure ways to communicate with people, such as using VoIP and using tools to secure this channel of communication. Some smartphone tools can extend this security beyond VoIP to mobile phone calls as well.
Skype: The most popular commercial VoIP application, Skype, is available for all smartphone platforms and works well if your wireless connectivity is reliable. It is less reliable on mobile data connections. Skype is non-open-source software, which makes it very difficult to independently verify its level of security. Additionally, Skype is owned by Microsoft, which has a business interest in knowing when and where you use Skype. Skype may also allow law enforcement agencies retroactive access to your entire communication history.
Other VoIP Tools: Using VoIP is usually free (or significantly cheaper than mobile phone calls) and leaves very little trace of data. In fact, a secure VoIP call may be the most secure way to communicate.
RedPhone is a free and open-source software application that encrypts voice communication data sent between two devices running this application. It’s easy to set up and very easy to use, too, as it integrates into your normal dialing and contact plan. But the people you want to talk to will also need to install and use RedPhone. For ease of use, RedPhone uses your mobile number to identify you to your contacts. Unfortunately, this makes it more difficult to use RedPhone without a working mobile service plan, even on devices capable of using WiFi to connect to the Internet. RedPhone also uses a central server, which puts the service’s administrators in a powerful position by allowing them to see most of the meta-data related to your encrypted VoIP calls.
CSipSimple is a powerful VoIP client for Android phones that is well maintained and comes with several easy set-up wizards for various VoIP services.
The server provided by the Open Secure Telephony Network (OSTN) and the Guardian Project, ostel.co, currently provides one of the most secure means to communicate via voice. Knowing and trusting the organisation that operates the server for your VoIP communication needs is an important consideration.
When using CSipSimple, you never communicate directly with your contact, instead all your data is routed through the ostel servers. This makes it very hard to trace your data and find out who you are talking to. Additionally, ostel does not retain any of this data, except for the account data you need to log in. All your speech is securely encrypted and even your meta data, which is usually very hard to hide, is obfuscated as the traffic is proxied through the ostel.co servers. If you download CSipSimple from ostel.co it also comes pre-configured for use with ostel, making it very easy to set up and use. Tool guides for CSipSimple and Ostel.co will be available soon. In the meantime, more information can be found by following the links above.
You should exercise caution when sending SMS, instant messaging or chatting on your smartphone.
SMS: SMS communication is unsecured by default. Anyone with access to the mobile telecommunications network can easily intercept these messages and in many situations this is an everyday occurrence. Do not rely on sending unsecured SMS messages in critical situations. There is also no way to authenticate SMS messages, so it is impossible to know if the content of the message was altered during delivery or if the sender of the message is really the person they claim to be.
Securing SMS: TextSecure is a FOSS tool for sending and receiving secure SMS on Android phones. It works for both encrypted and non-encrypted messages, so you can use it as your default SMS application. This tool must be installed by both the message sender and recipient in order to exchange encrypted messages, so you will need to encourage people you regularly communicate with to use it as well. TextSecure automatically detects when an encrypted message is received from another TextSecure user. It also allows you to send encrypted messages to more than one person. Messages are automatically signed, making it nearly impossible to tamper with the message content. In our TextSecure hands-on guide we explain in detail the features of this tool and how to use it.
Secure Chat: Sending instant messages and chatting on your phone can generate a lot of information that is vulnerable to interception. These conversations can later be used against you by adversaries. That’s why you should be extremely careful about what you reveal when you’re writing on your phone during instant messaging and chatting. There are many ways to chat and send instant messages securely. The best way is to use end-to-end encryption, as this will allow you to be sure that the person on the other end is who you want them to be. We recommend ChatSecure as a secure text chat application for Android phones. ChatSecure provides easy and strong encryption for your chats with the Off-the-Record messaging protocol. This encryption provides both authenticity (you can verify that you are chatting with the right person) and independent security of each session so that even if the encryption of one chat session is compromised, other past and future sessions will remain secure.
ChatSecure is designed to work in conjunction with Orbot, so that your chat messages are routed through the Tor anonymizing network. This makes it much harder to trace it or even find out that it happened. For iPhone, the ChatSecure client offers similar features, although it is not as easy to use with the Tor network. Whichever application you will use, always consider which account you use to chat. For example, when you use Google Talk, your credentials and the time of your chatting session are known to Google. Also agree with your conversation partners not to save chat histories, especially if they are not encrypted.
Smartphones come with large data storage capacities. Unfortunately, the data stored on your device can be easily accessible by third parties either remotely or with physical access to the phone. You can take steps to encrypt any sensitive information on your phone using specific tools.
Data encryption tools: Android Privacy Guard (APG) allows OpenGPG encryption for files and emails. This can be used to keep your files and documents secure on your phone as well as when emailing.
Recording passwords securely: You can keep all your essential passwords in a secure, encrypted file using Keepass. You only need to remember one master password to access all the others. With Keepass you can use very strong passwords for each of your accounts, as Keepass will remember them for you, and it also comes with a password generator to create new passwords. You can synchronize the Keepass password database between your phone and computer. We recommend that you only synchronize the passwords you will actually use on your mobile phone. You can create a separate small password database on the computer and synchronize it instead of adding the entire database with all the passwords you use on your smartphone. Also, since all passwords are protected by your master password, it is important to use a very strong password for your Keepass database.
In this section we will briefly discuss the use of email on a smartphone. First, consider whether you really need to use your smartphone to access email. Securing a computer and its contents is generally easier than doing so for a mobile device such as a smartphone. Smartphones are more vulnerable to theft, surveillance and intrusion. If it is absolutely necessary that you access your email on your smartphone, there are steps you can take to minimise the risk.
Capturing pictures, video, or audio with your smartphone can be a powerful tool for documenting and sharing important events. However, it is important to be careful and respectful of the privacy and security of the people featured in the pictures, filming, or recording. For example, if you take pictures of an important event or record video or audio, this could be dangerous to you or those who appear in the recording if your phone fell into the wrong hands. In this case, these tips may be helpful:
As discussed in our guide on how to keep your Internet communications private and our guide on how to stay anonymous and bypass censorship on the Internet, accessing content on the Internet, or publishing content online such as photos or videos, leaves many traces of who and where you are and what you are doing. This can put you at risk. Using your smartphone to communicate with the Internet increases this risk.
Via Wi-Fi or mobile data: Smartphones allow you to control how you access the Internet: via a wireless connection provided by an access point (such as an Internet café), or via a mobile data connection such as GPRS, EDGE or UMTS provided by your mobile network operator. Using a Wi-Fi connection reduces the data traces you leave with your mobile phone service provider (by not connecting it to your mobile phone subscription). However, sometimes a mobile data connection is the only way to get online. Unfortunately, mobile data connection protocols (such as EDGE or UMTS) are not open standards. Independent developers and security engineers cannot examine these protocols to see how they are being implemented by mobile data carriers. In some countries, mobile access providers operate under different laws than Internet service providers, which can result in more direct monitoring by governments and carriers. Regardless of which route you take for digital communications with a smartphone, you can reduce your risk of data exposure through the use of anonymization and encryption tools.
Anonymity of your smartphone: To access online content anonymously, you can use an Android app called Orbot. Orbot channels your Internet communications through Tor’s anonymity network. Another app, Orweb, is a web browser with privacy-enhancing features, such as using proxies and not keeping a local browsing history. Together, Orbot and Orweb bypass web filters and firewalls, and allow for anonymous browsing.
Proxy: The mobile version of Firefox – Firefox Mobile can be equipped with a proxy add-on, which directs your traffic to a proxy server. From there your traffic goes to the site you are requesting. This is helpful in cases of censorship, but can still reveal your requests unless the connection from your client to the proxy is encrypted. We recommend the Proxy Mobile addon (also from the Guardian Project, which makes proxying with Firefox easy. It is also the only way to access Firefox Mobile communications to Orbot and use the Tor network.
1. Get full access to your smartphone: Most smartphones are capable of performing more functions than their installed operating system, manufacturers’ software (firmware) or mobile operators’ programs allow. Conversely, some functionalities are ‘locked in’, so the user is not able to control or change these functions, and they remain out of reach. In most cases these functionalities are unnecessary for smartphone users. However, there are certain applications and functionalities that can enhance the security of data and communications on a smartphone. In addition there are other existing functionalities that can be removed to avoid security risks. For this, and other reasons, some smartphone users choose to manipulate the various software and programs running the smartphone, so that they can gain the appropriate privileges to install advanced functionalities, or remove or reduce others. The process of overcoming limitations imposed by mobile carriers, or the manufacturers of the operating system on the smartphone, is called rooting (in the case of Android devices), or jailbreaking (in the case of iOS devices such as the iPhone or iPad). Generally, successful rooting or jailbreaking will result in you having all the privileges needed to install and use additional applications, modify otherwise locked-down configurations, and have full control over the smartphone’s data storage and memory.
2. Warning: Rooting or jailbreaking may not be a reversible process, and requires experience with software installation and configuration. Consider the following: • There is a risk of your smartphone becoming permanently inoperable, or even being ‘bricked’ (i.e. turning into a ‘brick’). • The manufacturer’s or mobile carrier’s warranty may be voided. • The process may be illegal in some locations. But if you’re careful, a rooted device is a straightforward way to gain more control over your smartphone, making it more secure.
3. Alternative firmware: Firmware refers to programs that are closely related to the particular device. They collaborate with the device’s operating system and are responsible for the basic operation of your smartphone’s hardware, such as speakers, microphones, cameras, touchscreen, memory, keys, antennas, etc. If you have an Android device, you may want to consider installing firmware alternatives to further increase your control over the phone. Keep in mind that installing alternative firmware will require you to root your phone. One example of alternative firmware for Android phones is CyanogenMod, which, for example, allows you to uninstall applications from the system level of your phone (i.e. those installed by the phone’s manufacturer or your mobile network operator). By doing so, you can reduce the number of ways in which your device can be monitored, such as the data that is sent to your service provider without your knowledge. Additionally, CyanogenMod comes with the OpenVPN application by default, which can be difficult to install otherwise. VPN (Virtual Private Network) is one of the ways to securely proxy your internet communications (see below). CyanogenMod also provides an incognito browsing mode in which the history of your communications is not recorded on your smartphone.
4. Full Device Encryption: If your phone is rooted you may consider encrypting its entire data storage or creating volumes on the smartphone to protect certain information on the phone.
Looks Manager allows easy, on-the-fly strong encryption of volumes with a user-friendly interface. We highly recommend that you install this tool before you start storing important data on your Android device and use the encrypted volumes provided by Looks Manager to store all your data.
5. Virtual Private Network (VPN) Protection: A VPN provides an encrypted tunnel through the internet between your device and the VPN server. It is called a tunnel because, unlike other encrypted traffic such as https, it hides all services, protocols, and content. The VPN connection is established once, and terminates only when you decide to. Note that since all your traffic goes through the proxy or VPN server, an intermediary only needs access to the proxy to analyze your activities. It is therefore important to choose carefully between proxy services and VPN services. It is also advisable to use different proxies and/or VPNs because distributing your data stream reduces the impact of a compromised service.
1. Find out more about jailbreaking on the Internet. 2. Find and use the “off-the-record” option feature in your chat application and see what difference it makes. 3. Download and use Skype to video call your friend. 4. Find out more about ObscuraCam on the Internet.
Read Also:
The number of internet users in India is more than 560 million, which is the…
Cyber crime is a crime that involves computers and networks. Finding any computer at a…
As the world is moving forward in the field of digitalization, the threat of cyber…
Digital world creates conditions where nothing remains confidential or secret.’ Has the present world really…
‘Cybercrime in India’ is the term used to describe criminal activities involving a computer or…
Police is an organization of the government, which has to work promptly to maintain law…