Get 100% security for your mobile

There are many problems with the safe use of phones that are difficult to mitigate. The apps are
convenient, and a lot of people use them.
I have broken it into three different OpSec needs: LOW, MEDIUM and HIGH. You decide where you land.
There is no way to route your traffic through Tor on iOS without routing all of the traffic on the phone
through another device. You are stuck using the apps without hiding your IP. You can use TorBox with
iOS; see torbox.ch.
This guide is only for Android.

LOW

  1. Download “Orbot” from the Play Store. You use Orbot to route traffic through Tor.
  2. Open Orbot and set it up. Don’t change anything.
  3. Download your IM client if you do not have it yet.
  4. On your phone, go to Settings->Apps->Manage Apps->YourIMApp->Permissions and remove all
    permissions from the app. Just because your app is Tor-routed does not mean it cannot grab your
    geographic location or anything else and store it on its servers.
  5. If you already have an account, open the app and log out. If you don’t, then go to the next step.
  6. Open Orbot. Tap on the grey onion with “START” written on it; it will turn yellow and then green with
    “STOP” written on it.
    Turn on “VPN mode”.
    Click on the cog in “Tor-Enabled Apps.”
    Select your IM application and nothing else. Mixing your regular internet activities and activities you
    wish to keep anonymous on Tor defeats the purpose. Only use Orbot with the IM app.
    You can use a bridge to hide your Tor use from your mobile service provider/ISP. Sometimes bridges are
    very slow.
    Orbot will only work while it is running. If you use the app while Orbot is not running, you will expose
    your IP to the service. This will burn your account.
    Orbot should open by itself on every phone reset. Just in case, set it to open on boot. On your phone, go
    to Settings->Apps->Manage Apps->Orbot and turn on Auto Start.
    Orbot might not be connected on a restart; always check.
  7. Open your IM app and make a new account. You have used your existing account with your real IP
    and should consider it burnt.
    Do not accidentally use the app with Orbot not running.
    Do not use your old account, thereby tying the two together. The only way to use your old account is to log
    out, disable Orbot and log in. The app might have a cache file that keeps track of all accounts used on
    the phone.
    I hope that the app does not gather identifiable metadata from your phone. Disable all permissions for
    the app to make this less likely.
    Sometimes who you talk to can be used to identify you. Just because you take care to keep yourself
    anonymous does not mean your friends will.

MEDIUM

  1. Buy a burner phone with cash.
  2. Never put a SIM on your phone.
  3. Never connect to a cell tower.
  4. Keep your phone in aeroplane mode. Keep Bluetooth off. Location services off. GPS off. Turn on wifi as
    needed. Keep in mind that the aeroplane switch is just a software switch. It does not mean the radio chip
    is turned off or that it cannot in any way send signals. Some phones allow emergency calls in aeroplane
    mode.
  5. Install the IM app or apps. If you can, grab the .apk without going through the Play Store. Beware
    of downloading a .apk from an unofficial source, as it could have malware. Otherwise, make a new Google
    account. You can create your first email on protonmail.com (through the Tor Browser); I’ve found that
    protonmail does not ask for phone verification or a bitcoin donation when using Tor in the Brave browser.
    That is because the Brave browser has a unique signature for every user and does not trigger bot
    protections as often. Use the protonmail account as a recovery email for the Google account, and it
    should not ask for a phone number to verify. You can use a service like textverified.com for numbers.
    Google might give you grief for making an account through Tor, using public wifi or buying a Google
    account from somewhere.
    If you make a Google account through public wifi and that account is identified as belonging to
    you, then your geographic location will be narrowed down. This might be unacceptable for certain
    people.
  6. Uninstall all apps that you are not using. Turn off all app permissions that you can for all apps.
  7. Follow the LOW guide. In step 6, under “Tor-Enabled Apps”, don’t select anything. This will route
    everything on your phone through Tor. It will say “Full device VPN”.
  8. On your phone, go to Settings->VPN->Orbot (cog icon). Turn on “Always-on VPN” and turn on “Block
    connections without VPN.”
  9. Orbot is not perfect. I cannot predict the behavior of every phone, but I think that your phone might
    leak your IP while it is booting up. This is because Orbot does not have root privileges and uses a hacky
    way to achieve what it is doing. Orbot does not start before your phone might try to connect to a server
    somewhere. A lot of care is taken on Tails/Whonix to ensure that there are no IP leaks; I cannot give this
    guarantee with Orbot.
    If you want to ensure that there are no IP leaks on boot, no possible DNS leaks or any other unforeseen
    protocol leaks, then you need to use TorBox. See torbox.ch for the guide. There is a portable version that
    you can throw into your backpack and use discreetly while on the move.

HIGH
I would not trust airplane mode to work in all situations. The OS should ensure that no app is allowed to
make transmissions, but malware can get around that. There are bugs in software. Just because nothing is
being transmitted does not mean that it isn’t listening. I think I remember some version of iPhone
logging all of the wifi SSIDs it saw when wifi was switched off. High-value targets also need to worry
about their phones being targeted with malware. If you must use one of these devices, then I suggest the
following.

  1. Use an iPad or an Android tablet that does not have LTE capabilities. Use it in conjunction with a
    TorBox.
  2. Physically remove the chips from the phone that are responsible for LTE and Bluetooth. You’ll need a
    heat gun to melt the adhesive and solder. You’ll need replacement adhesive to put the phone back
    together. Buy a phone that uses screws. Search for your phone schematic on the internet to identify the
    chips.
  3. You can use an Android or iOS emulator to run the apps. I recommend Android Studio for Android and
    Xcode for iOS. Android Studio is available on Windows, Linux, Mac and ChromeOS. Xcode is only
    available on Mac. You can do pretty much anything on a virtualised phone that you can on a real phone.
    Of course, you should do this on a device that is routed through a TorBox. The device itself should have
    full drive encryption on boot.

BURNER PHONE OPSEC

Many people are very loose with their burners.
They use them in their home, work, where they are seen by cameras, at friends’ houses, near their
home.
They make phone calls and send SMS.
They travel with their real phone and burner turned on.

You should never send SMS; these are unencrypted and saved for years by your service provider.
You should not make phone calls. Your service provider has the ability to listen in on those calls.
Metadata about calls is saved for years. The info saved is who called whom, call duration and the
geographic locations of the callers.
If you must use cellular data, then only do that if you have an anonymous SIM available to you.
It better be worth it, because I suggest you get a new phone at least every few weeks. Cheap phones cost
20-40 USD/EUR.
The proper way to use a burner that uses cellular data is to use it a long way from your home, nowhere
near where your real phone is. You do not have to turn off your real phone; leave it on at home.

PHONE ENCRYPTION AND DATA PROTECTION
There is a misconception that your data is encrypted when the phone is locked. That is not true. Some
data of some apps might be encrypted while the apps are closed. Some data on your phone might be
encrypted while it is locked, but not all of it. If you get a message notification and a small snippet of it on
your lock screen, then it is clearly not encrypted. Your data is only encrypted when you have full disk
encryption on and your phone is turned off. The weakness of that is that after decrypting on boot the
key is kept in RAM, and some or all files might be decrypted while the phone is running. Starting from
Android 10, full disk encryption is not supported, only file-based encryption.
If no decryption keys are in RAM or files are not decrypted, then what LE often does is dump the
data and just brute-force the encryption. People use 4-6 digit PINs on their phones; that is trivial to
break.

To keep your sensitive data safe on your phone:

  1. Set a strong unlock passphrase. Since this is your phone unlock password, you should be able to
    remember it. It also cannot be too cumbersome to enter every time you unlock your device. I’d make it
    well over 10 characters using numbers, letters and symbols. Since this is a password you use multiple
    times a day, you can make it more complex.
  2. Do not use biometrics. The police will punch you in the mouth and unlock the phone whether you like
    it or not. The police break the law and lie all the time.
  3. Do not keep incriminating data on your phone. No documents, pictures or anything else.
  4. Use self-destructing messages in IM applications. Other people get busted and unlock their phones.
  5. Do not use cloud syncing of any kind. Cloud backups have put people in jail.
  6. There are always critical moments where, if something bad is going to happen, it will most likely be
    then. Keep your phone turned off if you can.
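
The settings from LOW step 4 (no permissions left on the IM app) and MEDIUM step 8 (Orbot as always-on VPN with “Block connections without VPN”) can be verified from a computer over adb instead of trusting the settings screens. This is an added example, not part of the original guide; it assumes USB debugging is enabled, `com.example.im` is a placeholder package name, and the dumpsys text is a constructed sample.

```shell
#!/bin/sh
# Added example: audit the settings the guide relies on, over adb.
ORBOT_PKG="org.torproject.android"   # Orbot's package name

# Reads `dumpsys package <pkg>` text on stdin and prints every runtime
# permission that is still granted, one per line. Install-time permissions
# such as INTERNET cannot be revoked by the user and are ignored here.
granted_runtime_perms() {
  awk '
    /runtime permissions:/  { in_rt = 1; next }
    in_rt && !/granted=/    { in_rt = 0 }
    in_rt && /granted=true/ { sub(/:.*/, "", $1); print $1 }
  '
}

# $1 = output of `settings get secure always_on_vpn_app`
# $2 = output of `settings get secure always_on_vpn_lockdown`
# Succeeds only if Orbot is the always-on VPN AND lockdown
# ("Block connections without VPN") is switched on.
vpn_lockdown_ok() {
  [ "$1" = "$ORBOT_PKG" ] && [ "$2" = "1" ]
}

# Live audit of a connected device; $1 = package name of the IM app.
# Usage: audit_device com.example.im
audit_device() {
  app=$(adb shell settings get secure always_on_vpn_app | tr -d '\r')
  lock=$(adb shell settings get secure always_on_vpn_lockdown | tr -d '\r')
  vpn_lockdown_ok "$app" "$lock" ||
    echo "WARN: always-on VPN is '$app', lockdown is '$lock'"
  perms=$(adb shell dumpsys package "$1" | granted_runtime_perms)
  [ -z "$perms" ] || printf 'WARN: still granted to %s:\n%s\n' "$1" "$perms"
}

# Constructed sample of dumpsys output (not captured from a real device).
SAMPLE_DUMPSYS='Package [com.example.im] (abc123):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      disabledComponents:
        com.example.im.SomeReceiver'

# Offline demo: list what the sample app could still access.
printf '%s\n' "$SAMPLE_DUMPSYS" | granted_runtime_perms
```

Any permission the audit prints is one the app can still use regardless of Tor routing. Turn USB debugging off again once the audit is done.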