CEO of Nethemba - Slovak IT security company founded in 2007, primarily focused on web application security and various penetration tests.
High Time for Smartphone Privacy
Let's talk about . . .
- Random and persistent digital privacy threats
- Why choose Android as a secure privacy platform?
- Encrypted storage
- Encrypted communication
- Privacy-aware searching
- Anonymization techniques (browsing, payments)
- Other privacy recommendations
Digital Privacy Threats
- Unexpected threats caused by various viruses, malware, targeted attackers
- Cyber-terrorism (often a hype and pretext for hugely expensive government IT security projects paid by tax-payers)
- Can be reduced by antiviruses, anti-malware, systems' hardening
- Forced by the government and their legislation
- Can be reduced by end-to-end crypto, anonymization and systems' hardening
Persistent Privacy Threats I
- They need to spy their citizen because of many reasons (usually tax evasion, terrorism, ...)
- Massive legal spying using data-retention law (was valid in the most EU countries including Slovakia) -> all ISP/mobile operators were forced to store headers of all communications for 6-24 months! - it was held unconstitutional by European Court of Justice
- Secret agencies (in Slovakia there is no transparency about their activities - Wikileaks revealed their cooperation with dictatorship companies), they use Galileo from Hacking Team and FinFisher from Gamma Group, both companies support countries with a dictator regime
- eKasa / EET massive financial surveillance
Persistent Privacy Threats II
By Internet corporations
- Spying is a part of their business model
- Google / Apple / Microsoft has a full access to all used wireless networks, your calendars, your contacts, despite the fact they care about security a lot, they ignore their users' privacy (Google applications still do not support end-point encryption, e.g. using PGP)
- All social networks (Facebook, LinkedIn, Twitter, Instagram) consider all their users to be products which are sold for marketing purposes
Persistent Privacy Threats III
By mobile operators
- It's also part of their business and they are forced by legislation
- Full access to your localization data (and sometimes they sell it!), you don't need to have a smartphone to be exactly localized using GSM triangulation
- Legally they CAN NOT provide end-to-end encrypted calls (using ZRTP protocol) for their customers (because of impossibility of legal interception by the government)
- The mobile communication must be terminated at their devices, therefore they have full access to all your calls, text messages, ...
Why you should prefer Android
when you care about your privacy
- It is open source - easily and completely auditable what is crucial for security (iOS, Blackberry, Windows Mobile are proprietary closed-source platforms) - you know there isn't anything hidden that might violate your privacy (e.g. Carrier IQ)
- There is a "privacy-aware" Android distribution - Lineage OS / Replicant that has removed any Google spying functionality & includes incognito mode, torification etc.
- It supports all advanced Linux security features (e.g. SELinux, full disk encryption, etc.)
- iOS marketplace is more conservative, it may contain less malware/trojans than Android app repositaries
Privacy aware Android distributions
- Lineage OS for microG https://lineage.microg.org/#
- mainly old smartphones are supported
- 100% Free Software distribution https://replicant.us/
- mainly old smartphones are supported
- Opensource version of Google Play services https://microg.org/
- Opensource package manager with a lot of opensource applications https://f-droid.org/
- Hardened Android https://copperhead.co/android/ (Google Pixel and Pixel 2 are only supported) - replaced by https://grapheneos.org/
Full disk encryption
- Android >=3.0 supports native full disk encryption
- iOS supports a native hardware encryption
- Use a strong passphrase instead of PIN to encrypt your storage
- Don't forget to encrypted all your external SD cards
- Use at least AES256 storage for your sensitive information (credit card numbers, credentials, private keys, etc)
- KeePassDroid (opensource), B-Folders, Dashlane
- Dashlane supports Dark Web Monitoring, VPN
Encrypted communication I
L2/L3 network encryption & firewall
- IPSEC VPNs - strongSwan VPN client
- SSL VPNs - OpenVPN, ProtonVPN
- SSH tunnel
- NetGuard firewall
Secure & Privacy aware Browsing
Brave browser with
- HTTPS Everywhere support
- integrated Tor & Anonymous Windows
- automated blocking of all advertisements
Encrypted communication II
- PGP encryption based on APG (K9 Mail, Aqua Mail)
- PGP encryption based on PGP KeyRing (Squeaky mail)
- FlipdogSolutions Crypto Plugin (Maildroid)
- Own PGP & S/MIME implementation (r2mail2)
Instant chat encryption
- based on OTR (Chatsecure, Xabber, IM+ Pro with OTR plugin)
- based on Signal protocol (Signal, WhatsApp, Facebook Messenger)
- own proprietary crypto implementation (Threema, Telegram, Wire)
Voice / Video encryption
- based on ZRTP protocol and SIP/TLS (CSimple, Acrobits Softphone, Groundwire)
- based on Signal protocol (Signal, Session)
Encrypted Communication III
https://librem.one/ - privacy aware commercial package from Purism
- Librem Mail
- Librem Chat
- Librem Social
- Librem Tunnel
Encrypted communication IV
Start to encrypt your text & voice communication immediately:
- Install Signal (strongly recommended) or Session
- Avoid Telegram (due to its history of serious security vulnerabilities)
- Consider if it is good idea to use proprietary application with no source code (Threema, Acrobits Softphone, Groundwire, Kryptocall, ...) Can we trust them?
- Check https://www.securemessagingapps.com for privacy comparison of almost all messengers
Session is an end-to-end encrypted messenger that removes sensitive metadata collection, and is designed for people who want privacy and freedom from any forms of surveillance.
Session is open-source, public-key-based secure messaging application which uses a set of decentralised storage servers and an onion routing protocol to send end-to-end encrypted messages with minimal exposure of user metadata. It does this while also providing common features of mainstream messaging applications
Status is a ethereum-based messenger, crypto wallet, and Web3 browser built with state of the art technology.
Whisper uses peer-to-peer dark routing–making it impossible for anyone (including us) to know anything about you or who you're communicating with.
How to have multiple Signal /WhatsApp / Messenger identities at one smartphone without using multiple phones or SIM cards.
This should work on all Androids without rooting, and probably iPhones as well
Get an anonymous mobile number
Install Hushed app and buy a mobile number of any country you want to use for your alter ego identity (I recommend to buy the US number because it supports SMS text messages which are required for SMS verification, it's cheap - $30 per year, and it works with all services mentioned above). If you want to stay as much as anonymous, you can buy this number using crypto https://hushed.com/payment-step-1
Anonymous Signal / WhatsApp / Messenger identity
- Install DualSpace Lite app. If you use 64-bit apps, install Dualspace Lite 64-bit version too.
- Clone your Signal / WhatsApp / Messenger apps to your Dualspace environment if they don't exist there.
- Install Orbot and choose Tor enabled apps and select 'Dualspace Lite app' (and 'Dualspace Lite app 64-bit version' if you use 64-bit version).
- Start the Orbot. In Settings choose 'Start Orbot on Boot'.
- Register your Signal / WhatsApp / Messenger app with your Hushed mobile number - you receive SMS verification message to your Hushed app.
- Voila! Now all your cloned Signal /WhatsApp / Messenger apps will be paired with the anonymous number and available through Tor connection only.
Use DuckDuckgo.com (or startpage.com/ixquick.com) instead of Google
- Google is not a privacy-aware search engine, it tracks everything about you
Disable geolocation services
- Especially if you don't use them
- Be aware the mobile operator can still track you thanks to GSM triangulation
Outgoing connection / browsing anonymization
- Based on Tor, torification of all outgoing connections from smartphone is possible (Orbot, Orweb, Orfox, Orxy)
- Based on i2p (i2p)
- Use Lightning Browser with integrated I2P / Orbot support
- Use Orfox with Orbot support
- Based on Bitcoins or truly anonymous cryptocurrencies (Monero, ZCash, Zcoin,..)
- Use monerujo or Monero Wallet (no view keys privacy)
- Check Wasabi Wallet with CoinJoin (no Android support yet)
- ObscuraCam (Blur Faces and remove camera and location metadata)
Other privacy recommendations
Use the recent Android & iOS version
Use trustworthy software
- Always check application's permission during installation
- Use applications from official Android Market only
- Use antivirus and firewall (NetGuard, DroidWall), Network Log
Consider using of social networks
- They have usually access to all your sensitive informations stored on your smartphone
Avoid using really sensitive applications
Use trustworthy tracking / wiping software
- With the possibility of "remote wipe" and "remote lock"
Other privacy recommendations
Opt out of global data surveillance programs like PRISM, XKeyscore and Tempora.
Stop governments from spying on you by encrypting your communications and ending your reliance on proprietary services.
More information at http://prism-break.org/
- Care about your privacy - privacy intrusions by 3rd parties (government, corporations, your competitors) will be more likely in the future
- You are already tracked (by data retention law, all social networks, Google) and can be easily monitored (by any secret or other government agencies)
- The Internet is a permanent storage - some your sensitive data may be never erased when they are leaked
Thanks for your attention!
High Time for Smartphone Privacy
By Pavol Luptak