High Time for Smartphone Privacy

Let's talk about . . .

  • Random and persistent digital privacy threats
  • Why choose Android as a secure privacy platform?
  • Encrypted storage
  • Encrypted communication
  • Privacy-aware searching
  • Anonymization techniques (browsing, payments)
  • Other privacy recommendations

Digital Privacy Threats

Random

  • Unexpected threats caused by various viruses, malware, targeted attackers
  • Cyber-terrorism (often a hype and pretext for hugely expensive government IT security projects paid by tax-payers)
  • Can be reduced by antiviruses, anti-malware, systems' hardening

 

Persistent

  • Forced by the government and their legislation
  • Can be reduced by end-to-end crypto, anonymization and systems' hardening

Persistent Privacy Threats I

By governments

  • They need to spy their citizen because of many reasons (usually tax evasion, terrorism, ...)
  • Massive legal spying using data-retention law (was valid in the most EU countries including Slovakia) -> all ISP/mobile operators were forced to store headers of all communications for 6-24 months! - it was held unconstitutional by European Court of Justice
  • Secret agencies (in Slovakia there is no transparency about their activities - Wikileaks revealed their cooperation with dictatorship companies), they use Galileo from Hacking Team and FinFisher from Gamma Group, both companies support countries with a dictator regime
  • eKasa / EET massive financial surveillance 

Persistent Privacy Threats II

By Internet corporations

  • Spying is a part of their business model
  • Google / Apple / Microsoft has a full access to all used wireless networks, your calendars, your contacts, despite the fact they care about security a lot, they ignore their users' privacy (Google applications still do not support end-point encryption, e.g. using PGP)
  • All social networks (Facebook, LinkedIn, Twitter, Instagram) consider all their users to be products which are sold for marketing purposes

Persistent Privacy Threats III

By mobile operators

 

  • It's also part of their business and they are forced by legislation
  • Full access to your localization data (and sometimes they sell it!), you don't need to have a smartphone to be exactly localized using GSM triangulation
  • Legally they CAN NOT provide end-to-end encrypted calls (using ZRTP protocol) for their customers (because of impossibility of legal interception by the government)
  • The mobile communication must be terminated at their devices, therefore they have full access to all your calls, text messages, ...

Why you should prefer Android

when you care about your privacy

Why yes:

  • It is open source - easily and completely auditable what is crucial for security (iOS, Blackberry, Windows Mobile are proprietary closed-source platforms) - you know there isn't anything hidden that might violate your privacy (e.g. Carrier IQ)
  • There is a "privacy-aware" Android distribution - Lineage OS / Replicant that has removed any Google spying functionality & includes incognito mode, torification etc.
  • It supports all advanced Linux security features (e.g. SELinux, full disk encryption, etc.)

Why not:

  • iOS marketplace is more conservative, it may contain less malware/trojans than Android app repositaries

Privacy aware Android distributions

 

Encrypted storage

 

Full disk encryption

  • Android >=3.0 supports native full disk encryption
  • iOS supports a native hardware encryption
  • Use a strong passphrase instead of PIN to encrypt your storage
  • Don't forget to encrypted all your external SD cards

 

Application-specific encryption

  • Use at least AES256 storage for your sensitive information (credit card numbers, credentials, private keys, etc)
  • KeePassDroid (opensource), B-Folders, Dashlane
    • Dashlane supports Dark Web Monitoring, VPN

Encrypted communication I

 

L2/L3 network encryption & firewall

  • IPSEC VPNs - strongSwan VPN client
  • SSL VPNs - OpenVPN, ProtonVPN
  • SSH tunnel
  • NetGuard firewall

Secure & Privacy aware Browsing

  • Brave browser with
    • HTTPS Everywhere support
    • integrated Tor & Anonymous Windows
    • automated blocking of all advertisements

Encrypted communication II

Email encryption

  • PGP encryption based on APG (K9 Mail, Aqua Mail)
  • PGP encryption based on PGP KeyRing (Squeaky mail)
  • FlipdogSolutions Crypto Plugin (Maildroid)
  • Own PGP & S/MIME implementation (r2mail2)

Instant chat encryption

  • based on OTR (Chatsecure, Xabber, IM+ Pro with OTR plugin)
  • based on Signal protocol (Signal, WhatsApp, Facebook Messenger)
  • own proprietary crypto implementation (Threema, Telegram, Wire)

Voice / Video encryption

  • based on ZRTP protocol and SIP/TLS (CSimple, Acrobits Softphone, Groundwire)
  • based on Signal protocol (Signal, Session)

Encrypted Communication III

 

https://librem.one/ - privacy aware commercial package from Purism

  • Librem Mail
  • Librem Chat
  • Librem Social
  • Librem Tunnel

 

 

 

Encrypted communication IV

Start to encrypt your text & voice communication immediately:

  • Install Signal (strongly recommended) or Session
  • Avoid Telegram (due to its history of serious security vulnerabilities)
  • Consider if it is good idea to use proprietary application with no source code (Threema, Acrobits Softphone, Groundwire, Kryptocall, ...) Can we trust them?
  • Check https://www.securemessagingapps.com for privacy comparison of almost all messengers

Session https://getsession.org/ 

Session is an end-to-end encrypted messenger that removes sensitive metadata collection, and is designed  for people who want privacy and freedom from any forms of surveillance.

 

Session is open-source, public-key-based secure messaging application which uses a set of decentralised storage servers and an onion routing protocol to send end-to-end encrypted messages with minimal exposure of user metadata. It does this while also providing common features of mainstream messaging applications

Status https://status.im/ 

Status is a ethereum-based messenger, crypto wallet, and Web3 browser built with state of the art technology.

Whisper uses peer-to-peer dark routing–making it impossible for anyone (including us) to know anything about you or who you're communicating with.

How to have multiple Signal /WhatsApp / Messenger identities at one smartphone without using multiple phones or SIM cards.

This should work on all Androids without rooting, and probably iPhones as well

 

Get an anonymous mobile number

Install Hushed app and buy a mobile number of any country you want to use for your alter ego identity (I recommend to buy the US number because it supports SMS text messages which are required for SMS verification, it's cheap - $30 per year, and it works with all services mentioned above). If you want to stay as much as anonymous, you can buy this number using crypto https://hushed.com/payment-step-1

Anonymous Signal / WhatsApp / Messenger identity

  1. Install DualSpace Lite app. If you use 64-bit apps, install Dualspace Lite 64-bit version too.
  2. Clone your Signal / WhatsApp / Messenger apps to your Dualspace environment if they don't exist there.
  3. Install Orbot and choose Tor enabled apps and select 'Dualspace Lite app' (and 'Dualspace Lite app 64-bit version' if you use 64-bit version).
  4. Start the Orbot. In Settings choose 'Start Orbot on Boot'.
  5. Register your Signal / WhatsApp / Messenger app with your Hushed mobile number - you receive SMS verification message to your Hushed app.
  6. Voila! Now all your cloned Signal /WhatsApp / Messenger apps will be paired with the anonymous number and available through Tor connection only.

Privacy-aware searching

 

Use DuckDuckgo.com (or startpage.com/ixquick.com) instead of Google

  • Google is not a privacy-aware search engine, it tracks everything about you

 

Disable geolocation services

  • Especially if you don't use them
  • Be aware the mobile operator can still track you thanks to GSM triangulation

Anonymization techniques

Outgoing connection / browsing anonymization

  • Based on Tor, torification of all outgoing connections from smartphone is possible (Orbot, Orweb, Orfox, Orxy)
  • Based on i2p (i2p) 
  • Use Lightning Browser with integrated I2P / Orbot support
  • Use Orfox with Orbot support

 

Payment transactions

  • Based on Bitcoins or truly anonymous cryptocurrencies (Monero, ZCash, Zcoin,..)
  • Use monerujo or Monero Wallet (no view keys privacy)
  • Check Wasabi Wallet with CoinJoin (no Android support yet)

Face obscure

  • ObscuraCam (Blur Faces and remove camera and location metadata)

Other privacy recommendations

Use the recent Android & iOS version

Use trustworthy software

  • Always check application's permission during installation
  • Use applications from official Android Market only
  • Use antivirus and firewall (NetGuard, DroidWall), Network Log

Consider using of social networks

  • They have usually access to all your sensitive informations stored on your smartphone

 

Avoid using really sensitive applications
Use trustworthy tracking / wiping software

  • With the possibility of "remote wipe" and "remote lock"

 

Other privacy recommendations

 

Opt out of global data surveillance programs like PRISM, XKeyscore and Tempora.

Stop governments from spying on you by encrypting your communications and ending your reliance on proprietary services.

More information at http://prism-break.org/ 
 

Conclusion

 

  • Care about your privacy - privacy intrusions by 3rd parties (government, corporations, your competitors) will be more likely in the future
  • You are already tracked (by data retention law, all social networks, Google) and can be easily monitored (by any secret or other government agencies)
  • The Internet is a permanent storage - some your sensitive data may be never erased when they are leaked

Thanks for your attention!

Contact me: