by Kenna Warsinske
Oh, smartphones. It’s your bank, it’s your calendar, it’s your tv. For many younger, lower income Americans, it’s your only internet connection. The ‘phone’ part has faded into a powerful mini computer and personal assistant robot.
It’s a little silly to ask if we should trust our phones with our personal lives. Phones are just part of our reality. We want our little personal assistant robots. We want safe access to internet. It’s reasonable to want to use our phone for day-to-day tasks without being tracked or hacked.
At least, that’s the goal. Realistically, if someone really, really wants to hack you, they’ll find a way to do it, and user tracking is why services like Facebook and Google are free. So think hard about your personal risk.
Do you have a stalker? You probably don’t want to let social media apps access your location.
Are you an activist? You probably want to encrypt your phone.
Are you a public figure? Lock down your social media with two-factor authentication (2FA).
Have you been hacked before? Time to change your iCloud or Google password.
Think about your risk as you go through this article and decide what’s best for you.
The Three Basics
I run small workshops to help people with personal security, and I always start everyone with three steps. We all begin with these steps, then we personalize a plan of action. I also spoke with Cora Borradaile, a computer scientist at Oregon State University who developed a “Digital Security for Activists” program for the Civil Liberties Defense Center, to help fill in the blanks for high risk users.
If you’re truly high risk, Cora says be advised: Your best bet is to avoid cell phones entirely. “Basically, just don’t use them.”
Update your phone
This is the easiest thing you can do for your security. Take advantage of the security updates that developers have already taken care of for you. If you don’t have the space to accept updates, make space by deleting photos, unused apps, and podcasts. For high-risk users, Cora says, “If your phone is too old to accept new updates, you should consider getting a newer phone.”
- Android apps: Google Play app > menu > settings > Auto-update at any time
- Android system updates: Settings > system updates > check for system updates
- iOS apps: Settings > iTunes & App store > make sure “updates” is turned on (if it’s green, you’re good)
- iOS software update: Settings > General > software update
This just adds an extra ‘step’ for logging in. Step one is you enter your password like normal. Step two is a unique one-time code that you enter from elsewhere. For most people, that’s a special code sent to your phone. Other people like to use Google’s authenticator app. If you’re a high risk user, you might consider a special USB ‘key’. They run about $30 and Yubikey is a popular brand.
Cora says, “Two-factor authentication will always give you additional security because it’s relying on two completely separate things to authenticate who you are; Something you know (password) and something you have (cell phone). So for someone to overcome that, they’d need access to both things. You might be worried about someone brute forcing your password, but then they’d also need access to your cell phone.“
- Android: log into your phone’s Google account on a desktop and go to My Account > Sign in & Security > then scroll down to 2-step verification and follow the instructions
- iOS: settings > Apple id > password & security > 2-step verification
No more memorizing hundreds of unique passwords! This is the number one thing that will make your life easier and also more secure. A password manager is a secure, digital password notebook that can only be opened with a master password. There are a lot of options out there. Some are open source, some can be unlocked with your face, some do auto-fill, some can share passwords with family (if that’s something you need). It doesn’t matter which one you use, but try to find one with a mobile app that syncs easily. I like LastPass, myself.
Four Optional Steps
Security is a moving target and this is where you should start to personalize your plan of action. Are you a public figure with a strong and curated social media presence? Are you using your phone to track down your next job with a gig economy app like TaskRabbit? Do you use your phone instead of a computer to surf the internet? Are you an activist who’s worried about safe organizing?
When you’re thinking about your security needs, be realistic about how you use your device and don’t give in to paranoia. I promise you don’t need all of these. You should have some familiarity with the concepts, however.
Cora says, “You should be careful about what apps you download to your phone. There’s a famous example of a flashlight application that turned on video and didn’t let you know. There are apps that do things they’re not supposed to do.” (https://www.wired.com/2014/10/iphone-apps/)
Check your app permissions to make sure you’re only giving out private data when you want to. Some apps might have more access to your private data than you meant to give.
- iOS: settings > privacy
- Android (6.0 and up):
- Settings > privacy & emergency > app permissions
- Settings > applications > Application Manager > (pick app) > scroll down to ‘permissions’
Good rule of thumb: if it makes you uncomfortable, turn off the permission or don’t use the app. Also, uninstall apps you don’t use anymore.
Android also allows for installing 3rd party apps, but only if you turn on a special setting. Popular apps like HumbleBundle and TaskRabbit’s ‘Taskers’ app both require you to go into your settings and ‘allow’ 3rd party apps–even when installing updates. This is not great security. If you can’t avoid these apps, only turn on ‘allow 3rd party apps’ when updating the app and turn it off again as soon as you can.
Also, Android users, turn off tracking on your Google account if you don’t use it.
This is a very hot topic right now. It seems like every day there’s another news article about some group using fancy encrypted messaging. It all sounds very sexy and many activists treat secure messaging apps like a silver security bullet. Unfortunately, they’re not a magic solution. End-to-end encrypted messaging apps mostly only protect against a very specific attack–they keep your text messages from being read by your cell carrier or fake cell towers, known as “cell-site simulators” or by their brand name “Stingray”. That’s about it. That said, if you’re having secret conversations, say, with your lawyer or an intrepid reporter, then you should think about both parties using end-to-end encryption.
Cora has a lot to say about cell-site simulator surveillance systems. They’re mostly used by law enforcement to monitor cell phones, “There are 70 agencies in 24 states that have access to Stingrays and employ them. This would affect anyone going to a protest. … The way they work is the mimic a cell phone tower in a region. They either have a stronger signal than any of the local towers in the region or they somehow make it seem like they have the strongest signal, and since phones always connect to the strongest signal first, then any phone in the area would connect to a stingray instead of a true cell tower. So they’ll sweep up all of the information and then pass it on to a true cell tower so people don’t know that it’s being used.”
There are two heavy hitters in end-to-end encryption apps: Signal and WhatsApp. They both replace your SMS app that comes by default with the phone. When you message someone who also has the same app, the message is encrypted and sent over 4G or wifi. If you message someone who doesn’t have the app, the message is sent over SMS. Signal and WhatsApp also support encrypted phone calls and video chat and they have other fancy spy movie features like disappearing messages and passphrases.
The biggest security risk is at the end-point. I once recommended Signal to a client with a possessive partner, but they refused to install Signal because the partner would notice the new icon and ‘freak out’. (We finally settled on Facebook Messenger, which also supports some end-to-end encryption and disappearing messages) Also, keep in mind that screen capture can’t be turned off in iOS, so these apps are not a good solution for sending sexy pictures without them being leaked.
Cora agrees, “You can do end to end encryption like Signal, but your endpoint security is usually your weak spot.”
Some differences: WhatsApp keeps logs of the ‘metadata’ of your conversations and Signal doesn’t. The metadata is the Who and When of the conversation, but not the What. WhatsApp knows that you spoke to your divorce lawyer, a fellow WhatsApp-user, on Monday at 3pm, but it doesn’t know what you said. That might be a risk. But WhatsApp has many, many more users. There’s something like 1.2 BILLION users globally, so you’re more likely to accidentally have an encrypted conversation with WhatsApp.
I personally like Signal best. The interface is minimalist, I can set up a second password for my messages, and it finally supports gifs. My biggest complaint is that changing to a new phone is a bit of a headache, but not awful. Also, the desktop app is easy to use.
HTTPS Everywhere and Ublock Origin give you the most bang for your buck when it comes to browser security. HTTPS Everywhere does its level best to force sites to serve you HTTPS instead of HTTP. Ublock Origin blocks trackers and ads that all websites use to trace your activity–and it blocks malicious ads that trick you into installing malware. Important note: your favorite sites probably depend on ad revenue, so be kind and disable Ublock Origin on your favorite blogs, vlogs, and news sites.
These are both add-ons and extensions, so you’ll need to switch from the default browser to Chrome or Firefox. When it comes to browsers, Firefox does a better job protecting your search history from Google, but Chrome has a better reputation for protecting users from hackers. Other ‘secure’ browsers like Ghostery and Dolphin browser are fast and don’t take much space on your system, but they’re basically just browsing in ‘private’ mode1 by default and can’t accept extensions, so you don’t get the benefits of HTTPS Everywhere and Ublock Origin. But consider the options and choose what’s right for you.
If you’re paranoid about Google tracking your searches, don’t sign into your Google account on your Chrome browser, if you use Chrome. Also, consider using DuckDuckGo as a search engine instead of Google.
If you worry about someone checking your physical phone for your search history, use private mode and clear your search history from your browser when you’re done. It won’t hide your searches from Google or your ISP, but it will hide your search history from a nosy roommate.
Encrypt Your Device
If you’re worried about someone stealing and breaking into your physical device, you need device encryption. This will keep people from plugging your phone or microSD card into a computer and reading your data.
First, you’ll need to set a passcode or a PIN or a pattern for your device. The encryption won’t work with thumbprints on older operating systems, so stick with the non-biometric options. Look up ‘most common passwords’ or ‘most common patterns’ and be sure you don’t use those.
Second, turn on encryption. For most Android users, this takes about an hour, as advertised. Make sure your device is plugged in. Oh, and Android power users? Unroot your phone beforehand.
- Android (2.x – 5.x): Settings > Security > Encrypt Phone (also hit ‘Encrypt SD card while you’re there)
- Android (6.x and up): Settings > Lock Screen and Security > Encrypt SD card
(think about hitting ‘secure startup’ while you’re in there. It just makes it so your phone won’t restart without your pin/pass/pattern)
- iOS: As soon as you’ve turned on a passcode, encryption is on by default. (Yay!)
A note for high risk users: you might be doing this because you’re worried about your phone being illegally searched. If you’re an activist and you’re worried about bringing your phone to a protest, Cora has this advice: Leave it at home.
The Three Duds
In these cases, there’s almost no payoff and the security risks are huge if you don’t know what you’re doing. These are not worth the time for your phone.
VPN (Virtual Private Network)
People are going to argue with me on this one, but in a post-Snowden world, VPNs just don’t do much for regular users anymore. Back in the day, a nefarious person could sit in a cafe with their favorite network diagnostic tool and soak up stranger’s passwords and email messages. A savvy computer user would use a VPN to pass their traffic from the scary open coffee shop server to the VPN’s server. Now, most major sites use HTTPS and encrypt traffic by default. Nefarious persons (or nosy ISPs) can only really collect the name of HTTPS-using sites and not much else.
Twitter security personality SwiftOnSecurity put it best: “A VPN is just a second ISP.” It’s just wrapping up your traffic and sending it to someone else’s ISP. It doesn’t disguise your data, it just moves it. If you’re worried about your ISP spying on you, a VPN will keep your traffic from your ISP. That’s true, but it hands that same data over to your VPN service and sometimes those services are actually just doing data mining. Not to mention that some of the free apps are flat-out malware, not VPNs at all.
If you can spin up your own VPN, go for it. That can be a fun project if you’re into that kind of thing. Some people need VPNs for work or for very, VERY specific activities, and if you already know why you need one, you probably have one. But a VPN isn’t going to help protect the privacy of the normal user.
Tor & Tor Browser
This one is also gonna cause drama, but nope. Tor is not for your phone. Just like above, it mostly only hides your location. Your activity can even be traced back to you if you use plugins, download and open files, log in to websites, or use your credit card. Tor can’t even be installed in iOS. Just avoid it, unless you already know how to use Tor and you really, really love it.
Unique Cell phone id (GUID)
I don’t have experience here, but the idea is that each cell phone has a unique id and that id can be used to track users and identify users personally. So I spoke with Yori Kvitchko, an app developer with a background in security.
“It’s something an app can easily get, but it isn’t easily associated with a physical phone or person. And actually, it looks like Apple beefed things up a bit. Instead of getting the unique device ID, you can get a device id that’s unique to that app on that device. Marketing people can’t track your device across apps. For example, if I was an ad network that had my ads installed in multiple apps from multiple vendors, I couldn’t track the same player across all of them. ….On iOS. Android you can get the ‘pure device ID’.”
But still. Even if you’re tracking a specific device, it would take a lot of work to track that device back to an actual person. “Unless you had access to other databases that also used the same device id, you having it wouldn’t do you much good.”
Major data brokers like Google and Apple can have access to this information, app developers have limited access, but its primary use is marketing, so don’t worry about it.
A few final thoughts
It’s tempting to completely ditch your smartphone and dig out your old trusty ‘dumb’ phone. I asked Cora about this. She says that won’t help. “(Flip phones) still have all of the same security vulnerabilities with stingrays and their ability to intercept information easily from a phone, and you don’t get the benefit from say, Google Maps.”
It’s also tempting to go overboard here and lock your phone down to the point that the phone is all but unusable. If unlocking your phone and opening your email feels like opening a high-security vault, you’ll eventually become frustrated and turn all of those security features completely off. Use security features that work quietly in the background or that you know you can live with.
So… moderation. Breathe. Don’t panic. Hit the update button on your phone. Turn on basic 2-factor on your most important accounts. Save a few passwords in your password manager. When in doubt, leave the phone turned off and at home. That’ll take care of the majority of threats that are out there. The rest is icing on the paranoid security cake.
Kenna Warsinske runs basic digital security workshops for her friends, family, and local political groups.
- Private mode, sometimes known as a ‘private window’ or ‘incognito’, is a special browser window that doesn’t keep your browsing history or download history. Private mode also asks websites and cookies to not track you, but it’s up to the individual website to honor that request. It’s good for hiding some of your browsing history from someone snooping on your phone, but it’s about as effective as clearing your browser data after your search session. All major browsers offer Private mode or private windows. ↩