Phone Security

Cellphones are one of the foundations of the modern world: they allow us to communicate our messages, recruit new members, get information fast and connect with faraway comrades. At the same time, phones are the easiest surveillance device that we carry daily, creating metadata about our daily routine and mapping our acquaintances.

This article is separated into 3 sections:

  • Day to Day Security;
  • Before an Action;
  • Emergency Situations;

We will also dive into some application alternatives (all open source and actively maintained).

Day to Day Security

Operating Systems

Before delving into digital security practices, we want to present our analysis of cellphone Operating Systems.

The 2 major ones are iOS and Android. There are many reasons why someone would use one or the other and, while we defend Open Source software as a practice, iOS devices are used by many activists and we cannot ignore that they also need hardening. In general we suggest using a privacy-centered Android Distribution (such as GrapheneOS), but this article has security advice for both stock Android and iOS.

Encryption

The first thing you should do is enable Encryption on your device. This will protect your phone’s contents when it is turned off, making it much more work for police to access your device in case it gets seized.

On iOS:

  1. Update your iOS version by:
  • Going to the Settings app;
  • Selecting General in the menu;
  • Going to the Software Update section;
  • If there is any version that you can update to, do it;
  2. Enable Encryption by enabling Passcode:
  • Go to the Settings app;
  • Create a good passcode (you might need to select Passcode Options to switch from the standard 6-digit code to a custom alphanumeric code);

You should deactivate Touch ID & Face ID since those are easier to crack (the police might just point it at your face or your finger).

On Android:

  1. Create a password:
  • Go to the Settings app;
  • Find the Security section;
  • Select Screen Lock and create a Password (a mix of numbers and letters, minimum of 8 characters recommended);
  2. Check if Encryption is enabled:
  • Go to the Settings app;
  • Find the Security section;
  • Select Encryption;
    • If the phone is encrypted, do nothing;
    • If the phone is not encrypted, select Encrypt while it is charging;

You should not use Fingerprint or Facial features to unlock the phone.

Encryption Caveats

Encryption only works before the first time you input your password after booting your phone. If you want to “activate” it, turn off your phone.

If you get arrested and do not have your phone with you, try to get someone to turn it off.

Installed Applications

  1. Reducing the number of applications you use is advised: each app that you have expands the attack surface that Law Enforcement or Private Companies might exploit to get access to your cellphone;
  2. Be wary of the permissions you give to Applications, especially Media Access. You can refuse to give an app that access and, when you want to share something in that app, go to the File Manager and share the specific file/image with the application;
  3. See the end of this article to find Open-Source and Secure alternatives to everyday apps;
  4. Keep all the applications updated (daily);

You can have a secure browser, secure messaging and “private” social media, but do not forget to install a Secure and preferably Open-Source Keyboard.

Our Suggestions are:

  • For iOS - use the default keyboard with telemetry (analytics) turned off;
  • For Android - do not use the default keyboard (most of the time it is filled with telemetry and data-grabbing), you might try:

Connecting and Using the Internet

The main reason why we need smartphones is the capacity to connect to the internet. There are a number of threats that we need to be on the lookout for when doing this, namely:

  • Your connection might be unsafe (your logins and what pages you access can be changed/recorded);
  • Your location might be exposed;
  • The device you are using might be exposed;
  • The downloads you make might be malicious;
  • You might access malicious websites;

To deal with this you should:

  • On Public Networks, always use a VPN (see our recommendation at the end);

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and the VPN Server (which you must trust for this to work), so your traffic is encrypted while it crosses the Public Network.

  • Activate HTTPS, do not connect to websites using HTTP;
  • If you want to hide your location, either use a VPN or use Orbot / Tor Browser;
  • To hide what your device is, use Tor Browser;
  • Always be careful about what you download onto your device, try to open documents in the browser and keep your device activated;
  • Do not accept permissions (Download, Media Access, Location, Camera, Microphone) from websites you do not regularly use/trust;

About Tor Browser and Orbot.

Tor Browser is a Web Browser (just like Firefox/Chrome…) that comes already set up with Fingerprinting Resistance and other technical protections. Besides those protections, it is used to connect to the Tor network, a network made up of thousands of servers and relays that can hide which website you are connecting to (from your perspective and from the website’s perspective).

Orbot acts as a VPN on the Tor Network, where your web request goes through 3 other servers before connecting to the website/service, anonymizing your connection and protecting it from snooping.

Secure Communication 101

Firstly, SMS and Phone Calls are always insecure: they can be easily intercepted and modified by the State, and you should not use them to contact comrades. Besides the content (data), using SMS means that our enemies can paint a map of our networks and militants (metadata).

Secondly, closed-source applications (such as WhatsApp) are generally untrustworthy because we cannot check the actual code of the applications.

Thirdly, Telegram is not secure by default even though they try to market themselves as such. There is no encryption in group chats and the end-to-end encryption on direct messages has to be activated individually for each chat. Telegram also states in their Privacy Policy that if they receive a Court Order confirming that you are a Terror Suspect they will disclose your IP Address (location) and Phone Number. It is not an uncommon tactic for enemies of the socio-economic system to be painted as terrorists (see Alfredo Cospito in 41 bis).

Finally, our array of suggestions on instant messaging:

  • Signal / Molly (see our [Signal Hardening] article);
  • Briar;
  • Cwtch;

To understand Briar and Cwtch, and why you might prefer them to Signal, you can read the article called The Guide to Peer-to-Peer, Encryption and Tor.

Before an Action

Our main recommendation, in line with the recommendation of many radical groups and activists, is to leave your phone at home.

Bringing it to the action leaves a digital trail that can connect you with whatever happens there. Bringing it also means that it could eventually be seized.

A simple (but possibly expensive) solution is to get a temporary phone: either a dumb phone, or a smartphone if you need to take photographs (i.e. you are part of a Media Team).

Besides that, here are some of the main things you should do before leaving your house (with or without your cellphone).

Cleanup

Purpose: removing information that might put you or others in danger.

Cellphone

  • Make a list of photographs, documents, guides, contacts (…) that you have on your phone;
  • Copy them to an encrypted flash drive / laptop;
  • Delete them from your phone;

Signal

Multiple options, depending on threat level.

  • Uninstall Signal;
  • Delete all the messages (Signal > Settings > Storage > Delete Message History);
  • Exit all groups, delete “Direct Messages” and delete “Notes to Self”;

You might mix and match all of these options as well.

Contacts

Imagine if the police get access to your phone.

  • Do not save contacts as “Name - Collective X” / “Name - Action Y”. Rename those that were written in this format.

Social Media

  • Log out of all Social Media accounts you do not need;
  • Log out of Social Media accounts from other collectives you are part of;
  • Do the same with E-mail accounts;

Browser

  • Delete the browser and internet history;

Lockdown

Purpose: creating more barriers to protect yourself / your device.

Cellphone

  • Deactivate Biometrics (Face ID, Fingerprint …);
  • Create a good password (8-12 numbers and letters);
  • Uninstall applications you do not need during the action (you can reinstall them afterwards);
  • Confirm that your files are Encrypted (see how here);
  • Update your phone (applications and operating system);
  • Reboot (most mobile malware doesn’t survive a reboot);

Signal

Emergency Situations

There are some scenarios where you should plan ahead what you would do. In times of stress (emergency) it is much harder to think thoroughly, so you need to have specific protocols on what to do individually and collectively.

  • What happens in case there is a raid/arrest?
    • How will you communicate this with other people?
    • What needs to happen while you are arrested (are there collective accounts that need their password changed (…))?
    • You should not use that phone anymore (especially if it was separated from you), so how will you communicate with your comrades in the next months?
    • What will you do and how fast can you do it? (It is a good security policy to uninstall Signal and to shut down your phone (or even Factory Reset it))
  • How will you find spyware / what will you do in case of suspicion?
    • Do you have any alternative devices?
    • How could you warn your comrades to not message you?
    • Is there any support group that can help you? You might want to check out the Collectives page.

Application Alternatives

| Current Application / Service | Alternative(s) | Notes |
|---|---|---|
| WhatsApp | Signal / Molly | You can also check the PET guide |
| Proprietary VPNs | Calyx VPN / Riseup VPN | Donate to the projects if you are able to. |
| Slack / Discord | Matrix (Element / Syphon) | Syphon in Open Alpha and not considered ready for everyday use |
| E-mail App | K-9 (Android) | |

You can find more alternatives here.

Further Reading

Subsections of Phone Security

Signal Hardening

Signal is already very secure by default, but there are specific settings you might want to tinker with to get the most out of the secure messaging app.

Registration

The biggest downside of Signal is the need for a valid and active phone number. Most people use their personal registered number, but if you want to completely compartmentalize your personal life from your anticapitalist militancy, you can get a temporary (Burner) SIM card. To do this, you will need to:

  1. Get cash, do not pay with a Debit/Credit Card;
  2. Go to another zone in your city;
  3. Buy a cheap burner SIM (in some places you can get them in mini-markets);
  4. Activate it far away from your home, connect it to Signal and dispose of the SIM Card;

Lock Screen protections

If someone gets access to your unlocked cellphone, they can instantly read your Signal messages. To mitigate this, we want to activate Screen Lock. To do so you will:

  1. Open Signal;
  2. Go to Settings (clicking on your Profile Image);
  3. Scroll to Privacy;
  4. Find App Security;
  5. Activate Screen Lock;

Do not use patterns to unlock your phone, as they are generally insecure.

The Screen Lock will be the same as your Phone’s Screen Lock. Molly (a Signal Fork) implements a passphrase to protect your messages (separate from the Phone’s Lock Screen).

Registration Lock

If someone gets access to your SIM card, they could just connect to Signal and have access to all the groups and future messages that you would receive (especially if you bought a temporary SIM card that will expire). To address this:

  1. Open Signal;
  2. Go to Settings (clicking on your Profile Image);
  3. Scroll to Account;
  4. Select Registration Lock;
  5. Choose a PIN and put it into a Password Manager to save it;

Incognito Keyboard

Many keyboards (especially in Android devices) store what you wrote in order to train the algorithm. In order to avoid this:

Message Destruction

Signal allows you to:

  • Destroy single messages (just for you);
  • Destroy single messages (for everyone in the group);
  • Automatically destroy messages in one group after a certain time;
  • Automatically destroy messages, a certain time after they were read, in every group you create;
  • Destroy all the messages and groups you are in;

To destroy single messages:

  1. Select (long press) the message you want to destroy;
  2. Click on Delete;
  3. Select Delete for me or Delete for everyone;

To automatically destroy messages in a group/conversation:

  1. Open the conversation;
  2. Click on the conversation’s icon;
  3. Select Disappearing Messages;
  4. Select the time frame (how long after someone has read the message it will auto-delete);

By default, between 1 and 4 weeks is acceptable; for any information that might put you or other people at risk, we recommend a maximum of 1 day.

To automatically destroy messages in a group/conversation you start:

  1. Open Signal;
  2. Go to Settings (clicking on your Profile Image);
  3. Scroll to Privacy;
  4. Find Disappearing Messages;
  5. Select the time frame (how long after someone has read the message it will auto-delete);

To destroy Everything:

  1. Open Signal;
  2. Go to Settings (clicking on your Profile Image);
  3. Select Account;
  4. Select Delete Account;
  5. Re-register (optional);

Blocking Screenshots

To deactivate Screenshots in Signal, you should:

  1. Open Signal;
  2. Go to Settings (clicking on your Profile Image);
  3. Scroll to Privacy;
  4. Find App Security;
  5. Select Screen Security;

Exiting and Deleting groups

After an action, or for any other reason, you might want to exit the groups you were in and delete the remaining contents. This protects you and your comrades: even though there shouldn’t be sensitive content in the group (due to message destruction), you could put people at risk just by having a group with them. Therefore, to do this, you will:

  1. Open Signal;
  2. Select the conversation you want to exit;
  3. Click on the conversation’s icon;
  4. Select Leave group;
  5. In the message navigation, select (long press) the conversation you just exited;
  6. Click on Delete;
  7. Repeat steps 5 and 6 on every device you have connected to Signal (leaving exits the group, but you have to manually delete the remaining contents on each one);

iOS and Calls

On iOS, Signal gives the Phone app access to its call history. If you have iCloud, the history will also be shared with iCloud. The history includes whom you talked with, for how long and when. To deactivate this:

  1. Open Signal;
  2. Go to Settings (clicking on your Profile Image);
  3. Select Privacy;
  4. Deactivate Show Recent Calls;