Using Phones and Mobile Devices Securely
This blog post will introduce the concept of end-to-end encryption and will discuss adding an additional level of security to passwords through the use of two-step verification or two-factor authentication. We also discuss basic tips to use mobile devices securely, as well as useful applications that can be downloaded on smartphones for improved mobile security including: secure text messaging; phone calls and video conferencing; sharing of images/photos; and sending secure and synchronized alarm messages to your network when you’re in danger.
The key to secure communication online is open source “end-to-end encryption”. The Freedom of the Press Foundation in its publication “Encryption Works” defined encryption as:
[T]he process of taking a plaintext message and a randomly generated key and doing mathematical operations with the two until all that’s left is a scrambled, ciphertext version of the message. Decryption is taking the ciphertext and the right key and doing more mathematical operations until the plaintext is recovered.
Thanks to the hard work of citizen cryptographers and the open source community, it is now possible to have adequate security online (even when using our phones) due to a decent selection of free open source applications. However, ensuring your privacy when using encrypted applications requires that your network of friends and colleagues are also using the same digital protection measures. This needs discipline and education of your network about safer alternatives.
Basic steps to mobile phone security
Your phone is a tracking device. Even when it is switched off it is sending signals to the service towers around you, allowing your mobile provider to geo-locate you easily. The only way to stop this tracking is to switch off your phone and take the SIM card and battery out (or wrap your phone in aluminum foil if the battery is not removable). If you are tweeting (or facebooking) sensitive information with your phone or smartphone, such as live-tweeting during a protest, make sure to:
- disable the geolocator on your smartphone;
- create a new anonymous social media account; and
- assume that your phone can be lost, stolen or confiscated by the authorities and make sure that:
  1. your phone has a complex PIN code; and
  2. you log out of your social media accounts (and other sensitive applications) after each use.
Tightening the grip on passwords through two-step verification
If you are wondering if your password is strong enough, Passfault is an online platform that evaluates the strength of your passwords by calculating the time it takes to crack each password. All you have to do is plug in your password and you will get an analysis of the extent of its strength or weakness. Passfault does not save passwords tested by users of its website.
Besides using long and complex passwords that are at least 20 characters long and considering the use of a password database, such as KeePass or LastPass, using two-step verification (or two-factor authentication) can offer great added protection. This is particularly true if the password to your email or social media accounts is compromised. Two-step verification ensures that it is actually you, the owner of the account, who is accessing the account. A code is either sent to your mobile phone or is generated by a smartphone application like Google Authenticator, and you then have to enter the code in order to access your account. This feature is becoming increasingly popular and is available with Google, Facebook (Facebook calls it login approvals), Twitter, Microsoft and others.
Encrypted applications for mobile phones
The Electronic Frontier Foundation (EFF), a leading organization in the fight for digital rights, including digital privacy, has scrutinized more than 40 messaging tools and applications and created a scorecard to tell users how secure these messaging applications are. Some of the most commonly used messaging tools and applications such as Facebook chat, Google Hangouts, WhatsApp, Viber and Skype ranked poorly when it came to privacy and security. Below are six phone messaging apps that got a full score or an almost full score according to the EFF’s evaluation of their safety and security.
Encrypted text messaging
– Cryptocat: is a free open source chat, file and photo-sharing application that can be used on your computer’s browser and iPhones (there is no Android application yet but one is planned for release). Additionally, Cryptocat can be used with Facebook to ensure secure chatting via Facebook Messenger.
Not only does Cryptocat use end-to-end encryption, it also ensures that messages are encrypted from the user’s side so everything entering Cryptocat’s servers is already encrypted. Hence, even the developers of Cryptocat can’t read your messages.
You can download a plugin for Cryptocat on a number of browsers including: Safari, Chrome and Firefox. Another allure of Cryptocat is that you can chat anonymously. It is very easy to use and does not require that you open an account. To start a chat you have to log in through your browser or phone application; choose a “conversation name” and “nickname”; and then share the conversation name with people you’d like to talk to, via encrypted email or any other safe method. Each time you use Cryptocat you can choose a different “conversation name” and “nickname”. There is no saved record of your chat. The moment you close the conversation it’s all gone.
– Sure Spot: is a free open source encrypted messaging application that works on both iPhones and Android. It permits texting, voice messaging and the exchange of images. Sure Spot allows you to have multiple identities on one device. For added security, each time you open the application you will have to input your password.
Encrypted phone calls and voice chatting
– RedPhone: is a free open source application that allows end-to-end encrypted phone calls for Android phones. RedPhone uses your phone number to make calls so you don’t need to create another identifier. It allows you to use the main dialer on your phone and call using a Wi-Fi connection or your phone data plan. The calls are encrypted as long as you are calling someone who is also using RedPhone or its equivalent for the iPhone, Signal.
– Signal: is the first free open source and encrypted voice call app for the iPhone (released in mid-2014). It is compatible with RedPhone (both Signal and RedPhone are made by the same company, Open Whisper Systems).
– Silent Phone: is made by the company Silent Circle, which makes high-end encrypted applications for corporate clients. Silent Phone is therefore not a free application. It works with both Android and iPhones, and each subscriber gets a 10-digit number. When calling those not using Silent Phone, only one side of the conversation is encrypted.
– Jitsi: is a free, encrypted Off-the-Record (OTR) chat and video conferencing tool that completely replaces voice and instant messaging programs such as Google Hangouts and Skype. It supports many popular instant messaging and telephony protocols including: SIP, Jabber/XMPP (and hence Facebook and Google Talk), AIM, ICQ, MSN and Yahoo! Messenger.
Jitsi’s video conferencing option on your phone or computer’s browser can be accessed at: https://meet.jit.si. You don’t even need to open an account to use Jitsi. Jitsi creates a unique URL once you log in that you may share with any number of people you want to include in the call. Remember to use encrypted email/messaging when you share the unique URL with others you are inviting. You can also protect the conversation by setting a password (use the lock icon on the top). Jitsi allows complete sharing of documents and attachments. It also works well in settings where the internet is slow. Jitsi can be downloaded as software for PCs and Macs.
In mid-2014 Amnesty International released Panic Button, which is an app targeted at human rights defenders and activists at risk of sudden arrests, kidnapping or torture. Panic Button is an Android application that sends an SMS alert message and your location to a network of up to three contacts to let them know that you’re in danger. However, to work well, the alert message that Panic Button sends needs to be set up in advance and your “emergency contacts” need to be notified ahead of time so they can act swiftly. To trigger an alarm message, users of Panic Button have to rapidly press the phone’s power button five times in five seconds until they feel a vibration.