diff --git a/README.md b/README.md index 89c5303..20c1b17 100644 --- a/README.md +++ b/README.md @@ -220,33 +220,40 @@ This section covers how you connect your devices to the internet securely, inclu ## Mobile Devices -Smart phones are an amazing tool, they've revolutionized so many aspects of life, and brought the world to our fingertips. For many of us, smart phones are our primary means of communication, entertainment and access to knowledge. But while they've brought convenience to whole new level, there's some ugly things going on behind the screen. +Smart phones have revolutionized so many aspects of life and brought the world to our fingertips. For many of us, smart phones are our primary means of communication, entertainment and access to knowledge. But while they've brought convenience to whole new level, there's some ugly things going on behind the screen. -Geo-tracking is used to trace our every move, and we have little control over who has this data- your phone is even able to [track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371). Over the years numerous reports that surfaced, outlining ways in which your phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html), and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent. And then there's the malicious apps, lack of security patches and potential/ likely backdoor. +Geo-tracking is used to trace our every move, and we have little control over who has this data- your phone is even able to [track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371). Over the years numerous reports that surfaced, outlining ways in which your phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html), and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent. And then there's the malicious apps, lack of security patches and potential/ likely backdoors. + +Using a smart phone generates a lot of data about you- from information you intentionally share, to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about us- sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data. + +This data is used for [far more than just advertising](https://internethealthreport.org/2018/the-good-the-bad-and-the-ugly-sides-of-data-tracking/) - more often it's used to rate people for finance, insurance and employment. Targeted ads can even be used for fine-grained surveillance (see [ADINT](https://adint.cs.washington.edu)) + +More of us are concerned about how [governments use collect and use our smart phone data](https://www.statista.com/statistics/373916/global-opinion-online-monitoring-government/), and rightly so, federal agencies often [request our data from Google](https://www.statista.com/statistics/273501/global-data-requests-from-google-by-federal-agencies-and-governments/), [Facebook](https://www.statista.com/statistics/287845/global-data-requests-from-facebook-by-federal-agencies-and-governments/), Apple, Microsoft, Amazon, and other tech companies. Sometimes requests are made in bulk, returning detailed information on everybody within a certain geo-fence, [often for innocent people](https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html). And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to. **Security** | **Priority** | **Details and Hints** --- | --- | --- -**Turn off connectivity features that aren’t being used** | Recommended | When you're not using WiFi, Bluetooth, NFC or anything else, turn those features off. These are commonly used to easily hack individuals. +**Encrypt your Device** | Recommended | In order to keep your data safe from physical access, use file encryption. To enable, for Android: `Settings --> Security --> Encryption`, or for iOS: `Settings --> TouchID & Passcode --> Data Protection`. This will mean if your device is lost or stolen, no one will have access to your data +**Turn off connectivity features that aren’t being used** | Recommended | When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats that utilise these features **Keep app count to a minimum** | Recommended | Uninstall apps that you don’t need or use regularly. As apps often run in the background, slowing your device down, but also collecting data. -**Don’t grant apps permissions that they don’t need** | Recommended | If an app doesn’t need access to your camera, don’t grant it access. Same with any features of your phone, be wary about what each app has access to. -**Only install Apps from official source** | Recommended | Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified source. Also check the reviews before downloading a new application. -**Only Charge your Device from a Trusted Source** | Recommended | When you charge your device via USB in a public space, it is possible for malicious actors to gain full access to your device, via [AT Commands](https://en.wikipedia.org/wiki/Hayes_command_set). You can read more about this at https://atcommands.org/ or from [this seminar](https://www.usenix.org/node/217625). To protect yourself, either only charge your phone from trusted sources, or use a [USB Data Blocker](https://amzn.to/30amhja). A Data blocker allows your phone to charge, while blocking the data transfer wires, blocking this exploit or any file transfers to run. ([PortaPow](https://portablepowersupplies.co.uk/) is recommended, since it still allows for fast-charge.) Available in both [USB-A](https://amzn.to/309kPh3) and [USB-C](https://amzn.to/39Wh5nJ). -**Set up a mobile carrier PIN** | Recommended | [SIM hijacking](https://securelist.com/large-scale-sim-swap-fraud/90353/) is when a hacker is able to get your mobile number transferred to their sim (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account. The PIN should not be easily guessable, and it is important that you remember it, or store is somewhere secure. Using a non-SMS based 2FA method will reduce the damage that can be done if someone is able to take control of your SIM. [Read more](https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html) about the sim swap scam. -**Opt-out of Caller ID Listings** | Optional | When one of your friends or colleagues has your number in their contacts, and also has a caller ID app (such as TrueCaller, CallApp and Caller ID), then your Name, Phone Number and any other saved contact details will be uploaded. To keep your name and number private, you can unlit it here: [TrueCaller](https://www.truecaller.com/unlisting), [CallApp](https://callapp.com/how-to/unlist-phone-number), [SyncMe](https://sync.me/optout), [cia-app](https://cia-app.com/self-service/delist-number), [Hiya](https://hiyahelp.zendesk.com/hc/en-us/requests/new?ticket_form_id=824667). It's possible to opt-out, even before your number has been added, and this will prevent your details being uploaded in the future. +**App Permissions** | Recommended | Don’t grant apps permissions that they don’t need. For Android, [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission) is an app that allows you you to grant temporary/ 1-off permissions. +**Only install Apps from official source** | Recommended | Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified source, unless you know it is safe. Also check the reviews, and app info before downloading a new application. +**Be Careful of Phone Charging Threats** | Optional | [Juice Jacking](https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations) is when hackers use public charging stations to install malware on your smartphone or tablet through a compromised USB port. You can mitigate this, either by using a power bank or AC wall charger, or by using a simple data blocker device (See [USB Condom](https://shop.syncstop.com/products/usb-condom?variant=35430087052) or [PortaPow Blocker](http://portablepowersupplies.co.uk/)) +**Set up a mobile carrier PIN** | Recommended | [SIM hijacking](https://securelist.com/large-scale-sim-swap-fraud/90353/) is when a hacker is able to get your mobile number transferred to their sim (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account. Using a non-SMS based 2FA method will reduce the damage, [Read more](https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html) about the sim swap scam. +**Opt-out of Caller ID Listings** | Optional | When one of your friends or colleagues has your number in their contacts, and also has a caller ID app, then your Name, Phone Number and any other saved contact details will be uploaded. To keep your details private, you can unlist it here: [TrueCaller](https://www.truecaller.com/unlisting), [CallApp](https://callapp.com/how-to/unlist-phone-number), [SyncMe](https://sync.me/optout), [cia-app](https://cia-app.com/self-service/delist-number), [Hiya](https://hiyahelp.zendesk.com/hc/en-us/requests/new?ticket_form_id=824667). Note that it is possible to opt-out, even before your number has been added, and this will prevent your details being uploaded in the future. **Opt-out of personalized ads** | Optional | In order for ads to be personalized, Google collects data about you, you can slightly reduce the amount they collect by opting-out of seeing personalized ads. See [this guide](https://www.androidguys.com/tips-tools/how-to-disable-personalized-ads-on-android/), for Android instructions. **Erase after too many login attempts** | Optional | To protect against an attacker brute forcing your pin, if you lose your phone, set your device to erase after too many failed login attempts. See [this iPhone guide](https://www.howtogeek.com/264369/how-to-erase-your-ios-device-after-too-many-failed-passcode-attempts/). You can also do this via Find my Phone, but this increased security comes at a cost of decreased privacy. **Monitor Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. [εxodus](https://reports.exodus-privacy.eu.org/en/) is a great service which lets you search for any app, by its name, and see which trackers are embedded in it. They also have [an app](https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy) which shows trackers and permissions for all your installed apps. -**Install a Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will make it easier to see and control which apps are making network requests in the background, and allow you to block specific apps from roaming when the screen is turned off. For Android, check out [NetGuard](https://www.netguard.me/), and for iOS there is [LockDown](https://apps.apple.com/us/app/lockdown-apps/id1469783711), both of which are open source. Alternatively there is [NoRootFirewall](https://play.google.com/store/apps/details?id=app.greyshirts.firewall) *Android*, [XPrivacy](https://github.com/M66B/XPrivacy) *Android (root required)*, [Fyde](https://apps.apple.com/us/app/fyde-mobile-security-access/) *iOS* and [Guardian Firewall](https://guardianapp.com/) *iOS*. -**Use secure, privacy-respecting apps** | Optional | Mainstream apps have a reputation for not respecting the privacy of their users, and they're usually closed-source meaning vulnerabilities can be hidden. [Prism-Break](https://prism-break.org) maintains a list of better alternatives, see [Android](https://prism-break.org/en/categories/android/) and [iOS](https://prism-break.org/en/categories/ios/). +**Use Mobile a Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data. Consider [NetGuard](https://www.netguard.me/) (Android) or [LockDown](https://apps.apple.com/us/app/lockdown-apps/id1469783711) (iOS), or see more [Firewalls](/5_Privacy_Respecting_Software.md#firewalls) +**Reduce Background Activity** | Optional | For Android, [SuperFreeze](https://f-droid.org/en/packages/superfreeze.tool.android) makes it possible to entirely freeze all background activities on a per-app basis. Intended purpose is to speed up your phone, and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background +**Sandbox Mobile Apps** | Optional | Prevent permission-hungry apps from accessing your private data with [Island](https://play.google.com/store/apps/details?id=com.oasisfeng.island). It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos and etc.) even if related permissions are granted +**Tor Traffic** | Advanced | [Orbot](https://guardianproject.info/apps/orbot/) provides a system-wide [Tor](https://www.torproject.org/) connection, which will help protect you from surveillance and public WiFi threats **Avoid Custom Virtual Keyboards** | Optional | Android and iOS allow you to download and use third-party keyboard apps. These apps will be able to access everything that you type on your phone/ tablet: passwords, messages, search terms etc. It is recommended to stick with your devices stock keyboard. If you choose to use one of these apps, ensure it is reputable, block internet access (can be done with a [firewall app](/5_Privacy_Respecting_Software.md#firewalls)), don't grant it permissions it does not need, and turn off analytics or other invasive features in it's settings. [This article](https://zeltser.com/third-party-keyboards-security) by Lenny Zelster explains things further **Restart Device Regularly** | Optional | Over the years there have vulnerabilities relating to memory exploits (such as [CVE-2015-6639](https://www.cvedetails.com/cve/CVE-2015-6639) + [CVE-2016-2431](https://www.cvedetails.com/cve/CVE-2016-2431)). Restarting your phone at least once a week will clear the app state cached in memory. A side benefit is that your device may run more smoothly after a restart. -**Avoid SMS** | Optional | SMS may be convenient, but it's [not particularly secure](https://www.fortherecordmag.com/archives/0315p25.shtml). It is susceptible to many threats, including interception, sim swapping (see [this article](https://www.forbes.com/sites/kateoflahertyuk/2020/01/21/the-surprising-truth-about-sms-security)), manipulation and malware (see [this article](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms)). SMS should not be used to receive 2FA codes, (as demonstrated in the video in [this article](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)), instead use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication). SMS should not be used for communication, instead use an [encrypted messaging app](/5_Privacy_Respecting_Software.md#encrypted-messaging), such as [Signal](https://signal.org) -**Avoid using your real phone number when signing up for an account or service** | Optional | Where possible, avoid giving out your real phone number while creating accounts online. You can create phone numbers using services such as [Google Voice](https://voice.google.com) or [Skype](https://www.skype.com/en/features/online-number/). For temporary usage you can use a service like [iNumbr](https://www.inumbr.com) that generates a phone number that forwards messages and calls to your main number. +**Avoid SMS** | Optional | SMS may be convenient, but it's [not particularly secure](https://www.fortherecordmag.com/archives/0315p25.shtml). It is susceptible to threats, such as interception, sim swapping (see [this article](https://www.forbes.com/sites/kateoflahertyuk/2020/01/21/the-surprising-truth-about-sms-security)), manipulation and malware (see [this article](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms)).
SMS should not be used to receive 2FA codes, (as demonstrated in the video in [this article](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)), instead use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication). SMS should not be used for communication, instead use an [encrypted messaging app](/5_Privacy_Respecting_Software.md#encrypted-messaging), such as [Signal](https://signal.org) +**Keep your Number Private** | Optional | [MySudo](https://mysudo.com/) allows you to create and use virtual phone numbers for different people or groups. This is great for compartmentalisation. Alternativley, use a VOIP provider like [Google Voice](https://voice.google.com) or [Skype](https://www.skype.com/en/features/online-number/), or for temporary usage you can use a service like [iNumbr](https://www.inumbr.com). Where possible, avoid giving out your real phone number while creating accounts online. **Watch out for Stalkerware** | Optional | This is a malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app draw, (but may visible in Settings --> Applications --> View All). Sometimes they can be disguised as a non-conspicuous app (such as a game, flashlight or calculator) which initially don't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset. See [this guide](https://blog.malwarebytes.com/stalkerware/2019/10/how-to-protect-against-stalkerware-a-murky-but-dangerous-mobile-threat/) for more details. -**Sandbox Mobile Apps** | Advanced | Prevent permission-hungry apps from accessing your private data with [Island](https://play.google.com/store/apps/details?id=com.oasisfeng.island). It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos and etc.) even if related permissions are granted. -**Consider Orbot** | Advanced | [Orbot](https://guardianproject.info/apps/orbot/) provides a system-wide [Tor](https://www.torproject.org/) connection. Although more secure than a VPN, it will be slower- see [Networking](#networking) section for more details. -**Consider running a custom ROM if you have an Android device** | Advanced | Your default OS tracks information about your usage, and app data, constantly. Consider a privacy-focused custom ROM, such as [Lineage](https://lineageos.org) or [CopperheadOS](https://copperhead.co/android/). +**Consider running a custom ROM if you have an Android device** | Advanced | For Android users, if your concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM, such as [Lineage](https://lineageos.org) or [CopperheadOS](https://copperhead.co/android/) - [see more](/5_Privacy_Respecting_Software.md#mobile-operating-systems) **Recommended Software** - [Mobile Apps, for Security + Privacy](/5_Privacy_Respecting_Software.md#mobile-apps)