Use your smartphone as securely as possible
Updated4 June 2018
Table of Contents...Loading Table of Contents...
All mobile phones support voice and text communication. These days, most of them do a great deal more. Mobile phones are an integral part of our daily lives, in part because of their small size, versatility and relatively low cost. These same qualities make them invaluable to human rights defenders, who often rely on them to exchange and store sensitive data in ways that previously required access to a trusted computer.
This guide is primarily about smartphones: Android and iOS devices with access to a mobile phone network that handles voice communication, text messaging and (often) Internet connectivity. Along with an ever expanding list of additional features, smartphones tend to incorporate cameras, digital storage capacity, motion detection sensors, global positioning system (GPS) hardware, WiFi support and easy access to a diverse collection of software. Much of the advice in this guide is relevant to other mobile devices, as well. Some of it applies to feature phones (basic, old-fashioned mobile phones) and some of it applies to tablets, which are often just larger, more powerful smartphones that lack access to a mobile phone network.
What you can learn from this guide
- How to deal with the risks that come from making sensitive data extremely portable
- Why mobile voice communication and text messaging are particularly vulnerable to surveillance
- Steps you can take to improve your security when using your smartphone to communicate, store data, take photos and visit webpages, among other activities
- How to improve your chances of remaining anonymous, if necessary, while using a mobile phone
Introduction to mobile phones
Smartphones are one of the most empowering technologies to which most people in the world have access. At the same time, they are bristling with sensors, nearly always within arms reach and usually connected to some network or another. In short, they face most of the security challenges we associate with computers, plus a number of additional threats related to portability, ubiquity, insecure network architecture, location tracking, media capture and other such considerations.
Most smartphones run one of two operating systems: Google's Android or Apple's iOS. Android devices are sold by many different companies. Their software is often modified by their manufacturers and by service providers who hope — and sometimes require — that their owners will rely on (and pay for) access to their mobile phone networks. iOS works only on Apple devices and makes it much more difficult to run applications that have not been approved by Apple.
The reliability of operating system updates is one of the most important considerations when buying an Android smartphone. Some cheaper models do not provide access to updates that are needed to fix important security flaws. This could leave you vulnerable to malware or other attacks.
Branded and locked smartphones
Smartphones are often sold locked to a specific carrier or mobile network operator. This means that the specific smart phone will only work with that company's SIM card. Mobile network operators often customise the operating system and install additional software on locked smartphones. They may also disable some functionality. This could leave you with apps on your smartphone that you cannot uninstall or prevent from accessing your information, including your contacts and storage.
For these reasons, it is usually safer to buy an unlocked smartphone that is not locked to a particular mobile provider. Unfortunately, these are often more expensive.
Basic security setup
Smartphones have a number of settings that can help you manage the security of the device. It is important to pay attention to how your smartphone is set up. The Tool Guide below suggests a few specific Android settings and applications:
Installing, evaluating and updating applications
The easiest — and typically the safest — way to install new software on your smartphone is to use Google's Play store for Android or Apple's App Store for iOS devices. Sign in from your device and you can download and install applications.
You can find Android apps in various places online, but you should generally avoid installing them. Some of these apps contain malware. You can learn more about malware in the Tactics Guide on how to Protect your device from malware and phishing attacks. Only install software that comes from a source you trust. And keep in mind that trusted individuals may inadvertently spread malware without realising it. Applications in the Play Store and in the App Store benefit from a limited review by Google and Apple, respectively. This provides some protection against overtly malicious software.
For experienced Android users, and for those who are unable or unwilling to rely on Google's Play Store, F-Droid is one possible exception to this rule. It is an alternative app center that only distributes FOSS applications. If you need access to F-Droid, you can install it from a trusted source and then use it to install other apps. You can also install Android Application Packages (.apk files) directly if you enable your device's Install Unknown Apps setting. Again, this is risky, but if you have no other way to install an application you need, you can have someone you trust give you the .apk file on a flash memory card.
Even "official" apps sometimes behave poorly. On Android devices, each application must ask your permission before it will be permitted to do certain things. You should pay close attention to what permissions are requested. If they do not make sense for the app in question, have a look at the reasons provided and consider declining and uninstalling the app. If you are testing out a "news reader" app, for example, and it asks for permission to send your contacts over a mobile data connection to a third party, you should be suspicious. (Some app developers collect lists of contacts and sell them or use them for marketing.)
Remember to keep all of your apps up-to-date and to uninstall apps that you no longer use. App developers sometimes sell their apps to other people. A new owner could alter an app that you have already installed and push a malicious update.
Mobility and the vulnerability of information
The mobile phones we carry around with us often contain sensitive information. Call logs, browser histories, text and voice messages, address books, calendars, photos and other useful functions can become liabilities if the device on which they are stored is lost or stolen. It is important to be aware of the sensitive information on your mobile phone as well as the online data to which it grants automatic access. These data have the potential to endanger not only the device's owner, but everyone who appears in their address book, inbox or photo album.
Once you have thought through the possible risks and familiarised yourself with the privacy and security features supported by your device, you can start putting safeguards in place.
Storing Information on your Smartphone
Modern smartphones have a lot of room to store data. Depending on the device, however, it may be quite easy for anyone with physical access to extract that information.
Device and data encryption
Recent iOS devices have strong encryption turned on by default, as long as you set a strong passcode. Android supports device encryption as well, and you should enable it if you can. Remember to back up the contents of your smartphone before turning on full disc encryption in case there is a problem while the phone is encrypting itself.
Android also allows you to encrypt the data on any flash memory cards (such as MicroSD cards) if you use them.
When you turn on an encrypted phone and enter your passcode, it allows you to access and modify the content on it. This means that someone with physical access to your encrypted smartphone, while it is powered on and unlocked, can still access your data. For the strongest protection — when crossing a border, for example, or passing through airport security — you should turn your device off completely.
As usual, there are trade-offs. If you believe you might need the ability to make an emergency call on short notice, for example, it might be worth taking the risk of leaving your phone powered on and just locking the screen.
If you are not able to activate full disk encryption, or if you need extra security for particular files, you might want to install a few additional Android tools. Some apps encrypt their own data, and the OpenKeychain app allows you to encrypt other files. If you use it alongside K-9 Mail, you can also send and receive encrypted email. (There is no free equivalent to these tools on iOS.) Apps like these can help you protect your sensitive data, but you should still enable device encryption if possible.
It is also important to minimising the amount of sensitive information you store on your device, especially if device encryption is not an option. Some phones have the ability to disable the logging of phone calls and SMS text messages, for example. You could also adopt a policy of deleting sensitive entries from your call and message history.
Recording passwords safely
You can store most of your passphrases in a single, encrypted file on an Android device by installing a FOSS tool called KeePassDroid. This app allow you to remember a single, strong master passphrase and use it to lookup your other passphrases. This, in turn, makes it possible to choose strong, unique passphrases, for all of your accounts, without having to memorise them. KeePassDroid also provides a random password generator you can use when creating new accounts.
If you use KeePassXC or KeePassX on your computer, as discussed in our Tool Guide on how to Create and maintain secure passwords, you can copy your encrypted (.kdbx) database file onto your mobile device.
There is a similar tool for iOS devices called MiniKeePass.
Best practices for physical phone security
Restricting physical access to your mobile phone is the first line of defence for the information it contains. You should keep it on you at all times, except where doing so presents a specific security risk. This applies to SIM cards and flash memory cards, as well. Even if you are concerned about malware or advanced surveillance, it may be safer to remove the battery and keep the device with you rather than leaving it unattended.
In addition to turning on encryption and keeping your phone nearby, below are a some additional steps you can take to maintain the physical security of your mobile device and limit the damage if it is lost or stolen.
Always set a strong screen lock code and avoid sharing it with others. If you are using a basic phone that came with a default lock code, change it.
Avoid storing sensitive information, including phone numbers, on a SIM card, as they cannot be encrypted.
Regularly backup important data from your phone on your computer or on an external storage device. Store these backups securely as described in How to protect the sensitive files on your computer. Having a backup will help you remember what information is on your phone and make it easier for you to restore it to its factory settings in an emergency.
Phone numbers are often linked to important accounts, and it is sometimes possible for an attacker to take over your phone number to gain access to those accounts or to impersonate you. Some mobile network providers allow you to set a PIN or password on your account to prevent unauthorised people from making changes to your account or stealing your phone number. You should take advantage of this feature if it is available.
If you are concerned about malware, consider placing a small, removable sticker over your phone's cameras.
Steps related to loss and theft
Mobile phones have a 15-digit International Mobile Equipment Identity (IMEI) number that helps identify them on mobile networks. Changing SIM cards does not change your IMEI. This number is often printed behind the battery, and most phones will display it in their Settings or if you dial
*#06#. Make a note of this number, as it could help you prove that you are the owner if your phone is stolen.
Consider the advantages and disadvantages of registering your phone with your service provider. If you report a registered phone stolen, your service provider can usually disable it. However, registering your phone may associate it more strongly with your actual identity.
Most Android phones and iPhones have a built-in anti-theft or "Find my Phone" feature that allows you to track or disable your phone if it is stolen. There are also third party tools that do the same thing. These tools involve trade-offs, but if you trust those who operate the service (and the quality of their software), you might want to enable one and practice using it.
Steps to take when giving your device to someone else
When disposing of, giving away or selling a phone, make sure you do not also hand over the information stored on its SIM card or on a flash memory card. These storage devices may contain information even if they are expired or no longer working. Dispose of SIM cards by physically destroying them. Remove and keep (or destroy) flash memory cards. The best way to protect data on the phone itself is make sure it is encrypted and then reset the device to its "factory settings."
Try to use trusted phone dealers and repair shops. This reduces the vulnerability of your information when getting second-hand hand phones or having your phone repaired. If you think someone might have the access, resources or motivation to target you by pre-installing malware on your device before you buy it, consider choosing an authorised phone dealer at random.
Remove your SIM card and flash memory cards if you take your phone to a repair shop to be serviced.
Mobile infrastructure, tracking, surveillance and eavesdropping
Mobile phones and mobile phone networks are inherently less secure than we tend to realise. In order to send and receive calls and messages, your phone is constantly communicating with the nearest cell towers. As a result, your service provider knows — and keeps a record of — your phone's location whenever it is powered on.
About the interception of phone calls and text messages
Mobile networks are typically private networks run by commercial entities. Sometimes your service provider owns the mobile network infrastructure and sometimes it resells mobile service that it rents from another company. SMS text messages are sent unencrypted, and phone calls are either unencrypted or weakly encrypted. Neither are encrypted in a way that would protect them from the network itself. As a result, both your service provider and the owner of the cell towers you are using have unlimited access to your calls, text messages and location. In many cases, the local government has the same access, even in places where it does not own the infrastructure itself.
Many countries have laws or policies that requires service providers to maintain a long-term record of all SMS text messages sent by their customers. And most service providers keep such logs anyway, for business, accounting or dispute resolution purposes. Similar regulations exist for call records in some places.
Furthermore, the operating systems that run on mobile phones are often built or modified to the specification of one or more service providers. As a result, the operating system itself may include hidden features that make this kind of monitoring even more invasive. This applies to basic mobile phones and smartphones alike.
In some cases, voice and text communication can also be intercepted by a third party. If an attacker is able to place an inexpensive piece of equipment — an IMSI catcher — within range of a target's mobile phone, they can fool it into communicating with that device as if it were a legitimate cell tower. (IMSI catchers are sometimes referred to as Stingrays, which is a well known brand name under which they are marketed to law enforcement.) In a few known cases, third party attackers were even able to gain access to mobile networks from across the globe by exploiting vulnerabilities in Signalling System Number 7 (SS7), which is an international exchange for voice calls and SMS text messages.
Finally, even when connecting through WiFi rather than using a mobile network, smartphone and tablet operating systems are designed to encourage the sharing of personal data through social networking platforms, cloud storage services, aggressive use of the global positioning system (GPS) and other such features. While many people enjoy this aspect of Android and iOS, it can easily lead to the exposure of sensitive information.
When thinking about how to protect your sensitive communications, you can start by asking yourself a few questions:
- With whom do you communicate, when and how often?
- Who might be interested in the fact that you are speaking with this person?
- How confident are you that the other party is who they claim to be?
- What is the content of your calls and messages?
- Who might be interested in that content?
- Where are you calling from, and where is the other party?
If the answer to these questions gives you cause for concern, you should think about how to minimise the associated risks. To do so, you might have to help the other party adopt a new tool or technique. And, in some cases, you might have to avoid using a mobile phone when communicating with them.
Protecting the content of your calls and messages can sometimes be challenging, but remaining "anonymous" when using a mobile phone is even more difficult. In particular, it is rarely possible to hide the fact that you are communicating with a given individual when placing a call or sending an SMS text message. Using a secure messaging app through a mobile data or WiFi connection can help, but there are no guarantees for this kind of thing. Often, the closest you can get is to choose which third party has access to this information and hope that they are unlikely to cooperate with those from whom you are trying to hide your communication.
In order to achieve a greater level of anonymity, people sometimes choose to use disposable phones and short lived accounts. This technique remains effective in some situations but is far more difficult to pull off than it might seem. The simplest approach is for both parties to buy basic, pre-paid phones and use them to make calls and send SMS text messages for a very limited period of time before disposing of them. There is no way for them to encrypt their communication, however, and the effectiveness of this technique rests on quite a long list of assumptions. That list includes, at a minimum:
- That both parties purchase phones and SIM cards with cash,
- That they are not observed or tracked via their real phones while doing so,
- That they can activate their SIM cards without showing identification to register them,
- That they remove the batteries from their phones when they are not in use,
- That they are able to exchange phone numbers without being observed,
- That they use their phones in locations where they do not usually spend time,
- That they leave their smartphones elsewhere while doing so, and
- That voice recognition technology is not more advanced than we think.
Managing all of this for a pre-paid smartphone would make it possible to place encrypted voice calls and send encrypted messages while hiding the link between the two parties. Doing so effectively would demand even more care and attention, however, in part because smartphones and secure messaging apps require account registration. There is little value in using an "unlinkable" phone to access services that are already associated with your real identity. Creating anonymous email accounts and signing up for single-use online services can be quite time consuming and require additional knowledge and discipline. Both parties would need to understand how IP addresses work, what browser fingerprinting is and how to use the Tor Browser or Tails, among other things. They would have to spend more money and more time at random Internet cafes without their real phones.
Phones can be set to store or transmit data from their microphones, video cameras and global positioning sensors without notifying the user. This is true of both basic mobile phones and smartphones. Malware is responsible for most such attacks, but service providers are also believed to have engaged in this kind of surveillance against devices connected to their network. Some phones can even be switched on remotely and used to spy on their owners while appearing to remain off.
Avoid giving people you do not trust physical access to your phone. This is often how malware ends up on mobile devices.
Don't forget that using a mobile phone in public, or in a location that you think might be monitored, leaves you vulnerable to traditional eavesdropping techniques. It may also put your phone at risk of being stolen.
Encourage those with whom you communicate about sensitive matters to adopt the same tools and tactics you deem appropriate for yourself.
If you are conducting a private, in-person meeting, switch your phone off and disconnect the battery. To avoid revealing the location of the meeting, it is best to do this before departing for that location. If you cannot remove your battery, leave your phone somewhere safe.
Communicating over the Internet on your mobile phone
As discussed in our Tactics guides on how to keep your online communication private and on how to remain anonymous and bypass censorship on the Internet, sending information to and receiving data from the Internet can leave traces that identify who you are, where you are and what you are doing. Nevertheless, some Android and iOS tools that rely on the Internet to communicate are far safer than using the mobile network to place a voice call or send an SMS text message.
Smartphones allow you to control how you access the Internet. Typically, you can connect through WiFi or through a mobile data connection offered by your service provider. Using a WiFi connection may reduce the traces accessible to your service provider, but it reveals that same information to the operator of the wireless access point you are using and to their Internet service provider (ISP). In some countries, mobile service providers are subject to different regulations than internet service providers, which can result in different levels of surveillance by the relevant companies and by government agencies.
However you choose to connect your smartphone to the Internet, encryption and anonymity tools can help you protect the information you send and receive.
Using secure messaging apps
As mentioned above, phone calls and SMS text messages are quite insecure. Voice over IP (VoIP) is a way of making voice calls using an Internet connection rather than a mobile phone network. Text communication can also be sent over the Internet, and there are a number of modern messaging apps that use encryption to do both securely.
Signal is a FOSS app that encrypts individual and group text messages to and from other people who use Signal. It also offers encrypted voice and video calls between two Signal users. It is easy to install, easy to use and integrates itself with your existing list of contacts. Signal is available for both Android and iOS and can be used on a Windows, Mac or Linux computer, as well, once you have it running on a smartphone.
For the sake of simplicity, Signal uses your mobile phone number as a way to identify you to your contacts. Unfortunately, this makes it difficult to use Signal without a functioning mobile service plan, even on WiFi-enabled devices. This also means that you have to share your phone number with people you want to connect with over Signal. If those restrictions are problematic for you, there are a handful of other reputable secure messaging apps. Wire is one popular alternative (Android, iOS).
Below are some criteria that you might consider when choosing a mobile messenger app:
- What do digital security experts say about it?
- Is it Free and Open Source Software?
- Does it support end-to-end encryption one-on-one communication?
- Does it support end-to-end encrypted group text communication?
- Does it support end-to-end encrypted group voice communication?
- Are file transfers end-to-end encrypted?
- Can you set your messages to "self destruct?"
- Will it work over a low bandwidth network connection?
- Who are the developers, and do you trust them?
- Who operates the server and what information do they claim to store about your calls and messages?
- Does it work on
- Can you use the same account on multiple devices?
- Does it work on all major operating systems?
- Does it allow you to register with an email or a username, rather than an phone number, so that you can separate your contact information from your actual identity?
- Can you use it without giving it access to the list of contacts on your device?
- Can you use it on a mobile device that is not a phone?
- Can you or someone you trust run your own server and use it to communicate?
Sending and receiving email on your smartphone
If you choose to access a potentially sensitive email account on a mobile device, you should make sure that device encryption is enabled, as discussed in the basic Security for Android guide. (Recent iPhones should have it turned on by default as long as you set a strong passcode.) This will not protect your emails in transit but it will prevent someone who finds or steals your device from reading them. You might also want to read the Tactics Guides on how to keep your online communication private.
The above guide covers GPG email encryption on Windows, Mac and Linux computers. There are ways to send and receive encrypted email on Android devices, as well, but they come with trade-offs. (There are currently no free GPG encryption tools for iOS.)
Most security experts advise against storing your private encryption key anywhere but on your primary computer. (To say nothing of carrying it around in your pocket.) And you will need that private key to read encrypted emails on your mobile device. Android devices are more secure than they used to be, however, and your private key is itself be protected by a strong passphrase. As such, if you must send and receive sensitive email on your Android device — and if switching to a secure mobile messaging app is not an option — you might want to install GPG on it.
To do so, you will need to:
- Install and configure a GPG and key management app like OpenKeychain;
- Copy your encrypted private key to the device; and
- Install and configure an email app, like K-9 Mail, that works with OpenKeychain.
Beyond calls and messages
Mobile phones are full featured computing devices, complete with their own operating systems and downloadable applications that provide various services to the user. Much of what you can do on a computer, you can now do on a smartphone. And, of course, there are plenty of things you can do on a smartphone that you cannot do on a computer.
Browsing the Web on your mobile phone
While some basic mobile phones still lack Internet connectivity, this is increasingly rare. If you use the Web browser on your Android device to visit potentially sensitive websites, consider installing a virtual private network (VPN) or Orbot, which is the Android version of the Tor Browser.
Using a VPN on an Android device
A VPN provides an encrypted tunnel from your device to a VPN server somewhere on the Internet. VPNs help protect traffic to and from your mobile device, especially when that traffic passes through an insecure local or national network. Because all of your traffic goes through the VPN provider, however, those who operate it can see anything that your local network or Internet service provider would see without it. As a result, it is important to use a VPN service that you trust and to remain vigilant about using only HTTPS services for sensitive information.
VPNs are illegal or restricted in some places, so make sure you are familiar with local policies and practices. Using a VPN does not hide the fact that you are using a VPN.
To use a VPN, you will need to install a "client" application and create an account with a VPN provider. The Riseup Collective offers a FOSS Android VPN client called Bitmask and runs a free VPN service called Riseup Black. (If you already have a Riseup Red account, and are comfortable configuring your VPN manually, you can also use the FOSS OpenVPN for Android app (Play Store, F-Droid) with your Riseup Red username and password.
Using Tor on an Android device
To access online content anonymously, you can use a pair of Android apps called Orbot and Orfox. Orbot channels Internet traffic through Tor's anonymity network and Orfox is a mobile version of Firefox that uses Orbot and provides additional privacy protections. Together, they allow you to circumvent online filtering and browse anonymously, much like Tor Browser on a Windows, Mac or Linux computer.
You can learn more about anonymity and censorship circumvention in the corresponding Tactics Guide.
Capturing media with your smartphone
Taking pictures, recording audio and filming video with your smartphone are all powerful ways to document and share important events. However, it is important to be respectful of the privacy and safety of those who appear in the media you capture. If you document a sensitive event and your phone falls into the wrong hands, for example, it could spell trouble for you and for those who appear in your recordings. To help manage risks like this, you might consider:
- Finding a secure way to upload recorded media files, as quickly as possible, and removing them from your device.
- Using tools that blur the faces of those who appear in the images and videos you capture or that scramble the voices you record.
- Familiarising yourself with tools and device settings that remove metadata from media files. These metadata might include the GPS coordinates at which photos are taken, revealing device identification data or other potentially sensitive data.
If you need to retain the faces, voices and metadata in the media you capture, then it is even more important that you make sure your device is encrypted and that you take care to encrypt the relevant files when storing them elsewhere or sending them to others. With that in mind, the Guardian Project has also developed a tool called Proof Mode that does the opposite of what ObscuraCam does. It collects as much metadata as possible as a way to help prove the validity of an images or videos. These metadata are stored separately from the images and videos they describe, and should only be shared through secure means.
General purpose best practices for mobile phones
- Only connect your phone to a computer if you are sure it is free of malware. See our Tactics Guide on how to protect your computer from malware and phishing attacks.
- Just as you would when using a computer, be wary when connecting to a WiFi access point that does not ask for a password.
- Disable WiFi, Bluetooth, and Near Field Communication (NFC) when you are not using them. Switch them on only when they are required and use them only on trusted networks and when interacting with trusted devices. Transfer data using a cable connection when possible.
- Observe your phone's behaviour and functioning. Look out for unknown programmes and running processes, strange messages and unstable operation. If you don't know or use some of the features and applications on your phone, disable or uninstall them if you can.