Use mobile phones as securely as possible

Mobile phones are an integral part of our daily communications. All mobile phones have the capacity for voice and simple text messaging services. Their small size, relatively low cost and many uses make these devices invaluable for rights advocates who increasingly use them for communication and organisation.

Recently, mobile devices with many more functions have become available. They may feature GPS, multimedia capacity (photo, video and audio recording and sometimes transmitting), data processing and access to the internet. However, the way the mobile networks operate, and their infrastructure, are fundamentally different from how the internet works. This creates additional security challenges, and risks for users' privacy and the integrity of their information and communications.

It is important to start with the understanding that mobile phones are inherently insecure:

  • Information sent from a mobile phone is vulnerable.
  • Information stored on mobile phones is vulnerable.
  • Phones are designed to give out information about their location.

We will explore these issues, and what a user can do in light of these inherent vulnerabilities.

What you can learn from this guide:

  • Why communicating and storing data on mobile phones is not secure
  • What steps you can take to increase the security of using mobile phones
  • How you can minimise the chances of being spied on or tracked via your mobile phone
  • How you can maximise the chances of remaining anonymous while using your mobile phone

Introduction to mobile phones

Borna and his son Delir are both line workers in a factory, and are helping to create a workers' union. Their efforts are meeting the resistance of the factory owners, who are also well-connected in their local government. Borna's supervisor has warned him that he may be under scrutiny by management, and to beware of who he talks to. Borna has purchased a mobile phone for his union work. Delir is helping his father to use his new mobile phone safely for some of his organising activities.

Mobile devices and security

We need to make informed decisions when using mobile phones, in order to protect ourselves, our contacts and our data. The way mobile phone networks and infrastructure work can significantly affect users' ability to keep information and communications private and secure.

  • Mobile networks are private networks run by commercial entities, which can be under the monopoly control of the government. The commercial entity (or government) has practically unlimited access to the information and communications of customers, as well as the ability to intercept calls and text messages, and to monitor the location of each device (and therefore its user).

  • The Operating Systems used on mobile devices themselves are custom-designed or configured by phone manufacturers according to the specifications of various service providers and for use on these companies' own networks. As a result, the OS may well include hidden features enabling better monitoring by the service provider of any particular device.

  • The number of functions available on mobile phones has grown in the past few years. Modern mobile phones are in fact internet-connected portable mini-computers with mobile phone functions.

In order to work out which aspects of your communications most need to be protected, it may help to ask yourself a few questions: What is the content of your calls and text messages? With whom do you communicate, and when? Where are you calling from? Information is vulnerable in many ways:

  • Information is vulnerable when sent from a mobile phone
 Example: Each mobile phone provider has full access to all text and voice messages sent via its network. Phone providers in most countries are legally obliged to keep records of all communications. In some countries the phone providers are under the monopoly control of government. Voice and text communication can also be tapped by third parties in proximity to the mobile phone, using inexpensive equipment.

  • Information is vulnerable within the sender's and the recipient's phones 
Example: Mobile phones can store all sorts of data: call history, text messages sent and received, address book information, photos, video clips, text files. These data may reveal your network of contacts, and personal information about you and your colleagues. Securing this information is difficult, even – on some phones – impossible. Modern mobile phones are pocket-sized computers. With more features comes higher risk. In addition, phones that connect to the internet are also subject to the insecurities of computers and of the internet.

  • Phones give out information about their location 
Example: As part of normal operation, every mobile phone automatically and regularly informs the phone service provider where it is at that moment. What's more, many phones nowadays have GPS functions, and this precise location information may be embedded in other data such as photos, SMS and internet requests that are sent from the phone.
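
The point about location embedded in photos can be checked before a picture leaves your hands. The following is an added example, not part of the original guide: a small Python script that reads the GPS position stored in a JPEG's Exif metadata and removes the Exif block. The function names and the sample image are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # entry in the first Exif directory that points to the GPS directory

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def read_ifd(tiff, offset, endian):
    """Return {tag: raw 4-byte value field} for one TIFF directory."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    return {struct.unpack_from(endian + "H", tiff, offset + 2 + 12 * i)[0]:
            tiff[offset + 10 + 12 * i:offset + 14 + 12 * i] for i in range(count)}

def gps_position(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS data."""
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            tiff = jpeg[start + 10:end]
            break
    else:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
    pointer = read_ifd(tiff, ifd0, endian).get(GPS_IFD_TAG)
    if pointer is None:
        return None
    gps = read_ifd(tiff, struct.unpack(endian + "I", pointer)[0], endian)
    if not {1, 2, 3, 4} <= gps.keys():  # tags 1-4: lat ref, lat, lon ref, lon
        return None

    def degrees(value_tag, ref_tag, negative_ref):
        (off,) = struct.unpack(endian + "I", gps[value_tag])
        d = struct.unpack_from(endian + "6I", tiff, off)  # deg, min, sec as fractions
        value = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
        return -value if gps[ref_tag][:1] == negative_ref else value

    return degrees(2, 1, b"S"), degrees(4, 3, b"W")

def strip_exif(jpeg):
    """Return the JPEG with every Exif segment removed."""
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(segments(jpeg))):
        if is_exif(jpeg, marker, start):
            del out[start:end]
    return bytes(out)

def constructed_sample():
    """Constructed image: SOI, one Exif segment with GPS 10°30'N 20°15'E, EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)              # TIFF header, directory at 8
    tiff += struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + bytes(4)
    tiff += struct.pack("<H", 4)                          # GPS directory at 26, 4 entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N")          # latitude reference
    tiff += struct.pack("<HHII", 2, 5, 3, 80)             # latitude stored at offset 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"E")          # longitude reference
    tiff += struct.pack("<HHII", 4, 5, 3, 104)            # longitude stored at offset 104
    tiff += bytes(4)
    tiff += struct.pack("<6I", 10, 1, 30, 1, 0, 1) + struct.pack("<6I", 20, 1, 15, 1, 0, 1)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    photo = constructed_sample()
    print("before:", gps_position(photo), "after:", gps_position(strip_exif(photo)))
```

This only covers the Exif block; other metadata formats inside a photo (for example XMP) can also hold location and are not touched here.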

The evolution of technology brings more features, but also more risks.

Borna: Son, I have decided only to use this mobile for planning our meetings from now on, because I think they might be listening to the factory floor phone, and maybe even at the house.

Delir: Father, it's great you have finally got a mobile phone, but do you know what it can and cannot do?

Borna: Of course: it is a phone! You call someone, you talk to them, they talk back. You can do this from wherever you are. AND, I can send small messages on it to the others, or to you, and they will show up in your phone.

Delir: This is all true, but it's not all. There are plenty of things you can do these days with these devices. But let's talk about some risks and safety precautions, especially if you think someone might be interested in finding out who you are communicating with, and what you are saying.

The following sections discuss a number of simple steps you can take to decrease the likelihood of security threats arising from using mobile devices.

Mobility and the vulnerability of information

People often carry mobile phones that contain sensitive information. Communications history, text and voice messages, address books, calendar, photos and many other useful phone functions can become highly compromising if the phone or the data is lost or stolen. It is vital to be aware of the information that is stored, both actively and passively, on your mobile phone. Information stored on a phone could implicate the person using the phone as well as everyone in their address book, message inbox, photo album, etc.

Mobile phones that connect to the internet are also subject to the risks and vulnerabilities associated with the internet and computers, as discussed in our other tactics guides regarding information security, anonymity, information retrieval, loss, theft and interception.

In order to reduce some of these security risks, users should be aware of their phone's potential for insecurity, as well as its set-up options. Once you know what the possible problems may be, you can put safeguards into place and take preventative measures.

Borna: One advantage to the mobile phone is that they won't know where our meetings are if we organise them using our mobiles, while walking in the bazaar, instead of using the normal phones, where they may be overhearing us as we talk.

Delir: Well, did you say they have connections with the phone company?

Borna: Someone was saying that they are bribing phone technicians to get information.

Delir: If you signed up using your own identity and address for this mobile phone subscription, it is traceable to you, and any time you make a call, its record is linked to your phone subscription and identity. Did you sign up with your own ID?

Borna: No, I just got a second-hand phone from your uncle's shop; he says he made sure it is clean and safe to use. He also helped me buy one of those prepaid little chips you put in your phone.

Delir: Yes, it is called a SIM card. The phone company tracks each call or transmission with the phone's number, and the SIM card identification number, AND the phone's identification number. So if they know which phone number, OR phone id number, OR SIM card number belongs to you, they may be able to use their contacts to see your phone-use patterns.

Borna: And I suppose they can listen in to my conversations even on my mobile phone then?

Delir: In your case, and thanks to Uncle, your phone isn't registered to you, and the SIM card is also not connected to you in any way. So even if they track where the SIM card and the phone are they don't necessarily know you are connected to the SIM card, or to the phone.

Best practices for phone security

As is the case with other devices, the first line of defence for the safety of the information on your mobile phone is to physically protect the phone and its SIM card from being taken or tampered with.

  • Keep your phone with you at all times. Never leave it unattended. Avoid displaying your phone in public.

  • Always use your phone's security lock codes or Personal Identification Numbers (PINs) and keep them secret (unknown to others). Always change these from the default factory settings.

  • Physically mark (draw on) the SIM card, additional memory card, battery and phone with something unique and not immediately noticeable to a stranger (make a small mark, drawing, letters or numbers, or try using an ultra-violet marker, which will be invisible in normal light). Place printed tamper-proof security labels or tape over the joints of the phone. This will help you to identify easily whether any of these items have been tampered with or replaced (e.g. the label or tape will be mis-aligned, or leave a noticeable residue).

  • Make sure that you are aware of the information that is stored on your SIM card, on additional memory cards and in your phone's memory. Don't store sensitive information on the phone. If you need to store such information, consider putting it on external memory cards that can easily be discarded when necessary – don't put such details into the phone's internal memory.

  • Protect your SIM card and additional memory card (if your phone has one), as they may contain sensitive information such as contact details and SMS messages. For example, make sure that you do not leave them at the repair shop when your phone is being serviced.

  • When disposing of your phone make sure you are not giving away any information that is stored on it or on the SIM or memory card (even if the phone or cards are broken or expired). Disposing of SIM cards by physically destroying them may be the best option. If you plan to give away, sell or re-use your phone make sure that all information is deleted.

  • Consider using only trusted phone dealers and repair shops. This reduces the vulnerability of your information when getting second-hand phones or having your phone repaired. Consider buying your phone from an authorised but randomly chosen phone dealer – this way you reduce the chance that your phone will be specially prepared for you with spying software preinstalled on it.

  • Back up your phone information regularly to a computer. Store the backup safely and securely - see our guide How to protect the sensitive files on your computer. This will allow you to restore the data if you lose your phone. Having a backup will also help you remember what information might be compromised (when your phone is lost or stolen), so you can take appropriate actions.

  • The 15-digit serial or IMEI (International Mobile Equipment Identity) number helps to identify your phone and can be accessed by keying *#06# into most phones, by looking behind the battery of your phone or by checking in the phone's settings. Make a note of this number and keep it separate from your phone, as this number could help to trace and prove ownership quickly if it is stolen.

  • Consider the advantages and disadvantages of registering your phone with the service provider. If you report your phone stolen, the service provider should then be able to stop further use of your phone. However, registering it means your phone usage is tied to your identity.

Basic functions, trackability and anonymity

In order to send or receive any calls or communications to your phone, the signal towers nearest you are alerted by your phone of its presence. As a result of those alerts and communications the network service provider knows the precise geographic location of your mobile phone at any given time.

Borna: Is there anything else about this phone that I need to know?

Delir: I guess yes, but it depends if you really suspect they are trying to track you down.

Borna: I don't think so, but can they do that?

Delir: Well, yes, if you have your phone turned on, AND the technician has access to the network traffic, AND they know which phone on the system is your phone.

Borna: That won't happen because I simply won't make a call on my phone when I go there.

Delir: That doesn't matter, father. As long as you have your phone with you, charged and ready to use, it will keep track of where you go, and talk to the towers of the network nearby, simply because it has to. So at any given time, your location is somewhere between the closest towers of the phone network.

Borna: So I should turn it off until I get there?

Delir: Well, of course the best thing to do is not to take it with you. The next best thing is for you to have it switched off AND take the battery out of it before you go, and not turn it on until you get back.

Borna: What? Isn't it enough to turn it off?

Delir: Well, to be on the safe side, you should take the battery out, and here's why: this is a transmission device, and as long as the battery is connected, there is a small chance that somehow someone may turn it on without your knowledge.

About Anonymity

If you are conducting sensitive phone conversations or sending sensitive SMS messages, beware of the above tracking 'feature' of all mobile phones. Consider adopting the steps below:

  • Make calls from different locations each time, and choose locations that are not associated with you.

  • Keep your phone turned off, with the battery disconnected, go to the chosen location, switch your phone on, communicate, switch the phone off and disconnect the battery. Doing this habitually, each time you have to make a call, will mean that the network cannot track your movements.

  • Change phones and SIM cards often. Rotate them between friends or the second-hand market.

  • Use unregistered pre-paid SIM cards if this is possible in your area. Avoid paying for a phone or SIM cards using a credit card, which will also create a connection between these items and you.

Borna: You're telling me my phone might be talking to the towers about my whereabouts, even if it looks as though it's switched off?

Delir: Yeah, and that is not the worst case.

Borna: Oh?

Delir: Well, they are saying that there are programs that can be installed on your phone to secretly, remotely turn it on, and have it call a number without your knowledge. Then, as you start your meeting, it would start acting like a recording and transmitting device.

Borna: No! Really?

Delir: Well, it is pretty easily done technologically. But none of that can happen if the battery is disconnected, so you will be safe in this unlikely case.

Borna: I guess I will just not take it with me if I want to be super careful. But I wonder if I should use this thing at all then?

Delir: Please, father. You used to tell me not to be afraid of new things. Mobiles are like that, you just have to know what the benefits and risks are. Just be careful. If you know the risks, you can take steps to avoid them.

About eavesdropping

Your phone can be set to record and transmit any sounds within the range of its microphone without your knowledge. Some phones can be switched on remotely and brought into action in this way, even when they look as though they are switched off.

  • Never let people whom you don't trust get physical access to your phone; this is a common way of installing spying software on your phone.

  • If you are conducting private and important meetings, switch your phone off and disconnect the battery. Or don't carry the phone with you if you can leave it where it will be absolutely safe.

  • Make sure that any person with whom you communicate also employs the safeguards described here.

  • In addition, don't forget that using a phone in public, or in places that you don't trust, makes you vulnerable to traditional eavesdropping techniques, or to having your phone stolen.

About interception of calls

Typically, encryption of voice communications (and of text messages) that travel through the mobile phone network is relatively weak. There are inexpensive techniques which third parties can use to intercept your written communications, or to listen to your calls, if they are in proximity to the phone and can receive transmissions from it. And of course, mobile phone providers have access to all your voice and text communications. It is currently expensive and/or somewhat technically cumbersome to encrypt phone calls so that even the mobile phone provider can't eavesdrop – however, these tools are expected to become cheaper soon. To deploy the encryption you would first have to install an encryption application on your phone, as well as on the device of the person with whom you plan to communicate. Then you would use this application to send and receive encrypted calls and/or messages. Encryption software is currently only supported on a few models of so-called 'smart' phones.

Conversations between Skype and mobile phones are not encrypted either, since at some point, the signal will move to the mobile network, where encryption is NOT in place.

Text-based communications - SMS text messages

You should not rely on text message services to transmit sensitive information securely. The messages exchanged are in plain text which makes them inappropriate for confidential transactions.

Borna: What if I never make calls on my mobile, and only send and receive these small messages? They can't listen in on something if no one is saying anything, and it is very quick, no?

Delir: Wait a minute. These messages are also easy enough to intercept, and anyone with access to the traffic from the phone company, or even other people with the right equipment, can capture and read these messages which are moving around the network in plain text, being saved from one tower to the next.

Borna: That's just silly. What should I do? Write in code like we did during the war?

Delir: Well, sometimes the oldest shoes are the most comfortable ones.

Sent SMS messages can be intercepted by the service operator or by third parties with inexpensive equipment. Those messages will carry the phone numbers of the sender and recipient as well as the content of the message. What's more, SMS messages can easily be altered or forged by third parties.

Consider establishing a code system between you and your recipients. Codes may make your communication more secure and may provide an additional way of confirming the identity of the person you're communicating with. Code systems need to be secure and change frequently.

SMS messages are available after transmission:

  • In many countries, legislation (or other influences) requires the network providers to keep a long-term record of all text messages sent by their customers. In most cases SMS messages are kept by the providers for business, accounting or dispute purposes.

  • Saved messages on your phone can easily be accessed by anybody who gets hold of your phone. Consider deleting all received and sent messages straightaway.

  • Some phones have the facility to disable the logging of phone-call or text-message history. This would be especially useful for people doing more sensitive work. You should also make sure that you are familiar with what your phone is capable of. Read the manual!

Functions beyond speech and messages

Mobile phones are turning into mobile computing devices, complete with their own operating systems and downloadable applications that provide various services to the user.

Our guide How to use smartphones as securely as possible covers issues related to these kinds of mobile devices, since connecting to the internet brings both opportunities and risks, which we have covered in previous guides.

While some of the earlier mobile phone models have fewer or no internet functions, it is nevertheless important to observe the precautions outlined below on all phones. Also you should find out exactly what the capabilities of your phone are, in order to be certain that you have taken appropriate measures:

  • Do not store confidential files and photos on your mobile phone. Move them, as soon as you can, to a safe location, as discussed in our guide How to Protect Files on Your Computer.

  • Frequently erase your phone call records, messages, address book entries, photos, etc.

  • If you use your phone to browse the internet, follow safe practices similar to those you use when you are on the computer (e.g. always send information over an encrypted connection such as HTTPS).

  • Connect your phone to a computer only if you are sure it is malware free. See our guide How to Protect Your Computer From Malware and Hackers.

  • Do not accept and install unknown and unverified programmes on your phone, including ring tones, wallpaper, java applications or any others that originate from an unwanted and unexpected source. They may contain viruses, malicious software or spying programmes.

  • Observe your phone's behaviour and functioning. Look out for unknown programmes and running processes, strange messages and unstable operation. If you don't know or use some of the features and applications on your phone, disable or uninstall them if you can.

  • Be wary when connecting to WiFi access points that don't require passwords, just as you would when connecting from your computer. The mobile phone is essentially like a computer and thus shares the vulnerabilities and insecurities that affect computers and the internet.

  • Make sure communication channels like Infrared (IrDA), Bluetooth and Wireless Internet (WiFi) on your phone are switched off and disabled if you are not using them. Switch them on only when they are required. Use them only in trusted situations and locations. Consider not using Bluetooth, as it is relatively easy to eavesdrop on this form of communication. Instead, transfer data using a cable connection from the phone to handsfree headphones or to a computer.

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.

security in-a-box is a project of Tactical Technology Collective and Front Line Defenders.