9d98 Mobile Anonymity - Telecomix Crypto Munitions Bureau

Mobile Anonymity

From Telecomix Crypto Munitions Bureau

Jump to: navigation, search

License: https://trac.torproject.org/projects/tor/wiki/WikiStart#LegalStuff (X11 license)

Mirrors of this page:

August 2012

Mobile devices (mobile phones, tablets, pads, etc.) are cheap and widespread. People want privacy and anonymity on their mobile devices. This is difficult and there are many pitfalls.

Similar articles about "mobile privacy" (or "Android without Google") exist. Only this article has a strong orientation on Tor, security, privacy, anonymity, encryption and Open Source software at once.

Contents

[edit] Privacy Problems

Unfortunately there are very few embedded/mobile devices, which are really free as in speech. Many vendors bundle their devices with a lot bloatware, which can not be easily uninstalled (needs root or custom firmware). Also sometimes spyware (really spyware by definition, Carrier IQ, which logged keystrokes, short messages, phone calls, etc.) and other privacy problematic software (ex: upload, sync by default your contacts). Often, when you want to take control over your device (rooting, cleaned firmware, etc.), you'll loose warranty. Many devices have even looked bootloaders, to make it even harder to get control over the hardware. All currently available phones contain proprietary firmware/basebands and ARM devices generally do not have free 3d graphic drivers available yet (ARM Mali / Lima might change that).

Using a TransparentProxy can lead to Transparent Proxy Leaks. Learn what Protocol Leaks are. (For example Orbot for Android supports transparent proxying (local redirection).) Also understand first, Modes Of Anonymity.

[edit] Providers

Most providers log for billing reasons and/or are obligated to log due to data rentation laws. They log who you called, with whom you've spoken, when and how long, whom you've send messages with, (in some countries, the content of your messages), when you went online, for how long, how much data transmitted, (in some countries they store which websites you visited and censor certain websites), your location information (cell), when you done anything of that. (In some countries or after court order, they even trace you permanently.)

[edit] GPS

There are different "sorts" of GPS. AGPS uses internet, speeds up the initial GPS fix, but not so privacy friendly. Network-based mobile phone tracking is also used to speed up the initial fix, it shouldn't leak more information to the provider, as it's only listening. The "normal" GPS alone is a listening only service and therefore does not leak anything.

[edit] Mobile Malware

Malware on your mobile device can be even more serious than malware on your computer because phones have access to a greater deal of privacy relevant information. Once malware is on your device:

  • All phone calls, messages, mails, notices, calendar entries and anything else on that device are compromised.
  • The microphone can be used wiretap even while you are not having phone calls. (Most people have their devices very close to them at all times.)
  • If the device has GPS, it can be enabled and used to pinpoint the location.
  • Even if there is no GPS, the network connection can be used to pinpoint the location.
  • And even if there is no GPS and no network connection, also with WiFi only enabled it can be used to pinpoint the location. (Google uses already WiFi to enhance their Google maps application, other institutions may have access to such data as well.)
  • When the device gets connected with a computer it can try also to infect the computer.
  • You won't even notice any of those actions.

Your best bet is to completely abstain from using Google or any other synchronization service, where you have no control over the servers. It is less comfortable to use your phone without Google, but it is possible. We will discuss alternatives to the Google apps, which you can not use anymore.

Use a after market firmware, such as CyanogenMod (Open Source), a custom ROM from xda-developers, etc. Those modded firmwares to sometimes not contain any bloat- or spyware. And of course, do not install any Google addon packs.

Best is also to abstain from any closed source software or adware. Carefully read their permissions, privacy policy and recherche about any privacy implications.

[edit] Android

Although Android itself is Open Source, it does not mean much. Practically all devices require non-free binary drivers ("blobs") you can not simply download the source code, compile yourself, flash and done. If you flash a custom software you'll in most cases void the warranty.

The privacy problems described above are valid for Android as well. See http://replicant.us/ for an effort to change that.

By default on most Android devices, Google apps are preinstalled. With default settings, contacts, mail and calendar will be synced with your Google account. So everything you stored in those three applications, Google also knows. That will be done as soon as you have a working mobile internet or WiFi connection.

Even worse, a market service runs by default in background. When you are logged into the Google Market (now called Google Play), you can install apps with just one click and they will be pushed to your device. What sounds great from view of user experience is very bad for security. Google could also simply push any other app they want. They could silently push malware. This could happen, in case Google gets hacked (already happened, if a employee turn malicious, or due to law enforcement. For more information on this see donttrack.us (ignore the DuckDuckGo related stuff and follow their sources). They can also remotely delete apps from your device. Who does need to have control over your device if you want privacy and anonymity?

Not that this can be disabled and equally applies to every OS that supports software updates and is set to automatically apply them.

[edit] Getting Apps / App Market

To get apps the Google Market (now called Google Play) can not be used anymore. You need an alternative app market or you need to download the apps from the vendor directly. Sometimes they don't offer a public download link, in this case you can try to mail them.

F-Droid (Open Source), The FDroid Repository is an easily-installable catalogue of FOSS applications for the Android platform.

Alternatively try getjar.com (TODO: untested).

[edit] Linux

Generally, if you don't find a privacy friendly Android app, you can go another way. Install a Linux Distro on top of your Android phone. It is possible for some devices. The kernel will be shared and you will have access to the linux distribution's software repository. The applications will not be the most comfortable ones, as they are made for use on computer, not on mobile devices.

[edit] Firewall

Use DroidWall (Open Source) in White List modus and give only relevant apps access to the internet.

[edit] Permissions

For CyanogenMod (Open Source): Settings -> CyanogenMod -> Apps -> enable Permissions. Then go to settings -> Apps -> Manage Apps -> choose an app and remove unnecessary permissions.

[edit] Tor

Orbot on torproject.org, Orbot guardianproject.info (Open Source) is Tor for Android. Orbot supports transparent proxing (local redirection). Orbot, if used on a rooted phone, can proxy all traffic from a phone through the Tor network. see Privacy Problems above before using it!

[edit] Browser

Orweb (Open Source) is an alternative for the Tor Browser for Android.

Abstain from browsers, which process your requests on an external server, such as Opera mini (closed source). It is tempting, because it is much faster, but they are a mitm and can also wiretap https protected websites.

[edit] Instant Messenger

Gibberbot (Open Source) Jabber client, which supports Orbot and Off-the-Record encryption.

Beem (Open Source) Jabber client, supports Off-the-Record encryption as well.

Abstain from any short messages alternative services, such as WhatsApp, as it will upload all your phone numbers to the server.

[edit] Full Disc Encryption

LUKS Disk Encryption by guardianproject.info (Open Source, ready for FDE?

LUKSManager (Open Source), only folders, no FDE?

TODO: encrypt whole internal storage and whole external storage

[edit] Synchronization for Contacts, Calendar, Memo, Photo

SyncML is probable the way to go.

Funambol (Open Source). TODO: BR

  • Needs own server? - If yes, could be a personal computer.
  • Over USB cable also supported?
  • Encrypted transmission to the server? - If no, not so important, when done in trusted WiFi. In doubt use Wiki Ad Hoc (direct connection without router).
  • Encrypted database on the server? - If no, not so important, when stored on encrypted computer.

[edit] Text Messages

TextSecure (Open Source), encrypted database, encrypted transmission, TODO: untested.

[edit] Phone Calls

Unfortunately, only closed source apps available. If you are still interested search the market for terms like "ZRTP", "phone encrypt" "gsm encrypt", or "call encrypt".

If you know an Open Source app, please share. - Redphone!?

[edit] Voip Calls (Voice over IP)

Unfortunately, Voip Calls are not always possible. They work best over WiFi and depending on the network, also over mobile internet. Use ZRTP.

CSipSimple (Open Source), TODO: untested, with proper ZRTP voice verification? article on guardianproject.info

Linphone (Open Source) for Android supports only SRTP (client to server) encryption ZRTP (end-to-end encryption) not supported ZRTP yet.

sipdroid (Open Source) does not support ZRTP yet. Although there is a ticket.

[edit] E-Mails

No encryption possible yet. Last AGPG from 2010 and no source code. guardianproject wants to bring GPG to Android, they are not done yet.

K-9 Mail (Open Source)

[edit] Camera

ObscuraCam (Open Source), secure camera.

[edit] Notes

NoteCipher (Open Source), encrypted notes

[edit] CA Cert Manager

CACertMan (Open Source), manger for (SSl) certificates

[edit] Remote Storage (WebDAV)

cryptonite (Open Source), EncFS and TrueCrypt on Android, TODO: untested

TODO free service, open source app to encrypt stored content on a remote location

[edit] OpenVPN

OpenVPN Installer (Open Source) and android-openvpn-settings (Open Source), TODO: both untested.

[edit] Maps / Navigation

There are several alternatives to Google Maps, a few Open and closed source alternatives can be found in the openstreetmap wiki. Some even with offline features, offline navigation. (Offline is more privacy friendly.)

[edit] Missing Stuff

Add here, if you are missing any privacy friendly Open Source android apps.

[edit] Also See

Personal tools
< 7 /html> 0