How can I use my mobile phone more securely?

Updated: July 2016

“You are carrying a tracking device in your pocket” is a line often tossed around by digital security experts when referring to mobile phones. It may smack of fear mongering, but it’s essentially true.

The mobile has become an essential part of a freelancer’s toolkit, and smart phones can now be used for nearly every aspect of reporting. But there’s another side to all this convenience: the more you use your mobile, the more it could be used against you. Mobiles collect an immense amount of data about your activity, and so long as you have the device with you, it's doing something. It's very difficult to use a mobile without it becoming associated with your identity or transferring data outside of your control.

Below are some ways you can mitigate the inherent security risks of your mobile. Remember: NO MOBILE PHONE IS EVER 100% SECURE. If you’re unsure about what data is being sent via your phone, or think that using it for a specific task could seriously put you or the person you’re contacting at risk, then arrange an alternative way of doing that task.

GET STARTED:

  1. What's your mobile saying about you?
  2. Ditch your smart phone for a 'dumb' phone
  3. Use more than one phone
  4. Use more than one SIM card
  5. Minimize the data your mobile is transmitting
  6. Use encryption
  7. Leave your phone behind, or send it on a walk
  8. Other resources

What's your mobile saying about you?

WHAT THE SERVICE PROVIDER COLLECTS

All mobile phones collect data in order to connect calls, deliver texts, send and receive data, and charge you for service. Your service provider keeps this information on record for billing or other purposes. But others may have an interest in this information as well. Many countries also have laws requiring companies to keep data on record for a specific amount of time (sometimes up to six months or longer), in case they want to access it through legal channels. Other groups or adversaries may resort to hacking in order to access it. Here's how your phone identifies you:

  • The IMEI number: This uniquely identifies the hardware of your mobile.
  • The IMSI number: This uniquely identifies the SIM card.
  • Contract information: If you have a contract with a mobile service provider, then these two numbers are tied to your identity.
  • The device's location: This is determined in relation to the nearby mobile service towers. Smart phones also have GPS functionality. When this is active, your phone transmits a much more specific location.
  • Metadata: This is a record about your mobile's activity. Mobile network operator (MNO) logs, for example, include information about who you call and receive calls from, who you exchange text messages with, how much data has been used, and the time and location at which each communication takes place.
  • The content: This can also be captured through any number of means. An interception attack gives the attacker the ability to inspect search queries, locally stored files or images, text messages or emails, contact details and so forth.

WHAT YOUR SMART PHONE'S OPERATING SYSTEM COLLECTS

Android mobiles by default share most of their user data with Google. If you're using an Android phone with Google Services, you can catch a glimpse of this in your account history page. iPhones transmit a similar amount of user information back to Apple. Design preferences aside, there are few differences between the two in this regard. But there are some differences worth considering:

  • Android is open source. Anyone can access and review the source code and find out what it's doing. There is also a larger number of privacy-helping open source apps to choose from. The iPhone operating system (iOS) and Apple's own apps are proprietary and closed. There's no way to independently confirm any security claims or how data is stored or transmitted.
  • Android is available on a number of different models, each with its own features and drawbacks. Apple only allows iOS on its own devices.
  • If you want to change SIM cards, remove the battery, or install apps that aren't in the official shops, then Android is the better choice. Unlocking an iPhone gets more complicated with each new version, and it's not designed for customisation. Removing an iPhone SIM is more difficult than with most Android phones, and the iPhone isn't built to have its battery removed, which is the only foolproof way to make sure your mobile is powered off.
  • According to the Electronic Frontier Foundation, Apple has a higher transparency rating than Google for user data disclosures (in the U.S.).

WHAT YOUR SMART PHONE'S APPS COLLECT

Aside from your mobile's operating system, each extra third-party application installed on your mobile is storing and transmitting data. Each of these has its own data requirements, terms of use and possible security weaknesses. Overloading your mobile with lots of software exponentially increases your risks. You need to manage more settings, and your mobile takes more time to update each app. All this data can be cross-referenced and correlated to create a more complete picture of you as a mobile phone user.

There is no one trick or tactic to create a secure mobile phone. What follows are strategies and tools that may be helpful, but these should be considered in the context of your activity.

 

Ditch your smart phone for a 'dumb' phone

A simple phone has some advantages. There’s limited personalisation, and you won’t be too much out of pocket if you have to dispose of it in a hurry. It’s still transmitting to towers, so your call logs and location are possibly identifiable, but there are no apps working against you. These phones are also easier to purchase in cash without having to hand over a lot of personal information, making them ideal 'burner' phones. A burner phone is one that you don't plan to use for long, and we'll get more into that in the section below on having more than one mobile.

The downside of this option is that with enough usage, this phone will still give a pretty complete view of its user: call data is still kept in all the same places, and locations can also be figured out by looking at which towers the phone has contacted. A basic phone also offers fewer security alternatives. Text messages will be insecure, and phone calls just as easy to monitor. Some applications available for smart phones can encrypt the content of your text messages and voice calls. Check these out below.
 


Use more than one phone

Keep one as your official phone and the other for your confidential tasks. And keep them separate! The second phone should be bought with cash (or donated), and used only for contacts that you don't want associated with your work or identity. It may be that contacting them will put you at greater risk, or that they can't be seen talking with a journalist. It may be someone you don't want knowing your personal number.

Don’t store any personal information on this one, and avoid using both devices in the same location. It’s not difficult to identify a relationship between mobiles if they’re both making calls from the same places. After a while, you'll want to retire this one, as over time it will start to look like a phone tied to your work, so don't invest a lot in this one. Pre-paid mobiles make good burner phones.

For a detailed guide on buying and using a burner phone, see this section on mobiles at the ‘Tips and Whistleblowers’ website.
 


Use more than one SIM card

Use a different SIM card for each phone. Because both SIMs and phones have unique numbers, each time you make a call, the service provider records both. If you switch SIMs in the same phone, the company simply records that both cards belong to the same phone.

All contract SIMs are effectively registered SIMs, because they link to a record of your identity, billing address, bank details and more. To counter this, your other SIMs should be bought with cash in a separate shop from where the burner phone was purchased. Some countries have different laws around purchasing mobiles and SIMs. In the UK, for example, it's still possible to find both for cash, and without showing ID. In Nigeria, getting a SIM can include being fingerprinted, providing photos, and a proof of address. Be careful about someone else purchasing a SIM or phone for you, as it could put them or yourself at risk. Read up on the local laws.

You can better protect your confidential sources by saving their contact details on a separate SIM card which you don’t keep inside your phone unless contacting them. This will help in the event that your phone is stolen or confiscated, but it won't stop the phone from being tied to theirs if you've called them with it. Create false names in the SIM for these people for some further protection, but if someone should gain access and call one of the numbers, the real person may answer. Make sure you and your contacts have a plan in place to confirm that the actual person is calling, and for how you'll alert one another in case of an emergency.
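To see why swapping SIMs in one handset, or carrying two phones together, does not separate them, here is an added Python example (not part of the original guide) that groups provider-style records the way the two sections above describe. The records, field layout and identifier labels are constructed for illustration and are not real data or a real operator format.

```python
from collections import defaultdict

# Constructed sample records: (handset IMEI, SIM IMSI, tower, hour of day).
RECORDS = [
    ("IMEI-A", "SIM-contract", "tower-12", 9),
    ("IMEI-A", "SIM-cash", "tower-12", 21),    # cash SIM put into the contract handset
    ("IMEI-B", "SIM-burner", "tower-12", 9),   # second phone carried alongside the first
    ("IMEI-B", "SIM-burner", "tower-40", 13),
    ("IMEI-A", "SIM-contract", "tower-40", 13),
    ("IMEI-C", "SIM-other", "tower-77", 13),   # unrelated phone elsewhere
]


def sims_linked_by_handset(records):
    """Return handsets that were seen with more than one SIM.

    Every record carries both numbers, so a cash SIM used in a
    contract handset is tied to the contract SIM through the IMEI.
    """
    by_imei = defaultdict(set)
    for imei, imsi, _tower, _hour in records:
        by_imei[imei].add(imsi)
    return {imei: sims for imei, sims in by_imei.items() if len(sims) > 1}


def handsets_linked_by_location(records, min_shared=2):
    """Return handset pairs seen at the same tower in the same hour
    at least `min_shared` times (the threshold is an assumption)."""
    seen = defaultdict(set)
    for imei, _imsi, tower, hour in records:
        seen[(tower, hour)].add(imei)
    counts = defaultdict(int)
    for imeis in seen.values():
        ordered = sorted(imeis)
        for i, first in enumerate(ordered):
            for second in ordered[i + 1:]:
                counts[(first, second)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_shared}


if __name__ == "__main__":
    print("SIMs sharing a handset:", sims_linked_by_handset(RECORDS))
    print("Handsets moving together:", handsets_linked_by_location(RECORDS))
```

In this constructed data the cash SIM is linked to the contract SIM through the shared handset, and the second phone is linked to the first because both appear at the same towers at the same times.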
 


Minimise the data your mobile is transmitting

Your mobile is transmitting a location whenever it's on. But the more often it needs to send or receive data, the more precisely it's recording your travels. For example, smartphones can access wireless internet. If you want to see how this could impact you, use the WiFi Watchdog Android app for a day and see what it shows later that evening.

Gain more control by turning things off: Turn off the WiFi antenna when not using it. Turn off all the geo-broadcasting options. Make sure your social media apps aren’t updating information you don’t intend to go public. Or, go one step further and delete all those social networking applications entirely. Disable all auto updates: by checking for new updates, your phone automatically connects to the nearest tower. Instead, just let your mobile check for software updates when you're at home using your own internet connection.

Below, we have non-technical ways to minimise the risk.
 


Use encryption

Although no mobile app can make your communications 100% secure, encryption is the best way to keep your conversations private. For more information about general encryption, take a look at our resource "How can I send use encryption?".

If you’re using a smart phone, there are a growing number of applications that can help you send and receive private messages. Take a look at the list below for some of the possible options. Remember though, end-to-end encryption only works if both parties are using the same software, so make sure you work out a strategy with your source for confidential communication in advance! Before selecting your software, see how it measures up. For instant messaging apps, see EFF's old chart for a starting point - bear in mind an updated one will be available soon.

Open Source Apps for Encryption:


Simple ways to make your mobile give you some space

These are strategies that don't involve changing or adjusting your mobile's settings, and can be useful for any number of situations.

  • Turn it off. Some mobiles are actually still active when turned off. If you're not sure about yours, remove the battery.
  • Leave it behind when you go visit your confidential contact. If you bring your mobile, and your contact brings theirs as well, then there is likely an electronic record that both mobiles were in the same place. If you bring your mobile, then it's not a confidential meeting.
  • In a variation of the above, leave your phone with someone you trust when going to that meeting, and make sure it is sending and receiving data, trying to connect to WiFi signals and so forth. The trail it makes will be different from your own.
  • Invest in a Faraday bag. These are used by digital forensics professionals to block all incoming or outgoing signals from a device. Popping yours in one of these will keep it from connecting to any signals until it's out of the bag again. Make sure the one you buy is certified.
  • Be smart about when you turn your mobile on. For example, when landing at an airport, leave your mobile off until after you're through border control and are outside. Some countries use what's called an IMSI-catcher to snap up identifying details about your mobile. When you then hand over your passport, it makes correlating your identity to the phone much easier. In some countries, these also may be used in other areas as well.

Resources

Take a look at some of the links below for further information about mobile security:

Special thanks to mobile security researcher Bernard Tyers for contributing to this section. Some information here comes from Level-Up.cc. The image of the mobile is by Lirne Asia. Image credit: Clive Darra.

Created: April 2014
