By: Jacob MacLeod and Jonathan Hofer
Ever since Edward Snowden publicized the fact that the National Security Agency (NSA) was spying on the text messages and phone calls of private citizens, privacy has been a national concern. This issue has been especially important for millennials, who have large amounts of personal data online from things like social media and online shopping. As trust in both national and local law enforcement agencies diminishes, people need to know how to better secure their personal data and protect their privacy and personal information.
Privacy-oriented applications and practices can help address your phone’s natural vulnerabilities. Despite some improvements, which have been the subject of aggressive ad campaigns, the default encryption on both iOS and Android phones is still vulnerable to exploitation. If you are serious about protecting the personal information on your phone, these should be your first steps:
End to End Encrypted Messenger
Standard SMS texts between phones are unencrypted, which means that if texts are intercepted, they can easily be read as plain text by the attacker. SMS has several known vulnerabilities. The SS7 protocol, which allows cell phone carriers to coordinate with each other, can be exploited to give an attacker security clearance on the phone, allowing them to read text messages and set up secret call forwarding. Attackers could also “SIM swap” to hijack the target’s cell phone number and redirect messages and calls. Local law enforcement agencies have also been known to fake cell site towers to act as an anonymous middleman, enabling them to hypothetically collect all incoming and outgoing data to phones.
End-to-end encryption helps ensure that even if a third party intercepts the message, the message would be indecipherable. It should be noted that this only protects messages while they are “in transit” and does not protect the message once decrypted by the recipient. An encrypted messenger can take the place of your default SMS application for a seamless experience.
While most people know that reusing passwords is a bad idea, weak passwords are just as compromising. Many websites do not require strong passwords, such as long passwords that include special characters. With current computing power, if your password is “security” for example, it can be cracked by a brute-force attack in 0.2 milliseconds. Compare that to the 6,6840,417 millennia it would take to crack the password R`E5G%w*RFnR[ with 2019 tech. Realistically, you are probably not going to remember a password like that for all of your accounts. A password manager addresses this problem by generating strong, unique passwords and holding them in encrypted storage. It also takes the pain out of constantly typing in passwords each time.
Remember to regularly log out of your accounts. Staying logged into your accounts largely defeats the purpose of having a password in the first place. A strong password manager will have two-factor authentication to log in. SMS or biometric verification to accompany the master login password is better than nothing, but a physical security key may be a better option than either SMS or biometrics.
Examples: Keeper Password Manager & Digital Vault
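To make the gap between the two passwords above concrete, here is an added example (not from the original article, and not how any particular password manager works) that measures the brute-force search space of each and generates a random password the way a manager's generator might. The function names are illustrative assumptions.

```python
import math
import secrets
import string

# The four character classes a brute-force search has to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Size of the alphabet an exhaustive search must try for this password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def search_bits(password):
    """log2 of the search space: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def generate(length=16):
    """Random password from the OS CSPRNG that uses every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(candidate) == len(alphabet):
            return candidate

if __name__ == "__main__":
    # The two passwords quoted in the article, plus a freshly generated one.
    for pw in ("security", "R`E5G%w*RFnR[", generate()):
        print(f"{pw!r:22} alphabet={charset_size(pw):3} "
              f"search space=2^{search_bits(pw):.1f}")
```

These figures are an upper bound on attacker effort: “security” is also a dictionary word, so a wordlist finds it long before an exhaustive search would.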
Internet Traffic Privacy
Browsing the internet is certainly not a private affair. In addition to your behavior being recorded by your internet service provider, a wide range of other parties can track your browsing through cookies and can trace you even if cached data is deleted. Some mistakenly believe that private windows or “incognito mode” give them extra security, but these modes do little beyond hiding browsing history on your own device. While private windows do not keep cached data, users’ phones are still entirely visible in these modes.
Given the prevalence of online shopping, mobile banking, and mobile social media applications, you want to make sure that your sensitive information is not under the watchful eyes of eavesdroppers.
Virtual Private Networks (VPNs) can mask IP addresses and generally employ end to end encryption.
While VPNs are preferable, worthwhile VPN services require a subscription and may require some setup. However, you can also use an anonymous web browser with Tor to get many of the same results. These browsers work by sending your traffic through a series of different routers to disguise your traffic and phone. Moreover, they are as simple to use as any web browser.
Examples: NordVPN, ExpressVPN, Hotspot Shield, Orbot (Android), RedOnion (iOS), InBrowser
Hard drive encryption encrypts data as it is written to or read from the disk. New smartphones on the market today will automatically encrypt the hard drive when the phone is locked and a passcode is required to unlock the phone screen. While hard drive encryption is a start, its protection is narrow, especially with a heavy reliance on cloud interactions.
It is better to add an additional layer of encryption that protects multimedia and text files from unauthorized users, covering some of the blind spots of hard drive encryption. In the event that individual files are exfiltrated or opened, the documents remain encrypted. Some phones offer file encryption “out of the box”, but these may be clunky. Third-party file encryption software can make the process of picking out specific files to encrypt more streamlined.
Examples: Kyms, CoverMe
Application Permissions Manager
Upon first opening or prior to installing an application, smartphone application markets ask users to grant permissions for the application. Generally, permissions cover things like access to the phone’s location or microphone, or data collection.
While applications like Google Maps understandably require access to the phone’s location, some applications request permissions for things that are not needed for the application to work. In a notable case, a flashlight application caught public ire when the company failed to inform users that their application was data farming personal information from users’ phones.
Without reviewing the specific permissions a given application has, it is difficult to determine if an application is a trojan horse or genuinely requires the permission. In a phone’s settings, permissions can be toggled or disabled for a given application. A dedicated permission manager can also allow the user to grant in-app permissions for a set amount of time, e.g., allow Facebook to use the camera for 15 minutes, or only allow applications to have permissions when actively in use.
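The permission review described above can be automated for Android apps. This added example (not from the original article) parses an app's decoded AndroidManifest.xml and lists the sensitive permissions it requests beyond what its function needs. The sample manifest is constructed for a hypothetical flashlight app, the function names are illustrative, and the set of sensitive permissions is a subset chosen for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's "dangerous" (runtime, user-granted) permissions.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample: manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names

def unexpected_dangerous(manifest_xml, needed):
    """Sensitive permissions requested beyond what the app's function needs."""
    requested = requested_permissions(manifest_xml)
    return sorted((requested & DANGEROUS) - set(needed))

if __name__ == "__main__":
    # A flashlight needs the camera (for the flash LED) and nothing else.
    for perm in unexpected_dangerous(SAMPLE_MANIFEST,
                                     {"android.permission.CAMERA"}):
        print("review:", perm)
```

INTERNET is not in the sensitive set, but paired with location or contacts access it is what lets collected data leave the phone, so it is worth noting during a manual review.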
A Remote “Kill-Switch”
The unfortunate reality of carrying your phone is that it can be lost or stolen. If your phone falls into the wrong hands, many of the precautions you have taken to protect the transmission of your sensitive data go out the window. Having a passcode to unlock your phone should already be a given, but screen locks, especially facial recognition locks, are not impregnable.
Before a nefarious actor can get access to your phone, you can enable “find my phone” features on your device. Not only does this allow you to track the phone, but it also lets you set off an audible alarm, lock the phone, display messages on the lock screen and erase all the data on the phone as a last resort. It is important to note that these features generally need to be enabled before you lose your phone.
Examples: iOS: Find My iPhone, Android: Find My Device