Recent searches
Search options
Administered by:
Every time I log into Fedi, I see another post with a guide called something like "Activist's Guide to Smartphones" or "Phone Security Guide for Protesters," and every single one of these assumes that the threat model is the kind of police force that exists under liberal democracy where the law will afford significant protections to protesters. The world is changing, and these guides not only fail to address the threat of an actively hostile fascistic anti-democratic occupying force (I refer here to the police), but such guides generally are limited to "what" and "how" but miss the more critical "why."
If you believe that you are facing fascism (or even something close to it), can I please please please convince you to read something written by anarchists who have faced serious repression and are trying to convey just how much phones can lead to the imprisonment of you and your friends for even things that are allegedly "legal."
https://opsec.riotmedicine.net/downloads#mobile-phone-security
Overwhelmingly these guides seem to come from InfoSec or civil liberties focused individuals, groups, or NGOs, but bloody hell, the danger they face tends to pale in comparison to what radicals face, and the level of concern they have is likely far lower than it should be. Watching across the pond at this advice circulating, all I can think is that such liberal notions of rights are security are going to get activists killed or imprisoned for life.
(not that my advice is perfect. always get a second source. compare what we/i have written to these liberal guides, and diligently study where and how they diverge.)
>Apple has previously halted plans to encrypted backups in their iCloud following pressure from the FBI, and their backups are unencrypted.
Apple's "Advanced Data Protection" will encrypt most things now. It is of course opt in, and there's a section dedicated to what is not encrypted; including iCloud Mail, Contacts, Calendar, modification time and deduplication hash type stuff metadata. I haven't done a super thorough investigation because I'm not qualified.
https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web
@walnut I have an open PR on this I'm not merging yet as I'd need to do a full rewrite, but I'm away this does need an update and maybe 2025 is the year to write this. https://gitlab.com/hakan-geijer/mobile-phone-security/-/merge_requests/1
@hakan_geijer
I remember Naomi Wu being concerned about your phone's keyboard app years ago, and that is an axis of attack I still don't see addressed in any guides.
Your phone uses an app for your keyboard, and most have a key logger or "AI" or "dictionary learning" feature.
It scans your contacts.
Check it's settings.
But I think the point you're trying to make is that none of this will help you the cops don't care about your rights, if ice doesn't care about your rights, if NSA wants your ass, it's already over.
Your rights won't matter once you're in solitary in a federal building or across state lines.
*edit* It IS addressed in this one, and it's a really good guide!
@Harleck I specifically mention that in the section on IMEs in the text I linked to above. This may be incomplete, which is fair, and if you think that section fails to address all threats (specific ones, general ones), I'm open to feedback and can make updates.
@hakan_geijer
Hell yeah.
I'll go through it again, it's sounds like it's expanded since I read it last!
The revelation to me was that at default, gboard and the apple equivalent have wild ass permissions and sharing, so even if you don't use a3rd party app and have never altered it, it's a whole in the boat.
@Harleck I have not done anything beyond correcting typos or minor clarifications since I published it. This section was in the first version and has not be updated since. https://gitlab.com/hakan-geijer/mobile-phone-security/-/blame/main/src/04-security-basics.md?ref_type=heads#L145-170
@hakan_geijer
Now that I've had my coffee and gone through it again, yes you did address it, and this is a great guide!
Past Me may have skimmed it or gone direct to the Case Studies section (which is really good).
Thank you again for making good resources!
@hakan_geijer @Harleck It's been around for 15+ years and Android won't let users revoke internet permission in most flavors of Android. We should have full firewalling and logging of requested domains at this point.
@hakan_geijer Buy a road atlas to travel to demonstrations instead of using your phone to navigate.
@jhavok Many modern cars have mobile capabilities, and automatic license plate readers capture and incredible amount of data.
@hakan_geijer @jhavok its possible even here in Europe for a *civillian* to get an effective ANPR reader for their mobile phone which sends the registration marks up to the cloud for later use (via an API).
Its main use case is for car park attendants and garage workers, but I literally only had to "pinky swear" I would obey GDPR to get it, and at close range it works as well as the ones the Police have (I tried it on my own car and some fleet cars at work)
and you're not even addressing the manufacturer's spying.
i'm always telling people "it's not your phone - it belongs to the manufacturer, and everything you do is logged by the OS."
no matter how many times the OS providers and other tech megacorps are caught watching and listening in on the users, despite the 'setting,' people still fantasize about 'privacy' on smartphones.
@hakan_geijer I know enough tech to say that there is one fundamental rule of avoiding surveillance on your phone: Don't. There are too many different ways it can be compromised, if you are a person of sufficient importance that someone in government actually cares to try. If you want secure communications, the first rule is to get a Real Computer which runs a software environment you and you alone can control.
@Qybat Why do you think something like Debian or Qubes is significantly different than something like LineageOS or GrapheneOS? (ignoring macOS, Windows, and stock Android for now)
@Qybat @hakan_geijer sorry but this is a really wild take.
while I love linux desktop it is nowhere close to the security you can have on mobile devices (mainly by using graphene).
if (big if) you can really control the whole software environment you also need to audit that. And then we completely disregard physical attack vectors and of course as op mentioned non technical vectors.
you cant use general advice in these cases anyway, assess your threat model and act based on that.
@hakan_geijer and with the techbroligarchy showing their true colors, a lot of these lower risk profile options are outdated. Most important are the tools of assessing risks & staying disciplined. We're not going to get press releases telling us when to be more careful.
@hardleft That may be true, but we still have tried to characterized what the profiles look like and why. Many are still accurate for most of Europe which is my primary audience.
Agreed. Everyone ought to be getting clued-up on operational security (op-sec) and communications security (com-sec).
Top tip - for #2, try Signal - bloody works, does voice, vid, text, and even Signal can never learn what was discussed. For #1, never talk about what you may or may not be about to do online. Ever.
@bytebro @hakan_geijer
@StopTheSweepsPDX
True that. LineageOS : https://wiki.lineageos.org/
From the No Trace Project "Smash All Phones! How To Protect Yourself From the Snitch in Your Pocket. 2017", in this essay they got disovery from the J20 mass arrest at the beginning of Trump's first term, and there was 8,000 pages of meta data from their phone and Google account. Law enforcement used Cellebrite to get the data.
https://www.notrace.how/resources/read/smash-all-phones.html
In the footnotes, some worthwhile info:
"N.T.P. note: Whether or not Cellebrite devices with physical access to a given encrypted phone are able to extract the phone's unencrypted data is a complex issue. It depends on the state of the phone when accessed (turned off, turned on and locked, or turned on and unlocked), the phone operating system (and whether the operating system is up-to-date), the phone model, and the strength of the encryption password. For example, according to leaked internal Cellebrite documents, as of July 2024, if a phone is accessed when turned on and locked…
…and it runs stock Android (the default operating system installed on Android phones), Cellebrite devices can almost always extract its unencrypted data, no matter the strength of the encryption password.
…and it is a recent Google Pixel phone running GrapheneOS (an operating system you can install to replace stock Android), Cellebrite devices cannot extract its unencrypted data.
We recommend using GrapheneOS for phones."
@hakan_geijer
Also from another essay "Confidence, Courage, Connection, Trust: A proposal for security culture. 2019" they propose updating the two nevers from something like:
"Never talk about your or someone else's involvement in illegal activity. Never talk about someone else's interest in illegal activity.”
to “Never talk about your or someone else's involvement in activity that risks being criminalized. Never talk about someone else's interest in criminalized activity.”
but the author recognizes that this framing is inadequate too. https://www.notrace.how/resources/read/confidence-courage-connection-trust.html
@hakan_geijer Nicely put together document. I think western people might care more about opsec in these situations if they acted less like the police are held to some rule of law, and acted instead as the state actors could be a legitimate threat to the activist's life.
More like they're the teens that killed Nazis in the Dutch and French woods. in the 40s -- keeping secrets, planning and effecting direct action.
I'm not an expert but I've always thought things like consumer VPNs, password management software and anti-virus software as increasing your risk, not decreasing it.
The central point is they aggregate your information into the hands of one agent, and agent you don't know - making it easier for them, or those that attack them to get at your data.
This is a question - I'd welcome comments.
@rzeta0 This always comes down to "what's your threat model." For most people, a cloud-based password manager is the best solution. I use an offline one I manually sync between devices. Pen and paper can be your password manager, but unless you're super human, most people can't come up with sufficiently random and different passwords for their hundreds of sites they have to log in to. I don't use anti-virus, but I also use Linux so it's a slightly different model there too. VPNs protect against a narrow set of threats and for those they are useful. When people treat VPNs like Tor, they're gonna have a bad time.
Thanks for taking the time to reply. I have two follow on questions if you or anyone else has the patience to reply.
1. All your passwords in one online service means adversaries (eg the state) have only one place to get your passwords. Perhaps this comes down to threat model as you say
2. Isn't Tor a massive honeypot? It emerged from the US military. If it truly is as effective as people say it is, then it would already be banned already, surely?
> All your passwords in one online service means adversaries (eg the state) have only one place to get your passwords.
Yes, but a well-designed service will not be able to turn it over. For example, 1Password and BitWarden (don't trust LastPass, fuck 'em for their repeated bad security) claim that they cannot hand this data over to cops.
https://1password.com/legal/law-enforcement
https://bitwarden.com/help/bitwarden-security-white-paper/
The cloud is just a relay to sync things effectively. There's a lot of trust yes, but trust always ends somewhere. For most people and most activists even, this is acceptable. I think the pool of those who need security above what a cloud service can offer is growing because of increasing repression, but it's still a fine solution for many.
> Isn't Tor a massive honeypot?
No. It's open source and too many anarchists and libertarians and just plain cryptography nerds can analyze the code and assert that it's not backdoored. Go to the right places and you can meet devs and relay operators yourselves.
> If it truly is as effective as people say it is, then it would already be banned already, surely?
Plenty of things that are effective aren't banned, like even basic e2e encryption for chat. Plus the State still benefits from it working as advertised as it undermines other governments and gives dissidents a means of communication and anti-censorship.
@hakan_geijer @rzeta0 what about keepassxc?
@enby_of_the_apocalypse @rzeta0 it's what I use and I do manual syncs between devices
@hakan_geijer @rzeta0 one thing I’ve been thinking about a lot, pen and paper might actually be a lot less secure when a significant threat is house searches by cops and stuff like that, since you can’t really encrypt it. (But also, paper can’t be hacked, paper doesn’t track your location and stuff)
@enby_of_the_apocalypse @rzeta0 sure but for most people that's not through threat they face. Like one of our parents using that is better than having two passwords they share everywhere.
@rzeta0 @hakan_geijer Specifically password managers are there to improve the entropy of your passwords and gain insights on when a password was leaked (through haveibeenpwned or similar) automatically. If (and that’s a big if) you manage to create good, long, unique passwords and very regularly check such services… you may as well not use one.
Concerning the attack on password managers: You don’t upload your passwords anywhere, but an encrypted blob. Any cryptographic encryption is indistinguishable from random data – you could’ve literally uploaded a random.zip with random bytes to GDrive and it would give the Feds as much knowledge about your passwords as your password manager.
The good thing about them is that they are local first software. Everything crucial already happens on your device: En-/Decryption, deduplication, generation of passwords etc. It’s much easier for feds to just demand the services you are registered at to give them access to your data too.
Thanks - that is helpful, especially the part about uploading encrypted data.
So what remains is the risk of the app on your local device being compromised or backdoor - a much smaller risk I guess -
so it goes back to "what's the threat model" again.
@rzeta0 @hakan_geijer Gladly!
Of course backdooring your device always is an option, but smart phones have great app integrity protection and will refuse running apps with invalid signatures. It’s quite hard to remotely bring up a forged version of your password manager and make it run it. It’s probably much easier to attack you elsewhere and get the passwords in-flight or anywhere else.
For phone security, run GrapheneOS on a modern Pixel or at least iOS with Lockdown and Advanced Protection enabled.
Isn't it more likely that the app provider themselves will release "official updates" with the backdoors ... as a result of direction from the state?
I seem to recall some infosec work I did ages ago and we were very alive to the fact that a day-1 device is not the same as an updated day-2 device.
I would love to use GrapheneOS just to get rid of the commercial-grade ads/tracking and generally lower resource consumption ... but sadly I'm told banking apps dont' run.
@hakan_geijer for people who know us: this is good advice and we endorse it
@hakan_geijer@kolektiva.social
are computers that i installed linux on better
@sour Enormous "it depends." Are you regularly updating? Comparing it to macOS and Windows? or comparing it to something like GrapheneOS for phones? What is your threat model? The CIA or random hackers? I would suggest everyone get on Linux for many reasons, but doing so requires a little attention and tinkering that commercial OSes do not.
@hakan_geijer@kolektiva.social
im regularly updating and surviving trump government
@sour I don't have data to back this but I would assume a frequently updated Linux is more secure
@sour @hakan_geijer Better than smart phones? No way. It’s why the text begins with “use a smart phone”. Mobile security is *way* ahead of general computer security and covers many more threat scenarios. Basically, if your laptop is in the hands of any decent adversary it’s over. At worst they can directly read out anything, at best (for you) they can only modify it in a way that’s not recognizable by you but will effectively covertly give them full access. Modern macBooks may be the only exception here.
Disregarding physical access, things become a lot more tricky. With Linux you usually don’t download a .exe from a website and run it. That closes a big attack vector. You can lock it down quite well to also restrict execution of other binaries – if you know your way about. But in the end, the security model of a PC is very leaky.
My recommendation is to get Pixel phone with GrapheneOS or an iOS device with Lockdown and Advanced Protection enabled. For your laptop, use fedora or ChromeOS (beware, the latter might get discontinued soon), or an ARM macOS with Lockdown etc. enabled, or at least Windows Pro and enable complete BitLocker on there. You can run Qubes for specific tasks if you want to.
@sour @hakan_geijer Absolutely! Security focused live systems are neat for some throwaway work, just do recognize that if the hardware is tampered with, it's hard for the OS to defend against that.
But most attacks that work well against Linux but not so against modern Windows/macOS are attacks targeting the installed OS. With a live system you circumvent that. In theory, you can harden a Linux to a similar degree as Windows BitLocker (i.e., measuring Secure Boot state + long password or fido2 stick, using
signed UKIs, etc.) or perhaps even more than that, but it's not the default and requires quite some knowledge.
@ljrk @sour not that you're wrong but I suspect your level of technicality is maybe too much here. I think maybe the answer is: Tails is good for ephemeral things and is quite anon, but its less commonly use for daily activity.
But to really even answer the question, we need to step back and ask why they want to use Tails in the first place
@hakan_geijer@kolektiva.social @ljrk@todon.eu
im considering tails for deleting files from past activities