Basic Guide to Phone Security

[SWAT]

Thoughts on some applications.

Facebook Messenger: End to end encryption is opt in and only enabled when you start a secret conversation. Secret conversations not available on web app. FB has a history of all secret conversations, you can not delete it. Deleting something on FB doesn't delete anything from their databases or backups.

Telegram: Very popular and allows for huge groups. Desktop application does not have end to end encryption. End to End encryption is only in secret chats. If using a Televend shop to order drugs then you should use the app on Tails and manually PGP encrypt your address. Telegram stores are throwing buyer OpSec out of the window. Telegram is what people think is safe and it is the de facto drug app in many countries. Use something else.

Wickr Me: Wickr does not have phone activation and it does not require an email to sign up. It is encrypted by default and it has a self destruct on messages that you can set up. A lot of vendors and other people in the drug trade trust Wickr. wickr.com/security/ Wickr does not hide who you are (IP address) or who you talk to. It is up to you to protect your identity. If the people you talk to fail to protect themselves then that can come back to bite you in the ass. You shouldn't on the same account talk to people you order drugs from, people you sell drugs to and then your real life friends too. All of this should be separate.

WhatsApp: Has end to end encryption. It is Facebook. Facebook wants to gather as much information as possible so they can better advertise to you. Probably not the best choice.

Instagram: Like facebook it is hostile towards Tor. Might be a lucrative place for advertising. It does not have end to end encryption for the chat.

Reddit and Twitter: Hostile towards Tor users. Reddit just doesn't work if you use a Tor exit node. They will shadowban you account. Twitter will lock your account if you use it with Tor and they'll ask for phone verification. These are still important platforms for getting a message out (DarkDotFail on Twitter, DreadAlert on Reddit).

SnapChat: Why do people post **** that incriminates them or you and expect SnapChat to actually delete what they post? SnapChat does not delete anything. It is a good place to advertise drugs.

TikTok, Tinder, Grindr: Might be a good places to advertise drugs, depends how you work them.

Signal: Signal is the most promising of all IM apps. Good security and privacy. Only thing kept in logs is your phone number. Phone number requirement is what is keeping me from recommending it to everyone. You can activate Signal with a temporary number and prevent account getting stolen signal.org/blog/signal-pins/ If you and who you are talking to are willing to go through with buying a phone number then use Signal.

Encrochat & Sky ECC: LE found the servers and pushed an update that broke the encryption and identified the users. Users of the services were hiding among other criminals. The service was not any better than a free solution. It was a giant honeypot and the effects of it will be felt for years. Use something that is widely used by regular people. Information that is critical should be manually PGP encrypted.
All centralized services have useful data to hand over to LE. All of them can be forced to start logging data that they normally don't.

Data that is logged:

1. Contacts and historical contacts on the app
2. Contacts on your phone
3. Contents of messages
4. Encrypted messages
5. Sent files
6. Deleted messages
7. Original EXIF data of sent photos
8. Phone models used with the app
9. Phone IMEI and other uniquely identifying data
9. IP addresses used with the
10. Your phone number
11. Contents or metadata of files on your phone
12. Location data
13. Contents of your SMS messages
14. Your browsing history
15. And more

Number 9 is how the police attaches real names to pseudonyms in IM (instant messaging) applications. Most people also use their real phone number on Telegram/Signal. Those that do have burner phones/numbers have non existent OpSec (operational security) beyond that. They use their burner at their home or at work, at their friends place. They have their burner turned on while their regular phone is turned on like while driving down a highway or in a bar. Sitting in a restaurant, turning off your phone and turning on the burner is not sufficient OpSec either.

When the company does not have to comply with law enforcement the process of identifying a person behind an account is more involved but perfectly doable.
Process looks roughly like this:

1. Identify account you want to investigate.
2. Identify IP addresses of the servers that IM app clients connect to.
3a. Start conversation with account under investigation. Each message the suspect sends to you corresponds with upload traffic from a phone to the server identified in step 2. The timestamps of them sending a message and you receiving a message will correlate. Do this however many times needed and you have a match.
3b. Each message you send will correlate with a download by the suspect's phone. These will be time correlated if the suspect is currently online.
3b. Send a file of known size to suspect. This will stand out among all of the other single message uploads/downloads.
3c. Start a video/voice connection with suspect. This will correspond with a data stream of known duration and size.
3d. If suspect is not talking to you then you can use "message read" notifications that will be uploaded by the suspect or "person is writing a message" notifications that will be downloaded by the suspect. Initiating a voice or video connection request can also be correlated. You sending a message will not work if the person is not currently online but it can be used if you use the "message read" notification on your side and the corresponding download of the message by the suspect.

The more people that the suspect gets to hide in the more data you need to identify the suspect. Of course you try to narrow down the geographic location of the suspect to make this process quicker.


TEMPORARY PHONE NUMBER

This will be used to activate an account. Beware that this number is temporary and you get it for just a few minutes. After that it is gone and you can not get it back. People can use it to steal your account. Some services want to verify you with the phone number again when you log in from a new place (happens if you use Tor), set up a 2FA authentication with those services. Use the Google authenticator app if available. Second option is e-mail authentication. Remember that every process must be done through tor. If you use the service through Tor but used the email without it at any point then you are screwed forever.

1. Set up tails. The DNM Bible is down right now but you can find the offline version here as a PDF dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/40c86816505155c1a0d8
2. Buy Monero. If you need to then buy BTC with Monero (also in the bible). You must send the crypto transactions over Tor.
3. You can buy phone numbers here textverified.com or here 5sim.net or any other service that you'd prefer. They must accept crypto.

You might tie all of your activated accounts together that you activate with purchases with the same account on one of these websites. Same if you make purchases with BTC from the same Bitcoin account, the BTC connection is across websites and their accounts. This depends on the website keeping these logs but you can not assume or trust that they don't. If an account on one of these number selling websites is ever identified as yours then all activations that you do with it in the future will be tied to you.


TOR HOSTILE WEBSITES

This is for completeness sake. I don't know exactly how to do it just that it is possible. You need to route your traffic like this you->tor->proxy->website.

You'll have to buy a proxy server with Monero. Or buy a VPS and configure a proxy yourself. If anyone has a good guide on how to do this then I'd appreciate it.


PHONE IMEI and SIM

All phones have a unique identification number, IMEI. It gets sent when you connect to a cell tower. You can't change IMEI on most phones anymore, you need to develop a custom solution for every phone. Mobile service providers keep track of IMEI numbers. When they saw them, the geographic location and the SIM that was present. IMEI ties together different SIM cards used on a phone. Some people are under the impression that the SIM is important and throwing out or changing the SIM is what saves them. The SIM is tied to your name and it is what enables service providers to bill people.

Some apps on your phone will have access to your IMEI. If the network operator knows the IMEI and through some app an IMEI is identified as belonging to you the suspect then that might lead to an arrest.

If you do not want an IMEI being associated with you then buy your phone with cash in some place that you are not easily identified. NEVER connect to a cell tower. If you make an emergency call then that will broadcast your IMEI. Airplane mode is a software switch, it doesn't actually turn off the antenna. There is no guarantee that your phone will not try to connect to a cell tower even with no SIM in phone. Same goes for airplane mode.


SMARTPHONE APPS

There are many problems with the secure use of phones that are difficult to mitigate. The apps are convenient and a lot of people use them.

I have broken it into 3 different OpSec needs: LOW, MEDIUM and HIGH. You decide where you land.
There is no way to route your traffic through Tor on iOS without routing all of the traffic on the phone through another device. You are stuck using the apps without hiding your IP. You can use TorBox with iOS, torbox.ch
Guide is only for Android.

LOW

1. Download "Orbot" from the Play Store. You use Orbot to route traffic through Tor.

2. Open Orbot and set it up. Don't change anything.

3. Download your IM client if you do not have it yet.

4. On your phone go to Settings->Apps->Manage Apps->YourIMApp->Permissions and remove all permissions from the app. Just because your app is Tor routed does not mean it can not grab your geographic location or anything else and store it in its servers.

5. If you already have an account then open the app and log out. If you don't then go to the next step.

6. Open Orbot. Tap on the grey onion with "START" written on it, it will turn yellow and then green with "STOP" written on it.
Turn on "VPN mode".
Click on the cog in "Tor-Enabled Apps"
Select your IM application and nothing else. Mixing your regular internet activities and activities you wish to keep anonymous on Tor defeats the purpose. Only use Orbot with the IM app.
You can use a bridge to hide your Tor use from your mobile service provider/ISP. Sometimes bridges are very slow.
Orbot will only work while it is running. If you use the app while Orbot is not running you will expose your IP to the service. This will burn your account.
Orbot should open by itself on every phone reset. Just in case set it to open on boot. On your phone go Settings->Apps->Mange Apps->Orbot turn on Auto Start.
Orbot might not be connected on a restart, always check.

6. Open your IM app and make a new account. You have used your existing account with your real IP and should consider it burnt.

Do not accidentally use the app with Orbot not running.
Do not use your old account, thereby tying the two together. Only way to use your old account is to log out, disable Orbot and log in. The app might have a cache file that keeps track of all accounts used on the phone.
Hope that the app does not gather identifiable metadata from your phone. Disable all permissions for the app to make this less likely.
Sometimes who you talk to can be used to identify you. Just because you take care to keep yourself anonymous does not mean your friends will.


MEDIUM

1. Buy a burner phone with cash.

2. Never put a SIM in your phone.

3. Never connect to a cell tower.

4. Keep your phone on airplane mode. Keep Bluetooth off. Location services off. GPS off. Turn on wifi as needed. Keep in mind that the airplane switch is just a software switch. It does not mean the radio chip is turned off or that it can not in any way send signals. Some phones allow emergency calls with airplane mode.

5. Install the IM app or apps. If you can then grab the .apk without going through the Play Store. Beware of downloading a .apk from an unofficial source, it could have malware. Otherwise make a new Google account. You can make your first email on protonmail.com (through tor browser), I've found that protonmail does dot ask for phone verification or a bitcoin donation when using Tor in Brave browser. That is because Brave browser has a unique signature for every user and it does not trigger bot protections as often. Use the protonmail account as recovery e-mail for the Google account and it should not ask for a phone number to verify. You can use a service like textverified.com for numbers. Google might give you grief for making an account through Tor, use a public wifi or buy a Google account from somewhere.

If you make a Google account through a public wifi and that account is ever identified as belonging to you then your geographic location will be narrowed down. This might be unacceptable for certain people.

6. Uninstall all apps that you are not using. Turn off all app permissions that you can for all apps.

7. Follow the LOW guide. In step 6 "Tor-enabled apps" don't select anything. This will route everything on your phone through Tor. It will say "Full device VPN".

8. On your phone go to Settings->VPN-> Orbot (cog icon). Turn on "Always-on VPN" and turn on "Block connections without VPN."

9. Orbot is not perfect. I can not predict the behavior of every phone but I think that your phone might leak your IP while it is booting up. This is because Orbot does not have root privileges and uses a hacky way to achieve what it is doing. Orbot does not start before your phone might try to connect to a server somewhere. A lot of care is taken on Tails/Whonix to ensure that there are no IP leaks, I can not give this guarantee with Orbot.

If you want to ensure that there are no IP leaks on boot, no possible DNS leaks or any other unforseen protocol leaks then you need to ur TorBox. TorBox.ch for the guide. There is a portable version that you can throw into your backpack and use discreetly while on the move.


HIGH

I would not trust airplane mode to work in all situations. The OS should ensure that no app is allowed to make transmission but malware can get around that. There are bugs in software. Just because nothing is being transmitted does not mean that it isn't listening. I think I remember some version of iPhone logging all of the wifi SSIDs it saw when wifi was switched off. High value targets also need to worry about their phones being targeted with malware. If you must use one of these devices then I suggest the following.

1. Use an iPad or and Android tablet that does not have LTE capabilities. Use it in conjunction with a TorBox.
2. Physically remove chips from the phone that are responsible for LTE and Bluetooth. You'll need a heat gun to melt the adhesive and solder. You'll need replacement adhesive to put phone back together. Buy phone that uses screws. Search for your phone schematic on the internet to identify the chips.
3. You can use an Android or iOS emulator to run the apps. I recommend Android Studio for Android and Xcode for iOS. Android studio is available on Windows, Linux, Mac and ChromeOS. Xcode is only available on Mac. You can do pretty much anything on a virtualised phone that you can on a real phone.

Of course you should do this on a device that is routed through a TorBox. The device itself should have full drive encryption on boot.

BURNER PHONE OPSEC

Many people are very loose with their burners.

They use them in their home, work, where they are seen by cameras, at friends houses, near their home.
They make phone calls and send SMS.
They travel with their real phone and burner turned on.

You should never send SMS, these are uencrypted and saved for years by your service provider.
You should not make phone calls. Your service provider has the ability to listen in on those calls. Meta data about calls is saved for years. Info saved is who called who, call duration and geographic locations of callers.
If you must use cellular data then only do that if you have the use of an anonymous SIM available to you. It better be worth it because I suggest you get a new phone at least every few weeks. Cheap phones cost 20-40 USD/EUR.
Proper way to use a burner that uses cellular data is to use it a long way from your home, nowhere near where your real phone is. You do not have to turn off your real phone, leave it on at home.


PHONE ENCRYPTION AND DATA PROTECTION

There is a misconception that your data is encrypted when the phone is locked. That is not true. Some data of some apps might be encrypted while the apps are closed. Some data on your phone might be encrypted while it is locked but not all of it. If you get a message notification and a small snippet of it on your lock screen then it is clearly not encrypted. Your data is only encrypted when you have full disk encryption on and your phone is turned off. The weakness of that is that after decrypting on boot the key is kept in RAM and some or all files might be decrypted while the phone is rnning. Starting from Android 10 full disk encryption is not supported, only file based encryption. This reddit post explains some of the pitfalls of Android FBE old.reddit.com/r/Android/comments/kzs15v/how_law_enforcement_gets_around_your_smartphones/

If no decryption keys are in RAM or files are not decrypted then what LE often does is they dump the data and just bruteforce the encryption. People use 4-6 number pins on their phones, that is trivial to break.

To keep your sensitive data safe on your phone:

1. Set a strong unlock passphrase. This being your phone unlock password you should be able to remeber it. It also can not be too cumbersome to enter every time you unlock your device. I'd make it well over 10 characters using numbers and letters and symbols. Since this is a password you use multiple times a day you can make it more complex.
2. Do not use biometrics. The police will punch you in the mouth and unlock the phone whether you like it or not. The police break the law and lie all the time.
3. Do not keep incriminating data on your phone. No documents, pictures or anything else.
4. Use self destructing messages in IM applications. Other people get busted and unlock their phones.
5. Do not use cloud syncing of any kind. Cloud backups have put people in jail.
6. There are always critical moments where if something bad will happen it will most likely be then. Keep your phone turned off if you can.