Two quick notes on this post. One is that I stick to Android phones. That’s because it’s what I use and what I know. Part of the reason that I use them is because of security issues. iPhones are more locked down, and while that can make them harder to break as far as software goes, it also means it’s harder to customize as far as security. It’s not a snob thing, it’s a technical thing.
The other note is that I talk about some mid-level technical procedures, things a bit beyond entry-level. Things like changing a phone’s ROM or recovery software. I don’t include step by step directions because it varies from phone to phone. If you want to attempt these things, be aware of the risks and look up instructions that apply directly to your phone. I’m recommending these things for a reason, but I’m also recommending you do them safely.
Phone safety is a huge issue. People now live a huge portion of their online lives through their phones. Social media, GPS, photos, countless apps, messaging, and even the occasional phone call. All of these things are done through your phone, and that means if your phone is vulnerable then you are too.
Before reading further you should know there are some things that these things won’t protect you from, and that’s because the data being broadcast is part of the core function of your device. Even if you follow every step on this page your carrier, and therefore the police or others with access to the right resources, can track your physical location. That’s because when your phone is operating as a phone it is talking to cell towers. Your phone’s job is to announce itself and then get signals for calls and data. No matter how secure the data, that announcement is still out there.
There are some things you can do to protect yourself from even this fundamental data leak. One is to turn your phone off, or remove the SIM card. In both these cases you can no longer use your phone as a phone. In the case of removing your SIM card, you are still able to connect to your wifi connections. So if you’re in a situation where keeping your location a secret is of the utmost importance, those are your fastest options. If you plan ahead, you have the option of using a burner phone, which is a pay-as-you-go phone, often purchased with cash, to get a temporary number. While this phone also announces its location, it’s not directly tied to you so it’s much harder to connect you to the phone’s whereabouts.
Now let’s go back to two topics that we’ve covered before. In the first security post I mentioned supercookies, which is data that can be injected into traffic to track online behavior on the carrier level, rather than just on a site-by-site basis. If this sounds a bit paranoid, know that AT&T and Verizon have been doing this for years without telling customers. So even if you’re not connected to an open wifi network, and using your phone’s data instead, you’re still vulnerable. But then we covered VPNs and, you should be relieved to know, these tracking injections can’t penetrate encryption or HTTPS. So you’re browsing safely on this site, and if you took my advice about VPNs then you’re safe everywhere. The trick is to actually use it. The same way that your home network needs a VPN to protect from the now legal intrusions, your 4G connection needs one too. If you subscribe to a VPN service, most will have instructions for setting up your service with an OpenVPN client (I can recommend the open-source OpenVPN for Android or OpenVPN Connect, the Android version of the client mentioned in the last post), or will even have their own app to make things easy.
Now that your data is encrypted, lets take care of your communication as well. Your texts can be read by your phone carrier, or taken from the recipients side if they’re not as security conscious as you are. Likewise with voice communications. As far as encrypted texting and voice, Whatsapp is probably the most ubiquitous. However, there are some concerns as to how it deals with certain technical aspects. I recommend Signal. Both of these actually use the same encryption scheme from Open Whispers, but they handle things a bit different at times. If a user changes their SIM card, the chip that gives your phone its identity on the cellular network, Whatsapp will still send messages to that phone with the new SIM card, while Signal will cancel the message and alert the send in case they want to send it anyway. It’s just a little thing that errs on the side of caution rather than convenience, and the messages are still encrypted with the same method when being sent. The other thing that Signal has over Whatsapp is that it isn’t as common an app. That means someone using Signal with you has probably put more thought into their security than someone using Whatsapp. It’s not a technical point, and no guarantee, but it is a social signal (no pun intended) about your security.
Of course, none of that will make a bit of difference if your phone itself is not secure. The easiest thing to do there is to lock your phone. That means using PIN, password, or pattern. Fingerprints are good and all, but if you want to be a hero when it comes to security, the police are allowed to force you to unlock your phone with a fingerprint scanner. Between passwords/PINs and a pattern, the easiest thing for security is to avoid patterns. While they can be more secure, they often aren’t. The fact of the matter is that people are terrible about gauging the security of their patterns, and unless you make a conscious effort your password will be a better option.
But there’s still another thing you can do to make your phone safer, even if it is physically compromised, and that’s to encrypt it. This can ensure that even if someone finds your phone, or steals it, they won’t be able to access the data on it. If you can’t get to your personal information, at least no one else can either. It’s a simple process that requires you to go into your phone settings → security → encrypt phone. You’ll face a number of prompts to ensure that you’re aware of what you’re doing before your phone restarts and begins the process. So make sure you know what you’re doing. First of all, the process is irreversible. If you encrypt and then run into an issue, the only way to have your phone be unencrypted is by performing a factory reset, and that means losing any data that’s not backed up. You will also want to unroot your phone in the case that it’s already rooted. Encrypting a rooted phone can cause all sorts of problems, so unroot, encrypt, and then re-root to be safe.
Now beings the varsity level portion of our post. All of that just secures your connection and encrypts (some) transmissions. Your phone is a security liability. Verizon recently announced the launch of AppFlash, an app that would collect tons of data about users and their online activities, before quickly backtracking after public outcry. In the past, Apple, AT&T, Sprint, Samsung, and HTC have all used Carrier IQ, software that sits in the core of a phone and has access to everything. Whether they were actually collecting constant data isn’t for sure, but they certainly had access to it. There’s a way to get around that, and that’s the first step I recommend taking: install a custom ROM on your Android phone. Stock ROMs, the version of Android that come on your phone, are often branded and include carrier software marked as system software that cannot be uninstalled. Unless you’re getting a phone straight from Google, you probably have a branded phone. So get a new ROM. To see which ones you can choose from, check your phone against each ROM’s compatibility list. Here are a few options.
LineageOS is probably the most widely compatible ROM out there, and open-source to boot. They used to be called CyanogenMod until recently, when they rebranded due to issues Cyanogen Inc. But see what your options are and compare features.
Something you’ll want, or need, to do when you’re changing ROMs is to install a custom recovery. The recovery is a bit of software that can run before your phone gets to the main operating system. You know when you turn on your computer and it quickly gives you some text before the Windows or Linux logo come up? That’s your BIOS and it’s similar. From your phone’s recovery you can usually reboot, wipe partitions, or install and update over ADB. With a custom recovery you can do all that and more. Those additional options include creating backups, recovering from said backups, mounting as storage. and flashing zip file updates and ROM images. Even if you aren’t using it to install a new ROM, mounting as storage may let you get to files on your phone, even in the event that it can’t boot. The two most popular recovery options are TWPR and ClockworkMod. To install a custom recovery, you’ll need to unlock your bootloader.
When people talk about getting control over their iPhones they talk about jailbreaking. With an Android phone there are actually two levels of control you can take. One is your bootloader, the other is root. Unlocking your bootloader gives you control over the phone itself. Root gives you total control over Android, which is your operating system. The bootloader is a much more fundamental part of the phone, but also one you won’t directly interact with as often. Root will give you permission to run things within your phone’s desktop that you normally wouldn’t be allowed to.
You also don’t necessarily have to have both. You can unlock your bootloader but not use root. This can be useful if you want to change your phone’s ROM, or gain access to those sweet backup and recovery options, without messing with advanced apps. Some apps, like Android Pay, will refuse to run if you have root access because it could be a security risk if you don’t know what you’re doing. But having an unlocked bootloader won’t bother it at all.
Conversely, you can likely gain root access without unlocking your bootloader. This can be useful if you just want to add a few extra features to your phone but don’t want to, or can’t, mess around with the bootloader. Something else to be aware of is that unlocking your bootloader with reset your phone to factory new. So if you do go down that route, it’s best to do it as soon as you get a new phone. And if that’s not where you are at, then make sure you have everything backed up before beginning the process.
As always, if you have further questions, or need help finding more information on any of these processes, comment below. Also feel free to ask for certain topics to be covered in the future.