Effective Mobile Security in the Post-Snowden Era
The revelation in October 2013 that the US National Security Agency had monitored the mobile phone calls of Germany’s Chancellor Angela Merkel started alarm bells ringing around the world.
Over the last few years we have become familiar with the threats to personal and corporate security posed by online criminals and hackers, but with smartphone usage continuing to accelerate, this incident has placed mobile devices firmly under the spotlight of concern.
Smartphones now have the screen size, processing power and storage capacity that make them viable for workers to use in virtually any environment. Although the big security software companies have started to pay more attention to the mobile market by extending their PC applications to work on mobile devices (anti-virus tools, authentication technologies, download screening, etc.), few have extended their ambitions to protecting the actual content of mobile communications. Meanwhile the mobile network operators and telecommunications companies have also made relatively little effort in this area so far.
So where does this leave companies and individuals who, for legitimate reasons, feel the need to protect their security and privacy beyond the basic security settings available on standard mobile devices?
Well, the first thing to realize is that the next step is not going to be easy and requires a significant investment in time, effort and money. In her highly entertaining book “Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance” (Times Books, February 2014), former Wall Street Journal investigative reporter Julia Angwin documents how difficult it is for the average citizen to maintain digital privacy.
So here are a few simple security basics before we look at more advanced options:
- Build stronger passwords (but ones you can still remember).
- Use different search engines (basically do not use just Google all the time).
- Severely limit postings to social media sites.
- Use ‘burner’ pay phones for some purposes.
- Use internet cafes plus ‘hot spot shields’ for others.
- Turn on encryption settings where available on mobile devices.
- Turn off location services on phones and mobile apps.
- For maximum privacy, switch off your phone and remove the battery.
These measures are a good start, but not enough if you are really serious about privacy. For this you need to define your personal ‘threat model’. As there is no single solution for staying safe in a mobile world, the key to success is to understand what potential threats you actually face, what you need to protect, and who you need to protect it from.
The answers will differ from company to company and from individual to individual based on your work, your devices, your geographical location, who you work with, etc…
Privacy and security threats come from many directions: governments, industrial spies, computer hackers, common criminals, advertisers, retailers and data aggregators:
- Governments want to monitor people who could be a danger to the state.
- Industrial spies are after your trade secrets and intellectual property.
- Hackers want to gather credit card details, passwords and identities.
- Criminals run internet scams, financial frauds and ‘get rich quick’ schemes.
- Advertisers want your buying habits and location data to target personalized ads.
- Retailers monitor devices in-store for promotional and sales purposes.
- Data aggregators track you digitally 24/7, collect your personal data from various sources, analyze it, and then sell it on to third parties.
Once you know exactly what areas of privacy and security you are concerned about, you can decide the key content areas you need to protect: phone calls, texts, e-mails, web browsing, internet searches, online transactions and payments, location information, file storage, etc…
It is outside the scope of this short article to cover all the different types of privacy and security solutions currently available to companies and individuals. At a minimum, you should be considering an encrypted voice, text and messaging application to secure your cellular and Wi-Fi communications, plus access to a virtual private network (VPN) to shield your public online and hotspot activity.
Voice, Text and Messaging Encryption
Encryption applications protect the content of your personal communications. They take the form of either software or hardware solutions, ranging from basic to fully-featured services, with varying levels of encryption from ‘pretty good’ to ‘military grade’. Most of the software applications are user-friendly, easy to set up and available as simple downloads.
VPNs
When connecting to the Internet through a VPN, you establish an encrypted connection from your mobile device to the VPN service. The service decrypts your information and passes it on to the requested location (i.e. website) on the Internet. Information from the contacted website is then passed back to you through your encrypted connection with the VPN service. The websites you connect to see only a connection coming from the VPN service, and the public hotspots you use see only an encrypted connection to the VPN service, so neither knows who you are.
Below is a list of a few representative applications in these two key categories with links to further information.
Encryption:
Silent Circle – Android/iPhone/PrivatOS, encrypted calls: http://www.silentcircle.com
Seecrypt – Android/iOS/BlackBerry, encrypted calls: http://www.seecrypt.com
Cellcrypt – Android/iPhone/BlackBerry/Nokia, encrypted calls: http://www.cellcrypt.com
Sirran – Android/iPhone, encrypted calls: http://www.sirran.com
Koolspan – Android/iPhone, encrypted calls: http://www.koolspan.com
CoverMe – Android/iPhone, encrypted calls, text messages: http://www.coverme.ws
Surespot – Android/iPhone, texts, pictures, messages: http://www.surespot.me
VPNs:
F-Secure: http://www.f-secure.com
Hotspot Shield: http://www.hotspotshield.com
Hidemyass: http://www.hidemyass.com
Enterprise-focused Solutions:
Airwatch: http://www.air-watch.com
Centrify: http://www.centrify.com
Anchorfree: http://www.anchorfree.com
There is of course no absolute guarantee that any particular app or service will work on any one device. The service providers spend considerable time testing their software against individual makes of handset, but the speed at which the smartphone market is advancing makes it difficult to keep up with all the new models, latest versions and operating system updates.
In conclusion, in today’s increasingly connected world the widespread collection of personal data by interested third parties has become practically inevitable. However, the technologies are available to enable you to control this if you are prepared to make the effort. It all comes down to your individual threat model to determine how secure and private you want to be.
Contributed by Jules Trocchi.
Jules Trocchi is CEO of Security Direction International Ltd., a specialist consultancy focusing on the hottest sectors and latest technologies in the security industry.
http://www.sdinternational.co.uk
The story was inspired by much input from members of the OPSEC Professional Society and thrashed out and expanded by Jules Trocchi. Many thanks for a great article.