A Guide to Mobile Security For Citizen Journalists

Transcription

1 A Guide to Mobile Security For Citizen Journalists Your Citizen journalism, and with it the rise of alternative media voices, is one of the most exciting possibilities for mobile phones in activism. Mobile phones are used to compose stories, capture multi-media evidence and disseminate content to local and international audiences. This can be accomplished extremely quickly, making mobile media tools attractive to citizens and journalists covering rapidly unfolding events such as protests or political or other crises. The rise of mobiles has also helped extend citizen journalism into transient, poor or otherwise disconnected communities. However, for those working under repressive regimes, citizen journalism can be a double-edged sword. Anything you create and disseminate can be used against you, whether through the legal system or in other more sinister forms of suppression. Bloggers and online activists have various tools at their disposal to provide anonymous browsing, encryption, and privacy protection when working from a PC. For mobiles, the options are far fewer. Currently, anonymous browsing (through Tor) requires an Android phone, but encrypted content uploads over https are possible with many of the newer feature phones. At the same time, we know that security depends as much on setting (and sticking to) good protocols as on the communication tools you use. You can minimise risk by using a phone that cannot immediately be traced to you, or by capturing notes, images and video on a phone but uploading from a securely-configured PC.

2 Mobile Technologies and Threats (Or: Knowing Your Enemy) In our Mobile Surveillance Primer, we discussed the security and privacy threats inherent in mobile communications, and offered some suggestions on how to avoid surveillance. Here's a quick recap. We encourage you to read the entire article, however! SMS and MMS (multi-media messages/pictures and are transmitted unencrypted across the GSM network. Anyone with access to the network (a hacker with some fairly inexpensive encryption cracking technology, the mobile network operator itself, or anyone who is able to co-opt them) can see the content of your message as well as a slew of identifying information: unique numbers identifying the phone and SIM card, the time of the message and approximate location of the sender, and the phone number of the recipient. Voice calls are similarly vulnerable, with the added danger of identifying you by your voice (if recorded). You could also be overheard by someone in close physical proximity. Mobile Internet connections reveal all the identifying information of the phone, as well as the address of the site being visited. Unless you are using an encrypted (https) connection, all your data is also transmitted in plain text. This leaves you vulnerable not only to hackers on the GSM network and network operators, but also to anyone who is able to watch your traffic on the Internet. In general, third party applications have access to all of the above as well. They may also contain malicious code that can access and transmit data from your phone without your knowledge. Avoid installing third party apps on a phone you want to use securely. Once you upload data to a website, you are bound by the terms of service of that site. The site owners may hand over any identifying information (such as your IP address) they have about you, or be compelled to do so. This doesn't sound very promising - it's not. There are very few tools available for secure mobile communications, and none that are ideal in their current state. However, there are some options for users of feature phones, and more for

3 smartphones. When combined with a careful strategy, apps for encrypted communication and anonymous browsing can improve the security of your mobile journalism work. Doing Secure Internet Research: Anonymous Browsing on Android with Tor If you're looking to invest in secure mobile communication, Android phones are a good bet. Smartphone platforms in general are better able to perform the 'heavy lifting' required for secure communication. Android itself is largely open source, making it harder to hide malicious code. The rise of the widely-supported open source smartphone platform also opens the way for the development of an Android version with security built in at operating system level - the goal of the ongoing Guardian Project. Right now, there are many applications in development, but few with viable releases for immediate use. TorProxy, an Android application that provides anonymous routing of Internet traffic through the Tor network, comes closest. After installing TorProxy and Shadow, an anonymous web browser, it is possible to browse without revealing the source or destination of your Internet traffic. Tor also provides encryption for all but the final communication stage between the last Tor server in the chain (the Tor 'exit node') and the destination. The major weakness of the TorProxy/Shadow approach is that, because of a bug in the Android platform, it is not currently possible to use Shadow to communicate over https. Https is the encrypted version of the hypertext transfer protocol (http) used to browse the web. Sites that require the user to log in before they can add content - web services, twitter, photo sharing sites such as flickr, major blogging platforms - often use https for authentication, and cannot be accessed without it. Without https, the Tor exit node can also access the unencrypted contents of your communication. If the exit node is malicious, this can be a critical security risk.

4 The TorProxy/Shadow is good for maintaining anonymity while researching or reading online, but unless the https bug is fixed, critically restricted when it comes to disseminating content. In our tests, it was also extremely slow on unreliable mobile networks (3G was usable, but EDGE/GPRS was not). Even when used for browsing, Tor can be vulnerable in certain situations. For example, Flash video (such as YouTube) is blocked by default because it could compromise your privacy. You are strongly advised to read more about how Tor works to understand when you are and are not protected. It's also worth noting that there is some concern about the security of the original Java library(onioncoffee) from which TorProxy was developed. We're hoping to see improvements and other implementations in the coming months. If you're interested in a more robust implementation of Tor for Android, you should follow developments on Orbot, which is part of the Android Guardian project. In Short: TorProxy and Shadow provide a version of Tor for Android phones Good for: research and browsing - Tor provides anonymous browsing Major weakness: Shadow does not currently support https. Sites that require you to log in won't work, and Tor exit nodes can see your traffic. Orbot is another implementation of Tor for Android. It looks promising, but is currently still under development. How to do it: Download TorProxy and Shadow from the Android marketplace, and configure following these instructions. There's also an illustrated setup guide. Resources: How Tor works: technical overview or layman's guide What Tor does and does not do OrBot, a possible future alternative to TorProxy, is currently in development as part of the Guardian project. Keep an eye out for updates!

5 Secure Content Uploading: Browsing and with https Even if you aren't able to use Tor to browse anonymously, browsing with https - the encrypted version of http, the protocol used to access websites - can still protect the content you upload. Although https versions of sites such as gmail ( and twitter ( do not protect you from having the source, destination, size and time of your upload recorded, the content itself is encrypted while in transit. Most smartphone browsers support https, so if you have a smartphone, you should be able to access https sites out of the box. You could also try Opera Mobile (not Mini), a secure alternative to the default browser available for Nokia and Windows Mobile smartphones. It's also possible to use Opera Mini to access sites over https from many other phones. There are two caveats here, both related to the browser's use of an intermediary server to optimize sites for display on mobile devices. If you have a very old phone and are using Opera Mini Basic, your connection between the phone and Opera Mini's optimization server is not encrypted at all, and should not be considered secure. Most people should be using Opera Mini Advanced, which encrypts both the connection between you phone and the optimization server and the onward connection to the destination site. However, both versions allow the optimization server to access the data unencrypted. If an adversary were to gain control of the Opera Mini optimization server, they would be able to observe your communication. Again, this isn't a perfect solution. For content uploading, https has two major problems: Not many mobile sites are fully https-enabled. Mobile sites like m.wordpress.com are only https-enabled during log-in. This means that

6 your username and password are not revealed to the network. However, after the log-in page, the site switches back to using regular http, which means that all the content you are uploading are available to the network. is one of the only content uploading sites that has site-wide support for https on the mobile web. While browsing https sites, the network can still see the source, destination, size, and times of your uploads. Looking at upload sizes and times of content on the websites themselves, adversaries may be able to link you to the content you upload. And since they know the source of the upload, they will be able to figure out which SIM and phone you used to upload the content, as well as the location of that SIM and phone on the network. To avoid these issues, we suggest the following tactics: If you find https-enabled sites for uploading content, make sure to change the publicly viewable upload time of content you upload. While this may not help you if the uploading site's server logs are compromised, there will be less publicly available information linking you and your phone to the content you uploaded. You should also consider using only sites that are commonly used in your location, so that you aren't the only person accessing the site at a particular time. Use https-enabled as an intermediate step rather than uploading your content directly from you phone. If you are able to connect with a trusted contact who can access the Internet anonymously from a PC running Tor, ing your content to this person to upload will make it harder to trace its origin. Alternatively, many sites allow you to upload content to an existing account (which you need to have created previously, ideally from a PC running Tor or an anonymous proxy) via . Wordpress.com offers upload functionality, as doyoutube and flickr. Both gmail and hushmail offer https webmail, although gmail does not encrypt messages stored on its servers. An attacker who is able to breach gmail's security could view your messages.

7 Hushmail stores messages in encrypted form, but is still vulnerable to attackers who are able to guess a user's passphrase. They also warn that they will cooperate with subpoenas issued by Canadian courts. Because of the way hushmail works (the recipient must visit the hushmail site to decrypt a message), it is not suited for uploads. In the free version, total storage is also limited to 2MB, so you'll need to reduce the size of image, video and sound files before uploading if you want to use the service with large attachments. Gmail's message storage is much more generous. In Short: Browsing over https encrypts the content of your communication, but not the source or destination. Most smartphone browsers support end-to-end encryption over https, as does Opera Mobile. Opera Mini basic isn't secure. Opera Mini Advanced encrypts your content everywhere except the Opera Mini optimization servers Many content uploading platforms allow you to submit content using an submission address. Consider sending to such as address (or a trusted human being) using https-enabled webmail. How to do it: Download Opera Mobile here or by browsing to m.opera.com/mobile on the phone Download Opera Mini for your phone model here or by browsing to m.opera.com on the phone. If you're not sure which version you're using (basic or advanced) you can check by looking at the startup screen: when you launch the advanced version, you'll see the opera mini logo, while the basic version shows only text.

8 Resources: A review of the security features of popular webmail services, from lifehacker. Only gmail and hushmail are reasonable options. A Guide to Anonymous Blogging using Tor, by Ethan Zuckerman at Global Voices. Although the first part of the article is about how to install Tor on a Windows PC, it's worth reading for tips on accessing Wordpress.com anonymously. If you're planning to ask a trusted contact to upload content on your behalf, they should definitely be using Tor! Bruce Schreiner's security analysis of encrypted webmail services Coordinating and Uploading without Security: Anonymous Throwaway Phones Even if your phone isn't capable of running special software to allow you to browse and upload content, you can still take practical steps to improve your security. Purchasing an anonymous phone - one which cannot immediately be traced to you - and a prepaid SIM card is a good way to prepare for situations where the timing and content of your message is important enough that you are willing to discard the phone after use. An anonymous phone can be used to capture and disseminate information via the mobile web, SMS, or MMS, or to increase mainstream media coverage of an event by tipping off sympathetic journalists. MobileActive's Surveillance primer has some general information about how to avoid surveillance, and this guide from FreeB.E.A.G.L.E.S deals with buying and maintaining an anonymous phone. As more and more countries require SIM registrations, however, buying a SIM anonymously is becoming harder to do. It bears repeating that SMS and MMS are transmitted completely unencrypted, and that the network operators of the sender and recipient have access not only to the identitifying number of the phones and SIMs involved, but also to a reasonably accurate location estimate. If you suspect that an adversary is co-operating with the network operator, you should be extremely careful using these services at all.

9 In Short: Sometimes, you message might be so important that you're willing to send it unencrypted Try these tips to buy and use a phone anonymously Never re-use a phone or a SIM that could have been linked to suspicious activity