Mobile Security Risks for Activists

Mobile Risks: An Intro
How To Use The Mobile Risk Overview
General Mobile Risks
What Mobile Operators Know About You
Protect Yourself
Physical and Remote Access to Your Phone
Protect Yourself II
Specific Mobile Use Risks: Voice, SMS, Web, Email, Photo/Video
Voice
SMS/Text Messaging
Web Browsing
Mobile Email
Photos, Videos, and MMS
Security for Smartphones

Mobile Email

Mobile email can be accessed in two ways.

Through your phone’s browser using a webmail provider (Gmail, Hotmail and Yahoo, for example). Everything we’ve said about secure web browsing above also applies to email access through you phone browser.

Using a dedicated email app that you might install or that might come pre-installed on the phone. The way these apps work can vary quite a bit and so can their security.

If you access your email through the phone’s browser and do not use HTTPS, your message is sent in plain text and can be read by the mobile network operator and potentially by malicious attackers on the open Internet.

Even if you use HTTPS, the network operator can see the site you are accessing, as well as the date and time of the transaction, your location at the time, and identifying information about your phone. This information may also be logged/stored.

Email headers - email addresses of the sender and recipient, email subject - are never encrypted even when using an encrypted email protocol like PGP.

The recipients of your email may have security vulnerabilities on their side, and the message content and your identity may be revealed by them.

Protect Yourself

When accessing your email through a webmail service, use HTTPS throughout the transaction. If possible, use Tor as well.

If you are using a smartphone, consider using open PGP email. PGP is a data encryption protocol widely used around the world for encrypting e-mail messages and securing files.

There are also PGP webmail services, but note that because these store your private key on the server, they are less secure. Use only if you trust the provider’s security, and are aware of the circumstances in which they may be forced to hand over your email to law enforcement. More information on PGP webmail security issues is available on RiseUp.net and in an article by Bruce Schneier

Since your subject line is not encrypted when using PGP-enabled email, keep your subject line generic, and consider switching between several email addresses if you don’t want anyone watching your communication to notice a pattern.

Talk to the recipients of your correspondence about their security practices, and, if you feel they may not know enough to protect themselves, consider communicating a different way.