Mobile Security Risks for Activists

Mobile Risks: An Intro
How To Use The Mobile Risk Overview
General Mobile Risks
What Mobile Operators Know About You
Protect Yourself
Physical and Remote Access to Your Phone
Protect Yourself II
Specific Mobile Use Risks: Voice, SMS, Web, Email, Photo/Video
Voice
SMS/Text Messaging
Web Browsing
Mobile Email
Photos, Videos, and MMS
Security for Smartphones

SMS/Text Messaging

Like voice, SMS, also referred to as text messaging, can be used between individuals - for conveying short information, getting someone to call you back, or just keeping in touch.

Automatic systems for one-to-many texting are also useful, for example, in mobilizing a large group or getting news out. Many-to-one/data collection systems are also popular to help aggregate incident reports, solicit opinions, or collect some kinds of routine data.

SMS messages are sent in plain text. They are not encrypted, so the content isnot hidden or disguised in any way. Anyone who intercepts the messages (with the help of the mobile network operator or by listening for traffic in a particular network cell) can read your SMS.

Mobile network operators keep records of SMSs sent through their network. This includes details of date and time sent, details about the sender and recipient, as well as the unencrypted contents of the message.

Sent or received messages stored on a phone or SIM are vulnerable if the phone or SIM is lost or stolen.

It is possible for mobile apps to access sent and received text messages that are stored on your phone.

Protect Yourself

Keep the content of your messages to a minimum - expect that it can be read, and that the reader will know the date and time it was sent as well as the location of the sender.

If you must use text messaging, do so from a basic phone and not a phone with apps.

Set SMS storage to very low or none. Turn off the option to save outbound messages. Delete messages regularly. For more details on how to lock down your phone, review the (link to guide).

Consider using an encrypted messaging app instead of SMS. Many of these apps require a data connection, and you will need a phone on which apps can be installed. There are several encrypted messaging apps that run on Java phones and many for smartphone operating systems like Android, iPhone OS (iOS), and Blackberry. Which one works for you will depend on your phone’s operating system. Note that many encrypted messaging apps require that both the sender and receiver use the same app (and therefore the same kind of phone), so this strategy probably works best for small group communications.

If you are setting up an SMS messaging system for mass-texting SMS to recipients, make sure your servers and infrastructure are secure. If you are sending SMSs in to a system run by another organization, evaluate their security precautions as best you can, and especially check how they plan to share your data. Ushahidi, for example, can be set up to make all incoming reports publicly available on the Internet. This may be helpful for disseminating disaster information widely, but could be problematic in a situation of political upheaval.