Mobile Security Risks for Activists

Mobile Risks: An Intro
How To Use The Mobile Risk Overview
General Mobile Risks
What Mobile Operators Know About You
Protect Yourself
Physical and Remote Access to Your Phone
Protect Yourself II
Specific Mobile Use Risks: Voice, SMS, Web, Email, Photo/Video
Voice
SMS/Text Messaging
Web Browsing
Mobile Email
Photos, Videos, and MMS
Security for Smartphones

Voice

Voice is used for person-to-person calling and personal voicemail (if available), but can also be part of an automated system. For example, Interactive Voice Response (IVR) systems might operate a hotline for reporting incidents of police corruption.

Security risks

All voice communications can expose you, whether it is by simple eavesdropping by someone physically near to you or by tracking call recipients and times at the network level. Here are some risks to consider and ways to minimize these risks.

Eavesdropping/recording calls

As with any conversation, you could be overheard or recorded by someone nearby.

Your conversation could be eavesdropped or recorded by an app installed on your phone without your knowledge.

Voice calls are encrypted between the handset and the cell tower. However, various sophisticated attacks are possible against mobile networks, particularly older standards (the GSM standard, still the predominant standard in the world, is more vulnerable than 3G). For example, hardware that impersonates a GSM base station is commercially available.

Persistent records

The details of your call (whom you called, at what time, for how long) are stored by the network even if the content is not. Unless you have taken specific precautions, you and the person you call are using phones that have been linked to you by both the IMEI number (the handset identifier) and the IMSI (the SIM card identifier).

Voicemail messages are stored by the mobile network operator and should not be considered secure, even when protected by a personal PIN.

Interactions with an Interactive Voice Response (IVR) system are only as secure as the system itself. Be sure that the organization or entity running the system is trustworthy, technically competent, and will not allow your calls to be monitored or recorded.

Any phone use reveals your location to the network operator. The stored record of your activity (calls, texts, data use) places you in a particular place at a particular time.

Protect Yourself

Use a basic phone, without apps, rather than a smartphone.

If you must use a smartphone, use an encrypted VOIP application instead of calling through the mobile network.

Buy your phone and SIM card without identifying yourself, if possible in your country, and change both regularly. Use a prepaid SIM card.

Consider making sensitive reports from public phones, or, if you feel you are recognizable, asking someone else to do it.

Delete call logs (understanding that they may be able to be retrieved even if deleted by someone with specialized knowledge and forensic tools).

Be careful how you store contacts in your address book - be aware that your phone or SIM may be stolen and call records associated with callers and receivers.

A virtual phone number such as Skype Online Numbers (“Skype In”) or Google Voice provides one level of protection by de-linking the caller and you and by allowing you not to expose your mobile number. However, using Skype In or Google Voice for calls places some trust in Skype, Google, or whichever service you choose. This might not be a good idea in some countries where these services might be compromised.