Mobile Security Risks for Activists

Mobile Risks: An Intro
How To Use The Mobile Risk Overview
General Mobile Risks
What Mobile Operators Know About You
Protect Yourself
Physical and Remote Access to Your Phone
Protect Yourself II
Specific Mobile Use Risks: Voice, SMS, Web, Email, Photo/Video
Voice
SMS/Text Messaging
Web Browsing
Mobile Email
Photos, Videos, and MMS
Security for Smartphones

Web Browsing

The mobile web isn’t just for browsing, although looking for information or news reports is one of its main uses. If you are using the web version of an online service (such as Gmail, Twitter, Facebook), or if you are blogging or tweeting from your phone, you may also be using the mobile web. Certain smartphone apps also use the web to send or receive data.

Unless you are using HTTPS (you can tell by looking at the site address - it shouldbegin with https:// and not just http://), your traffic is not encrypted. A curious attacker on the network can use a packet sniffing tool to see:

What sites you are accessing
Content you are uploading/downloading

Some mobile web browsers don’t support HTTPS at all, meaning your account credentials (user name and passwords) and any queries are transmitted in the clear and unencrypted all the time.

Your web access sessions are recorded, with time and date, by the mobile network operator.

Unless you are using a traffic anonymizing service like Tor, the network operator can see both the source (your phone) and destination (the website you are visiting) of all your browsing. This information may also be logged (stored) by the network operator.

Some mobile web browsers - notably Opera Mini - route the pages you see through their server to optimize them for mobile viewing. Even if your connection to the page is secure, they see data you send and receive in plain text. Opera Mini on the iPhone has the same problem. Older versions of Opera Mini (prior to Opera Mini Basic v.3) also send data in plain text between their server and the website you are browsing.

If you use the browser on your phone to save passwords to websites you use often, remember that anyone with physical access to your phone can potentially see those passwords and access these same websites on your behalf.

Remember that websites, as well as the Internet service provided by your mobile network, can be unavailable at times. This could be because of technical problems or a malicious attack.

Protect Yourself

Use HTTPS for sensitive browsing, and make sure that all the pages you see, from the login page onward, are encrypted. Look for a padlock icon or https:// in the address line to indicate that your are browsing securely. Note that some mobile browsers hide the address bar.
If available for your phone, use Tor to anonymize the source and destination of your browsing. At the moment, the only official mobile client for Tor is Orbot on Android# - see instructions here.

If you use Opera Mini as your mobile browser, make sure you have the latest version. Also, familiarize yourself with how security works for this browser and remember that by using it, you are allowing Opera Software to see browsing you do over https in plain text.

Be aware of changes to familiar sites. Even with HTTPS, there have been cases where a fake site has been put up to impersonate a real log-in page to steal account passwords. If you suspect anything, abandon a potentially compromised account and get a new one.

If certain sites are commonly blocked but suddenly become available, be wary. There could be a greater degree of surveillance of these sites.

Avoid relying on just one site or one mobile network. If you have multiple SIM cards and multiple secure email accounts, you are more likely to be able to communicate even if one network operator or website is down.