How to secure your phone | General Hacking | Crax

Scala666

Member
Joined
Dec 19, 2023
Threads
200
Likes
163
Awards
7
Credits
13,015©
Cash
0$
SMARTPHONE APPS
There are many problems with the secure use of phones that are difficult to mitigate. The apps are
convenient and a lot of people use them.
I have broken it into 3 different OpSec needs: LOW, MEDIUM and HIGH. You decide where you land.
There is no way to route your traffic through Tor on iOS without routing all of the traffic on the phone
through another device. You are stuck using the apps without hiding your IP. You can use TorBox with
iOS, torbox.ch
Guide is only for Android.

LOW
1. Download "Orbot" from the Play Store. You use Orbot to route traffic through Tor.
2. Open Orbot and set it up. Don't change anything.
3. Download your IM client if you do not have it yet.
4. On your phone go to Settings->Apps->Manage Apps->YourIMApp->Permissions and remove all
permissions from the app. Just because your app is Tor routed does not mean it can not grab your
geographic location or anything else and store it in its servers.
5. If you already have an account then open the app and log out. If you don't then go to the next step.
6. Open Orbot. Tap on the grey onion with "START" written on it, it will turn yellow and then green with
"STOP" written on it.
Turn on "VPN mode".
Click on the cog in "Tor-Enabled Apps"
Select your IM application and nothing else. Mixing your regular internet activities and activities you
wish to keep anonymous on Tor defeats the purpose. Only use Orbot with the IM app.
You can use a bridge to hide your Tor use from your mobile service provider/ISP. Sometimes bridges are
very slow.
Orbot will only work while it is running. If you use the app while Orbot is not running you will expose
your IP to the service. This will burn your account.
Orbot should open by itself on every phone reset. Just in case set it to open on boot. On your phone go
Settings->Apps->Manage Apps->Orbot and turn on Auto Start.
Orbot might not be connected on a restart, always check.
7. Open your IM app and make a new account. You have used your existing account with your real IP
and should consider it burnt.
Do not accidentally use the app with Orbot not running.
Do not use your old account, thereby tying the two together. Only way to use your old account is to log
out, disable Orbot and log in. The app might have a cache file that keeps track of all accounts used on
the phone.
Hope that the app does not gather identifiable metadata from your phone. Disable all permissions for
the app to make this less likely.
Sometimes who you talk to can be used to identify you. Just because you take care to keep yourself
anonymous does not mean your friends will.

MEDIUM
1. Buy a burner phone with cash.
2. Never put a SIM in your phone.
3. Never connect to a cell tower.
4. Keep your phone on airplane mode. Keep Bluetooth off. Location services off. GPS off. Turn on wifi as
needed. Keep in mind that the airplane switch is just a software switch. It does not mean the radio chip
is turned off or that it can not in any way send signals. Some phones allow emergency calls with airplane
mode.
5. Install the IM app or apps. If you can then grab the .apk without going through the Play Store. Beware
of downloading a .apk from an unofficial source, it could have malware. Otherwise make a new Google
account. You can make your first email on protonmail.com (through tor browser), I've found that
protonmail does not ask for phone verification or a bitcoin donation when using Tor in Brave browser.
That is because Brave browser has a unique signature for every user and it does not trigger bot
protections as often. Use the protonmail account as recovery e-mail for the Google account and it
should not ask for a phone number to verify. You can use a service like textverified.com for numbers.
Google might give you grief for making an account through Tor, use a public wifi or buy a Google
account from somewhere.
If you make a Google account through a public wifi and that account is ever identified as belonging to
you then your geographic location will be narrowed down. This might be unacceptable for certain
people.
6. Uninstall all apps that you are not using. Turn off all app permissions that you can for all apps.
7. Follow the LOW guide. In step 6 "Tor-enabled apps" don't select anything. This will route everything
on your phone through Tor. It will say "Full device VPN".
8. On your phone go to Settings->VPN-> Orbot (cog icon). Turn on "Always-on VPN" and turn on "Block
connections without VPN."
9. Orbot is not perfect. I can not predict the behavior of every phone but I think that your phone might
leak your IP while it is booting up. This is because Orbot does not have root privileges and uses a hacky
way to achieve what it is doing. Orbot does not start before your phone might try to connect to a server
somewhere. A lot of care is taken on Tails/Whonix to ensure that there are no IP leaks, I can not give this
guarantee with Orbot.
If you want to ensure that there are no IP leaks on boot, no possible DNS leaks or any other unforeseen
protocol leaks then you need to use TorBox. TorBox.ch for the guide. There is a portable version that you
can throw into your backpack and use discreetly while on the move.

HIGH
I would not trust airplane mode to work in all situations. The OS should ensure that no app is allowed to
make transmission but malware can get around that. There are bugs in software. Just because nothing is
being transmitted does not mean that it isn't listening. I think I remember some version of iPhone
logging all of the wifi SSIDs it saw when wifi was switched off. High value targets also need to worry
about their phones being targeted with malware. If you must use one of these devices then I suggest the
following.
1. Use an iPad or an Android tablet that does not have LTE capabilities. Use it in conjunction with a
TorBox.
2. Physically remove chips from the phone that are responsible for LTE and Bluetooth. You'll need a heat
gun to melt the adhesive and solder. You'll need replacement adhesive to put phone back together. Buy
phone that uses screws. Search for your phone schematic on the internet to identify the chips.
3. You can use an Android or iOS emulator to run the apps. I recommend Android Studio for Android and
Xcode for iOS. Android studio is available on Windows, Linux, Mac and ChromeOS. Xcode is only
available on Mac. You can do pretty much anything on a virtualised phone that you can on a real phone.
Of course you should do this on a device that is routed through a TorBox. The device itself should have
full drive encryption on boot.

BURNER PHONE OPSEC
Many people are very loose with their burners.
They use them in their home, work, where they are seen by cameras, at friends' houses, near their
home.
They make phone calls and send SMS.
They travel with their real phone and burner turned on.
You should never send SMS, these are unencrypted and saved for years by your service provider.
You should not make phone calls. Your service provider has the ability to listen in on those calls. Meta
data about calls is saved for years. Info saved is who called who, call duration and geographic locations
of callers.
If you must use cellular data then only do that if you have the use of an anonymous SIM available to you.
It better be worth it because I suggest you get a new phone at least every few weeks. Cheap phones cost
20-40 USD/EUR.
Proper way to use a burner that uses cellular data is to use it a long way from your home, nowhere near
where your real phone is. You do not have to turn off your real phone, leave it on at home.

PHONE ENCRYPTION AND DATA PROTECTION
There is a misconception that your data is encrypted when the phone is locked. That is not true. Some
data of some apps might be encrypted while the apps are closed. Some data on your phone might be
encrypted while it is locked but not all of it. If you get a message notification and a small snippet of it on
your lock screen then it is clearly not encrypted. Your data is only encrypted when you have full disk
encryption on and your phone is turned off. The weakness of that is that after decrypting on boot the
key is kept in RAM and some or all files might be decrypted while the phone is running. Starting from
Android 10 full disk encryption is not supported, only file based encryption.
If no decryption keys are in RAM or files are not decrypted then what LE often does is they dump the
data and just bruteforce the encryption. People use 4-6 number pins on their phones, that is trivial to
break.

To keep your sensitive data safe on your phone:
1. Set a strong unlock passphrase. This being your phone unlock password you should be able to
remember it. It also can not be too cumbersome to enter every time you unlock your device. I'd make it
well over 10 characters using numbers and letters and symbols. Since this is a password you use multiple
times a day you can make it more complex.
2. Do not use biometrics. The police will punch you in the mouth and unlock the phone whether you like
it or not. The police break the law and lie all the time.
3. Do not keep incriminating data on your phone. No documents, pictures or anything else.
4. Use self destructing messages in IM applications. Other people get busted and unlock their phones.
5. Do not use cloud syncing of any kind. Cloud backups have put people in jail.
6. There are always critical moments where if something bad will happen it will most likely be then.
Keep your phone turned off if you can.
 
  • Like
Reactions: fognayerku
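
Added example, not part of the original post: a small shell audit of two settings the guide depends on, the "Always-on VPN" plus "Block connections without VPN" pair and the removal of all app permissions. It works offline on text captured with the adb commands named in the comments; the dumpsys excerpt is constructed for a hypothetical IM package, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: offline checks over text captured from the device with
#   adb shell settings get secure always_on_vpn_app
#   adb shell settings get secure always_on_vpn_lockdown
#   adb shell dumpsys package <im.package>

ORBOT_PKG="org.torproject.android"   # Orbot's Android package name

# Succeeds only if Orbot is the always-on VPN AND lockdown
# ("Block connections without VPN") is enabled.
vpn_lockdown_ok() {   # $1 = always_on_vpn_app, $2 = always_on_vpn_lockdown
  [ "$1" = "$ORBOT_PKG" ] && [ "$2" = "1" ]
}

# Reads `dumpsys package` text on stdin and prints every runtime
# permission that is still granted (install-time ones are skipped).
granted_runtime_perms() {
  awk '
    /^[ \t]*runtime permissions:/ { in_rt = 1; next }
    in_rt && /granted=/ {
      if ($0 ~ /granted=true/) { sub(/^[ \t]+/, ""); sub(/:.*/, ""); print }
      next
    }
    in_rt { in_rt = 0 }   # any other line ends the section
  '
}

# Constructed sample of the relevant dumpsys section for a hypothetical
# IM package; not output from a real device.
SAMPLE_DUMP='    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      disabledComponents:'

report() {   # $1 = vpn app, $2 = lockdown flag, $3 = dumpsys text
  if vpn_lockdown_ok "$1" "$2"; then echo "OK   always-on VPN with lockdown"
  else echo "FAIL always-on VPN: app=$1 lockdown=$2"; fi
  printf '%s\n' "$3" | granted_runtime_perms | sed 's/^/FAIL still granted: /'
}

# Demo: Orbot is set as always-on VPN but lockdown is off, and two
# runtime permissions were never revoked.
report "$ORBOT_PKG" "0" "$SAMPLE_DUMP"
```

On a real device, `settings get` prints `null` for an unset key, which `vpn_lockdown_ok` treats as a failure.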