safermobile

Tool Review: Vibe Messaging

Posted by MelissaLoudon on Dec 22, 2011

Vibe burst onto the scene following reports that protesters were using it to coordinate with each other at the recent Occupy Wall Street demonstrations and camps.

As a smartphone app for anonymous broadcast messaging, Vibe is going after an important idea. In fact, it’s been promoted as an anonymous version of Twitter. Anyone with the app can post - there are no accounts - and users are able to limit the lifetime of the messages (from a few minutes to a few days) and the location to which they are broadcast (from a few meters to anywhere).

Vibe is clearly a useful tool. Some of the ways it has apparently been used include asking anonymous questions at a conference, and communicating with neighbours about local events. The ‘anonymity’ of not having to create an account may be perfectly adequate for these situations. However, when it comes to its use by activists - where it is being promoted as an appropriate tool for people who face serious security consequences should their identity be revealed - we need to delve deeper into promises of anonymity.

In the case of Vibe, our analysis revealed some serious concerns. Some of these have come up in other reviews as well.

Gibberbot

Posted by ccarlon on Oct 14, 2011
Main Contact: 
info@guardianproject
Problem or Need: 

Gibberbot is designed for people who need to chat securely. If you and the person you are communicating with are both able to use it, secure chat can be used as a replacement for email and text messaging.

Gibberbot should work on any Android phone. It’s probably best for users who are reasonably comfortable chatting and handling their phone, and it’s only currently available in English.

Brief Description: 

Gibberbot is an instant messaging app for Android phones, developed by The Guardian Project. Gibberbot implements off-the-record messaging (OTR). Off-the-record messaging is a way to conduct an instant messaging conversation with the following attributes:

  • Encryption. An eavesdropper cannot read your messages.
  • Authentication. You can verify the identity of the person you’re chatting with - or at least of the account they are using.
  • Deniability. It is not possible for a third party to prove that a particular user sent or received a particular message.
  • Perfect forward secrecy. It is not possible for an attacker to decrypt a previous conversation, even if he/she obtains the encryption keys used to encrypt it.

Gibberbot can also use Orbot to route your chats over the Tor network. This prevents an observer from following the source and destination of your messages (effectively, from knowing you are chatting) and provides a way to circumvent web censorship that may involve chat servers being blocked.

Off-the-record messaging only works when both parties in the conversation are using it. This means both parties need to use Gibberbot, another mobile app, or chat software that supports it. Currently Gibberbot is the only option we know of for mobile phones. Off-the-record plugins are available for several PC chat programs, including Pidgin (Windows and Linux), Adium (Mac), Trillian (Windows) and Miranda (Windows).

Tool Category: 
App resides and runs on a mobile phone
App resides and runs on a server
Key Features : 
  • When used with Orbot, Gibberbot combines the security, privacy and anonymity provisions of off-the-record messaging with the additional anonymous browsing and circumvention protection of the Tor network.
  • Gibberbot is currently the only implementation of off-the-record messaging for mobile phones that we are aware of.
  • The code for Gibberbot is open source and freely available for download - there are no costs involved except your airtime while chatting.
  • The project encourages user feedback through a mailing list, feedback form on their website, twitter account and IRC channel.
Main Services: 
Other
Tool Maturity: 
Currently deployed
Platforms: 
Android
Program/Code Language: 
Java/Android
Is the Tool's Code Available?: 
Yes
Is an API available to interface with your tool?: 
Yes
Featured?: 
Yes

SaferMobile: Mobile Email Security, Data Protection, and Anonymous Browsing Guides

Posted by ccarlon on Oct 14, 2011

For many, mobile devices are an indispensable tool for storing and sharing increasingly sensitive information. Contacts, emails, and mobile browsing history can easily be compromised unless you take the proper measures to ensure that information stays in the right hands... and out of the wrong ones. Newly added to our mDirectory are the following how-to guides on securing mobile email, mobile anonymity, backups, and data deletion from our SaferMobile team: 

  • Securing Your Mobile Email - This guide catalogs the different tactics you can take to keep mobile email safe. It covers email security basics, TLS/SSL enabling, and email encryption. The guide also provides customized tactics and suggestions for Android, Blackberry, iPhone, and Nokia/Symbian phones.
  • Mobile Tools for Backups, Data Deletion and Remote Wipe - Anyone who has ever had their phone stolen knows how frustrating and potentially dangerous that can be. Here we have a comprehensive review of some of the tools out there for data backup and restore, data deletion, and remote wipe.

For all other materials produced by the SaferMobile team, check out this complete list (and watch for a new SaferMobile site soon!)

Mobile Tools for Backups, Data Deletion and Remote Wipe

Posted by MelissaLoudon on Oct 14, 2011
Author: 
SaferMobile
Abstract: 

Anyone who has had a phone stolen knows the frustration of trying to rebuild your contact list, not to mention data on the phone that is unrecoverable. Worse, the data stored on your phone can be dangerous in the wrong hands. In addition to being able to impersonate you to your mobile contacts, consider the risk of an attacker who has access to some or all of the following:

  • Your saved contacts - names, phone numbers, perhaps also email addresses and physical addresses
  • Call logs - calls made and received
  • Stored text messages
  • A calendar with your appointments, or a task list
  • Your mobile email
  • Your web browser with stored passwords
  • Photos, video and sound recordings stored on the phone and memory card
  • Data stored by applications - notes, social networking contacts and posts

Three kinds of tools can lessen the pain of losing your mobile data, and limit your risk should your phone be lost or stolen.

  • Backup and restore tools allow you to save a backup of contacts and other data stored on your phone
  • Data deletion tools can be used to ‘clean’ a phone completely before disposing of it, giving it away or travelling to a location where you are worried it could be stolen or confiscated
  • Remote wipe tools are set up so that if your phone is lost or stolen, you are able to clean it remotely, deleting sensitive data. Many remote wipe tools also allow you to track the phone provided it has not been turned off.


Securing your Mobile Email

Posted by MelissaLoudon on Oct 14, 2011
Author: 
SaferMobile
Abstract: 

Email wasn’t designed with security in mind. Unless you take steps to protect your communication, emails are sent in plain text - and so are your email account username and password.

At the same time, if you and your recipient are taking the appropriate security precautions, mobile email can be a secure and reliable alternative to other forms of mobile communication. If you have data service for your mobile, encrypted email can replace text messaging, and if you aren’t able to access a website securely to upload content - photos or videos for example - getting it to a trusted contact as an email attachment can be a safer alternative.

This article suggests the following tactics for improving the security of your mobile email:

Email security basics

Even if you’re not using encrypted email, you can take some basic precautions to improve your email security. For example


Blacknoise: Low-fi Lightweight Steganography in Service of Free Speech

Posted by ccarlon on Oct 13, 2011
Author: 
Paik, Michael
Publication Date: 
Jan 2010
Publication Type: 
Report/White paper
Abstract: 

Censorship of communications is a widespread, current practice in various countries with repressive governments in order to prevent or restrict speech, political speech in particular. In many cases state-run telecommunications agencies, including those providing internet and phone service, actively filter content or disconnect users in defense of incumbents in the face of widespread criticism by citizens.

In this paper I present Blacknoise, a system which uses commodity low-cost mobile telephones equipped with cameras, and takes advantage of their low-fidelity, noisy sensors in order to enable embedding of arbitrary text payloads into the images they produce. These images can then be disseminated via MMS, Bluetooth, or posting on the Internet, without requiring a separate digital camera or computer to perform processing.


Mobile Anonymity and Censorship Circumvention: How to Browse the Web Anonymously On Your Phone

Posted by MelissaLoudon on Oct 13, 2011
Author: 
MelissaLoudon
Abstract: 

The first part of this article - Using HTTPS for Secure Mobile Browsing - describes how mobile browsing over HTTPS provides:

  • encryption for your data during transmission
  • verification of the identity of the remote site

However, using HTTPS does not hide your identity. If you don’t want someone to know that you were accessing a particular web site (or that you were accessing it at a particular time, such as when inflammatory content was posted), you need to anonymize your mobile browsing. Depending on how your network is set up, the site you are accessing may be able to see and keep a record of your IP address. Your network administrator, Internet Service Provider and/or Mobile Network Operator can see and keep records of the IP addresses of both your Internet-connected mobile device and the site you are accessing. IP addresses can nearly always be linked to a geographic location, whether a zip code or a city, and your ISP or mobile network provider can link your IP to your individual device.

Organisations and countries that block websites can do so by blocking communication to and from specific IP addresses. For this reason, anonymizing your browsing is also the first step to circumventing Internet censorship.

This article describes two tactics for anonymous browsing and censorship circumvention - using a proxy, and using a mobile version of the circumvention tool Tor. Both are used on computers as well as mobile devices. Specific tools for mobile phones are described in the second part of the article.

A User Guide to Orbot - Anonymized Tor Browsing on Your Mobile Phone

Posted by MelissaLoudon on Oct 13, 2011
Author: 
SaferMobile
Abstract: 

Orbot is an anonymizing and circumvention app that connects Android phones to the Tor network. Developed by The Guardian Project, it is currently the only way to use Tor on a mobile phone.

Who should use it?

Orbot is for Android users who need to browse anonymously or circumvent blocked sites. It should work on both older and new model Android phones, and does not require a rooted phone (although there are some advantages to using it with one). Orbot is designed for proficient Android users.

How does it work?

Orbot sets up a connection to the Tor network and makes it available to apps through a local proxy.


The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users

Posted by ccarlon on Oct 12, 2011
Author: 
Cavoukian, Ann and Marilyn Prosch
Publication Date: 
Dec 2010
Publication Type: 
Report/White paper
Abstract: 

Privacy by Design is a concept that is virally spreading around the globe. The powerful concept of engineering privacy directly into the design of new technologies, business practices and networked infrastructure, in order to achieve the doubly-enabled pairing of functionality and privacy, has gained significant adoption by governments, researchers and industry, in any number of sectors. Now that the PbD paradigm has achieved this high level of acceptance, the next major question to be addressed is – how can PbD best be operationalized?


In this guidance document, we focus on the solutions presented by the panellists – in particular, the parties to which responsibility for the implementation of each were assigned. Distinct trends were noted in the types of solution associated with each party, and it became clear that the panellists’ responses could be collected into a practical tool for developers, service providers and users – a Roadmap for Privacy by Design.


Here, we begin by describing the necessity for such a tool in the mobile industry, and then detail the Roadmap, which begins with the Device Manufacturer, travels through the OS/Platform Developer, Service Provider, and Application Developer, and ends with the responsibilities assigned to Users themselves.


We Need Your Help: Building a SIM Card Registration Database

Posted by KatrinVerclas on Jul 27, 2011

We are developing a global database of SIM card registration requirements by country, and we need your help. Please fill out this short survey. We ask you a few questions about a particular country's requirements.

Note: This survey will not track identifying information. We will publish the complete database on the site shortly with the data that we have gathered to date. The survey is here. Thanks!

Photo courtesy flickr user bfishshadow.

Using HTTPS for Secure Mobile Browsing

Posted by MelissaLoudon on Jul 11, 2011

HTTP, the Hypertext Transfer Protocol, is the data communication protocol you use when you browse the web - as you probably know if you've noticed that website addresses usually begin with http://. HTTPS is the secure version of HTTP, which you might have seen being used for sensitive transactions like online banking and online shopping. When you are using the secure part of a site, the web address will begin with https://.

When using your mobile phone for sensitive communications, it is important to ensure that your online activities - whether researching or reading about an issue, sending an email, writing a blog post or uploading photos - are done over a secure connection. There are three elements of secure web browsing:

Are Your Apps Trustworthy? 6 Questions to Ask

Posted by MelissaLoudon on Jun 30, 2011

Smartphones (iPhone, Android, Blackberry, Windows Mobile, Symbian) and many feature phones allow you to download and install mobile applications (“apps”). Apps do many useful things. However, some apps (and other types of software, such as your mobile operating system) can also present security risks. These include:

  • Apps and other software may have access to information stored on or generated by your phone.

  • Apps and other software may have the ability to transmit this information using your phone’s Internet connection.

Malicious apps or other mobile software installed on your mobile device can expose you to the following risks:

  • Your conversations may be listened to or recorded without your knowledge.

  • Your text messages, emails and web traffic may be monitored and logged.

  • Data stored on your phone (contacts, calendar entries, photos and video) may be accessed or copied.

  • Passwords stored or entered on your phone may be stolen and used to access your online accounts.

  • Your location may be tracked, even when your phone is switched off.

With smartphones gaining market share, malicious apps are beginning to pose a serious threat. In an article titled “Your Apps Are Watching You”, the Wall Street Journal tested popular iPhone and Android apps, and found that of 101 apps tested, 56 transmitted a unique identifier for the phone without informing the user or asking for consent. 47 apps also transmitted the phone’s location, while 5 sent age, gender or other personal details to various companies. The App Genome Project reports that 28% of all apps in the Android Market and 34% of all free apps in the Apple App Store have the capability to access location, while 7.5% of Android Market apps and 11% of Apple App Store apps have the capability to access users’ contacts.

It can be very difficult to tell which apps are safe and which are not. App behaviours that might not bother most users, such as transmitting the phone’s location to an advertising server, can be unacceptable to people with higher privacy and security requirements.

This article offers suggestions on how to assess risks to security and privacy posed by apps.

SaferMobile LockDown Guides

Posted by SaferMobile on Jun 29, 2011

Despite the smartphone craze of the past 5 years, featurephones are still king in much of the world. From the perspective of activists, rights defenders, and journalists, they cannot be ignored. And feature phones have plenty of built-in capability to help users stay safer. During the course of our research, we've uncovered valuable features that even the most experienced users may not be aware of.

As a part of SaferMobile, a project of MobileActive.org, we've focused on documenting the most important ways that a user can lock down a mobile handset. No external apps or special tools are required, just a charged battery. We've condensed these tips into single-page, device-specific reference guides for a variety of makes & models that get straight to the point. And yes, we made sure to cover smartphones and featurephones.

Mobile Application Security

Posted by VivianOnano on Jun 29, 2011
Author: 
Dwivedi, Himanshu, Chris Clark, David Thiel.
Publication Date: 
Jan 2010
Publication Type: 
Report/White paper
Abstract: 

A discussion on mobile application security must address the current issues facing mobile devices and the best way to mitigate them. This chapter aims to provide content on the following subjects:

  • Top issues facing mobile devices
  • Tips for secure mobile application development

The issues covered in this chapter are not exhaustive and appear in no particular order; however, they can be used to begin the conversation on mobile application security in your organization.


Safer Twitter

Posted by SaferMobile on Jun 17, 2011
Author: 
Melissa Loudon
Abstract: 

This article contains information to help you understand and mitigate mobile security risks related to Twitter. As always, remember that risks are context-specific, and depend on the environment you work in as well as whether you are communicating sensitive information. For more information on risk assessment, please review the Guide to Mobile Security Risk Assessment.

Twitter is a way to get your messages to a wider audience. However, you should know that from any platform (computer or mobile phone), it is not a secure method of communicating sensitive information. Consider the following guidelines: 

  • Your Tweets should only contain information you want to widely and publicly share. This should be public information that can be freely distributed by you, your organization, and your supporters, without any risk to individuals or organizational operations.
  • Even if you protect your tweets so that only followers can see them, followers can easily retweet your messages, or access them over an insecure connection.

June Mobile Tech Salon, NYC: Our Mobile Data Exhaust

Posted by MarkWeingarten on Jun 14, 2011

According to the Wall Street Journal, “[Data produced by the use of mobile phones] generates immense commercial databases that reveal the ways we arrange ourselves into networks of power, money, love and trust.” As mobile phone use increases and applications become increasingly sophisticated, the volume of mobile data we create continues to grow at an incredible rate, creating new possibilities and posing new challenges to notions of privacy.

Businesses want this data for marketing. Congress wants to regulate it. Activists and privacy advocates want to ensure that it is not used to compromise their safety or freedoms. Meanwhile, projects such as UN Global Pulse want to use information gleaned from mobile phone use to detect and prevent slow-onset humanitarian crises. We invite you to join us on the evening of June 30th for our next New York City-based Mobile Tech Salon as we explore these tough questions:

  • How do we determine socially beneficial uses for mobile data?
  • How can the safety, security, and privacy of individuals be respected while using mobile data to benefit them?
  • How can our mobile data be effectively aggregated and anonymized? Or can’t it?

A Guide to Mobile Security Risk Assessment

Posted by SaferMobile on Jun 10, 2011
Author: 
SaferMobile
Abstract: 

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country.

This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks. First, we'll cover some of the basic concepts. Then, in the second part of this guide, we'll take you through developing your own risk assessment in 5 steps.

We have previously published a Mobile Risk Primer that describes general security vulnerabilities associated with mobile technology and communication. Read it!

Throughout this guide, we'll also highlight the fictitious case of Asima, a blogger and activist in Egypt. Examples of how Asima might complete the assessment worksheet and create a security plan for her work are highlighted in this guide.

Asima lives in Cairo, Egypt and is a blogger and an activist. She used to maintain a blog on Blogspot, but now mostly uses Facebook and Twitter to follow current events, to share information, and to communicate with colleagues. She tweets from her mobile phone while in traffic and at cafes and protests and from her computer when she is at work or at home.


The Bug in Your Pocket: Remote Listening Applications for Mobile Phones

Posted by MarkWeingarten on Jun 10, 2011

We've heard much recently about information that is being tracked by mobile phone companies (see our recent post) and app developers. However, there are more overt security threats that are potentially more dangerous.

One of these threats is referred to as either a “roving bug” or a “remote listening” application. It is essentially the same concept as a conventional audio bug, except that it requires no hardware other than a smartphone. Once installed, remote listening software enables a third party to call a phone, activate its speakerphone capabilities, and secretly transmit any sounds picked up by its microphone to another phone number, where they can be monitored and recorded.

SMSTester for Android

Posted by MarkWeingarten on May 24, 2011
Main Contact: 
Katrin Verclas
Problem or Need: 

There are plenty of anecdotal stories of seemingly random delays lasting multiple hours or even days in many countries where we work. While network congestion and growing infrastructure are often to blame for SMS unreliability, there are also legitimate concerns that delays may be an indication of deliberate message filtering and monitoring.

What has emerged is an environment in which activists and human rights defenders are unable to clearly understand what networks - and what behavior - is safe or hazardous for themselves or their contacts. The end goal of this research, put simply, is to change this paradigm. Rumors of keyword filtering are not helpful; what is helpful is any evidence of surveillance.


Brief Description: 

SMSTester is a simple Android app that allows a user to create a set of keywords to be sent as SMS messages. This allows the user to explore differences in latency for any type of message - from basic, everyday text like ‘milk’ or ‘newspaper’ to politically inflammatory text such as ‘revolution.’

We then set up a logging mechanism to timestamp and record each SMS as it is sent (from the sender side) or received (on the receipt side). By comparing the sent and received timestamps, we’re very easily able to calculate message latency from one SIM to another.


Tool Category: 
App resides and runs on a mobile phone
Key Features : 

The application is designed to be installed on both sides of a single SMS conversation: a sender uses the app to automatically transmit a series of messages to the receiver, where incoming messages are logged upon receipt. Diagnostic data from the send side can be optionally included in the message payload itself such that the receive side can parse, analyze and display test results without needing access to data from the send side. This feature drastically improves flexibility and enables effective testing without requiring physical co-location.

Each message sent is coded with a unique GUID by the application so that data sets from both sides can be later combined if necessary. The output data is stored on the device SD card in comma separated value (CSV) format, which makes it easy to import and parse in any office spreadsheet application.


Main Services: 
Other
Display tool in profile: 
Yes
Tool Maturity: 
Currently deployed
Release Date: 
2011-04
Platforms: 
Android
Program/Code Language: 
Java
Organizations Using the Tool: 

MobileActive.org

Support Forums: 
https://lab.safermobile.org/wiki/SMSTester
Languages supported: 
Any
Handsets/devices supported: 
SMSTester is currently available as an Android application only. However, as the application itself does not require a large amount of computational power or high-end hardware, it can be deployed on virtually any Android handset with SMS capabilities, including low-cost options.
Is the Tool's Code Available?: 
Yes
URL for license: 
https://github.com/safermobile/smstester
Is an API available to interface with your tool?: 
No

SMSTester for Android: Project and Source Now Open

Posted by SaferMobile on May 18, 2011

One of the main goals of the SaferMobile project is to release software tools that allow activists and rights defenders to use their mobile phones as network monitors and sensors. The goal is to help them, and the mobile developers, human rights organizations and people on the street they work with, to monitor network performance and proactively detect blocking, filtering and censorship. SMSTester is the first tool we are publicly releasing within this category, and it is free, freely licensed and open-source. Our first trial run with Short Message Service Tester (SMSTester) was completed in April 2011. The results are written up here.

Introducing SaferMobile: Mobile Security for Rights Defenders, Activists, and Journalists

Posted by SaferMobile on May 16, 2011

Activists, rights defenders, and journalists use mobile devices for reporting, organizing, mobilizing, and documenting. We have written about many of these uses for years now, describing how mobile phones provide countless benefits to activists and rights defenders. Mobile tech is relatively low cost and allows for increased efficiencies and vast reach, for example. But, there is a darker side.

Mobile phones present specific risks to rights defenders, journalists, and activists. We believe that it is critically important to know that mobile communication is inherently insecure and exposes rights defenders and those working in sensitive environments to risks that are not easy to detect or overcome. (We provide an overview of those risks in this Primer, for instance.)

To address mobile safety and security for rights defenders, we are introducing SaferMobile, to help activists, human rights defenders, and journalists assess the mobile communications risks that they are facing, and then use appropriate mitigation techniques to increase their ability to organize, report, and work more safely.

What is SaferMobile? 

  • Online and offline educational and tactical resources (risk evaluation tools, case studies, how-to guides, security tool reviews); 
  • Trainings and curricula for use in various countries and with different constituencies; 
  • Specific mobile security software focused on the needs of rights defenders, activists, and journalists.

As with all that we do, we believe that there are certain values and principles that are paramount in this work. For SaferMobile, we are following these principles:

  • We believe that skilled, trained, and knowledgeable activists, journalists, and rights defenders are key to democratic changes. We also believe that the smart and effective use of technology constitutes an integral piece of their skill set.
  • The better activists, journalists, and rights defenders are able to work, and the more safely they are able to organize and communicate, the more likely it is that their work is effective and heard. 
  • We are committed to accessible, useful, actionable, and technically accurate and secure content, materials, and software. 
  • We are also committed to describing technological vulnerabilities in terms that non-technical users can easily understand. 
  • We work with activists on the ground to ensure that the content we produce addresses real uses and risks. 
  • We also seek responsive connections between activists and security professionals so that both are more able to assess and respond to changing risks.  
  • Lastly, we are maintaining information that reflects current security risks and technological vulnerabilities and is vetted for security and technological accuracy by knowledgeable experts.

Roadmap and Process

The SaferMobile project is just beginning its second Phase. Phase 1 included needs assessment with users and peers – activists, rights defenders, journalists, technologists, security experts, and mobile developers. Through this research, we outlined plans for web content, training curriculum and tools (software) and are now creating these pieces in Phase 2 of the project (May-August 2011). 

Our approach is iterative and open – we work as a team to develop ideas and welcome review and comments from peers. We maintain a wiki for this initial phase that will act as a living lab for content and code as we develop both. 

Who Cares Where I Am, Anyway? An Update on Mobile Phone Location Tracking

Posted by MarkWeingarten on May 10, 2011

Apple’s release of version 4.3.3 of its iOS operating system “..kills iPhone tracking”, according to a recent article. After nearly three weeks of public attention on this issue, this news will perhaps appease some iPhone fans but is not likely to end the debate over what users should know and control about their smartphones’ location tracking abilities. Like Apple, Google’s Android and Microsoft’s Windows Phone systems have also recently come under fire, though important differences exist in the way each company collects and uses location-based information.

We have reviewed recent articles and research on each of these mobile operating systems’ location tracking capabilities and will describe the various claims made and the research undertaken to test these claims.

SMSTester - Monitoring SMS Delivery (and Keyword Filtering, Possibly)

Posted by SaferMobile on Apr 25, 2011

NOTE: This article was updated with an addendum and additional data.

Inspired by Michael Benedict's original blog post on monitoring SMS delivery reliability in Tanzania and recent reports of SMS keyword blocking in Uganda, MobileActive.org set out to replicate Michael's work - and add to it. SMS is such a crucial part of many mobile projects and just day-to-day life across the developing world, yet there’s a lack of public knowledge of mobile network operator interdependency, latency, and reliability (how mobile network operators work together to transmit SMS, the lag time between sending and receiving a message, and the guarantee that a message will reach its recipient).

Michael's post got us thinking: Can this type of experiment be replicated without extra hardware required (GPRS modems, etc.)? After a few quick brainstorming sessions at the OpenMobile Lab in New York, we created an alpha version of a mobile application that recreates a number of latency tests. It’s far from perfect - and there is still plenty of work to be done - but we’re confident that this project will lead us to extremely valuable data about the transparency and reliability of SMS on mobile networks.

SMSTester - The App

SMSTester is a simple Android app that allows a user to create a set of keywords to be sent as SMS messages. This allows the user to explore differences in latency for any type of message - from basic, everyday text like ‘milk’ or ‘newspaper’ to politically inflammatory text such as ‘revolution.’ We then set up a logging mechanism to timestamp and record each SMS as it is sent (on the sender side) or received (on the receiving side). By comparing the sent and received timestamps, we can easily calculate message latency from one SIM to another.

Initial Deployment

We deployed SMSTester in a test in Egypt a few weeks ago. As this was the initial trial for a fully untested application, we were careful.  While we did run our tests across a number of local mobile operator networks, we kept the test volume small enough to keep us under the radar (for now!). Our test methodology included:

  1. Testing across all three major mobile operator networks in Egypt: Etisalat, Mobinil, and Vodafone
  2. Consistent keyword test bed containing both ‘safe’ and ‘political’ terms, where ‘safe’ refers to everyday vocabulary and ‘political’ refers to politically sensitive words
  3. Language coverage across both English and Arabic
  4. Roughly 270 messages successfully sent, received and analyzed

What We Looked For And Why

The main focus of our analysis was SMS delivery latency, delay, or more generally, delivery failures. There are plenty of anecdotal stories of seemingly random delays lasting multiple hours or even days in many countries where we work. While network congestion and growing infrastructure are often to blame for SMS unreliability, there are also legitimate concerns that delays may be an indication of deliberate message filtering and monitoring. What has emerged is an environment in which activists and human rights defenders are unable to clearly understand which networks - and which behavior - are safe or hazardous for themselves or their contacts. The end goal of this research, put simply, is to change this paradigm. Rumors of keyword filtering are not helpful; what is helpful is any evidence of surveillance.

This small experiment is just a start, of course. Our hypothesis is that keyword filtering and other malicious behavior on the part of mobile network operators may manifest in the form of increased message latency or overt message blockage. If we could detect any sign of a correlation between message content and delivery with just some initial testing in-country, this would be a great first step towards our overall goal. However, it’s very important to note that while message latency or failure may be indicative of bad behavior on the part of the carriers, it could be due to any number of contributing factors and is by no means an implication of foul play. For now we’re merely hypothesizing.

Results

Despite the minor bugs discovered, we gathered very valuable information about message latency in Egypt during this trial. The most valuable data was on the Etisalat network (also known as the Emirates Telecommunications Corporation), based in the UAE. The majority of the data we recovered from this trial was between an Etisalat SIM and other Egyptian networks. (Note: This was the result of inadvertent data loss for other test scenarios and we did not specifically target Etisalat).

Main Conclusions

Big Caveat (READ THIS!): Given the small sample size of this test, it should be noted that none of these conclusions are definitive. In fact, the very nature of such a small sample size warrants much further investigation.

(1) Delivery between Etisalat & Mobinil networks warrants further investigation. As shown below, the delivery time for English language text messages from Etisalat to Mobinil is significantly greater than delivery time to any other network, for both English and Arabic texts. This may be due to any number of network delays, and it may also be indicative of English language filtering by one or both of the mobile network operators.

(2) Delivery time of politically sensitive English messages on Etisalat warrants further investigation. The chart below shows that politically sensitive English messages sent across the Etisalat network were delivered with significantly more latency than others, with the possible exception of politically sensitive Arabic messages. In addition, each of the three messages that were delivered out of order fell into this category. Similar to the above conclusion, this may be indicative of specific filtering on behalf of Etisalat.
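The analysis the post describes - pairing each message's sender-side and receiver-side timestamps, grouping latency by network, language and keyword category, flagging messages delivered out of order, and comparing ‘political’ against ‘safe’ medians - can be carried out with a short script. The following is an added example, not SMSTester's own code: the log line format, the field names, the constructed sample messages and the 3x comparison threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample logs (not real SMSTester output). Assumed sender-side
# format: timestamp,message_id,destination_network,language,category,keyword
SENT_LOG = """\
2011-04-05T10:00:00,1,mobinil,en,safe,milk
2011-04-05T10:00:10,2,mobinil,en,political,revolution
2011-04-05T10:00:20,3,mobinil,en,safe,newspaper
2011-04-05T10:00:30,4,mobinil,en,political,protest
2011-04-05T10:00:40,5,vodafone,en,safe,milk
2011-04-05T10:00:50,6,vodafone,en,political,revolution
2011-04-05T10:01:00,7,vodafone,ar,safe,milk
2011-04-05T10:01:10,8,vodafone,ar,political,revolution
"""

# Assumed receiver-side format: timestamp,message_id (message 4 never arrives)
RECV_LOG = """\
2011-04-05T10:00:04,1
2011-04-05T10:02:40,2
2011-04-05T10:00:25,3
2011-04-05T10:01:05,5
2011-04-05T10:01:21,6
2011-04-05T10:01:07,7
2011-04-05T10:01:18,8
"""


def parse_sent(text):
    """Sender log -> {message_id: record}."""
    sent = {}
    for line in text.strip().splitlines():
        ts, mid, network, lang, cat, kw = line.split(",")
        sent[int(mid)] = {"id": int(mid), "sent": datetime.fromisoformat(ts),
                          "network": network, "language": lang,
                          "category": cat, "keyword": kw}
    return sent


def parse_received(text):
    """Receiver log -> {message_id: receive timestamp}."""
    recv = {}
    for line in text.strip().splitlines():
        ts, mid = line.split(",")
        recv[int(mid)] = datetime.fromisoformat(ts)
    return recv


def join_logs(sent, recv):
    """Attach receive time and latency (None when undelivered) to each record."""
    records = []
    for mid, rec in sorted(sent.items()):
        r = dict(rec)
        r["received"] = recv.get(mid)
        r["latency_s"] = ((r["received"] - r["sent"]).total_seconds()
                          if r["received"] else None)
        records.append(r)
    return records


def summarize(records):
    """Per (network, language, category): counts and latency statistics."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["network"], r["language"], r["category"])].append(r)
    summary = {}
    for key, recs in groups.items():
        lat = [r["latency_s"] for r in recs if r["latency_s"] is not None]
        summary[key] = {"sent": len(recs), "delivered": len(lat),
                        "median_latency_s": median(lat) if lat else None,
                        "max_latency_s": max(lat) if lat else None}
    return summary


def out_of_order(records):
    """IDs of delivered messages overtaken by a later-sent message on the same network."""
    by_net = defaultdict(list)
    for r in records:
        if r["received"] is not None:
            by_net[r["network"]].append(r)
    flagged = []
    for recs in by_net.values():
        recs.sort(key=lambda r: r["sent"])
        for i, r in enumerate(recs):
            if any(later["received"] < r["received"] for later in recs[i + 1:]):
                flagged.append(r["id"])
    return sorted(flagged)


def compare_categories(summary, factor=3.0):
    """(network, language) pairs whose political median latency is >= factor x the
    safe median. A hit is a lead for more testing, not proof of filtering:
    congestion and routing differences produce the same signal."""
    hits = []
    for n, l in sorted({(n, l) for (n, l, _) in summary}):
        safe = summary.get((n, l, "safe"), {}).get("median_latency_s")
        pol = summary.get((n, l, "political"), {}).get("median_latency_s")
        if safe and pol and pol >= factor * safe:
            hits.append((n, l))
    return hits


def analyse(sent_text=SENT_LOG, recv_text=RECV_LOG):
    records = join_logs(parse_sent(sent_text), parse_received(recv_text))
    return summarize(records), out_of_order(records)


if __name__ == "__main__":
    summary, ooo = analyse()
    for key, stats in sorted(summary.items()):
        print(key, stats)
    print("out of order:", ooo, "leads:", compare_categories(summary))
```

Undelivered messages are kept in the per-group counts rather than dropped, since an elevated failure rate for one category is as relevant as extra latency; with a sample this small the comparison only tells you where to send the next batch of test messages.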

Countries: Egypt

"Don't be fooled" Mobile Security Hackday, April 1, NYC

Posted by KatrinVerclas on Mar 29, 2011

Please join us on Friday, April 1 in NYC! To celebrate April Fools Day and to highlight mobile phone & digital network insecurities, the Guardian Project and MobileActive.org are hosting "Don't be Fooled", part of the new SaferMobile initiative. This hackday will showcase mobile tools to enhance security, profile GP's open-source tools and feature a room for face-to-face conversations about mobile security.

Due to the intimate size of the venue, we are capping RSVPs at 30: 20 "developers / hackers" who want to learn about developing secure mobile phone services and 10 practitioners who want to root their phones / learn about mobile security. Please put your name here!

Location: Open Mobile Lab, 127 W 27 St, Suite 702, NYC
Time: Friday, 1 April 2011 from 9:30 till 5:00. Beer O'Clock from 5:00 till 7:00.
Hashtag: #safermobile

The Guardian Project (@guardianproject) aims to create easy to use apps, open-source firmware MODs, and customized, commercial mobile phones that can be used and deployed around the world, by any person looking to protect their communications and personal data from unjust intrusion and monitoring.

MobileActive.org (@MobileActive) connects people, organizations, and resources using mobile technology for social change. Our global network of practitioners and technologists is working

Photo Courtesy flickr user juli ryan

Safer Photos: How to Remove Location Information from Mobile Images

Posted by MelissaUlbricht on Mar 10, 2011
Author: 
Melissa Ulbricht
Abstract: 

This article and screencast show you how to remove location information from photos taken on a mobile phone.

Location

In a previous post, we described how to add location information to mobile content, including images and stories. For some reports, location information adds value, context, and interest to venue-specific reports. But today, we talk about how to remove that same location information. This is also detailed, step by step, in this screencast.
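Phones store location in the Exif block of a JPEG (an APP1 segment holding a TIFF structure whose IFD0 points at a GPS sub-IFD via tag 0x8825), and sometimes in an XMP APP1 segment as well. The following added example, which is not the screencast's method and not code from this site, shows a way to check a JPEG for a GPS IFD and to strip both kinds of segment while leaving the pixel data untouched; the sample JPEG bytes are constructed for the illustration and are not a decodable image, and the function names are this example's own.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1, SOS = 0xE1, 0xDA
EXIF_HDR = b"Exif\x00\x00"
XMP_HDR = b"http://ns.adobe.com/xap/1.0/\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def _segment(marker, payload):
    """Wrap a payload as a JPEG marker segment (the length field counts itself)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed test input: a minimal JPEG header with an Exif APP1 whose
    IFD0 carries a GPS IFD pointer. Structurally valid, not a real picture."""
    tiff = b"MM\x00\x2a\x00\x00\x00\x08"  # big-endian TIFF header, IFD0 at offset 8
    # IFD0: 1 entry: tag 0x8825, type LONG (4), count 1, value = offset 26; next IFD = 0
    ifd0 = b"\x00\x01" + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a" + b"\x00\x00\x00\x00"
    # GPS IFD at offset 26: 1 entry: GPSVersionID (tag 0), type BYTE (1), count 4, value 2.3.0.0
    gps = b"\x00\x01" + b"\x00\x00\x00\x01\x00\x00\x00\x04\x02\x03\x00\x00" + b"\x00\x00\x00\x00"
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(APP1, EXIF_HDR + tiff + ifd0 + gps)
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return SOI + app0 + app1 + sos + b"\x12\x34\x56" + EOI


def split_jpeg(jpeg):
    """Return ([(marker, segment_bytes), ...], tail), where tail starts at the
    SOS marker (entropy-coded image data follows it) or at EOI."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while True:
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment table")
        marker = jpeg[pos + 1]
        if marker in (SOS, 0xD9):
            return segments, jpeg[pos:]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length


def _is_metadata(marker, seg):
    return marker == APP1 and seg[4:].startswith((EXIF_HDR, XMP_HDR))


def has_gps_ifd(jpeg):
    """True if an Exif APP1 segment's IFD0 contains the GPS IFD pointer tag."""
    for marker, seg in split_jpeg(jpeg)[0]:
        if marker != APP1 or not seg[4:].startswith(EXIF_HDR):
            continue
        tiff = seg[4 + len(EXIF_HDR):]
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            entry = ifd0 + 2 + 12 * i
            if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
                return True
    return False


def strip_location_metadata(jpeg):
    """Drop Exif and XMP APP1 segments; keep every other segment and the scan data."""
    segments, tail = split_jpeg(jpeg)
    kept = [seg for marker, seg in segments if not _is_metadata(marker, seg)]
    return SOI + b"".join(kept) + tail


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS before:", has_gps_ifd(sample))
    clean = strip_location_metadata(sample)
    print("GPS after:", has_gps_ifd(clean), "bytes removed:", len(sample) - len(clean))
```

Removing the whole Exif segment rather than only the GPS sub-IFD is deliberate: camera make, model and proprietary maker notes go with it, and rewriting offsets inside the TIFF structure is where hand-rolled strippers usually go wrong. The code handles JPEG only; other image formats store location elsewhere, and a file that has already been uploaded somewhere keeps whatever metadata it had at the time.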