Smartphone Surveillance And Tracking Techniques

Understanding Threats, Indices & Protection

Reliance GCS
InfoSec Write-ups


The following article is a fusion of substantive summary and selective compilation of various publicly available write-ups on smartphone surveillance and security. All references are listed at the end of the article.

“The ‘Enlightenment’, which discovered the liberties, also invented the disciplines.”

― Michel Foucault, Discipline and Punish: The Birth of the Prison

HOW CAN A SMARTPHONE BE SPIED ON?

Smartphones are playing an increasingly central role in our lives. They are ubiquitous, as we carry them nearly everywhere, and entrust them with sensitive and sometimes deeply personal information. We use them to carry out day-to-day tasks from communicating with family members and socialising on social media apps to tracking our health and taking care of our finances on banking apps.

But it is also a device with a camera, a GPS receiver and a microphone that you carry with you at all times. Unfortunately, mobile phones were not designed with privacy and security as primary goals. Turning this hardware into a surveillance tool is easier and more effective than most people think. Not only do phones do a poor job of protecting your communications, they also expose you to new kinds of surveillance risk.

Surveillance is always an enactment of power: it is a technique of governance, an external influence on the individual that seeks to control and discipline, and it carries a risk of exploitation and invasion of privacy.

Here, we will describe all the ways that smartphones can aid surveillance and undermine their users’ privacy. So, prepare yourself for an in-depth read, as we attempt to go over each and every aspect of smartphone surveillance.

1. Mobile Signal Tracking — Cell Tower

How it works

The mobile network operator (the company that issued your SIM) can see and record who called or texted whom and when, and, for ordinary calls and SMS, what was said. For internet traffic it sees which servers and hostnames you connect to (from DNS queries and the TLS Server Name Indication), though not the content of HTTPS sessions.

Your Wi-Fi internet provider usually supplies DNS as part of the service, so it can log your DNS queries, which amounts to a record of every site (though not every page) you visit. Using an encrypted resolver (DNS over HTTPS or DNS over TLS) moves that visibility to the resolver operator instead of removing it.

Any mobile network operator can also calculate where a particular subscriber's phone is located whenever the phone is powered on and registered with the network. This is commonly called triangulation, although the techniques actually used are trilateration and multilateration: estimating distances or timing differences to several towers rather than bearings.

One way the operator can do this is to monitor the signal strength (and, on GSM and LTE, the timing advance) that different towers observe from a particular handset, and then calculate where the phone must be based on those observations. The accuracy varies, depending on factors such as the technology the operator uses (2G/3G/LTE), how many towers are in range and how dense the cells are: from a few hundred metres in a city to kilometres in the countryside.
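The calculation the operator performs, as an added worked example (not from the original article): three towers at known positions each report the signal strength they see from one handset; a log-distance path-loss model turns each strength into a range estimate, and a least-squares trilateration turns the ranges into a position. The tower layout, the handset position, the path-loss parameters and the RSSI values are all constructed for this example, and the error figures it prints only show how sensitive the answer is to a few dB of measurement noise.

```python
import math

# Assumed log-distance path-loss model: RSSI(d) = RSSI_1M - 10*n*log10(d).
# An operator would calibrate these per cell; the values are illustrative.
RSSI_1M = -20.0          # dBm observed at 1 m from the tower
PATH_LOSS_EXP = 2.5      # n: 2 in free space, roughly 2.7-3.5 in built-up areas

def rssi_from_distance(d_m, rssi_1m=RSSI_1M, n=PATH_LOSS_EXP):
    """Forward model, used only to construct the sample observations."""
    return rssi_1m - 10.0 * n * math.log10(d_m)

def distance_from_rssi(rssi_dbm, rssi_1m=RSSI_1M, n=PATH_LOSS_EXP):
    """Invert the path-loss model to get an estimated range in metres."""
    return 10.0 ** ((rssi_1m - rssi_dbm) / (10.0 * n))

def trilaterate(towers):
    """
    towers: list of (x, y, rssi_dbm) for three or more cells.
    Subtracts the first circle equation from the others to get linear
    equations in (x, y), then solves the 2x2 normal equations (plain
    least squares, so extra towers simply over-determine the fix).
    """
    if len(towers) < 3:
        raise ValueError("need at least three towers")
    x1, y1 = towers[0][0], towers[0][1]
    r1 = distance_from_rssi(towers[0][2])
    s11 = s12 = s22 = t1 = t2 = 0.0
    for x, y, rssi in towers[1:]:
        r = distance_from_rssi(rssi)
        a = 2.0 * (x - x1)
        b = 2.0 * (y - y1)
        c = r1 ** 2 - r ** 2 + x ** 2 - x1 ** 2 + y ** 2 - y1 ** 2
        s11 += a * a
        s12 += a * b
        s22 += b * b
        t1 += a * c
        t2 += b * c
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    x = (t1 * s22 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return x, y

# Constructed scenario: three towers on a local metre grid and a handset at
# (300, 400). The RSSIs are generated with the same model, so with no noise
# the position is recovered exactly.
TOWER_POS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
TRUE_POS = (300.0, 400.0)

def observations(true_pos=TRUE_POS, noise_db=0.0):
    """Build (x, y, rssi) tuples; noise_db is applied with alternating sign
    so the example stays reproducible."""
    obs = []
    for i, (tx, ty) in enumerate(TOWER_POS):
        d = math.hypot(true_pos[0] - tx, true_pos[1] - ty)
        jitter = noise_db * (1 if i % 2 == 0 else -1)
        obs.append((tx, ty, rssi_from_distance(d) + jitter))
    return obs

def locate(noise_db=0.0):
    return trilaterate(observations(noise_db=noise_db))

def position_error(noise_db=0.0):
    """Distance in metres between the fix and the true handset position."""
    x, y = locate(noise_db)
    return math.hypot(x - TRUE_POS[0], y - TRUE_POS[1])

if __name__ == "__main__":
    for n in (0.0, 2.0, 6.0):
        print(f"RSSI error +/-{n} dB -> position error {position_error(n):.0f} m")
```

The interesting part is the noise run: a 2 dB error in each reading, which is well within normal fading, already moves the fix by well over a hundred metres on this geometry, which is why operators combine strength with timing measurements and why the accuracy claims in the text vary so much.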

Normally only the mobile operator itself can perform this kind of tracking, though this information may be made available to local or foreign governments through official or informal arrangements. In some cases foreign governments have hacked mobile operators' systems to gain covert access to subscriber data. A cell-site simulator (explained below) can also be used by someone physically nearby to locate your phone or intercept its traffic.

Another related kind of surveillance request is called a "tower dump": a government asks a mobile operator for a list of all of the mobile devices that were present in a certain area at a certain time. Law enforcement agencies (LEAs) often use tower dumps to investigate a crime or to establish who associates with whom.

The Ukrainian government used a tower dump to compile a list of everyone whose mobile phone was present at an anti-government protest.

Preventative Measures

There is no way to "hide" from this kind of tracking as long as your mobile phone is powered on and transmitting to an operator's network. The only way not to be seen is not to connect it to the network or to any other computer at all, a practice known as air-gapping. In a world where practically every machine connects to the internet, that is not easy.

However, for ultra-sensitive files and tasks, such as holding cryptocurrency keys or working with confidential blueprints, the inconvenience of working entirely offline can be justified. For these situations the highly cautious rely on Faraday cages or bags: metal-lined enclosures that attenuate radio signals so that, if the shielding is good, no usable signal goes in or out. They are cheap and easy to buy, but test one before trusting it (call the bagged phone; it should not ring), because poorly made bags leak.

A cage or bag may stop your phone from revealing its location while it is inside, but it does nothing about spyware that was installed before the phone was isolated; such spyware simply records now and uploads later.

The safest practice is to assume that traditional calls and SMS text messages have not been secured against eavesdropping or recording.

The situation can be different when you use secure communication apps (whether for voice or text), because these apps can apply end-to-end encryption (E2EE) so that only the two endpoints can read the content. Apps with a reliable E2EE implementation and features such as disappearing messages can provide meaningful protection against network-level interception.

The level of protection you get depends significantly on which apps you use and how they work. Important questions are whether the app developer has any way to undo or bypass the encryption, what metadata (who talks to whom, and when) the service collects, and whether the code has been independently audited.

We recommend Signal, an open-source, end-to-end encrypted chat and voice/video call app developed by the Signal Foundation.

2. Mobile Signal Tracking — IMSI Catcher

Governments can also snoop on mobile communications directly with a cell-site simulator: a portable device that impersonates a cell tower to "catch" particular users' phones, confirm their physical presence and/or intercept their communications. It is also called an IMSI catcher or, after a well-known product line, a Stingray. The catcher has to be brought to a particular location in order to find or monitor a device there.

IMSI catchers are able to determine the IMSI numbers (the permanent subscriber identity stored on the SIM) of mobile phones in their vicinity, which is the capability from which their name derives. Using the IMSI, they can then identify a target's traffic and single it out for interception and analysis.

Once the IMSI catcher has captured a device, it can try to stop the device from returning to a legitimate base station by transmitting an empty neighbour-cell list, or a list of neighbouring base stations that the device cannot actually reach.

According to reporting based on documents leaked by Edward Snowden, some advanced cell-site simulators could locate phones even after they had been turned off. This was reportedly accomplished by wirelessly sending a command to the phone's baseband chip to fake the shutdown and stay on. The phone could then be instructed to keep only the microphone on to eavesdrop on conversations, or to send periodic location pings.

The only hint that such a phone is still on is that it continues to feel warm after being shut down, suggesting that the baseband processor is still running.

This concern has led to some people physically removing the batteries from their devices when having very sensitive conversations.

How it works

Attacks on mobile networks fall into three classes: cracking the network encryption, passive interception, and active interception. IMSI catchers fall into the last category: they insert themselves between mobile phones and the real base stations by acting as a transceiver (transmitting and receiving at once). The catcher mounts a man-in-the-middle attack, posing as the phone towards the real base station and as the base station towards the real phone.

Downgrade Attack: A downgrade attack makes a system or protocol abandon a high-quality mode of encrypted connection in favour of an older, lower-quality mode that is kept for backward compatibility. In the mobile context this means forcing a handset off 4G/3G and onto 2G (GSM), where the network does not authenticate itself to the phone and the A5/1 and A5/2 ciphers are breakable (A5/0 means no encryption at all); most IMSI catchers rely on exactly this.

Signalling System 7 (SS7) attacks are a separate problem. SS7 is the signalling protocol suite used between operators across most of the world's Public Switched Telephone Network (PSTN), and it was designed to trust any connected operator. An attacker with SS7 access can abuse legitimate signalling messages to track a subscriber's location, reroute calls and intercept SMS (including one-time passcodes), without needing to be anywhere near the target.


Preventative Measures

Currently there is no reliable defence against all IMSI catchers. Some apps, e.g. SnoopSnitch (which needs a rooted Android device with a Qualcomm baseband), claim to detect their presence, but such detection is imperfect and prone to both false positives and misses.

On devices that permit it, it helps to disable 2G support so the device connects only to 3G/4G/5G (Android 12 and later expose an "Allow 2G" toggle in the mobile network settings; on recent iOS versions Lockdown Mode disables 2G) and to disable roaming if you don't expect to travel outside your home network's area. These measures provide some protection against the IMSI catchers that rely on a 2G downgrade, but not against those that operate on LTE.
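A sketch of the kind of heuristic detection that apps like SnoopSnitch apply, added here as an example; it is not part of the original article and not SnoopSnitch's code. It walks a constructed trace of serving-cell observations (the fields, the PLMN values and the thresholds are all assumptions) and raises an alert only when several signs coincide: a cell never seen before, a drop from LTE to GSM although LTE was available, an empty neighbour-cell list as described above, and a GSM ciphering indicator of A5/0. Real traces need baseband access, which is why such apps need root on supported chipsets.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CellObs:
    t: int                  # seconds since start of capture
    rat: str                # radio access technology: "LTE", "UMTS" or "GSM"
    mcc: str                # mobile country code
    mnc: str                # mobile network code
    lac: int                # location area code (2G/3G) or tracking area code (LTE)
    cid: int                # cell id
    neighbours: int         # number of entries in the neighbour-cell list
    cipher: Optional[str]   # GSM ciphering indicator ("A5/3", "A5/0", ...); None if not reported

# Assumed home operator (constructed values, not a real PLMN assignment).
HOME_PLMN = ("310", "410")

def score_observation(obs: CellObs, known_cells: set, recent_rats: List[str]) -> List[str]:
    """Return the list of heuristics this single observation trips."""
    reasons = []
    if (obs.mcc, obs.mnc) != HOME_PLMN:
        reasons.append("PLMN differs from home network")
    if (obs.lac, obs.cid) not in known_cells:
        reasons.append("cell never seen before at this location")
    if obs.rat == "GSM" and recent_rats and all(r in ("LTE", "UMTS") for r in recent_rats):
        reasons.append("downgrade to 2G while 3G/4G was available")
    if obs.neighbours == 0:
        reasons.append("empty neighbour-cell list")
    if obs.rat == "GSM" and obs.cipher in ("A5/0", "A5/2"):
        reasons.append(f"weak or no ciphering ({obs.cipher})")
    return reasons

def analyse(trace: List[CellObs], window: int = 3, threshold: int = 2) -> List[Tuple[int, Tuple[int, int], List[str]]]:
    """Walk the trace and alert when an observation trips >= threshold heuristics.
    One new cell on its own is normal (you walked somewhere); several signs
    together are not. Returns (time, (lac, cid), reasons) per alert."""
    known = set()
    recent: List[str] = []
    alerts = []
    for obs in trace:
        reasons = score_observation(obs, known, recent[-window:])
        if len(reasons) >= threshold:
            alerts.append((obs.t, (obs.lac, obs.cid), reasons))
        known.add((obs.lac, obs.cid))
        recent.append(obs.rat)
    return alerts

# Constructed trace: three minutes on LTE, then the handset is pulled onto a
# GSM cell with an unknown LAC, no neighbours and A5/0, then back to LTE.
TRACE = [
    CellObs(0,   "LTE", "310", "410", 4001, 11001, 6, None),
    CellObs(60,  "LTE", "310", "410", 4001, 11002, 5, None),
    CellObs(120, "LTE", "310", "410", 4001, 11001, 6, None),
    CellObs(180, "GSM", "310", "410", 999,  65001, 0, "A5/0"),
    CellObs(240, "GSM", "310", "410", 999,  65001, 0, "A5/0"),
    CellObs(300, "LTE", "310", "410", 4001, 11001, 6, None),
]

if __name__ == "__main__":
    for t, cell, reasons in analyse(TRACE):
        print(f"t={t}s cell={cell}: " + "; ".join(reasons))
```

The threshold is what keeps this from crying wolf every time you drive into a new suburb: a legitimate new cell trips one heuristic, a catcher typically trips three or four. Even so, a rural operator that still runs GSM with sparse neighbour lists will produce false positives, which is the "imperfect" in the paragraph above.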

We also recommend Orbot for Android, a Tor-based proxy app that lets other apps route their internet traffic through a series of encrypted relays around the world. On iOS, Onion Browser is the equivalent for web browsing. Note what this does and does not do: Tor hides the content and destination of your IP traffic from the network (including from an IMSI catcher), but it does nothing to hide your phone's presence, its IMSI, or your ordinary calls and SMS.

3. Wi-Fi and Bluetooth Tracking

How it works

Smartphones have other radio transmitters in addition to the mobile network interface, including Wi-Fi and Bluetooth. Whenever Wi-Fi or Bluetooth is turned on, the phone transmits frames (for example Wi-Fi probe requests scanning for known networks) that carry its MAC address, a hardware identifier that is unique to the device unless randomised, and so let nearby receivers recognise that that particular device is present.

The MAC address can therefore be observed even when the device is not connected to any wireless network and is not actively transferring data. With receivers placed at doors and corridors this is a highly accurate way to tell when a person enters and leaves a building, and retailers and advertisers have used it for exactly that.

Your home Wi-Fi router is also a prime target for attackers who want to get into your network by delivering a payload remotely. One vulnerability in the router can give an attacker a foothold against almost every device that connects to it. Once compromised, the router can redirect you to fake versions of messaging, banking or e-commerce sites, steal personal and financial data, and serve as a launch point against the smart IoT devices on the same network.

Preventative Measures

Know Your Network: Before you connect, be sure you know whose network you are connecting to, so you don’t fall prey to Wi-Fi honeypots. Also, check to make sure your smartphone is not set up to automatically connect to some unknown Wi-Fi networks — or set it to ask you before connecting.

Use a VPN: With a VPN, anyone snooping on the local network (the coffee-shop access point, the hotel Wi-Fi) sees only encrypted traffic to the VPN server, even if you visit sites over plain HTTP. The VPN provider, however, sees everything the local network would have seen, so you are moving trust rather than removing it; choose the provider accordingly.

We recommend TunnelBear or VyprVPN for both Android and iOS devices.

MAC Address Randomization: Recent Android and iOS versions randomise the Wi-Fi MAC address. iOS 14 and later use a different "private address" for each network, Android 10 and later do the same per network by default, and both randomise the address used in probe requests while scanning. This makes long-term tracking of one device much harder, although fingerprinting of other fields in the probe frames can still partially link addresses together.

The feature is not applied consistently by every Android manufacturer, and on older devices it may be absent altogether. On a rooted Android device it is also possible to change the MAC address by hand so that the same address is not observable over time.
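How a passive Wi-Fi sniffer turns probe requests into an entry/exit log, and what MAC randomisation does to it, as an added example that is not taken from the article. The probe log is constructed; the only external fact the code relies on is that randomised addresses set the locally administered bit (0x02) of the first octet, which is how a tracker (or you) can tell them apart from burned-in, vendor-assigned addresses.

```python
from collections import defaultdict

# Constructed probe-request log from a passive Wi-Fi sniffer:
# (seconds since start of capture, source MAC address, RSSI in dBm).
PROBES = [
    (0,    "3c:22:fb:12:34:56", -55),
    (30,   "3c:22:fb:12:34:56", -52),
    (60,   "3c:22:fb:12:34:56", -60),
    (3600, "3c:22:fb:12:34:56", -58),   # same stable address, back an hour later
    (3620, "3c:22:fb:12:34:56", -57),
    (10,   "da:a1:19:00:00:01", -70),   # randomised address
    (40,   "f6:b2:00:00:00:02", -71),   # another randomised address; same phone? unknowable
]

def is_locally_administered(mac: str) -> bool:
    """Randomised MACs set the locally-administered bit (0x02) of the first
    octet; burned-in addresses from a vendor OUI have it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

def presence_sessions(probes, gap_s: int = 600):
    """Group sightings per MAC into (first_seen, last_seen) sessions, opening a
    new session whenever a device goes unseen for longer than gap_s seconds."""
    by_mac = defaultdict(list)
    for t, mac, _rssi in sorted(probes):
        by_mac[mac].append(t)
    sessions = {}
    for mac, times in by_mac.items():
        runs = []
        start = prev = times[0]
        for t in times[1:]:
            if t - prev > gap_s:
                runs.append((start, prev))
                start = t
            prev = t
        runs.append((start, prev))
        sessions[mac] = runs
    return sessions

def classify(probes):
    """Split the timeline into addresses that can be tracked across visits
    (stable, vendor-assigned) and those that cannot (randomised)."""
    sessions = presence_sessions(probes)
    stable = {m: s for m, s in sessions.items() if not is_locally_administered(m)}
    randomised = {m: s for m, s in sessions.items() if is_locally_administered(m)}
    return stable, randomised

if __name__ == "__main__":
    stable, randomised = classify(PROBES)
    for mac, runs in stable.items():
        for first, last in runs:
            print(f"{mac}: present {first}s to {last}s")
    print(f"{len(randomised)} randomised address(es) seen; "
          "they cannot be linked to a device or to each other")
```

The stable address yields two clean visits an hour apart, which is the whole value of the data to a tracker; the two randomised addresses may be one phone or two, and nothing in the addresses themselves can say which.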

Deactivate AirDrop: AirDrop — a wireless file sharing protocol for iPhone users, when activated, broadcasts an iPhone’s availability to other nearby iOS devices. That makes it simple for any other surrounding iOS devices to request permission to send files.

While convenient, AirDrop has had its own vulnerabilities in the past, including leaks of the sender's identity to anyone in range, so set it to "Receiving Off" (or at least "Contacts Only") unless you actually need it.

For iOS 11 and later: Go to Settings > General > AirDrop.
For iOS 10 and earlier: Swipe up from the bottom of your iOS device to find a shortcut to AirDrop in your Control Center.

Wi-Fi Router Security

Update Router Firmware: Updating your router’s firmware is an important security measure to help protect your router against the latest threats and vulnerabilities. Many routers no longer get firmware/software updates. If the last update for yours was a couple years ago, it is time for a new router.

Change Router Credentials: Routers ship with a default administrator password (not the Wi-Fi password) set by the manufacturer. It may look complex, but most units of the same model share it, and the defaults are easy to find on the internet.

Make sure you change the username and password of your router during setup. Choose a complex alphanumerical password with multiple characters. Don’t use a dictionary word as your password.

Change SSID and Wi-Fi Encryption: If your Wi-Fi network use a default SSID (network name) then change it. Do not pick a name that makes it obvious that the network belongs to you.

For Wi-Fi encryption, use WPA3 if all your devices support it, otherwise WPA2 with AES (CCMP); never WEP or WPA/TKIP. WPA2 is only as strong as the passphrase, because an attacker can capture the handshake and brute-force it offline, so the passphrase must be long (the German BSI recommends at least 20 characters). Also disable WPS, whose PIN mode can be brute-forced in hours.

Get rid of any risky or unused services: Turning off features you are not using reduces the attack surface. Disable Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN), SNMP, NAT-PMP and Telnet access to the router.

If you are not relying on it for games or IoT devices, turn off UPnP. UPnP lets any device on the LAN (including a compromised one) open ports on the router to the internet, and vulnerable UPnP implementations have themselves been exploitable from the WAN side.

Change the entire LAN-side subnet: Moving off the default range (192.168.0.x or 192.168.1.x) helps defeat attacks delivered through the browser (CSRF and DNS-rebinding pages) that assume the router sits at a well-known address.

Set up a guest network for smart-home devices: A guest network gives IoT devices (and actual guests) their own SSID and password and keeps them isolated from the primary network, so a compromised smart bulb cannot reach your laptop.

4. Infecting Phones with Spyware/ Malware

Spyware is a specific type of malware designed to track the infected smartphone's activity. It can use the device's microphone to listen to and record everything happening near the phone; track the GPS location, instant messages and texts; upload copies of photos you take; read conversations held through apps like Signal, WhatsApp, Telegram, Wickr, Discord or Viber straight off the screen or keyboard (end-to-end encryption protects a message in transit, not on a compromised endpoint); snoop on or block incoming calls from predefined numbers; log everything you type; send alerts on various triggers; and even use the camera to watch you. All of the collected data is sent to a web portal where the operator reviews it.

Phones get spyware, viruses and other malware either because the user was tricked into installing it, or because someone exploited a security flaw in the device's OS or an installed application. These spy apps are used by partners, family members, suspicious employers, political or business rivals, and law enforcement agencies.

Until recently, the public's exposure to mobile malware was dominated by privately run spyware vendors. Their commercial tools reportedly end up in the hands of autocrats who use them to hamper free speech, quash dissent, or worse. Now, several governments with well-established cyber capabilities have also adapted to and exploited the mobile threat landscape.

The ability of governments and state-sponsored APT (Advanced Persistent Threat) groups to develop and deploy mobile surveillance campaigns within their existing espionage efforts has outpaced the security industry's ability to detect and deter spyware on smartphones.

How it works (Distribution Mechanism)

Zero-day Attacks

A zero-day is a flaw in software, hardware or firmware that is unknown to the vendor, or for which no patch yet exists. Zero-day exploits often run without any interaction from the user ("zero-click").

In May 2019 a buffer overflow in WhatsApp's VoIP stack (CVE-2019-3568) allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number. An attacker could trigger the overflow during the setup of a WhatsApp call, even if the call was never answered, and take control of the application. Attackers then used that foothold to install surveillance tools on the device.

Although zero-day attacks are relatively rare compared with those against the larger attack surface of desktops and servers, their existence shows that even strictly avoiding untrusted applications may not be enough to avoid compromise.

Recommendation

Protection against a zero-day attack is difficult. Your best line of defence is to immediately install new software updates when they become available from the manufacturer to help reduce the risk of an exploit.

Software updates install revisions to applications and the operating system, which often include fixes for security holes discovered since the last release.

Some commercial spyware accepts commands over SMS, so text messages consisting of incomprehensible strings of numbers and letters can be a sign that a device is being controlled this way. Modern tools usually hide such messages from the user, so their absence proves nothing.

Spear Phishing Attacks

Sophisticated spyware infiltration typically begins with Spear Phishing, by sending a tailor-made message to the target’s phone. It can be sent as a tweet, a DM/ text message or an innocent looking email — any electronic message to convince the user to open a URL/ download an attachment.

Once they do, the phone's web browser connects to one of the spyware operator's many anonymous servers across the globe. The server fingerprints the device (OS version, browser, model), then delivers the matching exploit and installs the implant remotely and silently.

Unlike desktop browsers, mobile browsers show only a truncated URL (often just the start of the hostname), so it is hard to see where a link really points. That paves the way for phishing attacks on unwary users.

Phishers often prey on the natural fears of targets in order to get them to act quickly, and without caution. These phishing messages will urge you to hurriedly sign into your account or install an update without checking the source — and just like that, the spy now has what they need, to snoop on your device — account credentials or unauthorised admin privilege.

Messaging apps like WhatsApp and other social media (Twitter, IG, Telegram, Wickr, Discord etc.) are also fast becoming the most popular delivery method for mobile surveillance via phishing attacks.

State-sponsored attackers increasingly choose obscure targets in order to daisy-chain a sequence of infections that eventually yields valuable data. Instead of targeting the CEO directly, an APT group may target a lesser employee, such as a PA or graphic designer, who has little of value on their own machine but is on the same network as machines that do, and who can serve as a stepping stone. To recap: compromise the graphic designer's machine and use their email address to spear-phish the CEO.

Another trend is that phishing sites increasingly use HTTPS. Users have been taught that the padlock means "secure", so they are less likely to suspect a phish. A certificate only proves that the connection is encrypted to whoever controls that domain name, and anyone can obtain one free from a CA such as Let's Encrypt in minutes, so the padlock says nothing about whether the site is honest.
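A URL checker that flags the tricks described in the two passages above (URLs truncated on mobile, and HTTPS as false reassurance), added here as an example rather than taken from the article. The brand list and the simplified public-suffix table are assumptions; a production version would use the real Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands to protect and their genuine registrable domains (constructed list;
# a real deployment would use the organisation's own domains).
PROTECTED = {"paypal": "paypal.com", "apple": "apple.com", "whatsapp": "whatsapp.com"}

# Simplified public-suffix handling (assumption): two-label registrable
# domains, except for a few well-known second-level suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}

def registrable_domain(host: str) -> str:
    """The part of the hostname that was actually registered, i.e. the only
    part that says who controls the site."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def suspicious_url(url: str) -> list:
    """Return the list of red flags found in the URL (empty means none found)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        reasons.append("user@ prefix: the text before '@' is not the site")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homograph of a familiar name")
    if host.count(".") >= 4:
        reasons.append("deeply nested subdomains: the real domain is at the end")
    reg = registrable_domain(host)
    squashed = host.replace("-", "")
    for brand, real in PROTECTED.items():
        if brand in squashed and reg != real:
            reasons.append(f"'{brand}' in hostname but registered domain is {reg}")
    if parts.scheme == "https" and reasons:
        reasons.append("HTTPS only encrypts the connection; it does not vouch for the site")
    return reasons

if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.secure-login.example/verify",
              "http://apple.com@203.0.113.5/",
              "https://xn--pple-43d.com/",
              "https://whats-app-update.net/install.apk"):
        print(u, "->", suspicious_url(u) or ["looks ok"])
```

The second sample is the one a mobile address bar hides best: the visible left-hand part reads `paypal.com` while the registered domain, which is all that matters, is `secure-login.example`.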

Also, the growth in the consumer spyware market is concerning because it reflects the trend towards “off-the-shelf” malware that doesn’t require any specialist knowledge to use. Of them, mSpy is one of the most recognisable one, but others you might see are FlexiSPY, WebWatcher and SpyToMobile. Often, this kind of software is used by people who want to monitor the activity of their spouses, providing an easy way to trace every movement.

Recommendation

It is hard for technical measures alone to guard against phishing, because it is often just a phone call you receive or a dodgy website you visit. The real barrier is knowledge and constant vigilance: check the sender, check the full URL before entering anything, and treat urgency as a warning sign.

App Store Distribution

Official app stores for the two most popular mobile operating systems, Google Android and Apple iOS, take different approaches to developer verification and app review, leading to different levels of risk that a user downloads a spyware app. Both require developers to register and pay a fee, but Apple's review of submitted apps is more thorough, while Google Play relies more heavily on automated scanning and therefore lets more bad apps through.

Although Apple appears to employ a more serious approach to investigating apps for malicious intent, occasionally, malware get submitted successfully and made available to download via the company’s app store, at least for a period of time.

Spyware are uploaded to app stores in large numbers to take advantage of volume distribution in much the same way that spammers rely on a small percentage of respondents from the millions of emails they send.

Spyware authors can also easily decompile legitimate applications and add code to perform malicious actions alongside the normal functionality. To the casual user, the recompiled/ modified apps are often indistinguishable from the originals. Typically, they are added to app stores using slight variations of the legitimate developer’s name to further establish some credibility with users. When this occurs with enough frequency, inadvertent installations of these spyware apps on mobile devices are inevitable.

For example, a spyware app called Radio Balouch (aka RB Music) was a fully working streaming radio app for Balochi music enthusiasts, except that it was built on AhMyth, an open-source spyware, and stole its users' personal data. The app made it into Google Play twice and was removed both times after security researchers alerted Google.

In another example, CrowdStrike Intelligence, a US-based cyber security firm, reported on a FANCY BEAR (a Russian cyber espionage group) operation to compromise users of an application designed to facilitate secure communications between groups of people on military service in Ukraine. Since that application was only distributed to a limited number of individuals, the adversary most likely gained access to the developer's computer to retrieve the source code, modified it, and redistributed it. The redistribution used emails spoofed to look like they came from the original developer, instructing recipients to install a new version of the app from an attached file.

A further risk posed to Android users is the availability of third-party app stores that primarily rely on user reviews — which can be easily manipulated. In addition, users may take advantage of the ability to load APK files directly on a mobile device without having to use the Play Store at all. This paves the way for malicious actors to distribute their spyware apps outside the Google Play Store ecosystem.

Recommendation

On Android, block installation from unknown sources. On Android 7 and earlier this is a single switch (Settings > Security > Unknown Sources); on Android 8 and later it is granted per app under Install unknown apps in the special app access settings (the exact path varies by manufacturer), so review that list and revoke it for everything you do not actually need.

Until Google's safeguards improve, infected clones of legitimate apps and derivatives of known spyware will keep appearing on Google Play.

While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that individuals scrutinise every app they intend to install on their devices.

Use sandboxing application:

Android already runs all the apps in a sandbox environment. However, the apps can still ask permissions to access different areas of the phone, including areas where your personal data resides — such as contacts, call logs, and storage, etc. If you really need to use a random/ dodgy app, while not certain about its authenticity, and also don’t want to risk sharing your personal data with it, then you must properly isolate it.

Island is a free and open-source sandboxing app that clones selected apps into an isolated Android work profile so they cannot reach your personal data outside that profile (call logs, contacts, photos and so on), even when the matching permissions are granted. Device-bound data (SMS, GPS location, IMEI, device ID and the like) is still accessible, though.

Watering Hole Attack

In more sophisticated operations, the attacker first observes which websites the targeted person or group often visits and compromises one or more of them to host a malicious payload, so that the spyware is delivered through a site the victim already trusts. This lends the campaign an additional layer of legitimacy, since potential victims are unlikely to suspect that a known, legitimate website is attacking their phones. Attacks of this type are called watering hole attacks.

For example, Google's Project Zero reported in 2019 on a small number of websites, discovered by Google's Threat Analysis Group early that year, that exploited a total of 14 iOS vulnerabilities in five exploit chains, two of them zero-days at the time of discovery. The sites attacked every iOS device that visited them, covering iOS 10 through iOS 12, and delivered an implant that stole iMessages, photos and real-time GPS location. Given the exploit chains in place, the researchers estimated the sites had been quietly compromising Apple devices for as much as two years.

Recommendation

Unfortunately, there is no perfect answer to this inherent mobile device security problem other than keeping sensitive data entirely off of them. That’s an unrealistic proposition for most people to function in their personal and business lives, so the best harm reduction strategy is to rigorously keep on top of security updates.

Loss of Physical Control

Most of the spyware deployment mechanisms described above involve compromise that occurs while the device is in the possession of the user, whether this is through user interaction or remote exploitation. While device compromise through a lack of physical control of the device is an unlikely scenario in many cases, it may still be applicable to individuals or organisations travelling to hostile areas.

However, there may be situations where a malicious actor seeks to leverage a period of time when the device is not in the possession of the user. Scenarios such as monitoring software installed by authorities during a border transit, or a device left unattended in a hotel (a so called “evil maid” attack), are likely to occur only in very specific situations, but could still arise depending on the value of the target.

Recommendation

This class of threat can partly be avoided with PINs or passwords (unless these are obtained through coercion, video surveillance or traditional "shoulder surfing"), by powering the device off before handing it over so that it is in the "before first unlock" state in which the data encryption keys are not in memory, or by using completely clean devices that carry the minimum of data and are reset to factory settings once the user is out of the hostile area.

Install Haven: Haven is a free and open-source Android app from the Guardian Project that turns a spare phone into a monitor, using its built-in sensors (accelerometer, camera, microphone, light sensor) to detect activity around the device, such as a hotel room being entered, and alert the owner. Alerts can be sent via SMS, Signal or to a Tor onion service.

SIX WARNING SIGNS OF SPYWARE INFECTION

1. Mysterious incoming/ outgoing phone calls or SMS

Have you noticed calls or SMS messages sent from your phone that you did not make? Your phone may be infected with spyware, or with malware that sends premium-rate SMS.

2. Higher than usual rate of data usage

Spyware acts on commands it receives from its command-and-control (C2) server, operated by the attacker from a remote location, and it uploads what it collects. This requires an active internet connection, so if spyware is hiding on your device its mobile data usage may rise for no reason you can explain. Check the per-app data usage screen in the OS settings for unfamiliar apps consuming background data.

3. Battery depletes much faster

If your device's battery is depleting faster than usual under normal usage, there is a good chance spyware is hiding somewhere on the phone. Spyware runs in the background without giving away its presence, and that constant activity drains the battery faster.

4. Poor performance

Poor performance cannot always be blamed on spyware or malware; phones slow down over time as they fill with apps. However, if you habitually remove unwanted apps, avoid live wallpapers and take the usual steps to keep the device lean, and still experience lags and slowdowns, a spyware infection is a plausible cause.

5. Unfamiliar apps installed on your phone

Mobile malware often installs further malicious apps so that they can work together to push the infection deeper. If you notice apps you did not install yourself and that are not stock apps, there is a high chance your phone is infected.

6. Overheating

It is normal, and sometimes even expected, that your phone overheats while playing games, constant Internet browsing, charging or non-stop calling. However, if you are not on your phone, or your device remains hot most of the time for no reason, there is a good chance that your phone is harbouring a malware infection.
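A concrete way to act on sign 5 above and on the Unknown Sources recommendation earlier: list which store installed each third-party app. This is an added example, not from the article. It parses the output of `adb shell pm list packages -i -3` (the sample below is constructed; `fetch_live` reads the real thing and needs USB debugging), and the set of trusted installers is an assumption you should adapt to your own device.

```python
import re
import subprocess

# Constructed sample of `adb shell pm list packages -i -3` output: third-party
# packages only, each with the package that installed it ("null" = adb or an
# unrecorded installer). On a real device replace SAMPLE with fetch_live().
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.android.systemupdate.svc  installer=null
package:com.example.flashlightpro  installer=com.sec.android.app.samsungapps
package:net.helper.sync  installer=com.android.packageinstaller
"""

# Assumption: these stores are trusted on this device; adjust for your own.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_pm_output(text: str) -> dict:
    """Map package name -> installer package (None when pm reports 'null')."""
    pkgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs

def sideloaded(pkgs: dict, trusted=TRUSTED_INSTALLERS) -> list:
    """Packages not installed by a trusted store: sideloaded from a file,
    pushed over adb, or installed by something that was itself sideloaded."""
    return sorted(p for p, inst in pkgs.items() if inst not in trusted)

def looks_like_system_impostor(pkg: str) -> bool:
    """Since the list holds only third-party packages, a name that imitates a
    system component is a classic stalkerware disguise."""
    return pkg.startswith(("com.android.", "android.", "com.google.android."))

def fetch_live() -> dict:
    """Read the real list via adb (requires USB debugging); not used offline."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-i", "-3"],
                         capture_output=True, text=True, check=True).stdout
    return parse_pm_output(out)

if __name__ == "__main__":
    pkgs = parse_pm_output(SAMPLE)
    for pkg in sideloaded(pkgs):
        flag = "  <-- imitates a system package" if looks_like_system_impostor(pkg) else ""
        print(f"{pkg} (installer: {pkgs[pkg]}){flag}")
```

Two of the five sample packages come back: one installed over adb with a name that pretends to be a system update service, and one installed from a downloaded file. Neither is proof of spyware, but both are exactly what a person reviewing sign 5 should be asked to explain.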

5. Forensic Analysis of Seized Phones

How it works

There is a well-developed speciality of forensic analysis of mobile devices. An expert analyst connects a seized device to a forensic workstation (Cellebrite UFED, MSAB XRY, Magnet AXIOM and similar), which reads out stored data, including records of previous activity, phone calls and text messages. Some of these tools can bypass or brute-force the screen lock on particular models and OS versions, and the analysis may recover records the user could not normally see, such as deleted text messages that have not yet been overwritten.

JTAG: JTAG (Joint Test Action Group) forensics is a data acquisition method which involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. When supported, JTAG is an extremely effective technique to extract a full physical image from devices that cannot be acquired with normal tools.

Chip-Off Forensics: Chip-off forensics is an advanced data extraction technique in which the flash memory chip(s) are physically removed from the device and the raw data is read with specialised equipment. It can produce a complete physical image of nearly any device, even one that has suffered catastrophic damage. Because it destroys the device, it is typically the method of last resort, used once all other extraction options, including JTAG, have been exhausted. On a modern phone with file-based encryption, the image still has to be decrypted with keys that live in the device's secure hardware, which limits what chip-off yields on its own.

Preventative Measures

Note: Intentional, reckless, or negligent spoliation/ tampering of evidence or obstruction in a criminal or regulatory investigation can be charged as a crime, often with very serious consequences.

  • Encrypt all of your data. The best way to encrypt data at rest (as opposed to messages in transit) is in bulk: encrypt compartments of your storage, or simply encrypt the entire storage.
  • Keep in mind, though, that disk encryption only protects your phone while it is turned off (i.e., it protects data at rest). Once the device is turned on, data is decrypted transparently and the decryption key is held in memory.

We recommend the Keeper: Password Manager & Secure Vault application as an added hardening measure, for both Android and iOS devices.

  • Set a strong, hard-to-guess passcode, at least six characters long and using letters as well as digits.
  • For added security, don’t use biometrics like fingerprint or facial recognition systems, which can be more easily defeated than strong passcodes.
  • On Android, don’t use a pattern unlock, which can easily be spotted by someone glancing at your phone or even cracked by analysing your screen smudges.
  • Use a digital data shredder to securely wipe any data that you want removed from your mobile device.

We recommend PROTECTSTAR’s iShredder application for both Android and iOS devices.

6. App Data Leaks

How it works

Modern smartphones can determine their own location, usually using GPS and sometimes using other sources such as IP-based location and cell-tower location. Apps installed on the device can ask the phone for this information and use it to provide location-based services: maps, some social media apps, and cab and food-delivery apps that show your position on a map.

Some of these apps then transmit your location over the network to a service provider, which in turn provides a way for other people to track you. Developers also embed third-party trackers inside their apps, which allow them to collect other information and behavioural patterns about users and use it to display targeted advertisements.

Third-party trackers inherit the set of permissions requested by the host app, giving them access to a wealth of valuable user data, often beyond what they need to provide the expected service. These trackers can collect personal data such as Android IDs, phone numbers, device fingerprints, MAC addresses, live location, usage patterns of various apps, browser history, SMS, call logs, emails, social media chats, etc.

On top of that, app stores do not require developers to disclose their use of third-party advertising and tracking services, so users are in the dark about their presence in the apps they use. Apps do not tell us which of these services they use, and their privacy policy statements are often vague about them. This lack of transparency is not helped by the fact that such services regularly end up in the news for sharing or selling large amounts of mobile tracking data.

The app developers might not have been motivated by the desire to spy on users, but they might still end up with the ability to do that, and they might end up revealing sensitive personal information about their users to governments or hackers.

Governments have also become interested in analysing data about many users’ mobile devices in order to find certain patterns automatically. These patterns could allow a government analyst to find cases in which people used their phones in an unusual/ suspicious way.

For example, location tracking is not only about finding where someone is right now. It can also be about answering questions about people’s historical activities, participation in events, their beliefs and personal relationships/ connections. It can also be used to find out whether certain people are in a romantic relationship, to detect when a group of people are traveling together or regularly meeting one another, or to try and identify a journalist’s confidential source.

As smartphones have become ubiquitous and technology more accurate, an industry of snooping on people’s daily habits has spread and grown more intrusive.

Preventative Measures

The apps most popular among data harvesting companies are those that offer services keyed to people’s whereabouts — including weather, transit, travel, shopping deals and dating — because users are more likely to enable location services on them.

Scrutinise app permissions when installing apps. A good privacy practice is to restrict every app to the bare minimum of access to your personal information. The more permissions an app requests, the greater the potential for data to be sent insecurely to adversaries.

Unlike iPhones, Android phones don’t allow you to restrict an app’s access to your location to just the moments when you are using it. Any app on Android that has your permission to track your location can receive the data even when you are not using it.

However, there is an app on the Play Store called Bouncer that gives Android users the ability to grant permissions temporarily: the moment an app is closed, Bouncer automatically removes some of the permissions associated with that app.

Stop location tracking on iOS:

Open Settings > Privacy > Location Services. You will see a list of apps, along with the location setting for each. Tap the app you want to adjust; selecting “Never” blocks location access by that app.

(The option “While Using the App” ensures that the app gets your location only while it is in use. Choosing “Always” allows the app to get location data even when it is not in use.)

Stop location tracking on Android:

Open Settings > Security & location > Location > App-level permissions. To turn off location for an app, slide its toggle to the left.

These instructions are for recent Android phones; Google provides more instructions here.
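The settings path above adjusts one app at a time; on a phone with USB debugging enabled, the same grants can be audited in bulk from the output of `adb shell dumpsys package`. The script below is an added example, not part of the article: it assumes adb is installed and the phone is authorised for debugging, and the dumpsys text embedded in it is a constructed sample whose layout only approximates the real output.

```shell
#!/bin/sh
# Added example (not from the article): list Android apps that currently hold a
# granted location permission, parsed from `adb shell dumpsys package` output.

LOCATION_PERMS='ACCESS_FINE_LOCATION|ACCESS_COARSE_LOCATION|ACCESS_BACKGROUND_LOCATION'

# Read a dumpsys package dump on stdin; print "package permission" for every
# location permission whose grant state is true.
granted_location_perms() {
  awk -v perms="$LOCATION_PERMS" '
    # A "Package [com.example.app] (hash):" line starts a new package record.
    /^ *Package \[/ {
      pkg = $2; gsub(/\[|\]/, "", pkg); next
    }
    # Runtime permission lines look like:
    #   android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
    $0 ~ ("android\\.permission\\.(" perms "): granted=true") {
      p = $1
      sub(/^android\.permission\./, "", p); sub(/:$/, "", p)
      print pkg, p
    }'
}

# Constructed sample dump (layout approximates real dumpsys output): a weather
# app with fine + background location granted, a flashlight app whose coarse
# location request was denied, and a maps app with fine location only.
SAMPLE_DUMP='Package [com.example.weather] (1a2b3c):
    userId=10123
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
Package [com.example.flashlight] (4d5e6f):
    userId=10124
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
Package [com.example.maps] (7a8b9c):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]'

# Run the audit over the constructed sample (3 lines: weather x2, maps x1).
audit_sample() { printf '%s\n' "$SAMPLE_DUMP" | granted_location_perms; }

# Against a real device (assumes adb and an authorised phone):
#   adb shell dumpsys package | granted_location_perms
# A grant you do not want can then be removed with:
#   adb shell pm revoke <package> android.permission.ACCESS_FINE_LOCATION
```

The background-location line is the one to look at first, since that is the grant that lets an app report your position while you are not using it.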

Monitor and Stop Third Party Apps:

Lumen is an Android app that helps users identify and block third-party services by monitoring the network activity of the apps running on their device. It also shows what sort of data is being collected and which organisations are collecting it.

Blokada is another such tool for Android that blocks ads and trackers. It is free and open source.

To learn more about advanced tricks and settings for better smartphone privacy and security, check out Smartphone Security For The Privacy Paranoid.

References:

1. Featured Image: Photo by Simon Prades via New Scientist
2. The Problem with Mobile Phones | Surveillance Self-Defense: https://ssd.eff.org/en/module/problem-mobile-phones
3. Image 1: Photo from Getty Images via Wired.com: https://www.wired.com/2017/02/verizons-unlimited-data-plan-back-heres-compares-carriers/
4. Extreme Security Measures For The Extra Paranoid | WIRED: https://www.wired.com/story/extreme-security-measures/
5. How to Keep Your Bitcoin Safe and Secure | WIRED: https://www.wired.com/story/how-to-keep-bitcoin-safe-and-secure/
6. How to Protect Your Privacy on Public Wi-Fi Networks | Techlicious: https://www.techlicious.com/tip/how-to-protect-your-privacy-on-public-wifi-networks/
7. Image 2: Photo from PLAINPICTURE via bloomberg.com: https://www.bloomberg.com/news/articles/2016-03-10/what-happens-when-the-surveillance-state-becomes-an-affordable-gadget
8. IMSI Catchers and Mobile Security: https://www.cis.upenn.edu/wp-content/uploads/2019/08/EAS499Honors-IMSICatchersandMobileSecurity-V18F.pdf
9. SS7 hack explained: what can you do about it? | The Guardian: https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls
10. SS7 HACKING: How hackers interrupt your call and data | Daily Junkies: https://dailyjunkies.com/ss7-hacking-how-hackers-interrupt-your-call-and-data/
11. Your home wi-fi isn't safe | Economic Times: https://economictimes.indiatimes.com/magazines/panache/your-home-wi-fi-isnt-safe-hackers-know-router-trick-to-access-bank-accounts-card-details/articleshow/70571283.cms
12. Router security: How to setup Wi-Fi router securely | Norton: https://us.norton.com/internetsecurity-how-to-how-to-securely-set-up-your-home-wi-fi-router.html
13. Router Security - Full List: https://routersecurity.org/
14. Image 3: Photo from HOTLITTLEPOTATO via Wired.com: https://www.wired.com/story/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets/
15. How Israeli spyware tried to hack an Amnesty activist's phone | FastCompany: https://www.fastcompany.com/90212318/how-israeli-spyware-tried-to-hack-an-amnesty-activists-phone
16. Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform | Cylance: https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html
17. Attackers Exploit WhatsApp Flaw to Auto-Install Spyware | Bank of Security: https://www.bankinfosecurity.com/attackers-exploit-whatsapp-flaw-to-auto-install-spyware-a-12480
18. Zero-day vulnerability: What it is, and how it works | Norton: https://us.norton.com/internetsecurity-emerging-threats-how-do-zero-day-vulnerabilities-work-30sectech.html
19. Image 4: Photo from Kaspersky Blog: https://www.kaspersky.com/blog/phishing-spam-hooks/24888/
20. Mobile Security 101 | Norton: https://za.norton.com/internetsecurity-mobile-mobile-security-101.html
21. How to Protect Yourself From Cellphone Phishing Attacks | Digital Trends: https://www.digitaltrends.com/mobile/how-to-protect-yourself-from-cellphone-phishing-attacks/
22. Mobile phishing attacks are moving to messaging and social media apps at an alarming rate | Wandera: https://www.wandera.com/mobile-security/phishing/mobile-phishing-attacks/
23. Phone surveillance in 2017: Are you being watched? | Digital Journal: http://www.digitaljournal.com/tech-and-science/technology/phone-surveillance-in-2017-are-you-being-watched/article/486599
24. What is APT? | Kaspersky: https://www.kaspersky.co.in/blog/apt/2050/
25. 5 smartphone spy apps that could be listening and watching you right now | Komando: https://www.komando.com/tips/362160/5-smartphone-spy-apps-that-could-be-listening-and-watching-you-right-now
26. How to protect against phishing scams | Norton: https://in.norton.com/internetsecurity-online-scams-how-to-protect-against-phishing-scams.html
27. Mobile Threat Landscape Report: 2019 | CrowdStrike: https://www.crowdstrike.com/resources/reports/mobile-threat-report-2019/
28. First‑of‑its‑kind spyware sneaks into Google Play | welivesecurity: https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/
29. How To Sandbox Android Apps For Ultimate Data Privacy | Gtriks: https://www.gtricks.com/android/how-to-sandbox-android-apps-for-privacy/
30. Major Watering Hole Attack on iOS Shows Massive Challenge of Mobile Device Security | CPO Magazine: https://www.cpomagazine.com/cyber-security/major-watering-hole-attack-on-ios-shows-massive-challenge-of-mobile-device-security/
31. Spyware - What Is It & How To Remove It | Malwarebytes: https://www.malwarebytes.com/spyware/
32. Image 5: Photo from Getty Images via Wired.com: https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/
33. Signs That Your Android Could be Infected With a Virus | Cybersponse: https://cybersponse.com/6-signs-that-your-android-could-be-infected-with-a-virus/
34. Image 6: Photo from SEÑOR SALME via Wired.com: https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
35. JTAG Forensics | Binary Intelligence: http://www.binaryintel.com/services/jtag-chip-off-forensics/jtag-forensics/
36. Chip-Off Forensics | Binary Intelligence: http://www.binaryintel.com/services/jtag-chip-off-forensics/chip-off_forensics/
37. How to Encrypt Your Texts - Calls - Emails and Data | WIRED: https://www.wired.com/story/encrypt-all-of-the-things/
38. Foucault M. Technologies of the self: A seminar with Michel Foucault. Amherst: University of Massachusetts Press; 1988.
39. How to Lock Down Your iPhone - David Koff | Medium: https://medium.com/@TheTechTutor/how-to-lock-down-your-iphone-f81c7bb4f8af
40. Image 7: Photo from Leong Thian FU/Getty Images via Wired.com: https://www.wired.com/story/google-location-tracking-turn-off/
41. How Google Tracks Your Personal Information – Patrick Berlinquette | Medium: https://medium.com/s/story/the-complete-unauthorized-checklist-of-how-google-tracks-you-3c3abc10781d
42. How to Stop Apps From Tracking Your Location | The New York Times: https://www.nytimes.com/2018/12/10/technology/prevent-location-data-sharing.html
43. The ICSI Haystack Project Blog - Abbas Razaghpanah: https://haystack.mobi/wordpress/
