Mobile Device Security - State of Surveillance

⚠️ Critical Disclaimers

Mobile devices are inherently insecure - They constantly broadcast identifying information
Perfect mobile privacy is nearly impossible - Focus on reducing exposure rather than elimination
Convenience vs. security trade-offs - More security often means less convenience
We do not endorse specific devices or services - Research current options independently
Laws vary by jurisdiction - Some security measures may be restricted in your location

📊 Mobile Threat Landscape

Why Mobile Devices Are Surveillance Goldmines

Location tracking: GPS, cell towers, WiFi, and Bluetooth constantly reveal your position
Always connected: Constant internet connection enables real-time monitoring
Sensors galore: Camera, microphone, accelerometer, gyroscope can be remotely accessed
App ecosystem: Third-party apps often have excessive permissions and poor security
Operating system backdoors: Both iOS and Android have built-in surveillance capabilities
Carrier tracking: Phone companies track and sell your location and usage data

🎯 Threat Actors and Their Capabilities

🏛️

Government Surveillance

Capabilities: Cell tower simulation (IMSI catchers), lawful intercept, location tracking
Targets: Real-time location, call/SMS content, app data
Mitigation: Limited - avoid carrying phone to sensitive locations

🏢

Corporate Data Mining

Capabilities: App tracking, advertising IDs, cross-app correlation
Targets: Behavioral patterns, interests, purchasing habits
Mitigation: App permissions, tracking protection, ad blockers

📡

Telecom Providers

Capabilities: Cell tower data, call metadata, internet traffic monitoring
Targets: Location history, communication patterns, browsing habits
Mitigation: VPN, encrypted communications, burner phones

💻

Malicious Apps/Malware

Capabilities: Data theft, remote access, cryptocurrency mining
Targets: Personal files, credentials, financial information
Mitigation: App vetting, permissions audit, antimalware tools

🛡️ Operating System Hardening

iOS Security Configuration

🔒

Privacy Settings

Settings > Privacy & Security:

Location Services > System Services > Disable all non-essential
Analytics & Improvements > Disable all data sharing
Apple Advertising > Disable Personalized Ads
Tracking > Disable "Allow Apps to Request to Track"

☁️

iCloud Configuration

Settings > [Your Name] > iCloud:

Disable iCloud sync for sensitive apps
Turn off iCloud Backup or use encrypted backup
Disable Find My iPhone for maximum anonymity
Consider avoiding iCloud entirely

🎯

Siri & Search Limits

Settings > Siri & Search:

Disable "Listen for 'Hey Siri'"
Disable Siri on Lock Screen
Disable Search & Siri Suggestions
Clear Siri & Dictation History

Android Security Configuration

🔐

Privacy Dashboard

Settings > Privacy:

Permission Manager > Review all app permissions
Privacy Dashboard > Monitor app access
Special App Access > Restrict device admin apps
Ads > Opt out of Ads Personalization

📍

Location Controls

Settings > Location:

Turn off location for non-essential apps
Disable Google Location History
Turn off WiFi and Bluetooth scanning
Disable Emergency Location Service

🔍

Google Services

Settings > Google:

Ads > Reset advertising ID, disable personalization
Backup > Disable automatic backups
Personal info & privacy > Disable activity controls
Consider de-Googling entirely

📱 Alternative Operating Systems

Privacy-Focused Mobile OS

🟢

GrapheneOS

Compatibility: Google Pixel devices only
Features: Hardened Android, enhanced permissions, no Google services
Pros: Maximum security and privacy
Cons: Limited device support, app compatibility issues
Best for: Security professionals, privacy advocates

🟡

CalyxOS

Compatibility: Pixel and select devices
Features: Privacy-focused with microG for app compatibility
Pros: Good balance of privacy and usability
Cons: Some Google service dependencies
Best for: Users needing app compatibility

🟡

LineageOS

Compatibility: Wide range of devices
Features: Clean Android without OEM bloatware
Pros: Broad device support, active community
Cons: Requires manual privacy configuration
Best for: Technical users with older devices

🔴

/e/OS

Compatibility: Select devices
Features: De-Googled Android with privacy focus
Pros: User-friendly, built-in privacy features
Cons: Smaller development team, limited support
Best for: Non-technical users seeking privacy

Installation Considerations

⚠️ Custom ROM Risks

Warranty void: Installing custom ROMs typically voids manufacturer warranty
Banking apps: Many financial apps detect custom ROMs and refuse to work
Security updates: Delayed or community-dependent security patches
Hardware features: Some features (camera, NFC, etc.) may not work properly
Brick risk: Improper installation can permanently damage your device

🔧 App Management and Permissions

Permission Auditing

📷 Camera Access

High Risk Apps: Social media, photo editors, QR scanners
Recommendations:

Deny camera access to unnecessary apps
Use permission toggles when needed
Cover camera physically when not in use
Review photos for metadata before sharing

🎤 Microphone Access

High Risk Apps: Voice assistants, games, social media
Recommendations:

Deny microphone to non-essential apps
Disable "Hey Google" and "Hey Siri"
Use push-to-talk instead of always-listening
Monitor microphone usage indicators

📍 Location Access

High Risk Apps: Social media, weather, retail apps
Recommendations:

Use "While Using App" instead of "Always"
Deny location to advertising and social apps
Turn off location history and sharing
Use precise location only when necessary

📇 Contacts and SMS

High Risk Apps: Social media, dating apps, games
Recommendations:

Deny contact access to unnecessary apps
Disable SMS reading for non-messaging apps
Be cautious with contact syncing features
Use separate contact lists for different purposes

App Store Security

🏪

Official App Stores

Apple App Store / Google Play:

Check app permissions before installing
Read recent reviews for privacy concerns
Verify developer identity and reputation
Avoid apps with excessive permissions

🔓

Alternative App Stores

F-Droid, Aurora Store, APKMirror:

F-Droid: Open source apps only
Aurora Store: Google Play without Google account
Verify APK signatures when sideloading
Higher risk but more privacy-focused options

🌐 Network Security

Cellular Network Protection

📡

IMSI Catchers (Stingray)

Threat: Fake cell towers that intercept communications
Detection:

CellTower app (Android) - Monitor tower changes
SnoopSnitch - Detect fake base stations
Sudden signal strength changes
Unexpected battery drain

Mitigation: Limited - use Faraday bags, avoid sensitive locations

🔐

VPN on Mobile

Benefits: Encrypt traffic, hide browsing from carrier
Mobile Considerations:

Always-on VPN to prevent leaks during reconnection
Kill switch to block traffic if VPN disconnects
Split tunneling for local network access
Battery impact and data usage considerations

WiFi Security

🏠 Home WiFi Security

Use WPA3 encryption (WPA2 minimum)
Change default router passwords
Disable WPS and guest networks if unused
Regular firmware updates
Consider separate IoT network

🏢 Public WiFi Risks

Always use VPN on public networks
Forget networks after use
Disable auto-connect to open networks
Verify network names with staff
Use cellular data when possible

🛡️ Privacy-Focused Apps

Communication Apps

🟢

Signal

Features: E2E encryption, disappearing messages, voice/video calls
Privacy: Excellent - minimal metadata collection
Cons: Phone number required for registration
Best for: Most users seeking secure messaging

🟢

Briar

Features: Peer-to-peer, works offline via Bluetooth/WiFi
Privacy: Excellent - no central servers
Cons: Limited features, smaller user base
Best for: High-risk activists, areas with poor connectivity

🟡

Element (Matrix)

Features: Federated, bridges to other platforms
Privacy: Good - depends on server choice
Cons: Complex setup, server dependency
Best for: Tech-savvy users, organizations

Browsers and Search

🦊

Firefox Mobile

Features: Extension support, tracking protection
Configuration: about:config for advanced hardening
Extensions: uBlock Origin, ClearURLs, Cookie AutoDelete

🧅

Tor Browser

Features: Onion routing, strong anonymity
Mobile: Available for Android, limited iOS support
Considerations: Slower speeds, some sites may block

🦆

DuckDuckGo Browser

Features: Built-in tracking protection, email protection
Privacy: Good default settings
Limitations: Webkit-based on iOS (limited customization)

Email and Productivity

🔐

ProtonMail

Features: E2E encryption, zero-access architecture
Mobile apps: Full-featured with offline access
Considerations: Free tier limitations, paid features

📄

OnlyOffice/LibreOffice

Features: Open source office suite
Privacy: No cloud sync by default
Alternatives: Avoid Google Docs, Microsoft 365

🗂️

Cryptomator

Features: Client-side encryption for cloud storage
Compatibility: Works with all major cloud providers
Use case: Secure existing cloud storage accounts

🔒 Device Hardening

Physical Security

🔐 Lock Screen Security

Use strong PIN (6+ digits) or passphrase
Enable biometrics as secondary (not primary) authentication
Disable lock screen notifications for sensitive apps
Set short auto-lock timeout (30 seconds - 2 minutes)
Disable USB debugging and developer options

📵 Surveillance Protection

Use Faraday bags for complete signal blocking
Physical camera/microphone covers
Remove battery (if possible) for complete isolation
Leave phone at home for sensitive meetings
Use airplane mode + WiFi for network isolation

💾 Data Protection

Enable full device encryption
Disable automatic cloud backups
Use secure deletion apps for sensitive files
Regular encrypted backups to external storage
Remote wipe capabilities for theft/loss

🔄 Regular Maintenance

Install security updates promptly
Audit installed apps quarterly
Clear browser data and caches regularly
Review and revoke app permissions
Factory reset if device behavior seems suspicious

📊 Operational Security (OPSEC)

High-Risk Scenarios

🚨 When to Leave Your Phone Behind

Sensitive meetings: Legal consultations, activist planning, confidential business
Protests and demonstrations: Risk of mass surveillance and device seizure
Border crossings: Devices can be searched and cloned by authorities
Sensitive locations: Places you don't want associated with your identity
Interviews and journalism: Protecting source confidentiality

Burner Phone Strategy

📱

Hardware Selection

Recommendations:

Buy with cash from different locations
Choose popular models to blend in
Avoid phones requiring ID verification
Consider basic phones for voice/SMS only

💳

Service Activation

Best Practices:

Use prepaid plans paid with cash
Activate away from home/work locations
Use false identity information if legal
Avoid services requiring credit checks

⏰

Usage Patterns

OPSEC Guidelines:

Never use near your primary phone
Turn off when not needed
Use different locations for activation and usage
Dispose of properly when no longer needed

🛠️ Technical Tools

Security and Privacy Apps

🔍

Privacy Auditing

Exodus Privacy: App tracker analysis
ClassyShark3xodus: Local app analysis
SnoopSnitch: Network security monitoring
NetGuard: Firewall for Android

🛡️

Security Tools

Orbot: Tor proxy for Android
Shelter: Work profile isolation
SecondSpace: App cloning and isolation
AFWall+: Advanced firewall (requires root)

🔐

Encryption Tools

VeraCrypt: Full disk encryption
DiskCryptor: Alternative encryption
AxCrypt: File-level encryption
OpenKeychain: PGP encryption for Android

📱 Mobile-Specific Threats

Location Tracking

📍

GPS Tracking

Mitigations:

Turn off location services entirely
Use airplane mode in sensitive locations
GPS signal blockers (Faraday bags)
Remove battery if possible

📡

Cell Tower Triangulation

Mitigations:

Airplane mode (but WiFi still trackable)
Faraday bags for complete isolation
Leave phone at home
Use different phones in different locations

📶

WiFi/Bluetooth Beacons

Mitigations:

Turn off WiFi and Bluetooth when not needed
Randomize MAC addresses
Don't auto-connect to known networks
Clear WiFi history regularly

⚖️ Legal Considerations

🚨 Device Searches and Seizures

Know Your Rights (US Context):

Border searches: Devices can be searched without warrant at borders
Police encounters: You generally cannot be forced to provide biometric unlock, but may be compelled to provide PIN/password
Arrest situations: Police can search your device if it's unlocked during arrest
Fifth Amendment: May protect against being forced to provide passcodes
Warrant requirements: Generally needed for device searches (with exceptions)

Legal protections vary significantly by jurisdiction. Consult local legal experts for specific advice.

Protective Measures

🔒 Before Police Contact

Power off device completely
Use alphanumeric passcode (not biometrics)
Enable auto-wipe after failed attempts
Know emergency lockout procedures

✈️ Before Border Crossings

Backup and wipe device before travel
Use throwaway device for travel
Upload encrypted data to cloud for retrieval
Document serial numbers and ownership

📚 Further Resources

📖 Recommended Reading

EFF Surveillance Self-Defense: Mobile security guide
ACLU Know Your Rights: Digital privacy rights
GrapheneOS Documentation: Advanced mobile security
Mobile Security Research: Academic papers and whitepapers

🔧 Practical Exercises

Audit all app permissions on your current device
Set up a privacy-focused browser with extensions
Practice using airplane mode and Faraday bags
Test emergency device lockout procedures

🎯 Start with What You Have

You don't need a new phone or custom ROM to improve your mobile security. Start by auditing app permissions, adjusting privacy settings, and being more conscious of when and where you use your device. Small changes can make a big difference in your digital privacy.

Back to Protection Guides