Guide to Smartphone Security

Originally by Jonah Aragon (January 2025) link to IG Post

For most protesters activists and journalists, your smartphone is an essential tool you depend on for organizing with your peers, accessing and distributing information, and helping others. It also represents a great risk as a tool that easily appropriated by authorities or bad acting third parties for targeted mass surveillance.

The perennial question when it comes to protests is whether you should bring your phone at all. If you leave your phone at home that is probably the safest your data will get, and you will be at very low risk of being tracked by mass surveillance tools. ON the other hand, your phoneis a critical resource when it comes to coordinating with others, getting updates on the protest form social media, or simply documenting what is going on with your phone's camera. If possible, bringing a separate devices like a “burner phone,” an old phone you can reset, or even a regular old-fashioned camera is a much better option than bringing your primary phone. Any data you don't bring with you can't betaken from you at the scene. However getting access to or affordign devices like these aren't a realistic option for many people. Whether you decide to take your smartphone or a secondary smartphone with you to the event, this guide will cover how to maximize that device's security and minimize risks to your privacy.

There are plenty of risks you should consider if you use your smartphone at a protest. We are going to try and cover the following in this guide:

1. Losing your device.
2. Authorities confiscating your smartphone.
3. Service disruption, either due to intentional interference by authorities or caused by networks being overloaded by large groups of people.
4. Targeted surveillance:
   • Disrupting your service
   • Blocking delivery of calls/SMS to your number.
   • Monitoring your unencrypted traffic.
   • Monitoring communications over local radios like walkie-talkies, etc.

1. Mass Surveillance:

• Interference with web services. Popular communication platforms like Twitter or TikTok could be throttled or blocked.
• Interference with messengers and voice services like Signal or WhatsApp.
• Authorities could use public Wi-Fi networks in the area to monitor traffic and identify nearby devices.
• Cell Phone companies could provide records to authorities or devices near cell towers in the area to track and identify protesters.

Like all of our guides, we are going to cover the general best practices and provide helpful tips, but your individual situation may be different. You should always research and plan according to what you specifically are doing, ad if you need legal advice you should always consult a qualified and licensed attorney.

Cell Phones are generally tracked by law enforcement and third parties using two identifiers:

• Your IMSI (International Mobile Subscriber Identity), which uniquely identifies your SIM card
• Your IMEI (International Mobile Equipment Identity), which uniquely identifies your phone or physical device.

Thus simply using a prepaid SIM in your primary/personal device is not a fool proof method of avoiding tracking, because your IMEI is still correlatable between networks. Buying a secondary, disposable device is an option that will provide you with much greater protection than bringing your personal device. However, if the threat you face is serious enough that you feel the need to do this, you should strongly consider not bringing a phone at all. Properly securing a disposable/burner phone is fairly challenging and may not be worth it. If you do buy a secondary device for this purpose, you should buy it in- person, with cash.

The location of a phone is tracked by network carriers for at least a year, but you should assume that location history is just kept forever. Therefore, you should activate and set up the device in a very public place that is not significant to your daily life, then always keep it powered off at locations associated with you. You don't want the phone's location to ever be recorded at your home or workplace.

If possible, you should try to purchase and set up this phone well in advance. This certainly depends on your plans, but spreading out your purchase, activation, and use of the device makes it less easy to detect. also makes it less likely that the store you bought the phone from still has security footage of your purchase. You will also want to make sure you do not identify yourself when purchasing a cellular plan. This is highly dependent on your country, but many prepaid plans will not require any identification to activate. There are also some global eSIM providers which will accept payment without need to identify yourself to them.

Your secondary device should still be a reasonably modern smartphone. The security measures we cover below regarding hardware and software security still apply. Smartphones are more secure against the sort of threats that activists are likely to face-such as someone trying to crack into your device's data-than a simple/feature/“dumb” phone will be. They also have many more options for secure & encrypted communication methods that we'll cover below as well. Using a secondary device only at the protest allows you to leave your primary device powered on and at home. This potentially provides some plausible deniability, if someone requests the location of your phone during the time of the event later.

If your phone falls into the wrong hands, the information on it could be hugely damaging to yourself or others. Make sure you've taken the necessary steps to prevent it from being broken into.

At a bare minimum, you should use a 6-digit PIN, but ideally you should protect your phone with an alphanumeric passphrase. This prevents people from trivially accessing your data, and additionally protects your data with strong encryption.

Barring a massive security exploit (more on this later), most law enforcement tools work by essentially brute-forcing your PIN, running tons of guesses until it gets one right. This makes a long and unique passphrase your strongest protection against your data being stolen by people in possession of your device.

In the United States and many other countries it is legal to refuse to unlock your phone or provide your passcode to law enforcement. Know your rights wherever you're located before attending a protest, so you aren't blindly following orders later.

We commonly recommend using biometric features like Face ID or Touch ID to prevent “shoulder surfing” attacks, where an attacker steals your PIN by discreetly watching you enter it, or where your PIN is recorded by surveillance cameras in the area.

However, in this situation it may make more sense to disable biometric authentication. Authorities are trained and known to use biometrics quickly to forcefully unlock your device, so you should be mindful of this

fact when deciding what to do. If you disable biometrics, be wary of shoulder surfing attacks and prying eyes by obscuring or covering your phone whenever you unlock it. Whatever you do, make sure you know how to quickly shut down your

phone or disable biometrics at a moment's notice. Many phones have begun replacing the standard “hold down the power button” function with voice assistants or other features, so practice performing the actual shutdown method beforehand to familiarize yourself.

Modern iPhones require you to hold down the side button and either volume button before the power-off slider appears. Even if you don't get a chance to slide to power off, getting to this screen will at least disable biometric authentication, making your phone a bit more secure than it otherwise might be.

In the United States, it is still a legal gray area when it comes to whether

law enforcement can force you to use biometrics, but many court decisions have leaned toward saying they can compel you to use your fingerprint. Using a passphrase and disabling biometrics gives you more robust 5th Amendment rights. In other countries you should again familiarize yourself with your rights in this scenario, so that you can make the most informed decision.

Even with your device locked, law enforcement can see everything you're up to simply by scrolling through your notifications. Reducing the amount of information accessible on the lock screen improves your security and the security of those you're messaging, so make sure your notifications are only visible when your device is unlocked.

On an iPhone:

1. Open Settings

2. Navigate to Notifications

3. Navigate to Show Previews

4. Select Never (or, When Unlocked)

On Android:

1. Open Settings

2. Navigate to Notifications

3. Touch Notifications on lock screen

> Select Don't show any notifications

4. Switch Sensitive notifications to off

The best way to protect your data is to not have it on your phone in the first place. If you're using a secondary device, simply don't install anything other than what will be absolutely necessary during the protest, like a secure messenger.

Otherwise, delete any cloud storage apps you don't need access to during the protest. If you're able to delete an app and then download it later and log in without experiencing any data loss, then that app probably doesn't need to be on your phone all the time.

Some password managers' have the option to temporarily remove

certain vaults from your devices, 1Password calls this Travel Mode for example. You can do this manually as well, by having a separate password manager or vault with only the essentials you will need at the time, and removing your primary password manager from your device for the duration of the event.

In a similar vein, any functionality you have enabled while your device is unlocked can pose a security risk. It is always best practice to reduce your attack surface by disabling these options whenever possible. Even though these features are typically designed to not pose a security risk to your data, they have been known to be exploited in the past to bypass lock screens and other security features.

1. Open Settings

2. Navigate to Face ID & Passcode

3. Scroll to the Allow Access When Locked section

4. Switch all features you don't need off

On Android, disabling functionality while the phone is locked will vary widely by manufacturer. Some like Samsung provide more flexible options in their lock screen settings, but others like Google do not provide the option to disable the quick settings panel or other similar features.

Your Android phone might have the option to store files or photos on a microSD card, but these cards are not always subject to the same encryption standards as your phone's built-in storage. You should check whether your microSD card can be encrypted in your phone's settings, although this will prevent it from being read by other devices like your

computer later. Additionally, even if it's encrypted, it still won't benefit from the same security protections that your phone's built-in storage provides, such as advanced brute-force protections. Ideally you should remove all external storage devices from your phone during the event, and save photos, videos, and other files to your phone's encrypted internal storage.

Consider Your Phone's Security Patches

Exploits against smartphones are discovered on a very regular basis, and spyware companies that work with law enforcement-like Cellebrite- abuse these exploits to crack into stolen devices. If your phone is no longer receiving regular updates from its manufacturer, you are in a very dangerous position as you may be vulnerable to the exploits used.

In general, we consider the latest iPhone and latest Google Pixel to be the most secured against this sort of threat. You can increase your security further by using a hardened alternative operating system on your Google Pixel.

Robust security information about phones from other manufacturers is less common. If you use a different device you may still consider the risks to be worth it, but if confiscation is of particular concern to you, or especially if your phone no longer receives security patches, you may want to consider leaving the phone at home.