I carry my smartphone with me everywhere. It does everything from Facebook and email to keeping me in the loop with SMS, instant messaging, and real, live phone calls. There’s just one problem — what happens if my cell phone is stolen and I can’t remote wipe it? What happens if I’m stopped at the border of a foreign country and my mobile devices are searched, or what if I’m on a GSM network and am kept under surveillance that includes the decryption of my normally encrypted GSM phone calls and text messages?
You may think that these scenarios are some sort of Orwellian science fiction but they are all very possible and in some cases easy to perform. If you find yourself in a position of power or trust, you have a real need to encrypt your data from prying eyes and sticky fingers (especially with laptops and cell phones — prime targets for identity thieves and social engineers).
The following is a list of free or nearly-free utilities that you can use in your day-to-day life to secure everything from your mobile phone* to the data on your thumb drive without too much fuss.
*You may notice that blackberry is missing from this list — my research showed them to be incapable of making convenient user-friendly SMS encryption, and their connection is controlled and encrypted from the Blackberry Enterprise Server and the client device (usually BES is for business users). I also wanted to focus on more consumer-oriented smartphones. If you’re looking for a enterprise level view, check out this chart from Infoworld that contrasts control between the major smartphone OSes.
APG + K-9 Mail (free): APG acts as a keyring manager, generator, file encrypter/decrypter and email encrypter/decrypter all in one, and it interfaces with the K-9 mail program to allow you to easily use your PGP keys to send and receive emails. In my tests it was incredibly simple to set up and use keys through K-9 Mail and APG. You don’t need to use K-9 Mail with APG if you don’t want to, however. AGP allows you to select from many different algorithms and protects your keys as well.
Encrypted Phone Services:
RedPhone (free):This free android program by whispersys.com will use VOIP technology to encrypt the phone calls that you make to other RedPhone users. It keeps the connection secure and your call log and contacts encrypted and private and integrates well with the android system, where you can select phone numbers to be called using the regular phone or RedPhone at your whim.
TextSecure: Another gem created by whisper systems this program encrypts the text messages using known secure algorithms (unlike many other applications in the android app store using weak encryption). Not only does this application encrypt the text messages, it can import and encrypt your entire SMS archive and password-lock it so that nobody else can access your text message history or contacts but you. I highly recommend this to anyone seeking a modicum of privacy in their communications.
LokPixPro (Paid): The only paid application on the list for Android, this application allows you to encrypt photos in your photo gallery, and will even allow you to encrypt pictures directly from the camera device itself before it’s stored on the phone according to their http://closecrowd.com/. The program even uses AES encryption algorithms (Though it doesn’t disclose what key strength is being used.)
Additional Security Features:
Lookout Mobile (free): I personally use Lookout Mobile on my Android device. It allows me to perform remote wipes, locate my phone, even make it yell so I can find it if I lose it. It also protects me from potentially malicious applications with a built-in antivirus and remote backups to the Lookout Mobile website automatically! This is a must-have for any android user. The only gripe with this program is the feature it has for enumerating all of the access features each app asks for. This feature is for paying members only (and is the only feature one gets for paying) but you can easily do this yourself by going through the android settings. Other than this, it’s one of the best and most useful applications in the android market.
Disappointingly I could not find any (trustworthy) applications on the Apple app store that were able to securely encrypt phone calls (for free and not as a paid monthly service) or SMS messages, or even email. If you use an iPhone application that provides encryption capabilities, please contact me (@crypt0s on twitter or Bryan@crucialpointllc.com). The lack of secure device encryption on the iPhone is something of a well-known problem, illustrated here in this wired.com article. Also, unless the database of text messages and the phone call history can be encrypted, then the messages and your privacy are at risk. Even a search through several jailbreak software repositories didn’t turn up any promising applications.
Other Security Features:
The iPhone does support remote wipe and a few other interesting security features, but to get these you need to connect the phone to a Microsoft Exchange server and be or get an administrator-level user account. If you are connecting to your corporations network and planning on keeping secret data on the phone, be sure to understand your companies usage rules, some may stipulate that they can seize your phone for security investigations.
:::Windows Mobile/Phone 7:::
WMKits (paid): WMKits has a very comprehensive SMS encryption application for Windows Mobile as well as an application to encrypt photos on Windows Mobile phones, however it’s not compatible with the new Windows Phone 7 operating system, which unfortunately does not have any encryption built into the phone at this time (including email). You can check out the WMKits software at their website, http://www.wmkits.com
Other Security Features:
Windows Mobile versions under version 7 have great interaction with Microsoft Exchange server and you can set all sorts of security policies for these phones from there. For Windows Phone 7, this is not currently the case, as Windows Phone 7 is not integrated with Microsoft Exchange Server. It’s the opportunity cost of owning a next-generation Windows Phone (for now).
Firefox has a few extensions that will attempt to use HTTPS connections instead of HTTP connections:
Force TLS (for versions of firefox below 4)
STS-UI for Firefox 4.0 and above (Still in beta at the time of writing.)
HTTPS-Everywhere — HTTPS-Everywhere was created by the EFF to force websites to serve HTTPS websites.
Chrome currently has several extensions that force HTTPS connections, however they currently leak information (unless running in incognito mode) when first determining if a target website has HTTPS, which can put your personal information at risk if the website has stored cookies (like for auto-login or “remember me” features).
There is a HTTPS-redirect extension in Opera, however it does load the insecure page first, which can potentially leak sensitive information to everyone on your network (esp. wireless). If you have to use it, be aware of this.
As of the time of writing, there is no way to consistently load HTTPS pages in IE through redirects or otherwise.
:::Chat and Instant Messaging:::
Generally the best way to secure your instant messaging is to use Off The Record messaging plugins inside your chat client. Perhaps the easiest client to set up (and the one I reccomend to people) is a combination of Pidgin and Off The Record.
Pidgin can be downloaded from pidgin.im
OTR Plugins can be downloaded from cypherpunks.ca/otr/
Pidgin should support your instant messaging service of choice, be it AIM, MSN, or ICQ or more obscure services.
:::Operating Systems and Data Storage:::
Windows (all versions):
Truecrypt is perhaps the best single solution you can have on Windows because it allows for free system-level encryption on every version of Windows. You can also create encrypted volumes, use stenography, or encrypt entire drives like USB thumb drives. http://www.truecrypt.org/downloads
Whole disk encryption isn’t available for Mac from TrueCrypt, but it is available from pgp.com. The rest of the Truecrypt features are available to Mac OSX users, including stenography.
You can easily set up encryption at install time on Linux, selecting either whole disk encryption or just the home directory during the install process. To encrypt your main drive even after you have installed linux, look into using LUKS and dm-crypt. That combination of software is currently the preferred encryption method of many Linux flavors, including Fedora and Ubuntu. If you don’t want to go down that road for a removable or secondary drive, Truecrypt is available for Linux as well.
If Truecrypt doesn’t do what you want on Windows, Mac, or Linux, you can find a large list of disk encryption software and their features at this Wikipedia article.
Have something to say or add? Contact me on twitter: @crypt0s and I’ll add it to this article!
- Android: Disruptive? Not enough info to say
- Android Apps Reviewed and Used Here
- OpenSolaris for the Small Office / Home Office