Tag: mobile

Some Thoughts on Faraday Bags and Operational Security

Posted November 25, 2015 in security mobile

I recently took a trip to Moscow to interview National Security Agency whistblower Edward Snowden about operational security. In the article I published on The Intercept, I mentioned that I used a faraday bag.

Our first meeting would be in the hotel lobby, and I arrived with all my important electronic gear in tow. I had powered down my smartphone and placed it in a “faraday bag” designed to block all radio emissions.

Continue reading →

Despite Google’s statement, they still have access to your wifi passwords

Posted July 19, 2013 in crypto mobile security

UPDATE: The Android bug tracker isn’t the correct place to ask Google to fix this bug. The backup/restore feature is part of the proprietary Google apps for Android, not the open source Android project. This thread on the Google product forums is the correct place.

Earlier this week Ars Technica covered a bug report I posted on the Android issue tracker about the “Backup and restore” feature not offering encrypted backups.

Because there’s no option to encrypt your backup data on your Android device with a passphrase that you set, Google has the capability to see the plaintext data, including all your saved wifi passwords. Google can then be compelled to give up this data (and any other user data that they store) to the US government when requested to do so.

Continue reading →

Use Android? You’re Probably Giving Google All Your Wifi Passwords

Posted July 11, 2013 in crypto mobile security

Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.

And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Continue reading →

Mobile Location Anonymity: Proxying Twitter, IM, and Email through Tor on Android

Posted February 1, 2013 in crypto mobile tor

Each time your computer makes a connection to a server on the internet, you tell the remote server, as well as your ISP and every router in between, your IP address. If you’re using the internet on your phone you might be disclosing the IP of your 3G or 4G connection, or the IP of the wifi network you’re connected to.

If your phone checks for new emails or tweets every couple minutes, or keeps up a consistent connection to your instant messenger server, any of those services is almost definitely logging a history of your IP addresses.

This IP address data could be used to figure out your physical location over time. This is the information that New York City subpoenaed Twitter for, to get the private messages and IP addresses (read: location data) of Occupy protester Malcolm Harris.

Continue reading →