Encrypt: Be anti-forensic friendly to protect your Android a
Source: Darlene Storm
Happy texters, did you know encrypting SMS messages can help protect against mobile malware targeting Android smartphones? There are Trojans and malware-tainted apps that are intent on stealing text messages or worse. 'Good apps' are often repurposed and crafted to deliver a wicked payload to take over the phone, gain access to text messages and email, or to steal financial data like bank login information.
While mobile malware targeting the hugely popular Android is on the rise, the NSA would never consider approving the Android OS for use on 'secret' military networks if Android were truly a cyber menace. Yet at the mobile security conference TakeDownCon, Moxie Marlinspike said, "Google has done the absolute bare minimum to secure the Android platform."
Marlinspike (@moxie) and Stuart Anderson (@emblem__) are the developers and founders of Whisper Systems and have been working on tools to fill a security "void in the Android OS" for both businesses and people interested in privacy. One such app that encrypts texts on Android is TextSecure. A short 18 months after TextSecure was first released, and then Twitter acquired Whisper Systems, Twitter took a giant step toward making it "harder for governments to snoop" on your Android smartphone. The Twitter Developers blog announced, "The whispers are true.... We're happy to announce our plan to open source some of the Whisper Systems software on Github."
While announcing the open source release on the Whisper Systems blog, Marlinspike and Anderson wrote, "We hope that as an open source project, TextSecure will be able to reach even more people, with an even larger number of contributors working to make it a great product."
Twitter seems intent upon fully releasing "Whisper Systems' code to the public in the coming months," after making "sure it meets legal requirements and is consumable by the open source community." Other Android mobile security Whisper software tools include WhisperCore for "device and data security," WhisperMonitor's network security, and encrypted backups via Flashback. There has been some debate as to whether RedPhone, software that encrypts voice on Android, will be continued after Twitter's acquistion.
Whisper Systems is so highly regarded that the EFF recommended the add-on software WhisperCore to protect Android devices. According to the EFF's Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices: "WhisperCore also supports making a networked backup of a phone's contents, securely erasing them, and re-downloading them later."
The EFF included the following case scenario for activists:
Vera has lots of friends who are involved in controversial activism, and some of them have had their laptops seized at the U.S. border. Vera isn't an activist herself, but worries that the government will take an interest in her if it learns that she's friendly with people who are activists. She takes a travel laptop on an international trip with the minimum information necessary, leaving most of her data at home. Before she enters the United States, she signs out of her Gmail, Twitter and Facebook accounts and makes sure that the passwords aren't stored in her browser. She also uses WhisperCore's full disk encryption app to secure the contacts, text messages, and other content stored on her Android phone. If asked for the passwords, she intends to say no. She knows this might cause the agents to seize the devices, but they are unlikely to break the passwords, which are very strong. If that happens, Vera will still be able to access all the information on the devices because she has stored it remotely.
Make no mistake by jumping to conclusions that the desire to protect your privacy with encryption somehow automatically implies that a person is an activist or friendly with activists; nor does it imply your "anti-forensic" activities are trying to hide something illegal. As stated earlier, encrypting helps protect against mobile malware targeting smartphones.
To those who might grumble about advocating mobile phone encryption, take a quick look around, sons of grinches, and you'll see a huge list of reasons to circumvent attempts at smartphone forensics, e-evidence cellular information harvesters, or the plethora of other forensic SIM tools recommended to forensic investigators and law enforcement. For example, the ACLU tangled with the Michigan State Police after discovering the Cellebrite 'Universal Forensic Extraction Device' (UFED), which is compatible with over 2,500 mobile phones, could suck the data out of a cell phone in under two minutes. There's Fernico ZRT, marketed as "nothing escapes" since it supports "all phones every time;" MOBILedit! Forensic, Oxygen Forensic Suite 2011, Paraben's SIM Card Seizure, and other cell phone forensics such as open source BitPIM, DataPilot Secure View, and GSM .XRY. A slight twist to that is WindowsSCOPE Live which "provides memory analysis of Windows computers on a network from Android phones and tablets."
If you find mobile device forensic tool testing interesting, then National Institute of Standards and Technology (NIST) has a geeky read about it.
| }
|