Protecting Your Privacy if Your Phone is Taken Away
Your phone is your life. It’s where you communicate, get your news, take pictures and videos of your loved ones, relax and play games, and find a significant other. It can track your health, give you directions, remind you of events, and much more. It’s an incredibly helpful tool, but it can also be used against you by malicious actors. It’s important to know what your phone contains and how it can also make you vulnerable to attacks.
Your threat model is unique and personal. And you will have to decide which solutions are the best for you. The best protection is to avoid creating the opportunity for an attacker to gain physical access to your phone or its metadata. The safest solution would be not to bring your phone to high-risk activities, such as protesting, but this might not be feasible for everyone.
What could someone without access to your phone know about you?
Without any physical access to your phone by an attacker, you might think your privacy is safe. However, your phone constantly communicates with cell towers to be able to transfer data (for your browsing or apps), or receive and send text messages or calls. To do this, the network needs to know which cell phone tower is giving you coverage. In other words, the network knows where you are. This allows parties with access to location data held by your service provider to discover your location and movements.
To protect against this:
- Airplane mode will disable communication with the cellular network. If your phone is not talking to the cellular network, its location can’t be tracked that way. Make sure WiFi and Bluetooth are also disabled since they could also leak information. However, this will also mean you won’t be able to use data or get messages or calls.
- Avoid using SMS or regular phone calls. These aren’t encrypted and, along with your location, can be seen by your service provider and be intercepted with the use of IMSI catchers. Use secure messaging instead, like Signal.
What can someone with physical access to your phone know?
With physical access to your phone, an attacker can get all of the data stored in it. This contains your messages, photos, browsing history, and apps. But it also contains much more like:
- Phone call history
- Messages: This includes SMS/MMS and any other messaging apps that you have.
- Calendar and notes
- Passwords, if stored insecurely, or if the attacker also has access to your password manager (This could be possible if you used a weak master password, thumbprint, or Face ID, or your password manager was unlocked when the police seized your device.)
- Account logins
- Cloud data and backups
- Deleted data: Even if you deleted something from your phone, it can still live in many places in the memory and logs, and it can be recovered. Do not rely on something being deleted.
- App switching screenshots: When you switch or close an app, many devices offer you an overview of the apps running and what they are or were doing. To achieve this, what they do is create a screenshot of the last thing happening on screen within the app. That screenshot is stored and it can be retrieved by an attacker. Some apps will obfuscate this, but most will not. This can expose encrypted messages, passwords, or other private information.
- Location: Your phone constantly logs many details that reveal your movements, such as WiFi access points you’ve joined, logs from your cell phone service, coordinates when you take a photo. Many apps use your current location to provide “relevant” results to searches, weather updates, or for a multitude of reasons.
- Logs: Your phone and apps have all sorts of files logging what it did, errors, and crashes. All of this information is stored and can reveal how you used your phone, who you contacted, and where you were. It’s a vast list that provides a wealth of information to an attacker.
Needless to say, you need to protect your data and access to your phone. The best way to do so is with full disk encryption enabled and with a strong password. Not all devices are equal and you need to verify your device offers full disk encryption. The latest versions of Android and iOS offer full disk encryption by default. To make sure it’s enabled you will have to add a strong password. Do not use passcodes (only numbers) or weak passwords, since there are many tools that can break them easily. If your phone has an SD Card this can also contain information that might not be encrypted by your device.
Some courts have found that you can be forced to unlock a phone protected with a biometric such as face or fingerprint identification without your consent, so it is advised to not enable either option. If this is not feasible, turning your device off will on most devices require the password when turned back on.
Be careful with cloud backups. Although useful to restore your apps and backup messages and images, they can also provide an avenue for an attacker to get your data. Or, if the attacker already has access to your phone, they could use your backups to recover old information like backups of photos and messages. If you can, disable access to them during high risk scenarios.
- Enable full-disk encryption on your device with a strong password.
- Disable Face ID and Fingerprint ID
- Disable cloud backups
- Turn off your phone
To know more on how to secure your digital life we have compiled advice at ssd.eff.org.
What if you get your phone back?
Suppose your phone was taken by the attacker and you managed to recover it at a later stage. What should you do?
If you can afford it and your threat model includes it: get a new phone.
- Change all of your passwords.
- Verify if there’s been access to your accounts. (Some email providers and social media sites show the list of IPs that accessed your account.)
- Factory reset your phone. Make sure to verify what it means for your particular device. Some will wipe the master key for the encryption, others will keep some data. You need to wipe all of the data.
- Sign into your phone with a new Apple ID/Google account to avoid loading potentially compromised cloud backups.