Category: Mobile Phone

Mobile phone security

  • Bypass Internet censorship in Android with Psiphon

    Psiphon is a free open source application from a Canadian company that helps millions of people all over the world bypass Internet filtering. The software acts like a proxy and hides your computer's IP from the websites you visit, but it was not built to make people anonymous on the Internet; the reason for Psiphon’s existence is to bypass filtering in countries where Internet Service Providers block websites.

    The software can only be used on Android and Windows; if you are an Apple user this is not for you. The lack of iOS support is perhaps because Psiphon is targeted at users in the Middle East, where few iPhones and Mac computers are sold.

    Psiphon anonymous Internet browsing

    Although my ISP does not have filtering I was thinking of using Psiphon in my smartphone because it is free and my current VPN charges me extra if I add a mobile phone device to the package, I also liked that registration and configuration are not necessary and there are multiple proxy locations. I don’t use my smartphone for banking or shopping of any kind hence even low security is enough for what I want to do, stop marketers tracking me online.

    Psiphon for Android comes with its own browser, built-in adblocker and set to a homepage that cannot be changed. The homepage contains a small ad banner, that is how the company makes money. I did not find it too intrusive, there are no adverts while you surf the Internet, I was only shown them when I launched the browser and if it really bothers you, a paid for Psiphon Pro version gets rid of all advertising. But since my main reason for using Psiphon was price, i.e. free, I would never pay for the Pro version, anybody willing to do that will be better off with a specialised VPN provider.

    What Psiphon is good for

    • Access georestricted content
    • Bypass ISP filters and unblock Facebook and Twitter
    • Protect your data in public Wifi access points

    What Psiphon is not recommended for

    • Hide from the NSA or law enforcement
    • Filesharing or bandwidth intensive activities
    • Whistleblowing and other high security needs

    The app has four easy to navigate tabs, my favourite, the Stats tab, displays how much data is being sent and received. If you are on a tight data metered plan you might want to download Psiphon for this feature alone. Another tab displays connection logs, another one has settings and the Home tab lets you stop and start Psiphon. Everything nicely organised.

    The main problem I had with Psiphon is that most websites I visited using the Psiphon browser did not identify I was on a mobile device and they showed me the desktop version of the site, which made it very hard to read. The way to solve this is to go into options, tick the “tunnel the whole device” box, and use your own smartphone browser, e.g. Brave, Firefox, etc., instead of the one that comes with Psiphon.

    I also felt the speed was low and pages were taking a bit too long to load. Because of this I have decided to uninstall Psiphon. I would recommend this application if you are inside a country that blocks access to websites, but otherwise I believe a free VPN might be better. I especially did not like the embedded Psiphon browser; I like to use my own.

    Visit Psiphon homepage

  • List of mobile apps to film incidents with the police

    The following mobile apps allow you to record casual encounters and conversations you have with police officers. In a court of justice the word of a law enforcement agency is worth more than the word of a civilian; without a witness or a full recording of the encounter the judge will not believe you. The evidence gathered by these apps will protect you from misunderstandings.

    Before recording the police, make sure that this is legal to do in your country, it will greatly vary from place to place but, as a rule of thumb, you are not normally allowed to record inside private property unless it is your own or you have permission, but you are allowed to film in the street, parks and roads.

    Hands Up App: With the phone placed on your car’s dashboard, after being pulled over by the police, a single click recording button can be activated to capture video and audio of the car stop. The phone’s main window goes black after the first 10 seconds to give the impression that the phone is switched off. Videos will be tagged with GPS coordinates and they can be automatically saved online to your YouTube or Dropbox account every 2 minutes.

    Handsup4Justice mobile phone police recording

    I Am Getting Arrested: Inspired by the Occupy Wall Street protest movement, this app can be used to broadcast an SMS message to the contact list of your choice, letting them know with a single click that you have been arrested and the GPS coordinates of where it happened. Recording of the incident is not available.

    Unlawful Stop: Integrated with Google +, this app can stream live footage of your interaction with the police to Google Hangouts, placing a video call to up to 10 friends for them to be able to watch the police stop in real time. A copy of the recording can also be saved online to help out the police remembering facts when their cameras have stopped working or evidence has been accidentally destroyed. This is a paid app with prices depending on the level of features you need.

    Stop and Frisk Watch: Made by the American Civil Liberties Union in New York, this mobile application can start audio recording with a single trigger on the phone’s frame. After you have been stopped by the police, an alert function will send a warning to other app users in the area to let them know of this and where it happened. Police misconduct can be reported to ACLU from within the app.

    Mobile phone police app Stop And Frisk

    Mobile Justice: Made by ACLU in Oregon, this app captures exchanges between police officers and community members and emails the videos directly to ACLU Oregon to preserve the evidence. Optionally, it can alert other app users nearby that a police interaction has just taken place, useful in demonstrations to ask for witnesses. The app includes a Know Your Rights legal guide for Oregon.

    The SWAT App: Currently in development, this app will allow you to record police encounters with a single click and stream it live to the Internet or save a copy to the cloud. It will also have basic legal information on what your rights are when stopped by police and allow you to fill in an incident report that can be saved on your phone or sent directly to a police department using your phone’s location services.

  • Best apps to encrypt mobile phone calls

    The following apps allow you to make free worldwide calls to other people that have the same app installed. Security wise, not only are your calls encrypted; VoIP apps also bypass data retention laws, as calls made with a calling app are not recorded by your network provider.

    The best apps to make a secure call are those that are open source, available for Android and iPhone and encrypt your call with keys only you hold. You should also try to go with a company that does not have servers or offices in a country where mass surveillance is known to take place.

    RedPhone: Free worldwide end to end encrypted calls implementing the open standard ZRTP, app source code is open to review, there is no need for another ID, this app will use your everyday phone number to make and receive secure calls.

    Simlar: Developed in Germany, open source app to establish end to end encrypted calls with the ZRTP protocol, a cryptographic key agreement for VoIP calls; not even Simlar developers can listen in to the calls. To protect from man-in-the-middle attacks, Simlar shows a small code on the screen that can be read to your contact to confirm that you are both looking at the same code.

    Secure voice calls Simlar app

    Wiper: This app keeps no logs of the encrypted calls. It can also be used to send messages with a wipe option that will erase them from the Wiper server, your phone and your friend’s handset, making later recovery impossible. An integrated Bitcoin wallet in Wiper lets you receive or send payments without leaving the encrypted chat; transactions will show on the same screen.

    Zoiper: Encrypted VoIP calls with TLS/SRTP and ZRTP protocols, this softphone can be used in Windows and Linux desktop computers as well as mobile phones, it appears to be targeting the business market. The program can be used in a call centre, hooking up remote workers with a business telephone system.

    CoverMe: Full mobile phone communications suite securing calls, messages, files and phone storage. CoverMe encrypts your calls, sends self-destructing text messages and creates an encrypted vault in your phone where you can store private data. A decoy password can be set up in the event that you are forced to reveal it. The app also assigns you a US phone number that can be used to receive calls.

    CoverMe secure Android calls

    CryptTalk (subscription): Peer to peer encrypted calls using standard algorithms and perfect forward secrecy without any server involved in the process. Only communicating parties have access to the encryption keys; third party decryption of text messages is not possible. A monthly subscription is required to use this service after the trial period but you can use it for free indefinitely in receiver mode.

    Signal: Compatible with the Redphone app in Android from the same developers. Signal is open source, using ZRTP for secure voice communications. Calling somebody who has not installed Signal will trigger an SMS link prompting them to download it. The company plans to add secure text messaging that will be compatible with TextSecure and a future release of an Android version.

  • Android encrypted video recording app Strongbox

    Strongbox is a free open source app for human rights and privacy activists to be able to record video with their phones without having to worry about the device being lost or seized, although in some countries you can be charged for not revealing your password to law enforcement.

    The app is really simple to use, when you launch it for the first time you will be prompted to compose a passphrase to locally encrypt the videos, if you forget the passphrase, all data will be unrecoverable and lost.

    Straight away after login you enter the video mode with two big buttons at the bottom of the screen, the one represented by a camera logo starts the recording when tapped, the other button represented by a memory card logo gives you access to the video library.

    Stored videos have timestamps next to them, you can view the video on your phone, delete it or upload it to a server. Strongbox gives an internal IP address where the video should be uploaded, I found it confusing, being an internal IP many people will not realise it is their own computer IP, another thing is that when you erase a video no confirmation is asked for and files can be deleted by mistake.

    Android encrypted video recorder Strongbox

    Footage is encrypted on the fly as you film; files never touch the memory card, and videos are stored inside the encrypted container in Strongbox. The encryption algorithm used is 256-bit AES in GCM mode, which provides confidentiality and integrity. A lock allows you to instantly close down the app with one tap, preventing access to the videos.

    I would use this app to keep my own videos private and not much more, I found the sharing options lacking, that is a problem if your phone is seized. An oppressive law enforcement agency will not be able to view the recordings but you will have lost access to what could be indispensable footage of abuse, I wish there was an easy way to quickly get the videos out of the phone.

    This is a basic app with basic functions using standard encryption that can be checked for bugs and backdoors, probably useful to keep video clips of your girlfriend intended for personal viewing encrypted.

    Visit Strongbox in Google Play

  • Zendo a One Time Pad encryption messaging app

    Zendo is a free iPhone and Android app for encrypted chat. Users communicate directly with each other using One Time Pad encryption keys that they will have previously exchanged in person.

    After installing the app you will see two options on the screen, one displaying a QR code and a second button to scan other people’s codes. Pointing your camera phone to the QR code seen on the screen of your friend’s phone authenticates both devices via Wi-Fi Direct and encrypts the connection with AES256; it then exchanges multiple One Time Pad encryption keys (0.5MB). If anybody listened nearby and captured the exchange you would not have to worry, as the connection was initially encrypted.

    The strength of One Time Pad encryption is that a new key is used for each one of your messages. This is why you need multiple keys, and why if anybody managed to crack one of the keys they would only be able to read a single message; to be able to decipher a whole conversation your adversary would have to crack hundreds or thousands of encryption keys.

    smartphone encrypted chat Zendo

    Another security feature is that the messages and photos you send are encrypted before they leave your phone, to extend the longevity of One Time Pad encryption keys, photos are encrypted with AES256bit.

    In advanced settings an “Out-of-Band Messaging” option enables you to send encrypted Zendo messages via email or SMS; you are not required to use Zendo servers to deliver messages to other users you have exchanged keys with. Another option deletes all messages on close: ticking the box will automatically erase all messages and photos when you close the app while keeping your contacts and the encryption keys you have exchanged. A third option steps up security to paranoid level, allowing you to exchange large encryption keys; this choice will reduce phone performance in low end devices.

    For privacy, Zendo servers do not log any IP, they are quickly erased, and you never give the company any email address or phone number; your contact list, messages and photos remain on your phone and not on Zendo servers. The company can’t spy or help anybody spy on you with the information and capabilities they have.

    One Time Pad encryption app Zendo

    When you run out of One Time Pad encryption keys you will have to meet again in person and top up, this will seem annoying to many people but it is a good excuse to have a face to face meeting with somebody, there is a certain social element in Zendo. This is an app to communicate with people you know in real life and are close to you. The biggest downside of high security is usability as Zendo proves, you can’t use this app to chat with people you just met, keys can not be sent over the Internet.
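The key bookkeeping this implies (every key byte used for one message only, and a top-up needed once the pad is spent), as an added example that is not Zendo's code. The class and function names are hypothetical, the pad is a constructed 32-byte sample rather than 0.5MB, and only one direction of the conversation is modelled.

```python
import secrets


class PadExhausted(Exception):
    """No unused key bytes left: the two phones must meet again to top up."""


class OneTimePad:
    """One direction of a conversation; both phones hold an identical copy."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._next = 0                       # index of the first unused key byte

    def remaining(self) -> int:
        return len(self._pad) - self._next

    def _consume(self, offset: int, n: int) -> bytes:
        if offset < self._next:
            raise ValueError("key bytes already used; refusing to reuse them")
        if offset + n > len(self._pad):
            raise PadExhausted(f"need {n} bytes, {self.remaining()} left")
        key = bytes(self._pad[offset:offset + n])
        self._pad[:offset + n] = bytes(offset + n)   # wipe used key material
        self._next = offset + n
        return key

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        offset = self._next
        key = self._consume(offset, len(plaintext))
        return offset, xor(plaintext, key)

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._consume(offset, len(ciphertext)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leaks_plaintext_xor() -> bool:
    """Why key bytes are never reused: with a repeated key the key cancels out
    and an eavesdropper learns m1 XOR m2 from the two ciphertexts alone."""
    key = secrets.token_bytes(16)
    m1, m2 = b"lunch on tuesday", b"call me tonight!"   # constructed samples
    return xor(xor(m1, key), xor(m2, key)) == xor(m1, m2)


if __name__ == "__main__":
    pad = secrets.token_bytes(32)            # constructed tiny pad (Zendo: ~0.5MB)
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    offset, ct = alice.encrypt(b"meet at noon")
    print(bob.decrypt(offset, ct), alice.remaining(), "key bytes left")
    try:
        alice.encrypt(b"a message longer than the pad")
    except PadExhausted as exc:
        print("top-up needed:", exc)
```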

    Zendo is a niche app where the person you are chatting with will be as overtly suspicious about privacy and security as you are, I see next to zero options to convince my friends to use it otherwise. The app is not open source but the code was opened for an independent audit. The developers say that Zendo will always be free, monetization will be made in the form of premium features to be added in the future.

    Before using this app remember that, no matter how secure your messaging app is, if somebody manages to introduce a virus in your smartphone, they will be able to read everything, security has to be implemented all over the device.

    Visit Zendo in the Apple Store or Visit Zendo in Google play

  • Open source mobile phone app SureSpot for encrypted chat

    SureSpot is an Android and iPhone open source app for encrypted end to end chat. You can send pictures and text, and nobody can decrypt the messages, not even the app developers. AES256 bit encryption keys are created in your phone and the Diffie-Hellman key agreement protocol is used to exchange them securely without having to grant private keys access to a third party; only the person you are communicating with is able to read the messages and view the photos you send.

    A spy agency attempting to wiretap Surespot will find that there is not a single server they can attack for mass surveillance; they would have to hack all the end point phones to listen in, which would be impossible to do if Surespot became popular. For further privacy, Surespot can create multiple identities to chat with different contacts, your identity can be backed up, restored or permanently erased, and the paranoid person can create new encryption keys as often as needed.

    Another nifty feature is that you can delete the messages you have sent from the receiver’s inbox and lock attached images to stop them from being saved outside the app. Surespot also locks itself after a few minutes of inactivity to stop impersonation in case your phone is taken while still on.

    SureSpot encrypted mobile phone chat

    Unlike WhatsApp and other privacy invasive chat apps, people in your contact list will not get automatically notified when you install Surespot. Before a chat can take place you need to know the nickname of the person you would like to communicate with, and that person will have to accept the invitation. The app is free for chat; paying a small fee will add voice messaging so that instead of typing you can talk to your mic, record a message and send it encrypted to your contact. Another tab in the app allows for an optional Paypal or Bitcoin donation.

    This privacy app earned one of the highest marks in the Electronic Frontier Foundation score card; the only downsides the EFF highlighted were that Surespot code has not been audited and the possibility of somebody getting access to your phone. The common auditing problem comes down to raising enough money, it is not the developers' fault, and the danger of having your phone stolen can be partially fixed by fully encrypting the phone.

    I liked this app a lot, it has all I want from a secure mobile chat app, the most important factors being that Surespot is based on trusted encryption algorithms, it is open source which allows experts to peek in and check for bugs or backdoors, and the app does not use your phone number as a contact, the person you are chatting with will not find it out unless you tell him, the only missing feature is that you can’t set up a group chat, which I don’t currently use. I am adding Surespot to my list of favourite apps.

    Visit Surespot homepage

  • Kali NetHunter, mobile device distribution for hacking

    Kali NetHunter is an open source mobile distribution for Nexus mobile devices developed by a well known IT penetration testing company called Offensive Security, the same developers of Debian based Kali Linux for desktop computers. Kali NetHunter turns your Nexus mobile phone or tablet into a pocket penetration testing suite able to launch attacks on wireless networks and unattended computers.

    One of the attacks demonstrated in video by the distribution developers is called HID keyboard, and it shows how a mobile phone running Kali NetHunter plugged into a computer USB port can automatically type in pre-programmed commands without touching the PC physical keyboard. With this technique, which also works with the lockscreen switched on, it would be possible to install a trojan horse or copy hard drive content in the target computer.

    Kali NetHunter hacking for Nexus mobile

    Another powerful attack is using Kali NetHunter dnsmasq to provide DNS and DHCP services to a small network, which allows for all kinds of man-in-the-middle attacks, from displaying a fake phishing page that captures credentials every time somebody requests the URL for Paypal or Facebook, up to blocking Internet access to the whole network by blocking DNS look ups. Other possible attacks are sniffing, spoofing, vulnerability scans, gathering information on a target computer, breaking into a wireless network and dozens more; all of the Kali Linux tools are included in NetHunter.

    After installing Kali NetHunter in your mobile device it is easy to launch any of the included penetration tests, you don’t have to use the command line if you don’t want to, many exploits can be launched with a webpanel and a VPN can be set up to cover your tracks, securing your connection from packet sniffers on the network.

    At the moment Kali NetHunter is only available for Google Nexus mobile phones and tablets, Nexus comes rooted with an unlocked bootloader, this makes it simple for end users to modify factory Android operating system settings. Other Android builds could become available in the future, NetHunter is open to community contributions.

    There have been reports of various antivirus software flagging the official Kali NetHunter download as a virus. Make sure to get it from the official site and compare the supplied file hashes so that you know it has not been tampered with. You should also change the default “toor” password to something else.

    Visit Kali NetHunter homepage