Something a Little Different

(First Published on Medium September 2020)

Now, I thought I would write about something not totally OSINT related but maybe of use in some instances. As you know I like a bit of privacy too, so I thought I would do a little article on how we can achieve a little more privacy. We appear to spend vast sums on the latest super-duper mobile devices but then either don’t consider or don’t want to spend extra on safeguarding our privacy. Yes, it can cost, but I want to demonstrate how you can still buy a good quality mobile phone and afford to spend a little on your privacy too. Don’t forget that simply locking down your mobile phone’s privacy settings doesn’t cost a penny.

A caveat here: this is just one way you can approach this subject and not everything contained within may be suitable or desirable for everyone. This is a non-technical guide using everyday apps and services (I don’t do technical really well). Take what you want, leave what you don’t want.

Modern Apple and Android phones, for example, now offer embedded eSIMs, so it is now possible to have 2 mobile numbers on one device. We have seen this with some other types of phones that accept two physical SIMs, one of which tended to be a throwaway. A user can now have an eSIM as their main service provider number and then use a pay-as-you-go physical SIM as a throwaway that they can share with friends and family. Once it’s been truly compromised it can be easily changed.

It is also possible for anyone to have control of a second number for verifying apps such as WhatsApp, or even for verifying non-essential services such as junk email accounts. By buying a second phone for as little as £10 and putting a £10 top-up on it, you have a second number used only for authenticating apps, thus avoiding the need to share your real mobile number. The reason for topping the phone up is not because a user requires call data; it is simply so the network does not reclaim the number. Tesco currently sell an Alcatel mobile for £4.99 if you also top up with £10. Buy for cash and no personal details are required.

There are many privacy and operational security benefits to the above examples. The actual second phone and SIM could be stored at your home address and never leave. It also stops others storing your real mobile number on their own device when using messenger apps, thus obfuscating your real mobile number. We know that the apps others have on their devices suck up their contact lists. So that fresh new phone number you have is pretty much busted as soon as you start sharing it with friends and family.

Once you have obtained your second number it can then be used to verify messenger apps such as WhatsApp or Signal. Both of these apps are end-to-end encrypted. Apps such as Facebook Messenger and Telegram are not true E2E, as there has to be some interaction on the part of the user to start a “Secret Chat,” for instance. It is believed that Telegram hold the encryption key, which would enable them to decrypt any messages.

Other E2E messenger apps that are not as well known are Threema and Session. These apps do not require a mobile number to verify and are considered more secure and private than the ones mentioned previously. They rely on the user generating a secret key or ID, which is then shared via a QR code when two people or a group meet and verify each other as being genuine contacts. A mobile number will always be a weakness.

Some of these messenger apps have the capability to auto-delete messages after a certain time or when the conversation reaches a certain length. Usability differs between iPhones and Android phones. Messenger apps are also capable of VOIP calling, in the main only to other users of the app.

VOIP (Voice over IP), also known as VoLTE (Voice over 4G), is another way of making phone calls from a mobile. It does not rely on the traditional mobile carrier method that provides cellular connectivity; instead it uses a wireless network or 4G. There are many third-party apps available on both iPhone and Android that allow you to use VOIP, and they are sometimes marketed as temporary or disposable numbers.

Onoff is a French company that offers British VOIP numbers, as does Hushed, which is an American company. With Onoff you can buy a number with a limitless call allowance for £50 a year. On both platforms you can have numerous disposable mobile numbers. If you’re a journalist or business person, for example, who travels abroad, these apps may be very useful.

Buy a temporary number, share it whilst you are away and keep your personal number private. I read an article by a journalist who went to a country in Africa, ordered a taxi and, when it arrived, the taxi driver knew her name because he had used “Truecaller.” She had shared her personal mobile number so much that it had been sucked up by Truecaller. We simply do not know how our mobile number is being shared and compromised.

Another popular privacy-focused VOIP provider is MySudo, which offers up to 9 alias phone numbers and email addresses for £450 a year, although other pricing plans are available. All of these apps can be purchased through the App Store or Google Play using their own gift cards, which can be purchased with cash from any supermarket.

Another benefit of using an app like MySudo is that the user can store all their contacts in the app rather than in the phone’s default contacts, and stop any calls from appearing in the device’s own call records.

Onoff and Hushed do offer a certain degree of privacy / anonymity; however, you have to open an account to purchase a number (or numbers) and they also capture other data from the user. MySudo, however, is a zero-logging company and you do not need to create an account to use their services. At the time of this write-up MySudo is only available on Apple in the UK; however, it is planned to be launched on Android.

In the privacy policy of Onoff they state, for instance, that they log call data, usage and also SMS and MMS content, along with geolocation data, device identifiers and the standard identifier of detected Wi-Fi networks. Hushed have a similar privacy policy but also retain voicemail messages. MySudo does not capture any of this information, but there are still small tweaks that you can make, such as switching off the submission of crash and anonymised analytics data reports.

It is important to understand that the providers of VOIP numbers are in fact buying the numbers from Twilio, an American company that provides VOIP services, and then reselling them to commercial customers. In general terms VOIP numbers cannot be used for verifying accounts, but there are exceptions to that rule. I tried recently to use a VOIP number for Signal by ignoring the SMS verification option and opting for the phone call verification instead, but that failed too.

It is possible, then, for you to obtain more zero-knowledge, non-traceable communication on an everyday modern mobile phone. I say “more” because I truly do not know exactly how or what companies such as Apple, Google, Facebook etc. are able to capture and how they link it all together, but if anyone knows I would love to know too! (I have previously written about UUIDs and the collection of personal data.)

On top of any measure you take, you still need to consider the basics of locking down the privacy settings of the phone; this will also limit any information Apple or Google obtain, for instance, pertaining to location data. You could lock your privacy settings down and turn off your location data, but then use Apple Pay or Google Pay and still give away location information when you are purchasing goods or services.

So, to try and make sense of it all, let’s try and put this into practice.

An iPhone SE costs £420 and can be purchased for cash. It uses the same chipset as the more expensive iPhone 11 but at a fraction of the price. To set your iPhone up, you can acquire 40GB of data on a Tesco pay-as-you-go SIM costing £20 a month, and this can again be purchased for cash. If the user does not use their own Wi-Fi and instead uses 4G away from their home address, then the IP address recorded on account creation, the one that is valued, will be near worthless. You may also choose to use free Wi-Fi, for instance at Tesco or Asda, as neither ask for authentication details such as mobile number, email, or other PII (personally identifiable information).

You do not have to provide genuine PII when setting up the iPhone either, and you can use gift cards to pay for services through the App Store.

Apple SE 2020 edition.

To purchase 3 VOIP numbers and 3 email addresses with associated minutes and texts from MySudo will cost £100 for 12 months and can be paid for using Apple gift cards, again paid for using cash. On top of that, the use of a zero-knowledge, no-logs VPN (Virtual Private Network) from ProtonVPN will further hide a user’s IP and will cost another £100, again paid for using Apple gift cards.

Then you have the cost of a second phone and top-up for £15. The overall cost is £655, and you will now begin to see that the cost of a more private, secure phone is not that expensive.

Using Apple and MySudo would enable a user to sandbox their communications, not just from the actual physical phone but also between the different apps and elements of their life, to ensure there is no contamination between different parts of your life. By using secure messaging platforms such as Signal, Session or Threema along with MySudo, a contact may never see the original Tesco mobile number that is used to provide 4G.

It is true that more effort is required on behalf of the user to ensure that they follow strict operational security and privacy practices. Even with a VPN I never use my home Wi-Fi; 4G allows you to blend in with numerous other users sharing the same IP, in case your VPN ever fails. If you’re not up to any naughtiness, no one should be interested in trying to find you in the crowd.

When looking closer at the iPhone SE, for instance, we should check whether the following have been disabled in the Settings menu. Android phones have similar settings, but I have to say Apple is easier to lock down. Android appears to have settings within settings and drives me nuts at times.

I have disabled FaceTime as it is searchable via mobile number or email, so anyone with an Apple device can see if their contact is on FaceTime and contact them. Frustratingly, I haven’t found a way to completely disable the search functionality, even if you delete the app. You can only stop people contacting you. (If anyone knows how to disable it completely, please reach out.) If I had an Android phone I could delete Google Duo, end of!

• Wi-Fi

• Bluetooth

• Personal Hotspot

• Siri

• Facetime

• Location Services

• Health

• Motion & Fitness

• Analytics & Improvements

• iCloud

• iCloud Drive

• Find My Phone

Also annoying: you can only update the OS over Wi-Fi. It’s easily achievable on your travels using free non-PII Wi-Fi.

All the above can easily be achieved using an Android phone. In fact Android is a more flexible OS, and as such it is also possible to hide the existence of the apps on your home screen from prying eyes (but not completely). There are many apps that will help you hide apps, such as Nova Launcher. Probably the easiest way is to delete the app from the home screen(s) and from the app tray. Whichever way you hide your apps, they are still easy to find: they have to exist in the Google Play Store’s list of installed apps, so you can find them there. I tend to watch how people look after their mobile devices in public. It is not hard to see what apps are on a person’s mobile.

Apple’s iPhone doesn’t make it as easy to disguise apps. You can do this natively with some of Apple’s preloaded apps by using the Screen Time options in the Settings menu, and there are also apps you can download, but I don’t like the idea of introducing another, unnecessary app and so I haven’t tried this.

Samsung offers a very intriguing app called Secure Folder. The easiest way to explain what Secure Folder is, is to say it is like having a phone within a phone. You can either copy your existing apps into Secure Folder, where they will be sandboxed from the original apps with their own files and cache, or you can download new ones from the Google Play Store and create new accounts.

By using Secure Folder, unlike the Android example above, you would not be able to see the Secure Folder apps in the main phone’s Google Play Store, as it has its own. To access Secure Folder you would need a PIN or fingerprint authentication. The app icon can be hidden from the home screen altogether using Quick Panel. This is something I intend to explore using a dual eSIM device.

Hopefully the above helps people improve their privacy. Even if you only alter the settings of the device you are using, it is still a win.