Ask a hacker: Top four anti-surveillance apps

Ask a hacker: Top four anti-surveillance apps

Summary: After a week of leaks of NSA citizen surveillance and Internet company denials, Violet Blue reports which mobile apps are best for privacy.

SHARE:

Did they or didn't they? That's the question at the end of this week's ground-shaking news that two highly classified programs reveal the U.S. government has been spying on its citizens behind closed doors for years, made public in leaks as reported by Guardian U.K.

One NSA program brought to light this week harvests phone records via Verizon. The second program is called Prism, in which the NSA data-mines user information directly from nine Internet giants, including Apple, Facebook, Google, Microsoft and Skype.

No one has contested the Verizon data/surveillance exchange deal. President Obama today confirmed the existence of both NSA programs and acknowledges Prism, tech companies Google and Facebook issued carefully-worded statements with each company saying it had never head of Prism.

If the NSA is getting their intel without our knowledge or consent straight from the tap, there's nothing we can do to protect ourselves. Except maybe yell at them really loud. Just like in a classic scary movie, the calls are actually coming from inside the house.

Add to this the element of outside information seekers: data dealers who work to make a buck by scraping sites, exploiting security holes, or making direct data sales with the very same companies alleged to be part of Prism. Now we can extend the horror film analogy, where we find out (always too late!) that the serial killer is also the babysitter.

Even against odds, I felt that at the very least we can make someone's job a little bit harder.

Hence the title of this post. I asked not just one, but several hackers who work professionally in high-level security environments what the best anti-surveillance, pro-privacy phone apps are. What is on their phones? What should be on mine?

After they finished laughing at my question (especially in light of the Prism revelations), I got solid answers. You can tell me what I left out in the comments, but I only wanted to post apps that were tested and in use by people whose jobs (or more) depend on personal communication security.

Keep in mind that the sudden activation of encryption tools can draw attention to you, when before there might have been none.

However, now might be a good time to take advantage of the fact that in the middle of this news storm, suddenly lots of people are going to be trying out anti-surveillance software.

Most recommended: Text Secure and Red Phone by Whisper Systems (Android only; iOS in development).

Both apps are free and open source, "enabling anyone to verify its security by auditing the code."

1. Text Secure (play.google.com)

text secure nsa

TextSecure encrypts your text messages over the air and on your phone. It's almost identical to the normal text messaging application, and is just as easy to use. 

TextSecure provides a secure and private replacement for the default text messaging app. All messages are encrypted locally, so if your phone is lost or stolen, your messages will be safe.

Messages to other TextSecure users are encrypted over the air, protecting your communication in transit. TextSecure is the only Android private SMS/MMS messenger replacement that uses open source peer-reviewed cryptographic protocols to keep your messages safe.

Rather than simply pretending to hide your texts by putting them in another place, TextSecure uses cryptography to ensure that they remain truly secure.

2. Red Phone (play.google.com)

red phone

RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in.

RedPhone uses your normal phone number to make and receive calls, so you don't need yet another identifier. Use the default system dialer and contacts apps to make calls as you normally would.

RedPhone will give you the opportunity to upgrade to encrypted calls whenever the person you're calling also has RedPhone installed.

RedPhone calls are encrypted end-to-end, but function just like you're used to. Uses wifi or data, not your plan's voice minutes.

Second place must-haves: Tor apps Onion Browser (Apple iOS) and Orbot (Android), or running your own VPN.

Both Onion Browser and Orbot make use of the Tor Project, but they each function slightly differently (with privacy protection limitations falling on the Apple side of the tree due to the closed nature of iOS).

3. Onion Browser (Apple iTunes)

onion

Onion Browser is a minimal web browser that encrypts and tunnels web traffic through the Tor onion router network and provides other tools to help browse the internet while maintaining privacy.

Websites do not see your real IP address. Your connection is encrypted before it leaves your device, providing protection against snooping by ISPs or people who share a WiFi connection with you.

Tunnel bypasses restrictive firewalls: you can access the entire Internet from behind ISPs or corporate connections, or when inside countries that practice online censorship. Access websites on the "dark net" of anonymous .onion web sites, only accessible in the Tor network.

User-Agent spoofing: hides the fact that you are using an iPhone/iPad from websites you visit. Ability to block third party cookies or all cookies. Can change IP address and clear cookies/history/cache in one button.

CHINA/IRAN NOTE: Due to online censorship techniques using deep-packet inspection (DPI), this app does NOT currently function in China or Iran.

4. Orbot (play.google.com)

orbot

Orbot is a "proxy app that empowers other apps to use the internet more securely. It uses Tor to encrypt Internet traffic and hide it by basically bouncing through a series of computers around the world; it is the official version of the Tor onion routing service for Android.

(...) instead of connecting you directly like VPNs and proxies. This process takes a little longer, but the strongest privacy and identity protection available is worth the wait.

Use with Orweb, the most anonymous way to access any website, even if it’s normally blocked, monitored, or on the hidden web. Use Gibberbot with Orbot to chat confidentially with anyone, anywhere for free.

Orbot can be configured to transparently proxy all of your Internet traffic through Tor. You can also choose which specific apps you want to use through Tor.

Any installed app can use Tor if it has a proxy feature, using the settings found here. Check out our fun, interactive walkthrough.

The thing to know about Tor-based projects is that they will slow down your response times, and for many — privacy or not — this is a dealbreaker.

To Tor or not to Tor, everyone agreed that running a VPN (Virtual Private Network) of some kind is a smart thing to do. Read Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs).

Yes, there is so much more you can do.

A good place to start is The Electronic Frontier Foundation (EFF) Surveillance Self-Defense Guide. If you're low on time to read it all, skip to What Can I Do To Protect Myself?

The EFF now has a two-click form — Massive Spying Program Exposed — where visitors can instantly send emails to their representatives calling for a full Congressional investigation saying, "It's time for a full accounting of America's secret spying programs—and an end to unconstitutional surveillance."

Update Saturday, June 8, 2:34am PST to include footnote: These apps are good to protect you from many types of invasive attacks, but they won't protect against skilled attackers (such as powerful, unethical governments with unrestrained technical access). It's important to know that mobile devices - in this instance mobile phones, specifically - are generally weak platforms. If you're a person who's at-risk, don't bet your life on any app - or any phone.

Topics: Mobility, Apple, Apps, Google, Government US, Mobile OS, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

18 comments
Log in or register to join the discussion
  • Hmm

    don't these require the client to be encrypted as well?

    As for VPN, sure that would be great if they didn't drag your high speed network connection down and, we have no idea whose apps are allowing access to these systems.

    Crud, for that matter we don't even know if ZDNET isn't sending us to these apps because they do play into the Matrix! :)
    slickjim
  • Unknown variables..

    No one knows officially the capabilities of the NSA, CIA, NRO, etc. For all we know their multiple football stadium sized datacenters and compute can parse and crack through items we can only theorize about. Or they truly do have backdoors to items via court orders that we'll never hear of due to gag orders.

    It truly is tin-foil hat level stuff at this point. They either can crack whatever is commercial, some of it, have backdoors into stuff, or nothing at all...

    If you don't have anything to hide, just go about your business. I don't think the guberment cares what 99% of the US population is doing online. They want to find that 1% that can cause damage.
    unredeemed
    • you buy that argument?

      ..that "if you have nothing to hide, you have nothing to worry about?" Once "they" know everything, how long before they start dictating to YOU what you can and can't do, eat, read, experience, attend etc etc?

      Especially after the 'revenooers' get their dirty mitts on your medical records. Like ice cream? Well, given your weight and cholesterol, and seeing the 'public' is paying for your care, we're just going to have to disable buying ice cream on your credit ID chip.

      Uh oh, Mr Unredeemed, that's the 3rd time this month you've bought a six pack of beer... we've gone ahead and scheduled a substance abuse screening for you, thursday after next. Failure to appear will automatically disable your credit ID entirely...

      That's where "I've got nothing to hide" is headed. Either we're free, or we're not. The decision has actually come due right at this moment in global history. Something tells me humanity is going to blow it.
      pgit
      • Yup...

        Nobody complained - and then - all of a sudden there was no one left to complain - because they were all sent to the gulags! HA! Seriously though - we should ALL be concerned - for real. And I say that with my tin foil hat off! :)
        JCitizen
    • It's no tin-foil hat level stuff at this point.

      @unredeemed: I'll point you just one possible publicly known backdoor: the not so new anymore google play store in Android.
      With proper legal mandate a spy agency could in theory gain access to the same nice web interface you use when installing an app+access to some malware apps to (almost) silently install and run any piece of malware they need, hence no need to crack anything on Android.
      Please prove me wrong.
      g1a1m1e1s
  • Another Idea

    Thanks, VB! How about Wickr for iOS?
    m0o0o0o0o
  • Scary stuff

    Now you are guilty until proven innocent.

    [Comment transmitted via VPN] :-)
    SunFire23
  • PS

    The reason you have only four comments is because the govt is apparently achieving its goals of intimidation, & has most people shared-skitless. (Yup, I made that term up on the spot.)
    Paul B. Wordman
  • People must really be stupid

    People must really be stupid to think the NSA needs "special" weapons and abilities that the average "internet user" needs to hide from. The people on the internet today have become so complacent that we brag about what we are doing to the world. Think about the average "internet user". You wake up in the morning, and the first thing you do is "tweet your peeps" your plans for the day. You want to be unpredictable and not be followed by the government, yet you summarize your days itinerary to the world in 140 words or less. Then you go on a site where you use your real name to post opinions for your 500+ "friends" and family to see. If you are lucky, one of your posts about bad service at Dunkin Donuts or a kid going hungry at lunch because his parents forgot to give him money or a bag lunch 2 days in a row goes viral and your life is ruined because you wanted to tell the world your opinion. So before 9am you have given everyone your days itinerary, and possibly gotten fired/shunned by all your friends, but the day is just starting. You see that site where you use your real name to make posts also lists the company you work for, your age, your birthdate, etc..Your itinerary for the day included traveling. What better way to let your people follow you then by posting your travel plans down to the minute by checking in at each stop with Foursquare. You can't forget the pictures. You remember the scandal where there was GPS information embedded into the pictures of most smart phones? How that was handled is they gave the user the option to disable GPS information and instead upload them to Facebook where Facebook asks you where the photo was taken, and you type out the answer. I could go on for days, but I think you get the point...
    Whyzer
  • Encryptiom

    Its funny to see that thouse who dont understand encryption shout the most.
    Encryption is like breaking an egg when cooking,
    or a stone wile digging.
    Only thing you do is when you give one half to a friend , you are sure they have the unike other half.
    This proving the idenity , PGP , tor , truecrypt , red phone , the tools mentiont here all use this principle virtualty...
    the diffrence is the virtal object broken is just as big as 1 square light year. to make in imagineble...
    Like the egg one site only fits to the other site and is always unike.
    The prtection is in the amount off energy needed to create the other half of the object , to break a egg or a stone is easy , to create the missing peace is mutch harder.
    If you make the virtual halfs 1 square light year it will be imposible to break in a resenbele tme by anny computer power even quantom computing.
    Keeping all agenies out.
    xyz12000
  • Out of all the smart phone

    Out of all the smart phone out there, Blackberry is probably the most secure platform. Government has the hardest time to crack. Look at what UAE and India threaten to ban BB unless they make it LESS secure a few years ago. I don't know about the new BB 10 platform but the old one is secure enough for me.
    slam5
  • Franklin was a smart guy, wasn't he?

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

    What was it that compromised the 4th amendment? Oh that's right, The "Patriot" Act.
    AlkiDweller
  • Data Collection

    What is being monitored and ecorded is no the content of the communications but the connectivity. That is this number XXX-XXX-XXXX called this number XXX-XXX-XXXX at this date and time for a call that lasted XXX seconds... This also records conference calls and the connected elements of said calls. In addition Email address ABCDEF@ISP.COM mailed an emaill to XYZW@ISP.COM at Month/Day/Time and these include multiple adresses and of course any subsequent forwarding of said emails...
    At no time is the content of the email recorded or the content of the the telephony...

    The are using this fo connectivity tracking. Court orders would be procured to record content.

    My concern is the lenght of time the archive exists and for what use it is employed.... This elements need addressing and privacy concerns built into them....
    edjcox
    • Re: Data collection

      About data collection for phone calls- Not true what you are saying. ~15 years ago there were 'secret' features developed in the AT&T (Became Lucent, now Alcatel-Lucent) for recording full conversations.
      rob@...
    • ApheliaDawn

      Listen all of you brilliant narcissistic technological geniuses that may be 13 or may be 35 , I do not care about your age. I do care very VERY MUCH about FREE SPEECH , FREE PRESS, AND FREDOM AS ESTABLISHED UNDER OUR UNITED STATES CONSTITUTION WITH OUR BILL OF RIGHTS! You all are joking about the NSA and our very own government WE PAY spying on us and taking away our established rights we have fought for years to keep!!! This is not just about high tech. You all could put yourselves in one big area and shame anyone one in the world and especially our President and his inexperience and corrupt supporters. How can we , with the knowledge - thus - the power let idiots destroy our once GREAT UNITED STATES OF AMERICA BY STOMPING ALL OVER OUR HUMAN RIGHTS ! I do not know code, I am learning the ins and outs of a hacker's world now to preserve my life. He is stalking and harassing me. The police do nothing! My data is ripped off each month and has been for 6 months now. I write as a job. I have lost all of my work. I have 5 Facebook sites , none of which actually belong to me. He handles my whole life. I am isolated and now Apple Genius techs. Are my last chance but I will never know where he is or if he can take over again. The internet was to bridge communication not for this spying and lying and hurt. I know we have to joke about the isolation because we are alone and see what is realistic. We have got to pull together because this is our generation of expertise. If we can't stop and find a way to police this and protect this now within a year it will be out of control. This is where we needed Snowden and Anonymous and Wiki leaks the guys that know the bad guys , where to find them and how to get us together for a Constitution of free speech, press, and equality and justice monitoring our use of the internet as a valuable communication tool - NOT WEAPON! Thank you if you took the time to read this !!! We are all so important to our people right NOW!!! God Bless Us All!
      ApheliaDawn
  • Secure Contect

    I'm a fan of the App, Private Tunnel. It supports PC, iOS, Android. A good point was raised that although these apps claim privacy and security can we ever be guaranteed that the "people in charge" can't just rock up and say hand over the data? In which case these apps might go some way to protect our data from hackers etc but what happened to privacy?
    TonyReilly
  • Recursive paranoia

    Overall, a decent introduction to the subject matter.

    One point we'd quibble is the assertion that "sudden activation of encryption tools can draw attention to you, when before there might have been none." In certain extreme corner states, this could be the case, as for example in high-security corporate environments with LAN administrators actively engaged in extensive DPI, or a spook agency like the NSA who is already monitoring someone very carefully and notes their packet traffic suddenly jumps dramatically in entropic content.

    But those are really unusual situations - almost ridiculously so.

    In point of fact, pushing encrypted packets over the internet isn't suddenly going to result in a knock on the door from thuggish spooks. In part, this is because SSL "encryption" is already in widespread use on the conventional internet (albeit, SSL is seriously loose around the edges, cryptographically speaking) - there does exist technology to determine whether a session is encrypted via baseline TLS or something more exotic, but such tech is several big steps away from widespread usage. Sure, the NSA might have a super-secret tool that does it seamlessly, but if so they're chasing mosquitoes around with sledgehammers. Unlikely.

    That said, it does bring up an interesting structural consideration: the more folks use encryption, the less encryptions appears as unusual to network monitors. Which bears consideration - a genuine example of "positive sum interactions," from the perspective of subverting dragnet surveillance at a structural level.

    Don't be FUDded out of using crypto - use it, and clog the NSA's expensive systems with incompressible gibberish. Sure, in a few years they may be able to brute-force 256 AES... but the joke's on them if they burn all that processor capacity to do so, only to find out it was protecting packets streaming one favourite radio station. You can see the asymmetric angle on this, eh?

    On a related note, and assumptions to the contrary, there's no inherent technological reason for VPN services to be slower than plaintext connections. None at all. Indeed, with desktop/laptop processors as freakishly powerful as they are today, even running heavy crypto won't even require those chips to move beyond an easy walk - they're that fast. And, from the ISPs perspective, pushing packets with encrypted payload is no different from any other packets: the come in, they get routed, they go out. Same difference.

    No, the only reason VPN services are slow is bad management. Either the servers composing the networks are poorly configured, poorly administered, or over-subscribed (i.e. greed). Well, some old VPN protocols have all sorts of ugly constraints and weaknesses (see also: PPTP) but anyone using that stuff nowadays has nobody to blame but themselves for slow performance. Real VPN frameworks, like OpenVPN, can support multi-hundred-megabit throughput without so much as a hiccup.

    So unless you're running a gigabit connection to your house courtesy Google Fiber, a good VPN service won't slow you down - and might even create speed upticks if it helps you subvert stupid, archaic, speed-gobbling "compression" gimmicks or other MitM-ish crap from your local ISP. If you do see big speed drops when using a VPN service, you've got the wrong service.

    (note: "free" VPN services, which are generally supported by content-targeted advertisements and thus qualify as 'foxes guarding henhouses' categorical errors of judgement, are pathetically slow - you get what you pay for - so the only relevant ones are subscription-based and professional administered)

    An example of a VPN review that confirms a blazingly fast VPN service is...

    http://schoolofprivacy.eu/post/51568448564/vpn-review-cryptocloud

    There's others, but they're sort of needles in the haystack of crappy, me-too VPN companies out there nowadays. Sadly, the bad ones far outnumber the good ones - and the bad ones given all of them a bad name. Still and all, the good ones kick ass.

    ~ Baneki Privacy Labs | http://baneki.cultureghost.net
    Baneki Privacy Labs
  • ApheliaDawn

    I am new to posting and I posted a rather long post earlier encouraging all of you BRILLIANT GENUIS's to start thinking how we can all get together and save our internet from MAD BAD HACKERS to the creative and MAGNIFICENT commutation tool it was meant to become to help bridge gaps for businesses, families, security, create more creative artistic artistic works, to help cure more people everywhere, to share inventions and education, to bring peace and love and better understanding. Yes, it can help in protection of our people, but not under lies and deceptions. There needs to be an out front statement of founding and regulations with no infringements on human rights in place.
    ApheliaDawn