Well, it's kind of been a whirlwind couple of weeks in terms of information security.
The FBI literally went with THINK OF THE CHILDREN as a reason for telling everyone that encrypting the data on your phone is dangerous.
If you didn't click the link, the tl;dr version is that the FBI came out against Apple and Google offering data encryption on their devices. Their reasoning is that it could help kidnappers. Neither Apple nor Google can help decrypt that data, and the FBI says that's bad, mkay?
While encryption could be used for nefarious purposes, the idea that no one should ever use it because someone might use it maliciously is so incredibly insane, I can't really even fathom how that's remotely defensible.
So, as a result, I decided to see what it would take to go (nearly) 100% data dark on my cell phone.
It took me a few hours total, but really only because I wasn't previously familiar with OpenVPN.
First of all, all internet traffic (whether on wifi--any wifi) or on cellular data is tunnelled through an off-shore VPN.
This does NOT hide carrier data, which would include cellular triangulation, phone calls, and SMS messages. I suppose you could, in more urban areas, survive on internet-based solutions for these and ditch the cellular carrier altogether, but you would have to choose wisely if you're planning on being security conscious.
Secondly, I used the included Android 4.4 KitKat tools to encrypt my phone, but I didn't like how google uses the lock screen pin or password to ALSO be the device encryption password, so I took an extra step. But all the details are below.
What you need
- A Server running Linux
- A Phone running Android 4.3 or later
- Some patience
The VPN Server
To start, I first setup an off-shore server running CentOS 6.5. To do this, I went with Digital Ocean. The lowest tier, $5/month, is plenty to handle this server as long as you don't end up with too many clients connecting to it.
Getting the server up and running is pretty easy. With DO, you just pick your size, pick a base image, and pick a data center to host it, and that's it. 50 seconds later, you have a live server.
After you get logged in using the password DO sends you, it's a matter of getting the OpenVPN server setup. Having never done this, I went in search of a guide, and I found this one which was super easy to follow, and really complete. So just follow the instructions there, and you've got the server part done.
At this point, you've got a working server. But to optimize this for your cell phone, there are a couple of changes I would suggest making. In the /etc/openvpn/server.conf file we'll be changing this:
First, we're going to change from UDP to TCP. While this can cause some performance issues, it allows for longer keepalive timing, which will significantly reduce the impact on your battery.
#TCP or UDP server? proto tcp ;proto udp
Next, we'll set the new keepalive values to send a keealive signal every 120 seconds and close the link if there's been no response in 240 seconds:
# The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 120 240
Part of what you do on the server is create the configuration files and authentication keys for the device(s) you're going to be connecting to the VPN server. OpenVPN also includeds a client configuration file you can make, which makes client setup a breeze. So by following the guide I linked above, you'll end up with 4 files you'll need for each device you're connecting.
ca.crt, devicename.key, devicename.crt, and devicename.conf
You'll need to get those files onto your phone. You can use whatever method you like, but the safest method would be to get those to your local computer and use a USB cable to copy the files to your phone.
Connecting to the VPN is super easy once you've got the VPN server setup and those four files ready. I used this OpenVPN App.
You just open the app, start a new connection and feed it your devicename.conf file. It will setup everything you need, assuming you followed the directions in the guide. Next, you just feed it the ca.crt, devicename.crt, and devicename.key, and you're all ready to go. While you're connected, your internet traffic is 100% encrypted, whether over cellular data OR any WIFI you're connected to.
This step requires a little extra work, and some time. The actual encryption step is pretty simple. On your phone go in to Settings > Security > Encrypt.
Android requires you to have a PIN or Password screen lock for you to encrypt your device, which is good! But the reason they require it isn't so good. By default, Android uses the phone lock password as the disk encryption password as well.
To me, this is a bad idea. You want the disk encryption password to be particularly strong. In the event someone has your phone, you want the decryption to be difficult, and the simpler the password, the easier it will be to brute-force decrypt the phone.
So by default, you're stuck with either having a long and difficult to enter pin or password to unlock your phone, or having a weak password encryption key.
Just to note: You can do the above, and you're encrypted. What follows is a little more technical and has the possibility of damaging your phone or voiding your warranty, so perform the next steps at your own risk.
While having a weak password is better than having no encryption at all, if you're technologically adventerous, there's a way around it.
Using TowelRoot, most phones can be rooted in a matter of just a few seconds. Just download the APK, install it, and run it, and you're done. After that, I would advise installing something like [SuperSU}(https://play.google.com/store/apps/details?id=eu.chainfire.supersu&hl=en) to manage root access on your phone.
But once you're successfully rooted, you can change the encryption password pretty easily.
Just use any Terminal Emulator and run the following:
su - vdc cryptfs changepw <newpassword>
At that point, reboot your phone, test your new password, and you're good to go. Your phone data is safe and ecnrypted, your internet traffic is encrypted, and now no one can (easily) snoop on you from your phone.
And despite what the FBI says, there's nothing inherently dangerous to you or others by encrypting your phone. Your non-celebrity nudes and sexts will be totally safe, and you can give the middle finger to those who don't want you to know how to keep your own data safe.
This kind of thing would also be useful for the people protesting in Hong Kong, since the Chinese government is targeting phones with crazy viruses.