Smartphone, shut up!

✔ A checklist for your mobile security

1. Flyer: Smartphone, halt's Maul! - https://smartphone-halts-maul.de/flyer

If you are interested in cryptoparties and want to meet like-minded people, you can find out about upcoming events on cryptoparty.in, for example. Or you can follow the guide below and organize one yourself.

1. 2019-12-21 - Digitalcourage: How To CryptoParty - https://digitalcourage.de/digitale-selbstverteidigung/how-to-cryptoparty
2. Nächte Cryptoparties auf cryptoparty.in - https://www.cryptoparty.in/parties/upcoming

In the event of confiscation or theft, contacts, text messages and call lists can be read. In addition, dumbphones are just as susceptible to attacks on the mobile network without further protective measures. Dumbphones cannot be encrypted, you cannot install apps such as password managers on them, you cannot clean your pictures of metadata and you cannot use secure messengers. So on the one hand, these phones have disadvantages. On the other hand, however, it should also be noted that non-smart devices completely rule out some dangers. For example, the risk of malware infections is much lower here. However, encryption and secure communication seem so important in the face of inflationary confiscation and surveillance that a smart device is definitely preferable.

Please be careful not to destroy the chip. Do not scratch too deeply!

Strong encryption is important. A screen lock is not sufficient. Software like Cellebrite can easily bypass most screen locks via the USB interface. All your data, contacts, call logs, location data, login data and much more can then be collected and displayed by automated software such as Cellebrite Pathfinder via USB. Your encryption password should be particularly strong. Use a very complex pattern or an alphanumeric password for encryption.

1. 2024-04-03 - Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies - https://thehackernews.com/2024/04/google-warns-android-zero-day-flaws-in.html
2. 2024-02-12 - Netzpolitik: Sachsen-Anhalt - Alle 3,5 Stunden durchsucht die Polizei ein Smartphone - https://netzpolitik.org/2024/sachsen-anhalt-alle-35-stunden-durchsucht-die-polizei-ein-smartphone/
3. 2023-12-29 - 37c3: Gläserne Geflüchtete - Mit Computern das Leben zum Schlechteren verändern - https://media.ccc.de/v/37c3-12306-glaserne_gefluchtete
4. 2023-06-28 - Netzpolitik: Abschiebung von Geduldeten: Berlin durchsucht weiter Handys - https://netzpolitik.org/2023/abschiebung-von-geduldeten-berlin-durchsucht-weiter-handys/
5. 2016-12-08 - Phone-Cracking Cellebrite Software Used to Prosecute Tortured Dissident - https://theintercept.com/2016/12/08/phone-cracking-cellebrite-software-used-to-prosecute-tortured-dissident

Even if your phone is encrypted, software such as Cellebrite can access it via USB. As long as your phone is switched on, encryption is ineffective. Encryption is only really effective when it is switched off. Be sure to switch off your phone before you give it into someone else's hands! If you want to be on the safe side, you can also attach a killswitch to your phone. This allows you to quickly remove the battery in dangerous situations. The key will then disappear from your device's memory.

1. 2023-10-30 - Netzpolitik: Beschlagnahmte Smartphones: Ein Grundrechtseingriff unbekannten Ausmaßes - https://netzpolitik.org/2023/beschlagnahmte-smartphones-ein-grundrechtseingriff-unbekannten-ausmasses/
2. 2020-01-26 - Ein Killswitch für dein Smartphone - https://steampixel.de/ein-killswitch-fur-dein-smartphone/

Note for anonymous SIM cards: If you use anonymous SIM cards, you often cannot activate the pin lock as you often do not know the pin / PUK associated with the card. You often receive these cards with the pin deactivated. In this case, you should make sure that all your messengers are secured with a second factor (e.g. PIN) and that you do not use the card itself for two-factor authentication.

Some older Android devices also create a signature of apps used on your memory card by creating separate folders for apps used. This allows conclusions to be drawn about the apps you are using. Caution! Overwriting flash memory is often not 100% possible. Data can still be left behind.

Fingerprints and facial recognition are not secure methods for unlocking your device. They are like passwords that you can never change. Data leaks or malware could cause this sensitive information to be lost and put you at a disadvantage. The police can also use your fingerprints to unlock your device. There have already been court rulings on this in Germany and the USA. If you have an iPhone, you can temporarily lock Face ID and your fingerprint by pressing a special key combination. For Android, the lockdown mode is available on some devices with which you can quickly disable these functions in an emergency.

1. 2024-04-19 - Heise: US-Gericht billigt erzwungenen Fingerabdruck zum Entsperren des Smartphones - https://www.heise.de/news/US-Gericht-billigt-erzwungenen-Fingerabdruck-zum-Entsperren-des-Smartphones-9691611.html
2. 2024-02-21 - Golem: Forscher erzeugen Fingerabdrücke aus Wischgeräuschen - https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wischgeraeuschen-2402-182449.html
3. 2024-01-11 - Heise: Grundannahme widerlegt: KI findet Muster bei Fingerabdrücken einer Person - https://www.heise.de/news/Mit-KI-ermittelt-Mehrere-Fingerabdruecke-einer-Person-haben-doch-Gemeinsamkeiten-9594962.html
4. 2023-06-29 - How to use Android's lockdown mode (and why) - https://www.zdnet.com/article/how-to-use-the-android-lockdown-mode-and-why-you-should/
5. 2023-03-10 - Netzpolitik: Polizei darf Fingerabdrücke nehmen, um Handy zu entsperren - https://netzpolitik.org/2023/gerichtsbeschluss-polizei-darf-fingerabdruecke-nehmen-um-handy-zu-entsperren/
6. 2017-09-15 - Heise: Face ID: Not-Tastenkombination deaktiviert Gesichtserkennung - https://www.heise.de/news/Face-ID-Not-Tastenkombination-deaktiviert-Gesichtserkennung-3833463.html

1. 2022-02-14 - Heise: Android: Entwickleroptionen aktivieren/deaktivieren - https://www.heise.de/tipps-tricks/Android-Entwickleroptionen-aktivieren-deaktivieren-4041510.html

If possible, use a USB cable without data function for charging. Tampered cables or public charging points could read data or install unwanted software. If you are not sure, you can simply switch off your phone for the charging process. This way, nothing can be installed and it will still charge.

1. 2023-04-12 - Tarnkappe: FBI warnt vor der Nutzung öffentlicher Handy-Ladestationen - https://tarnkappe.info/artikel/it-sicherheit/fbi-warnt-vor-der-nutzung-oeffentlicher-handy-ladestationen-272873.html

1. 2020-08-09 - Steampixel: Schon mal über Hardware-Versiegelungen nachgedacht? - https://steampixel.de/schon-mal-uber-hardware-versiegelungen-nachgedacht/

You should also think about important apps such as 2-factor apps or password managers when making your backup. The settings can usually be easily exported from these. If possible, use open source backup software such as "oandbackup" or "Neo Backup". However, these require root rights. A simple regular copy of your most important data on a USB stick is also a good start! Remember that "No Backup, No Mercy" is an arrogant attitude. Not everyone has the knowledge and technical capabilities for backups. Help each other!

1. F-Droid: Neo Backup - https://f-droid.org/de/packages/com.machiav3lli.backup/
2. F-Droid: oandbackup - https://f-droid.org/de/packages/dk.jens.backup/

The Android app Neo Backup supports encryption out of the box. However, you can also create encrypted zip archives manually or encrypt entire USB sticks. Under Linux, MacOS and some versions of Windows, this can be done very easily via a graphical interface. You can also use encryption software for your sticks, such as VeraCrypt, which works on most operating systems. If you want to delve deeper into the matter and are not afraid of the command line, you can take a look at professional software such as Restic (Linux) or duplicity (Linux). You will then need to connect your device to a computer.

1. 2022-12-29 - Windows: How to encrypt a USB flash drive—and why you should - https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/how-and-why-to-encrypt-usb-flash-drive
2. 2022-03-30 - Windows: How to password protect ZIP files and folders on PC - https://nordvpn.com/de/blog/how-to-password-protect-a-zip-file/
3. 2021-09-01 - Linux: How to encrypt a USB disk - https://medium.com/tech-notes-and-geek-stuff/how-to-encrypt-a-usb-disk-47f6a4166f03
4. MacOS: Verschlüsseln und Schützen eines Speichermediums mit einem Passwort mit dem Festplattendienstprogramm auf dem Mac - https://support.apple.com/de-de/guide/disk-utility/dskutl35612/mac
5. VeraCrypt - https://veracrypt.fr/en/Downloads.html
6. duplicity - https://duplicity.us/
7. restic - https://restic.net/

Used phones may contain illegal data that can be recovered and analyzed. To avoid this becoming your downfall, you should completely overwrite the phone once. If you have the possibility, generate large random files and copy them to your phone until it is full. Otherwise, you can also download large test files from the Internet and overwrite your phone's memory with them. Caution! Overwriting flash memory is often not 100% possible. Data may still be left behind.

1. Hier findest du große Test-Dateien - https://fastest.fish/test-files

In certain cases, you can be recognized via WiFi. In the most extreme cases, even your home address can be determined. Some devices reveal the unique hardware number of your WiFi interface as well as the list of your known WiFi networks. On websites such as wigle.net, you can easily search for the physical locations of the networks. However, Bluetooth and other interfaces also harbor dangers. Bluetooth, for example, is susceptible to bluesnarfing (opening ports that are actually closed by commands from outside), bluejacking (sending unwanted messages), bluebugging (exploiting a backdoor), bluesmacking (denial of service) or car whispering (eavesdropping on the hands-free system).

1. 2024-01-26 - Heise: Bluetooth zu unsicher: US Navy sucht Alternative - https://www.heise.de/news/Bluetooth-zu-unsicher-US-Navy-sucht-Alternative-9609217.html
2. 2023-12-11 - Heise: Bluetooth-Lücke: Tastenanschläge in Android, Linux, iOS und macOS einschleusbar - https://www.heise.de/news/Bluetooth-Luecke-erlaubt-Einschleusen-von-Tastenanschlaegen-9570583.html
3. 2023-10-30 - Heise: Von wegen privat: iPhones verrieten physische MAC-Adresse - https://www.heise.de/news/iPhone-Datenschutzpanne-Private-WLAN-Adresse-war-gar-nicht-so-privat-9349123.html
4. 2023-09-01 - Golem: Bluetooth-Spam gelingt jetzt auch per Android-App - https://www.golem.de/news/kein-flipper-zero-noetig-bluetooth-spam-gelingt-jetzt-auch-per-android-app-2311-178988.html
5. 2020-06-28 - Warum eine versteckte SSID keine Sicherheit bringt, sondern sogar Bewegungsprofile ermöglicht - https://www.wlan-blog.com/sicherheit/warum-eine-versteckte-ssid-keine-sicherheit-bringt-sondern-sogar-bewegungsprofile-ermoeglicht
6. Wigle.net - All the networks. Found by Everyone. - https://wigle.net/

Bluetooth devices such as earbuds can potentially be overheard when exchanging their secret keys. Attackers within range could listen in unnoticed.

1. 2023-11-30 - Heise: BLUFFS: Neue Angriffe gefährden Bluetooth-Datensicherheit auf Milliarden Geräten - https://www.heise.de/news/BLUFFS-Neue-Angriffe-gefaehrden-Bluetooth-Datensicherheit-auf-Milliarden-Geraeten-9544862.html
2. 2020-05-21 - Heise: Bluetooth-Sicherheitslücke ermöglicht unerkannte Angriffe - https://www.heise.de/news/Bluetooth-Sicherheitsluecke-ermoeglicht-unerkannte-Angriffe-4726211.html

If you live in Germany, you can order special removable stickers for your smartphone cameras free of charge from the Federal Ministry for Family Affairs, Senior Citizens, Women and Youth (BMFSFJ). Make sure that you do not stick over the inconspicuous brightness sensor! This causes some smartphones to switch off the display because they think they are in a trouser pocket.

1. 2020-05-21 - Heise: Bluetooth-Sicherheitslücke ermöglicht unerkannte Angriffe - https://www.heise.de/news/Bluetooth-Sicherheitsluecke-ermoeglicht-unerkannte-Angriffe-4726211.html
2. BMFSFJ: Webcamsticker-Karte TOP SECRET - https://www.bmfsfj.de/bmfsfj/service/publikationen/webcamsticker-karte-top-secret-96100

Ask the providers how long the data is stored in the various tariffs and with whom it is shared. There are also extra data protection-friendly providers such as "Wetell" in Germany. Nevertheless, these do not protect against the numerous monitoring possibilities in the mobile network! Anonymous SIM cards are therefore always preferable.

1. 2018-02-09 - Mobilfunkanbieter: Widerspruch gegen Erhebung von Bewegungsdaten - https://www.kuketz-blog.de/mobilfunkanbieter-widerspruch-gegen-erhebung-von-bewegungsdaten/

If you are not making calls, sending or receiving text messages and not using mobile data, your phone is in an idle state. No history of your radio cell position is then kept by your provider. If an authority or an attacker then wants to find you, they often rely on silent text messages (silent pings).

1. Location Area - https://de.wikipedia.org/wiki/Location_Area

This also applies if you use anonymous SIM cards. Targeted tracking (e.g. on the way home) of individual persons with so-called IMSI catchers allows a telephone number to be assigned to a person. Regardless of whether the SIM card is anonymous or not.

First of all, there is nothing wrong with apps like "SnoopSnitch" in general. We can be glad that there are people who deal with this matter and build such apps. Nevertheless, you have to understand that such apps are completely ineffective in the vast majority of cases. SnoopSnitch, for example, only works on 2G and 3G networks if your phone is rooted and if a very special chip is installed on the mainboard of your device. You need to understand that communication with the mobile network is a completely opaque black box for your operating system. Your operating system and your apps are not able to control or monitor communication with a radio tower (base station) in detail. This means that the wireless network can communicate with the chip on your device without it being aware of it. This is due to proprietary, commercial hardware that is not open source. This is also why you can be roughly located by silent SMS (stealth ping). The radio chip in your phone registers this, but does not report it to your operating system. Only a few chips have interfaces that allow the operating system to monitor them. SnoopSnitch only exists for this purpose. The only sensible defense is an anonymous SIM card.

1. 2024-04-03 - Stille SMS & Co.: Regierung erklärt heimliche Überwachung komplett für geheim - https://www.heise.de/news/Stille-SMS-Co-Regierung-erklaert-heimliche-Ueberwachung-komplett-fuer-geheim-9674437.html
2. 2018-08-07 - Süddeutsche Zeitung: Alle eineinhalb Minuten pingt der Staat - https://www.sueddeutsche.de/digital/stille-sms-alle-eineinhalb-minuten-pingt-der-staat-1.4085229

The subject of mobile phone surveillance is complex and cannot be dealt with in full within this framework. However, it is important to understand that security apps cannot do anything about such surveillance because, for example, it affects data that is already stored by your provider and not on your phone. Or because the apps themselves do not have access to your phone's proprietary radio chip and therefore cannot see silent text messages, for example. Or because the attack takes place in the wireless network between network providers. Or because your mobile provider simply sells your data on. So relying on apps or changes in behavior won't help. The only defense is anonymous SIM cards. Also bear in mind that in Germany, over 100 government agencies can access people's phone numbers and vice versa without a court order.

1. 2024-04-02 - Überwachung ab jetzt komplett geheim - https://www.nd-aktuell.de/artikel/1181145.kleine-anfragen-ueberwachung-ab-jetzt-komplett-geheim.html
2. 2024-01-23 - Netzpolitik.org: Erstmals Pegasus-Infektionen in Togo enthüllt - https://netzpolitik.org/2024/ueberwachung-mit-staatstrojanern-erstmals-pegasus-infektionen-in-togo-enthuellt/
3. 2024-01-18 - Netzpolitik.org: Staatstrojaner bedrohen Grundrechte in der EU - https://netzpolitik.org/2024/eu-parlament-staatstrojaner-bedrohen-grundrechte-in-der-eu/
4. 2023-12-09 - Golem: Angreifer können 714 Smartphone-Modelle vom 5G-Netz trennen - https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartphone-modelle-vom-5g-netz-trennen-2312-180183.html
5. 2023-10-27 - Heise: Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr - https://www.heise.de/news/Forscher-Sicherheitsluecken-beim-Roaming-bleiben-auch-bei-5G-eine-grosse-Gefahr-9347577.html
6. 2023-09-16 - Tarnkappe: Mobilfunkanbieter gaben erneut Daten illegal an die Schufa - https://tarnkappe.info/artikel/rechtssachen/mobilfunkanbieter-gaben-erneut-daten-illegal-an-die-schufa-280583.html
7. 2023-09-14 - Netzpolitik.org: Russische Exil-Journalistin mit Pegasus gehackt - https://netzpolitik.org/2023/meduza-russische-exil-journalistin-mit-pegasus-gehackt/
8. 2023-06-27 - Netzpolitik.org: Firma legt Scoring-Profile der Hälfte aller weltweiten Handynutzer an - https://netzpolitik.org/2023/datenschutzbeschwerde-gegen-telesign-firma-legt-scoring-profile-der-haelfte-aller-weltweiten-handynutzer-an/
9. 2022-06-21 - Netzpolitik.org: Behörden fragen jede Sekunde, wem eine Telefonnummer gehört - https://netzpolitik.org/2022/bestandsdatenauskunft-2021-behoerden-fragen-jede-sekunde-wem-eine-telefonnummer-gehoert/
10. 2019-08-28 - Die 5-G Überwachungsstandards - https://invidious.lunar.icu/watch?v=_2HOcuH5rKc
11. 2018-12-29 - 35C3 - Die verborgene Seite des Mobilfunks - https://yt.artemislena.eu/watch?v=CSZWTaTu9As
12. 2017-08-02 - Interaktive Karte: Registrierungspflicht für Prepaid-SIM-Karten in Europa weit verbreitet - https://netzpolitik.org/2017/interaktive-karte-registrierungspflicht-fuer-prepaid-sim-karten-in-europa-weit-verbreitet/
13. 2017-07-11 - Süddeutsche Zeitung: Das Ende der Anonymität - https://www.sueddeutsche.de/digital/prepaid-sim-karten-das-ende-der-anonymitaet-1.3564334
14. 2016-09-20 - Informatik-Gutachten: Eine Telefonnummer ist ausreichend, um eine Person mit einer Drohnen-Rakete zu treffen - https://netzpolitik.org/2016/informatik-gutachten-eine-telefonnummer-ist-ausreichend-um-eine-person-mit-einer-drohnen-rakete-zu-treffen/
15. 2014-12-28 - Tobias Engel: SS7: Locate. Track. Manipulate - https://yt.oelrichsgarcia.de/watch?v=-wu_pO5Z7Pk
16. Bundesnetzagentur: Häu­fig ge­stell­te Fra­gen: All­ge­mein und SI­NA-An­bin­dung - https://www.bundesnetzagentur.de/DE/Fachthemen/Telekommunikation/OeffentlicheSicherheit/Autom_Auskunftsverfahren/FAQ/start.html
17. Wikipedia: Was ist RRLP? - https://en.wikipedia.org/wiki/Radio_resource_location_services_protocol

Since the IMSI always appears together with the IMEI in the traffic data of your network provider, you should also change your phone when you change your SIM card. As you can imagine, it is time-consuming and expensive to change your phone from time to time. You would have to constantly set up your apps again and spend a lot of money on a new phone. To keep costs down, you can work with proxy phones. And this is how it works: You have a more expensive device for your regular use on which all your apps are installed. There is no SIM card in this phone. It is therefore invisible to the mobile network. You get Internet access via an inexpensive second device with a SIM card inserted. This phone does not need much power. However, it can provide you with a WiFi hotspot and therefore Internet. You can also use it to make normal phone calls if you want. This phone can be replaced quickly with the SIM card inserted. The only disadvantage is that you always have two smartphones with you.

Anyone who knows your phone number can easily attack you. On sites such as cell-track.com or phone-location.info, for example, it is easy to find out whether a device is abroad or not, or whether a device is currently switched on. All you need is the number. There's nothing you can do about it except keep your number secret. That may not be really dangerous yet. But state actors have other possibilities, such as infecting the device with a zero-click exploit. Only an anonymous SIM card can effectively protect you from state attacks.

Before AML, rescue coordination centers only had extremely inaccurate radio cell data at their disposal (if at all) to locate people in emergency situations. AML, on the other hand, is firmly integrated into modern telephones and their operating systems: When an emergency number is dialed, the phone automatically activates GPS and WiFi to determine its own position. This is then automatically transmitted to the control center via the Internet or SMS. This extremely precise location is only activated by dialing the emergency numbers and cannot be used from outside without your active involvement. In most cases, there is nothing you can do to prevent you from being automatically located when you dial these numbers. Unfortunately, this also makes it more difficult to make anonymous reports. You should therefore always consider whether dialing emergency numbers from your own phone is really necessary. You can find a list of all countries with AML on Wikipedia. AML is part of the Play services on Android and can be deactivated via the emergency settings.

1. 2024-03-20 - Heise: Datenschützer erlauben bundesweite Notruf-Ortung - https://www.heise.de/news/Streit-um-110-Datenschuetzer-erlauben-bundesweite-Notruf-Ortung-9659860.html
2. 2023-12-31 - Heise: Notruf 112: Android kann im Notfall mehr Daten an Leitstelle senden ​ - https://www.heise.de/hintergrund/Notruf-112-Android-kann-im-Notfall-mehr-Daten-an-Leitstelle-senden-9583718.html
3. Der Notfall-Standortdienst liefert schnell genaue Standortinformationen - https://www.android.com/intl/de_de/safety/emergency-help/emergency-location-service/how-it-works/
4. ILS Freiburg: Standortdaten beim Notruf 112 - https://ils-freiburg.de/standortdaten.php
5. Wikipedia: Advanced Mobile Location - https://de.wikipedia.org/wiki/Advanced_Mobile_Location

If you would like to set up such a block, you can contact your provider online or by telephone.

1. 2024-02-19 - Mimikama: Smartphone-Fallen: Schutz vor Abofallen mit Drittanbietersperre - https://www.mimikama.org/drittanbietersperre-schutz-abofalle-smartphone/

If you are unsure which system you should install, the clear recommendation is currently to install grapheneOS on one of the compatible phones. You can find more information in the links.

1. 2022-04-25 - Golem: Datenschutz gibt's nur mit alternativem Android - https://www.golem.de/news/smartphone-ohne-google-datenschutz-gibt-s-nur-mit-alternativem-android-2204-164785.html
2. 2020-11-17 - Kuketz: GrapheneOS: Das Android für Sicherheits- und Datenschutzfreaks - https://www.kuketz-blog.de/grapheneos-das-android-fuer-sicherheits-und-datenschutzfreaks/
3. GrapheneOS - https://grapheneos.org/
4. DivestOS - https://divestos.org/
5. CalyxOS - https://calyxos.org/

Of course, this is only worthwhile if it has a benefit: The pre-installed software collects data and analyzes your habits. You should therefore remove bloatware (sometimes this is not possible without root permissions) or install a custom operating system such as GrapheneOS.

1. 2023-02-21 - Google zahlt Milliarden für Chrome unter iOS - https://www.onlinehaendler-news.de/digital-tech/unternehmen/137709-google-zahlt-milliarden-chrome-ios

If you use iOS or Android, your operating system transmits an advertising ID to your apps in the background. This ID can be attached to the data records of individual apps. If the provider of your apps then sells this data, brokers can merge it with other data sets of yours. This creates veritable stockpiles of your personal data and interests that are traded online.

1. 2024-01-12 - Heise: Sicherheitsrisiko: So einfach können Handy-Nutzer heimlich verfolgt werden​ - https://www.heise.de/news/Sicherheitsrisiko-So-einfach-koennen-Handy-Nutzer-heimlich-verfolgt-werden-9596230.html
2. 2022-01-24 - Mobilsicher: Werbe-ID: So funktioniert das Nummernschild fürs Smartphone - https://mobilsicher.de/ratgeber/smartphone-nutzer-sollten-jetzt-ihre-werbe-id-aendern
3. 2020-05-18 - Heise: DSGVO-Beschwerde: Datenschützer hält Android-Tracking für hochproblematisch - https://www.heise.de/news/DSGVO-Beschwerde-Datenschuetzer-haelt-Android-Tracking-fuer-hochproblematisch-4722862.html

Infected apps have many ways of attacking you. For example, they can steal passwords.

1. 2023-12-10 - Heise: Black Hat Europe 2023: Neuer Angriff "AutoSpill" auf Android-Passwortmanager - https://www.heise.de/news/Black-Hat-Europe-2023-Neuer-Angriff-AutoSpill-auf-Android-Passwortmanager-9569772.html

1. 2024-04-01 - Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals - https://thehackernews.com/2024/04/malicious-apps-caught-secretly-turning.html
2. 2023-04-12 - Tarnkappe: Kriminelle verkaufen in Google Play Store eingeschleuste Malware - https://tarnkappe.info/artikel/it-sicherheit/malware/kriminelle-verkaufen-in-google-play-store-eingeschleuste-malware-272859.html
3. F-Droid herunterladen - https://f-droid.org/de/
4. Aurora Store über F-Droid herunterladen - https://f-droid.org/de/packages/com.aurora.store/

You can protect yourself from this by using apps that do not require Google or Apple services. Also avoid alternatives such as microG if you have installed your own operating system. For example, install apps from F-Droid that do not require these services. Messengers such as Telegram, Signal and Matrix offer their own alternatives for centralized push messages.

1. 2024-01-24 - Golem: Prominente iOS-Apps spähen heimlich Gerätedaten aus - https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps-spaehen-heimlich-geraetedaten-aus-2401-181574.html
2. 2023-12-13 - Tarnkappe: Apple-Richtlinien: Gerichtliche Anordnung für Push-Daten Pflicht! -
3. 2023-12-07 - Kuketz: Android: Abhilfe gegen staatliche Überwachung durch Push-Nachrichten - https://www.kuketz-blog.de/android-abhilfe-gegen-staatliche-ueberwachung-durch-push-nachrichten/
4. 2023-12-07 - Golem: Behörden spionieren Nutzer über Push-Benachrichtigungen aus - https://www.golem.de/news/apple-und-google-behoerden-spionieren-nutzer-ueber-push-benachrichtigungen-aus-2312-180106.html
5. 2023-12-06 - Netzpolitik: Behörden fragen Apple und Google nach Nutzern von Messenger-Apps - https://netzpolitik.org/2023/push-dienste-behoerden-fragen-apple-und-google-nach-nutzern-von-messenger-apps/

1. How To Get the DuckDuckGo App on Android - https://duckduckgo.com/duckduckgo-help-pages/mobile/android/

If you don't know what root is, you probably don't have it. Root has to be activated on most devices. Unfortunately, some apps that can potentially increase your security often require root rights. Examples include backup applications such as "Neo Backup", but also apps such as "SnoopSnitch", which try to detect IMSI catchers or silent text messages. You should always carefully consider whether you really need superuser rights on your device. In the vast majority of cases, there is no good reason for this. Apps such as "SnoopSnitch" only work in very few software and hardware constellations anyway. Setting up root for this reason is out of all proportion.

If you are unsure which messengers are good or if you need arguments to convince family and friends, you should definitely take a look at Kuketz's messenger matrix. There you can easily compare the individual messengers according to functions and security aspects.

1. 2024-03-26 - Techcrunch: Telegram’s peer-to-peer SMS login service is a privacy nightmare - https://techcrunch.com/2024/03/25/telegrams-peer-to-peer-sms-login-service-is-a-privacy-nightmare/
2. 2024-02-21 - Netzpolitik: Signal erlaubt bald Verbergen der Telefonnummer - https://netzpolitik.org/2024/messenger-signal-erlaubt-bald-verbergen-der-telefonnummer/
3. 2024-01-18 - Golem: Whatsapp lässt fremde Nutzer Geräteinformationen abgreifen - https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer-geraeteinformationen-abgreifen-2401-181313.html
4. Messenger-Matrix - https://www.messenger-matrix.de/

In some messengers, this works via email. In others, you can assign an additional pin. If you lose your phone number or other people or authorities get hold of your SIM card or a copy of it (sim swapping), they can log in with the phone number and read your messages or write in your name.

In the past, specially prepared messages for iMessage have repeatedly been used to install government Trojans on iPhones. You should therefore avoid this software.

1. 2024-01-07 - Aufregung über angebliche Hintertür in Apple-Chips für iPhones und Macs - https://www.derstandard.de/story/3000000201983/aufregung-um-vermeintliche-hintertuer-in-apple-chips-fuer-iphones-und-macs
2. Was ist eine Zero-Click-Malware und wie funktioniert sie? - https://www.kaspersky.de/resource-center/definitions/what-is-zero-click-malware

Instead of YouTube, for example, you can use one of the many Invidious instances such as yewtu.be. This way you can avoid advertising and protect your privacy at the same time. You can also install LibRedirect for FireFox. This plugin automatically redirects you to an alternative frontend when surfing the Internet.

1. 2024-03-25 - Heise: USA: Polizei will Daten zu allen, die bestimmte YouTube-Videos angesehen haben - https://www.heise.de/news/USA-Polizei-will-Daten-zu-allen-die-oeffentliche-YouTube-Videos-angesehen-haben-9664535.html
2. LibRedirect - https://libredirect.github.io/

You should not bind PassKeys to a biometric unlock. Also remember to back up your PassKeys in case you lose your device.

1. 2023-10-19 - t3n: Internet ohne Passwörter: Was ihr jetzt über Passkeys wissen müsst - https://t3n.de/news/passkeys-android-ios-mac-windows-1583254/

Please also bear in mind that it must be possible to create a backup of your second factor. A cell phone number is not really a good second factor. Firstly, you can potentially lose your number. But it is also possible that other people or authorities can gain access to your number. If you lose your SIM card, you won't be able to access your accounts for the time being. If you use a hardware token as a second factor, please make sure that there is a second one for emergencies! If you use software solutions such as Time-Based-One-Time-Passwords, please make backups in your OTP apps!

1. 2024-01-23 - Heise: Gefälschter Tweet zur Freigabe von Bitcoin-ETFs: SEC Opfer von SIM-Swapping - https://www.heise.de/news/Gefaelschter-Tweet-zur-Freigabe-von-Bitcoin-ETFs-SEC-Opfer-von-SIM-Swapping-9605332.html

But it's not just intelligence agencies that use advertising to track people. Data brokers resell aggregated data about you and create profiles of you.

1. 2024-03-18 - Golem: Der Spion aus dem Werbebanner - https://www.golem.de/news/standortdaten-aus-der-onlinewerbung-der-spion-aus-dem-werbebanner-2403-183217-2.html
2. 2024-01-26 - Heise: Personalisierte Überwachung statt Werbung: Handydaten ausgewertet und verkauft - https://www.heise.de/news/Gezielte-Werbung-Israelischer-Verein-wirbt-mit-5-Milliarden-ueberwachten-Geraeten-9609259.html
3. 2023-11-19 - Netzpolitik: Online-Werbung als „ernstes Sicherheitsrisiko“ - https://netzpolitik.org/2023/buergerrechtsorganisation-warnt-online-werbung-als-ernstes-sicherheitsrisiko/
4. 2023-07-06 - Netzpolitik: The adtech industry tracks most of what you do on the Internet. This file shows just how much. - https://netzpolitik.org/2023/surveillance-advertising-in-europe-the-adtech-industry-tracks-most-of-what-you-do-on-the-internet-this-file-shows-just-how-much/
5. 2021-10-26 - Kuketz: Für Anfänger/Bequeme: Werbung und Tracker unter iOS/Android systemweit verbannen - https://www.kuketz-blog.de/fuer-anfaenger-bequeme-werbung-und-tracker-unter-ios-android-systemweit-verbannen/
6. eBlocker - https://eblocker.org
7. Pi-hole - https://pi-hole.net/
8. AdAway for Android - https://adaway.org/
9. uBlock Origin for Firefox - https://addons.mozilla.org/de/firefox/addon/ublock-origin/

1. 2020-10-13 - Polizei erhält Liste aller Nutzer, die nach einem Schlagwort gegoogelt haben - https://netzpolitik.org/2020/ermittlungen-in-den-usa-polizei-erhaelt-liste-aller-nutzer-die-nach-einem-schlagwort-gegoogelt-haben/
2. 2020-10-09 - Heise: Inverssuche: Google liefert Polizei Nutzerdaten auf Basis von Suchbegriffen - https://www.heise.de/news/Inverssuche-Google-liefert-Polizei-Nutzerdaten-auf-Basis-von-Suchbegriffen-4925754.html
3. duckduckgo.com - https://duckduckgo.com/
4. stract.com - https://stract.com/

In general, you should consider whether you need the relevant cloud services at all. For example, you can use apps such as "OpenKeychain" to encrypt files before uploading them to a cloud. If you use an Apple device with your iCloud, activate extended data protection there.

1. 2023-12-07 - Apple trommelt für Ende-zu-Ende-Verschlüsselung von Cloud-Daten - https://www.heise.de/news/Apple-trommelt-fuer-Ende-zu-Ende-Verschluesselung-von-Cloud-Daten-9567657.html
2. 2023-08-04 - BAMF soll Cloud-Speicher von Asylsuchenden auslesen - https://netzpolitik.org/2023/innenministerium-bamf-soll-cloud-speicher-von-asylsuchenden-auslesen/
3. F-Droid: OpenKeychain: Easy PGP - https://f-droid.org/de/packages/org.sufficientlysecure.keychain/
4. So aktivierst du den erweiterten Datenschutz für iCloud - https://support.apple.com/de-de/HT212520

If your phone is stolen, this data can provide information about your origin. Use apps such as "Imagepipe" to clean up your pictures before you upload them to the internet. You can install Imagepipe on your Android smartphone via F-Droid. F-Droid is an installable catalog for free and open source software.

1. F-Droid - https://f-droid.org/de/

Did you know that in Germany, for example, many email providers are considered telecommunications services? This means that authorities can request your inventory data and emails. But even without official surveillance, emails are exposed to many dangers. An email passes through many nodes on its way to a mailbox and can be read at numerous points.

1. 2024-02-27 - Heise: Mailbox.org: Rechtswidrige behördliche Auskunftsanfragen stark angestiegen - https://www.heise.de/news/Mailbox-org-Rechtswidrige-behoerdliche-Auskunftsanfragen-stark-angestiegen-9640860.html

On the website haveibeenpwned.com you can quickly and easily find out whether your email address appears in data leaks. You can also create an account there and be notified automatically when new findings are made.

1. ';--have i been pwned? - https://haveibeenpwned.com/