Smartphone, shut up!
✔ A checklist for your mobile security

This checklist is designed to help you review your smartphone security so that you can develop a feel for the subject. The list contains concrete suggestions for improving your security. This is the print version of the list. You can tick off the individual points with a pen.

Please be aware that security always depends on your individual risks. Some of the tasks described here may be mutually exclusive. In the end, security is always a trade-off. There is no such thing as absolute security.


Legend

Physical hazards due to direct access
Dangers in the mobile network
Apps and operating system
Dangers on the Internet
Important for journalism and criticism of the regime
Important for migration and flight
You expect house searches

Usually quick and easy to implement
May require specialist knowledge or research
Is associated with habit changes
Is rather more expensive

1 General information and tips

1.1 You care about your safety

100 Points

Very good! Your security is obviously important to you. Otherwise you wouldn't bother with it. Your first points are safe.

1.2 You share this list with others

100 Points

If we manage to increase the security of all people, state surveillance measures will be less worthwhile. This will also benefit your own security. So share this list on your channels or print out the flyer.

1.3 You check this list from time to time

200 Points

Just as technology and this list are constantly changing, your life, your habits and your devices will change in the future. So take time to review this list from time to time.

1.4 You have already taken part in a cryptoparty

400 Points

Cryptoparties are events where you learn how to protect your devices and your communication.

If you are interested in cryptoparties and want to meet like-minded people, you can find out about upcoming events on cryptoparty.in, for example. Or you can follow the guide below and organize one yourself.

1.5 You know your most important contacts and logins by heart

400 Points

You know the most important numbers and names of your friends, family and acquaintances by heart. You can also log into your most important accounts, such as email, by heart. If you lose your phone or all your devices, you have the option of restoring your contacts.


2 Physical hazards due to direct access

2.1 You are not using a dumbphone

400 Points

Non-smart push-button devices are often carelessly classified as "secure". However, these often cannot be encrypted and do not offer secure communication.

In the event of confiscation or theft, contacts, text messages and call lists can be read. In addition, dumbphones are just as susceptible to attacks on the mobile network without further protective measures. Dumbphones cannot be encrypted, you cannot install apps such as password managers on them, you cannot clean your pictures of metadata and you cannot use secure messengers. So on the one hand, these phones have disadvantages. On the other hand, it should also be noted that non-smart devices completely rule out some dangers. For example, the risk of malware infections is much lower here. However, encryption and secure communication seem so important in the face of ever more frequent confiscation and surveillance that a smart device is definitely preferable.

2.2 You have removed your SIM card number

200 Points

There is an inconspicuous number on the back of your SIM card. Scratch it off so that neither you nor your provider can be identified from it in the event of confiscation.

Please be careful not to destroy the chip. Do not scratch too deeply!

2.3 You have set up a screen lock

400 Points

The display on your device switches off automatically after a while. To unlock it again, use complex patterns or alphanumeric passwords.

2.4 Your smartphones are encrypted

800 Points

Encrypt your smartphones with a strong alphanumeric password. This effectively prevents data from being read.

Strong encryption is important. A screen lock is not sufficient. Software like Cellebrite can easily bypass most screen locks via the USB interface. All your data, contacts, call logs, location data, login data and much more can then be collected and displayed by automated software such as Cellebrite Pathfinder via USB. Your encryption password should be particularly strong. Use a very complex pattern or an alphanumeric password for encryption.

2.5 You can switch off your devices quickly

200 Points

Encryption is only effective when the phone is switched off. Therefore, practise how to switch off your phone quickly in stressful situations.

Even if your phone is encrypted, software such as Cellebrite can access it via USB. As long as your phone is switched on, encryption is ineffective. Encryption is only really effective when it is switched off. Be sure to switch off your phone before you give it into someone else's hands! If you want to be on the safe side, you can also attach a killswitch to your phone. This allows you to quickly remove the battery in dangerous situations. The key will then disappear from your device's memory.

2.6 You are using a privacy film

200 Points

You can stick a special film on your display to prevent bystanders or cameras from being able to read it. These films are available for many models.

2.7 Your SIM card is protected with a PIN

400 Points

You should never deactivate the PIN protection on your SIM card. If the PIN is deactivated, authorities or other persons can use the card themselves to gain access to messengers, for example.

Note for anonymous SIM cards: If you use anonymous SIM cards, you often cannot activate the PIN lock as you often do not know the PIN / PUK associated with the card. You often receive these cards with the PIN deactivated. In this case, you should make sure that all your messengers are secured with a second factor (e.g. PIN) and that you do not use the card itself for two-factor authentication.

2.8 You do without memory cards

600 Points

Memory cards cannot be reliably encrypted on all devices. It is also possible to restore data that was saved on them when they were previously used with other devices. Therefore, only use memory cards if you know what is stored on them and if you have overwritten them beforehand.

Some older Android devices also create a signature of apps used on your memory card by creating separate folders for apps used. This allows conclusions to be drawn about the apps you are using. Caution! Overwriting flash memory is often not 100% possible. Data can still be left behind.

2.9 You do not use biometric activation

600 Points

You should never use your fingerprint or face to unlock your phone. Authorities with access to fingerprints or images can otherwise unlock the device. Therefore, use complex patterns or alphanumeric passwords.

Fingerprints and facial recognition are not secure methods of unlocking your device. They are like passwords that you can never change. Data leaks or malware could cause this sensitive information to be lost and put you at a disadvantage. The police can also use your fingerprints to unlock your device.

2.10 You have deactivated the developer features

600 Points

Be sure to deactivate USB debugging if you are familiar with it. Normally, this function is deactivated by default on all devices and must be consciously activated by you.

2.11 You only use your own charging cable

200 Points

Only use power adapters and cables for charging that you trust. Mark the cable and power adapter to prevent them from being replaced.

If possible, use a USB cable without data function for charging. Tampered cables or public charging points could read data or install unwanted software. If you are not sure, you can simply switch off your phone for the charging process. This way, nothing can be installed and it will still charge.

2.12 Your operating system has verified boot

200 Points

Verified Boot prevents tampering with your operating system. You should make sure that your device is secured with it. If you have installed your own system, you should activate verified boot.

2.13 You have sealed your device

200 Points

Sealing can help you to determine whether hardware has been tampered with after returning your device. For example, put a drop of special sealing wax or nail polish on the seams of your device. This way you can determine whether it has been opened.

2.14 You have noted the unique numbers of your device

200 Points

In your phone's settings, you will find unique, unchangeable hardware numbers such as the serial number, WiFi MAC address, Bluetooth MAC address and IMEI. Make a note of these numbers. This way, you can always be sure that your device has not been secretly replaced.
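A small way to make the comparison described above routine, as an added example that is not part of the checklist: record the identifiers once as `key=value` lines, and later compare a fresh reading against that record to see exactly which value changed, went missing or newly appeared. How you read the values off the phone (settings screen or a computer) is up to you; the file names and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the checklist. Keeps a baseline of a device's fixed
# identifiers and diffs a later reading against it.
# Input format for both files: one "key=value" line per identifier, e.g.
#   serial=ABC123            (constructed sample value)
#   wifi_mac=02:11:22:33:44:55
# Assumed file name for the baseline: ids.recorded

# record_ids FILE
#   Reads key=value lines from stdin and stores them sorted in FILE.
record_ids() {
    sort > "$1"
}

# compare_ids BASELINE FRESH
#   Prints one line per difference. Returns 0 if both readings are identical,
#   1 if any identifier changed, disappeared or is new.
compare_ids() {
    baseline="$1"; fresh="$2"; rc=0
    # every identifier we recorded must still be present and unchanged
    while IFS='=' read -r key old; do
        new=$(grep "^$key=" "$fresh" | head -n1 | cut -d= -f2-)
        if [ -z "$new" ]; then
            echo "MISSING $key (recorded $old)"; rc=1
        elif [ "$new" != "$old" ]; then
            echo "CHANGED $key: recorded $old, now $new"; rc=1
        fi
    done < "$baseline"
    # identifiers that only appear in the fresh reading are suspicious too
    while IFS='=' read -r key new; do
        grep -q "^$key=" "$baseline" || { echo "EXTRA $key=$new"; rc=1; }
    done < "$fresh"
    return $rc
}
```

Keep the recorded file somewhere other than the phone itself, for example with a trusted friend alongside your backups, since a replaced device would otherwise carry the "baseline" you compare against.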

2.15 You make regular backups

800 Points

Make regular backups of your most important data. Your backup doesn't have to be perfect. A bad backup is better than no backup!

You should also think about important apps such as 2-factor apps or password managers when making your backup. The settings can usually be easily exported from these. If possible, use open source backup software such as "oandbackup" or "Neo Backup". However, these require root rights. A simple regular copy of your most important data on a USB stick is also a good start! Remember that "No Backup, No Mercy" is an arrogant attitude. Not everyone has the knowledge and technical capabilities for backups. Help each other!

2.16 Your backups are encrypted

400 Points

If you have the option, you should definitely encrypt your backups to protect them from unauthorized access.

The Android app Neo Backup supports encryption out of the box. However, you can also create encrypted zip archives manually or encrypt entire USB sticks. Under Linux, macOS and some versions of Windows, this can be done very easily via a graphical interface. You can also use encryption software for your sticks, such as VeraCrypt, which works on most operating systems. If you want to delve deeper into the matter and are not afraid of the command line, you can take a look at professional software such as Restic (Linux) or duplicity (Linux). You will then need to connect your device to a computer.

2.17 Your backups are stored decentrally and also outside your home

400 Points

Get an overview of the importance of your data for your everyday life and store it accordingly. For example, store a copy of your music or picture collection further away with friends. You should have quick access to backups of password managers, 2-factor apps or important documents.

2.18 You practise restoring your backups

400 Points

Restoring your data is the most important part of a backup. Practice this situation. This way you can see if your backup is intact. Make sure you can restore your backup without access to password managers and two-factor apps.
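The two points above, an encrypted backup (2.16) and a rehearsed restore (2.18), can be combined into one small command-line routine. The following is an added example and not part of the checklist or of any of the tools it names: it archives a folder, writes a checksum manifest next to the archive, optionally encrypts the archive symmetrically with gpg, and then rehearses the restore into a scratch directory so that a damaged or incomplete backup is noticed before you need it. It assumes tar and GNU sha256sum are installed, and gpg only for the encryption step; the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the checklist. Backup with a checksum manifest,
# optional gpg encryption, and a restore rehearsal.
# Assumes: tar, GNU coreutils sha256sum; gpg only for encrypt_backup.

# make_backup SRC_DIR OUT_PREFIX
#   Writes OUT_PREFIX.tar.gz and OUT_PREFIX.sha256 (one checksum per file,
#   paths relative to SRC_DIR, so the manifest can be checked after restore).
make_backup() {
    src="$1"; out="$2"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$out.sha256"
    tar -czf "$out.tar.gz" -C "$src" .
}

# encrypt_backup OUT_PREFIX PASSPHRASE_FILE
#   Symmetric AES-256 encryption of the archive with gpg; the plaintext
#   archive is deleted afterwards. Store the passphrase away from the backup.
encrypt_backup() {
    gpg --batch --yes --symmetric --cipher-algo AES256 \
        --passphrase-file "$2" --output "$1.tar.gz.gpg" "$1.tar.gz" \
        && rm -f "$1.tar.gz"
}

# test_restore OUT_PREFIX
#   Extracts the (unencrypted) archive into a scratch directory and checks
#   every file against the manifest. Returns 0 only if everything matches.
test_restore() {
    out="$1"
    case "$out" in
        /*) manifest="$out.sha256" ;;
        *)  manifest="$PWD/$out.sha256" ;;
    esac
    scratch=$(mktemp -d)
    if ! tar -xzf "$out.tar.gz" -C "$scratch"; then
        rm -rf "$scratch"; return 1
    fi
    # sha256sum -c fails if any file is missing or its content differs
    if ( cd "$scratch" && sha256sum --quiet -c "$manifest" ); then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}
```

Run `make_backup` and `test_restore` before `encrypt_backup`; to rehearse a restore of an encrypted copy later, decrypt it with `gpg --output backup.tar.gz --decrypt backup.tar.gz.gpg` first, which is also the moment to confirm you can reach the passphrase without your password manager or two-factor app.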

2.19 You do not store unused devices in your home

400 Points

In the event of a house search or break-in, all devices are often stolen. Prepare for this by storing unused devices with your friends. That way you'll have a quick replacement.

2.20 You do not unlock your smartphone on demand

800 Points

When a smartphone is confiscated by court order or seized (voluntary surrender), the police often ask for pins and passwords. Say nothing. Do not unlock anything. Contact a lawyer.

2.21 You have overwritten your phone once

200 Points

Did you buy the phone second-hand? Then you should overwrite the entire memory once to avoid unwanted data being found on your device.

Used phones may contain illegal data that can be recovered and analyzed. To avoid this becoming your downfall, you should completely overwrite the phone once. If you have the possibility, generate large random files and copy them to your phone until it is full. Otherwise, you can also download large test files from the Internet and overwrite your phone's memory with them. Caution! Overwriting flash memory is often not 100% possible. Data may still be left behind.
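For the "generate large random files and copy them to your phone until it is full" step, here is an added example that is not part of the checklist: a shell function that writes random chunks into a directory until the storage reports it is full (or an optional chunk limit is reached), then deletes the filler again. The target directory is whatever you supply, for example the phone's storage mounted on a computer or a path inside a terminal app on the phone; that path, the chunk size and the filler directory name are assumptions. The checklist's caveat applies unchanged: on flash memory, wear levelling means this does not reliably reach every physical block.

```shell
#!/bin/sh
# Added example, not from the checklist. Fills free space with random data,
# then removes the filler files.
# Caveat: flash wear levelling means some physical blocks may remain untouched.

# fill_free_space TARGET_DIR CHUNK_MB [MAX_CHUNKS]
#   Writes CHUNK_MB-sized files from /dev/urandom into TARGET_DIR until a
#   write fails (storage full) or MAX_CHUNKS full chunks have been written,
#   then deletes the filler directory. Prints the number of full chunks.
fill_free_space() {
    dir="$1"; chunk_mb="$2"; max="${3:-0}"
    filler="$dir/.overwrite-filler"   # assumed name for the scratch folder
    mkdir -p "$filler" || return 1
    n=0
    while :; do
        if [ "$max" -gt 0 ] && [ "$n" -ge "$max" ]; then break; fi
        # bs=1048576 (1 MiB) rather than bs=1M so BusyBox and POSIX dd accept it
        if ! dd if=/dev/urandom of="$filler/chunk.$n" bs=1048576 \
                count="$chunk_mb" 2>/dev/null; then
            # write failed: the storage is full; the partial file already
            # overwrote the last remaining free blocks
            break
        fi
        n=$((n + 1))
    done
    sync                 # make sure the data actually reached the medium
    rm -rf "$filler"
    echo "$n"
}
```

Without a third argument the function runs until the storage is full, which is the intended use on a second-hand phone; the limit exists so you can try the function on a computer first without filling its disk.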

2.22 Deactivate unused interfaces

400 Points

You should only activate positioning, WiFi, Bluetooth or NFC if you really need it.

In certain cases, you can be recognized via WiFi. In the most extreme cases, even your home address can be determined. Some devices reveal the unique hardware number of your WiFi interface as well as the list of your known WiFi networks. On websites such as wigle.net, you can easily search for the physical locations of the networks. However, Bluetooth and other interfaces also harbor dangers. Bluetooth, for example, is susceptible to bluesnarfing (opening ports that are actually closed by commands from outside), bluejacking (sending unwanted messages), bluebugging (exploiting a backdoor), bluesmacking (denial of service) or car whispering (eavesdropping on the hands-free system).

  1. 2024-01-26 - Heise: Bluetooth zu unsicher: US Navy sucht Alternative - https://www.heise.de/news/Bluetooth-zu-unsicher-US-Navy-sucht-Alternative-9609217.html
  2. 2023-12-11 - Heise: Bluetooth-Lücke: Tastenanschläge in Android, Linux, iOS und macOS einschleusbar - https://www.heise.de/news/Bluetooth-Luecke-erlaubt-Einschleusen-von-Tastenanschlaegen-9570583.html
  3. 2023-10-30 - Heise: Von wegen privat: iPhones verrieten physische MAC-Adresse - https://www.heise.de/news/iPhone-Datenschutzpanne-Private-WLAN-Adresse-war-gar-nicht-so-privat-9349123.html
  4. 2023-09-01 - Golem: Bluetooth-Spam gelingt jetzt auch per Android-App - https://www.golem.de/news/kein-flipper-zero-noetig-bluetooth-spam-gelingt-jetzt-auch-per-android-app-2311-178988.html
  5. 2020-06-28 - Warum eine versteckte SSID keine Sicherheit bringt, sondern sogar Bewegungsprofile ermöglicht - https://www.wlan-blog.com/sicherheit/warum-eine-versteckte-ssid-keine-sicherheit-bringt-sondern-sogar-bewegungsprofile-ermoeglicht
  6. Wigle.net - All the networks. Found by Everyone. - https://wigle.net/

2.23 Avoid Bluetooth devices such as earbuds if possible

200 Points

If you want to be sure that you are not being monitored via Bluetooth, you should use a wired connection for your headphones.

Bluetooth devices such as earbuds can potentially be overheard when exchanging their secret keys. Attackers within range could listen in unnoticed.

2.24 Cameras that are not in use are covered

400 Points

You should simply cover unused cameras with stickers. For example, if you don't use the selfie camera or only use it rarely.

If you live in Germany, you can order special removable stickers for your smartphone cameras free of charge from the Federal Ministry for Family Affairs, Senior Citizens, Women and Youth (BMFSFJ). Make sure that you do not stick over the inconspicuous brightness sensor! This causes some smartphones to switch off the display because they think they are in a trouser pocket.


3 Dangers in the mobile network

3.1 You use data-saving telephone tariffs

200 Points

A flat rate generally generates less data than a tariff with minute-based billing or itemized bills, because with those tariffs every call and message has to be recorded and stored. Prepaid tariffs generally do not even generate billing data and are therefore very data-efficient.

3.2 You have objected to the marketing of your transaction data

200 Points

Many network operators sell your movement data to various advertising companies. You can object to this transfer.

Ask the providers how long the data is stored in the various tariffs and with whom it is shared. There are also extra data protection-friendly providers such as "Wetell" in Germany. Nevertheless, these do not protect against the numerous monitoring possibilities in the mobile network! Anonymous SIM cards are therefore always preferable.

3.3 You have not activated your mobile data connection continuously

200 Points

Deactivate mobile data if you don't need it. An activated mobile internet connection leaves a continuous record of the cellular data you use in your provider's traffic data.

If you are not making calls, sending or receiving text messages and not using mobile data, your phone is in an idle state. No history of your radio cell position is then kept by your provider. If an authority or an attacker then wants to find you, they often rely on silent text messages (silent pings).

3.4 You don't take your cell phone to the demo

400 Points

You should not take your phone with you to the demo or switch it to flight mode some time beforehand and leave it in flight mode for some time after the demo.

This also applies if you use anonymous SIM cards. Targeted tracking (e.g. on the way home) of individual persons with so-called IMSI catchers allows a telephone number to be assigned to a person. Regardless of whether the SIM card is anonymous or not.

3.5 You don't use apps like "SnoopSnitch"

400 Points

Apps that can potentially detect IMSI catchers or silent text messages will not help you in the vast majority of cases. You should avoid these apps and instead learn why they don't do much and what the alternative is.

First of all, there is nothing wrong with apps like "SnoopSnitch" in general. We can be glad that there are people who deal with this matter and build such apps. Nevertheless, you have to understand that such apps are completely ineffective in the vast majority of cases. SnoopSnitch, for example, only works on 2G and 3G networks if your phone is rooted and if a very special chip is installed on the mainboard of your device. You need to understand that communication with the mobile network is a completely opaque black box for your operating system. Your operating system and your apps are not able to control or monitor communication with a radio tower (base station) in detail. This means that the wireless network can communicate with the chip on your device without it being aware of it. This is due to proprietary, commercial hardware that is not open source. This is also why you can be roughly located by silent SMS (stealth ping). The radio chip in your phone registers this, but does not report it to your operating system. Only a few chips have interfaces that allow the operating system to monitor them. SnoopSnitch only exists for this purpose. The only sensible defense is an anonymous SIM card.

3.6 You use anonymous SIM cards

800 Points

Anonymous SIM cards make it much more difficult for state actors and other attackers to choose their targets. Whether silent text messages, IMSI catchers, inventory data information, traffic data information, radio cell evaluations, source monitoring, state trojans or location monitoring. An anonymous SIM card is often the only sensible defense against such surveillance.

The subject of mobile phone surveillance is complex and cannot be dealt with in full within this framework. However, it is important to understand that security apps cannot do anything about such surveillance because, for example, it affects data that is already stored by your provider and not on your phone. Or because the apps themselves do not have access to your phone's proprietary radio chip and therefore cannot see silent text messages, for example. Or because the attack takes place in the wireless network between network providers. Or because your mobile provider simply sells your data on. So relying on apps or changes in behavior won't help. The only defense is anonymous SIM cards. Also bear in mind that in Germany, over 100 government agencies can access people's phone numbers and vice versa without a court order.

  1. 2024-01-23 - Netzpolitik.org: Erstmals Pegasus-Infektionen in Togo enthüllt - https://netzpolitik.org/2024/ueberwachung-mit-staatstrojanern-erstmals-pegasus-infektionen-in-togo-enthuellt/
  2. 2024-01-18 - Netzpolitik.org: Staatstrojaner bedrohen Grundrechte in der EU - https://netzpolitik.org/2024/eu-parlament-staatstrojaner-bedrohen-grundrechte-in-der-eu/
  3. 2023-12-09 - Golem: Angreifer können 714 Smartphone-Modelle vom 5G-Netz trennen - https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartphone-modelle-vom-5g-netz-trennen-2312-180183.html
  4. 2023-10-27 - Heise: Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr - https://www.heise.de/news/Forscher-Sicherheitsluecken-beim-Roaming-bleiben-auch-bei-5G-eine-grosse-Gefahr-9347577.html
  5. 2023-09-16 - Tarnkappe: Mobilfunkanbieter gaben erneut Daten illegal an die Schufa - https://tarnkappe.info/artikel/rechtssachen/mobilfunkanbieter-gaben-erneut-daten-illegal-an-die-schufa-280583.html
  6. 2023-09-14 - Netzpolitik.org: Russische Exil-Journalistin mit Pegasus gehackt - https://netzpolitik.org/2023/meduza-russische-exil-journalistin-mit-pegasus-gehackt/
  7. 2023-06-27 - Netzpolitik.org: Firma legt Scoring-Profile der Hälfte aller weltweiten Handynutzer an - https://netzpolitik.org/2023/datenschutzbeschwerde-gegen-telesign-firma-legt-scoring-profile-der-haelfte-aller-weltweiten-handynutzer-an/
  8. 2022-06-21 - Netzpolitik.org: Behörden fragen jede Sekunde, wem eine Telefonnummer gehört - https://netzpolitik.org/2022/bestandsdatenauskunft-2021-behoerden-fragen-jede-sekunde-wem-eine-telefonnummer-gehoert/
  9. 2019-08-28 - Die 5-G Überwachungsstandards - https://invidious.lunar.icu/watch?v=_2HOcuH5rKc
  10. 2018-12-29 - 35C3 - Die verborgene Seite des Mobilfunks - https://yt.artemislena.eu/watch?v=CSZWTaTu9As
  11. 2017-08-02 - Interaktive Karte: Registrierungspflicht für Prepaid-SIM-Karten in Europa weit verbreitet - https://netzpolitik.org/2017/interaktive-karte-registrierungspflicht-fuer-prepaid-sim-karten-in-europa-weit-verbreitet/
  12. 2017-07-11 - Süddeutsche Zeitung: Das Ende der Anonymität - https://www.sueddeutsche.de/digital/prepaid-sim-karten-das-ende-der-anonymitaet-1.3564334
  13. 2016-09-20 - Informatik-Gutachten: Eine Telefonnummer ist ausreichend, um eine Person mit einer Drohnen-Rakete zu treffen - https://netzpolitik.org/2016/informatik-gutachten-eine-telefonnummer-ist-ausreichend-um-eine-person-mit-einer-drohnen-rakete-zu-treffen/
  14. 2014-12-28 - Tobias Engel: SS7: Locate. Track. Manipulate - https://yt.oelrichsgarcia.de/watch?v=-wu_pO5Z7Pk
  15. Bundesnetzagentur: Häu­fig ge­stell­te Fra­gen: All­ge­mein und SI­NA-An­bin­dung - https://www.bundesnetzagentur.de/DE/Fachthemen/Telekommunikation/OeffentlicheSicherheit/Autom_Auskunftsverfahren/FAQ/start.html
  16. Wikipedia: Was ist RRLP? - https://en.wikipedia.org/wiki/Radio_resource_location_services_protocol

3.7 You use your smartphone exclusively for one SIM card

400 Points

Only use your anonymous SIM card in a specific phone. Never use the same phone for another SIM card. This is because the unique number of the SIM and the unique number of your phone are always stored together in the provider's traffic data.

3.8 You often use other SIM cards and a proxy phone

200 Points

To further increase security, you can often change your anonymous SIM cards. Each time you switch, you should also change the phone used for this purpose.

Since the IMSI always appears together with the IMEI in the traffic data of your network provider, you should also change your phone when you change your SIM card. As you can imagine, it is time-consuming and expensive to change your phone from time to time. You would have to constantly set up your apps again and spend a lot of money on a new phone. To keep costs down, you can work with proxy phones. And this is how it works: You have a more expensive device for your regular use on which all your apps are installed. There is no SIM card in this phone. It is therefore invisible to the mobile network. You get Internet access via an inexpensive second device with a SIM card inserted. This phone does not need much power. However, it can provide you with a WiFi hotspot and therefore Internet. You can also use it to make normal phone calls if you want. This phone can be replaced quickly with the SIM card inserted. The only disadvantage is that you always have two smartphones with you.

3.9 You withdraw your credit anonymously

200 Points

You should also obtain the credit for your SIM card anonymously or via intermediaries. Therefore, use SIM cards for which you can buy credit in cash at cash registers, or ask friends to send you the credit code.

3.10 You don't give out your phone number

800 Points

Your anonymous card will only remain anonymous if you do not give your number in connection with your name. In order to still be reachable, you can switch to messengers with a call function that do not require a number or where the number can be hidden.

Anyone who knows your phone number can easily attack you. On sites such as cell-track.com or phone-location.info, for example, it is easy to find out whether a device is abroad or not, or whether a device is currently switched on. All you need is the number. There's nothing you can do about it except keep your number secret. That may not be really dangerous yet. But state actors have other possibilities, such as infecting the device with a zero-click exploit. Only an anonymous SIM card can effectively protect you from state attacks.

3.11 You don't make calls with your anonymous card

400 Points

Do not use your anonymous SIM card/phone for regular phone calls or text messages. You can see who the target contacts are in the traffic data if they do not also have an anonymous card. This may make it possible to narrow down who you are. If possible, only use the card with other anonymous cards or switch to Internet messengers for messages and phone calls.

3.12 You have purchased SIM cards and phones anonymously

200 Points

You should never order SIM cards and phones directly to your address or pay from your accounts. To leave no trace, you can ask friends to order or collect them for you. Pay in cash.

3.13 You use number suppression wisely

200 Points

You are aware that suppressing the phone number only means that it is not displayed on the other party's phone. Your number will still be stored in the traffic data of the providers involved. Use anonymous SIM cards if you need to remain anonymous.

3.14 You dial 110 and 112 carefully

400 Points

Advanced Mobile Location (AML) has been used in Germany and many other countries since 2019 and is gradually being expanded to locate people in emergency situations. If you don't want this, you should prepare yourself for it.

Before AML, rescue coordination centers only had extremely inaccurate radio cell data at their disposal (if at all) to locate people in emergency situations. AML, on the other hand, is firmly integrated into modern telephones and their operating systems: When an emergency number is dialed, the phone automatically activates GPS and WiFi to determine its own position. This is then automatically transmitted to the control center via the Internet or SMS. This extremely precise location is only activated by dialing the emergency numbers and cannot be used from outside without your active involvement. In most cases, there is nothing you can do to prevent you from being automatically located when you dial these numbers. Unfortunately, this also makes it more difficult to make anonymous reports. You should therefore always consider whether dialing emergency numbers from your own phone is really necessary. You can find a list of all countries with AML on Wikipedia. AML is part of the Play services on Android and can be deactivated via the emergency settings.

3.15 You have set up a block for third-party providers

400 Points

With a third-party block, you can prevent apps, websites or scammers from charging costs for subscriptions or other purchases to your phone bill.

If you would like to set up such a block, you can contact your provider online or by telephone.

3.16 You don't give your name immediately when you answer the phone

200 Points

You should not use your name to accept a call. Use generic phrases like 'hello' instead.


4 Apps and operating system

4.1 You are using a free operating system

800 Points

Free Android-based operating systems such as GrapheneOS, CalyxOS or DivestOS can help you protect your privacy and are not tied to Google, Apple or Microsoft.

If you are unsure which system you should install, the clear recommendation is currently to install GrapheneOS on one of the compatible phones. You can find more information in the links.

4.2 You have freed your phone from bloatware

400 Points

Smartphone manufacturers receive millions to billions from Google or Apple for placing their software on your phone. You should definitely remove these apps.

Of course, this is only worthwhile if it has a benefit: The pre-installed software collects data and analyzes your habits. You should therefore remove bloatware (sometimes this is not possible without root permissions) or install a custom operating system such as GrapheneOS.

4.3 You have deactivated or deleted your advertising ID

600 Points

You should definitely delete your advertising ID, change it frequently (Android) or prohibit your apps from tracking (iOS) if you do not want the data from different apps to be merged and sold again by so-called data brokers.

If you use iOS or Android, your operating system transmits an advertising ID to your apps in the background. This ID can be attached to the data records of individual apps. If the provider of your apps then sells this data, brokers can merge it with other data sets of yours. This creates veritable stockpiles of your personal data and interests that are traded online.

4.4 Are your apps and system up to date?

400 Points

Keep apps and your operating system up to date. Malware and state trojans often exploit vulnerabilities in software. Up-to-date apps and an up-to-date operating system are therefore important.

4.5 Do you use a password manager?

400 Points

Your security is increased enormously if you use a different complex password for all services on the Internet. You should save these in a password manager such as KeePass.

4.6 You only install apps from trustworthy sources

200 Points

Only use official app stores or F-Droid to obtain your apps. If you know your way around, you can also download apps directly from the manufacturers' websites. Always consider whether you need an app at all.

Infected apps have many ways of attacking you. For example, they can steal passwords.

4.7 You check access rights carefully

200 Points

Your flashlight app wants to access the memory? Not a good idea! Always ask yourself why an app needs permissions and only grant them gradually or when necessary.

4.8 You use alternative app stores

400 Points

You can obtain most apps via F-Droid or Aurora Store without logging into Google or without Google services.

4.9 You do without Google Play services and Apple services

800 Points

Google Play services and Apple services provide central infrastructures for some apps. For example, push messages are sent via these services. Government agencies use this fact to monitor iPhone and Android devices.

You can protect yourself from this by using apps that do not require Google or Apple services. Also avoid alternatives such as microG if you have installed your own operating system. For example, install apps from F-Droid that do not require these services. Messengers such as Telegram, Signal and Matrix offer their own alternatives for centralized push messages.

  1. 2024-01-24 - Golem: Prominent iOS apps secretly spy on device data - https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps-spaehen-heimlich-geraetedaten-aus-2401-181574.html
  2. 2023-12-13 - Tarnkappe: Apple guidelines: court order for push data now mandatory! -
  3. 2023-12-07 - Kuketz: Android: remedy against state surveillance via push messages - https://www.kuketz-blog.de/android-abhilfe-gegen-staatliche-ueberwachung-durch-push-nachrichten/
  4. 2023-12-07 - Golem: Authorities spy on users via push notifications - https://www.golem.de/news/apple-und-google-behoerden-spionieren-nutzer-ueber-push-benachrichtigungen-aus-2312-180106.html
  5. 2023-12-06 - Netzpolitik: Authorities ask Apple and Google about users of messenger apps - https://netzpolitik.org/2023/push-dienste-behoerden-fragen-apple-und-google-nach-nutzern-von-messenger-apps/

4.10 You use privacy-friendly web browsers

400 Points

Use browsers such as the DuckDuckGo browser, which do not collect data about you and at the same time actively protect your privacy.

4.11 You do without root rights

200 Points

Root rights allow you to use many apps with unique capabilities. However, malicious apps can obtain these rights too, which is why you should generally avoid root.

If you don't know what root is, you probably don't have it. Root has to be activated explicitly on most devices. Unfortunately, some apps that can potentially increase your security require root rights. Examples include backup applications such as "Neo Backup", but also apps such as "SnoopSnitch", which try to detect IMSI catchers or silent text messages. You should always carefully consider whether you really need superuser rights on your device. In the vast majority of cases, there is no good reason for it. Apps such as "SnoopSnitch" only work on very few software and hardware combinations anyway. Setting up root for this reason is out of all proportion.

4.12 You use secure messengers

800 Points

You should definitely use open-source, encrypted messengers such as Briar, Signal, Threema, Element or SimpleX. Avoid insecure commercial messengers such as WhatsApp and co.

If you are unsure which messengers are good or if you need arguments to convince family and friends, you should definitely take a look at Kuketz's messenger matrix. There you can easily compare the individual messengers according to functions and security aspects.

4.13 Activate two-step verification in your messengers

400 Points

Two-step verification (two-factor authentication) prevents your SIM card, or a copy of it, from being enough to access your messages.

In some messengers this works via email; in others you set an additional PIN. If you lose your phone number, or if other people or authorities get hold of your SIM card or a copy of it (SIM swapping), they can log in with the phone number, read your messages and write in your name.

4.14 Do not share your Apple ID and deactivate iMessage

400 Points

You should not use iMessage and keep your Apple ID secret. iMessage has repeatedly been the target of so-called zero-click attacks in recent years.

In the past, specially prepared messages for iMessage have repeatedly been used to install government Trojans on iPhones. You should therefore avoid this software.

4.15 You restart your phone often

200 Points

You should restart your phone more often. For example, every morning or before critical conversations. Some state trojans do not survive restarts as they are often not persistent. Although new infections are possible later, this strategy can give you a private window of opportunity.

4.16 Your second factor for logins is on a separate device

200 Points

Your two-factor app is installed on a separate device. This means that your second factor cannot be used to log into your accounts if your device is compromised.


5 Dangers on the Internet

5.1 Use alternative frontends

600 Points

Alternative frontends for web services such as YouTube, Twitter, TikTok and other websites can help you protect your data.

Instead of YouTube, for example, you can use one of the many Invidious instances such as yewtu.be. This way you avoid advertising and protect your privacy at the same time. You can also install LibRedirect for Firefox. This add-on automatically redirects you to an alternative frontend while you browse.

5.2 You use passkeys

600 Points

Passkeys can replace passwords in some applications and apps and make them completely superfluous. Unlike passwords, they cannot be stolen through phishing or data leaks. Use them when they are offered!

You should not bind passkeys to a biometric unlock. Also remember to back up your passkeys in case you lose your device.

5.3 You secure your accounts with two-factor authentication

600 Points

Many services and platforms on the internet offer to secure logins with a second factor. Use this option whenever possible.

Please also bear in mind that you must be able to create a backup of your second factor. A mobile phone number is not a good second factor: you can lose your number, and other people or authorities may gain access to it. If you lose your SIM card, you will be locked out of your accounts for the time being. If you use a hardware token as a second factor, make sure you have a second one for emergencies! If you use software solutions such as time-based one-time passwords (TOTP), make backups in your OTP apps!
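To make clear what you are actually backing up when you back up a TOTP app, here is an added example that is not part of this checklist: a minimal implementation of the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) in Python using only the standard library. The secret below is a constructed demo value (the base32 form of the RFC test key), not a real account secret. Every six-digit code is derived from that one shared secret, so losing it means losing the second factor; the verify function shows the server side, including the drift window that explains why a code is still accepted a few seconds after it disappears from your screen.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the base32 encoding of the RFC 4226/6238 test key
# b"12345678901234567890". It is NOT a real account secret. An authenticator
# app stores exactly such a value (usually scanned from a QR code); this is
# what must be backed up, because the codes are derived from it.
DEMO_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds per code, the default used by most services
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step, digits)


def verify(secret_b32: str, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current time step and
    `window` steps on either side to tolerate clock drift between phone and
    server. The comparison is constant-time so timing does not leak digits."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + drift * TIME_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def current_code(secret_b32: str) -> str:
    """What an authenticator app shows right now for this secret."""
    return totp(secret_b32, int(time.time()))


if __name__ == "__main__":
    print("code now:", current_code(DEMO_SECRET_BASE32))
    # RFC 6238 reference vector: time 59 gives 94287082 with 8 digits, i.e. 287082 with 6
    print("code at t=59:", totp(DEMO_SECRET_BASE32, 59))
```

Note that the server only ever sees six digits, but both sides need the full secret. A lost phone without a backup of that secret (or of the recovery codes the service handed out) is exactly the lockout the paragraph above warns about.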

5.4 You are using an ad blocker

600 Points

Targeted advertising campaigns (microtargeting) are used by intelligence services, among others, to infect individual devices with malware.

But it's not just intelligence agencies that use advertising to track people. Data brokers resell aggregated data about you and create profiles of you.

  1. 2024-03-18 - Golem: The spy in the advertising banner - https://www.golem.de/news/standortdaten-aus-der-onlinewerbung-der-spion-aus-dem-werbebanner-2403-183217-2.html
  2. 2024-01-26 - Heise: Personalized surveillance instead of advertising: mobile phone data analyzed and sold - https://www.heise.de/news/Gezielte-Werbung-Israelischer-Verein-wirbt-mit-5-Milliarden-ueberwachten-Geraeten-9609259.html
  3. 2023-11-19 - Netzpolitik: Online advertising as a "serious security risk" - https://netzpolitik.org/2023/buergerrechtsorganisation-warnt-online-werbung-als-ernstes-sicherheitsrisiko/
  4. 2023-07-06 - Netzpolitik: The adtech industry tracks most of what you do on the Internet. This file shows just how much. - https://netzpolitik.org/2023/surveillance-advertising-in-europe-the-adtech-industry-tracks-most-of-what-you-do-on-the-internet-this-file-shows-just-how-much/
  5. 2021-10-26 - Kuketz: For beginners and the convenient: banish advertising and trackers system-wide on iOS/Android - https://www.kuketz-blog.de/fuer-anfaenger-bequeme-werbung-und-tracker-unter-ios-android-systemweit-verbannen/
  6. eBlocker - https://eblocker.org
  7. Pi-hole - https://pi-hole.net/
  8. AdAway for Android - https://adaway.org/
  9. uBlock Origin for Firefox - https://addons.mozilla.org/de/firefox/addon/ublock-origin/

5.5 Do you use different pseudonyms and e-mail addresses?

200 Points

You can improve your security by using a different name and different email addresses or mobile numbers for registration on all platforms. This way, your accounts cannot be merged through data leaks.

5.6 You do not use your pseudonyms at the same time

200 Points

Work with a time delay if you want to share the same message in different channels or groups with different pseudonyms. Otherwise it will be obvious that one person is behind the various pseudonyms.

5.7 You use Tor or the Tor Browser

800 Points

Tor (The Onion Router) can greatly improve your anonymity on the Internet. Visit websites via the Tor Browser and route apps through the Tor network with the Orbot app.

5.8 You use privacy-friendly search engines

400 Points

Google, Apple and other manufacturers pass on data to investigating authorities without hesitation. Therefore, use alternative search engines such as duckduckgo.com or stract.com.

5.9 You only use encrypted cloud storage

600 Points

Many cloud providers cooperate fully with investigating authorities and will not hesitate to hand over your data. Only store encrypted data there.

In general, you should consider whether you need the relevant cloud services at all. For example, you can use apps such as "OpenKeychain" to encrypt files before uploading them to a cloud. If you use an Apple device with iCloud, activate Advanced Data Protection there.

5.10 You use VPNs wisely

200 Points

Remember that you have to trust VPN providers. You pay them, so they know your identity. Many VPN services cooperate fully with investigating authorities. If you can, use the Tor network instead.

5.11 You delete metadata from your images

400 Points

Your smartphone invisibly attaches metadata such as GPS coordinates, camera type, resolution, smartphone model or operating system to your pictures. With some camera apps, this can be partially or completely deactivated.

If your phone is stolen, this data can reveal where you come from and where you have been. Use apps such as "Imagepipe" to clean your pictures before you upload them to the internet. You can install Imagepipe on your Android smartphone via F-Droid. F-Droid is an installable catalog of free and open source software.
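To show what a tool like Imagepipe actually does to a picture, here is an added example that is not part of this checklist and not Imagepipe's own code: a small JPEG segment walker in pure Python that removes the metadata segments (Exif and XMP in APP1, other APPn blocks, and the COM comment) while copying the pixel data untouched. The sample "photo" is a constructed byte string with the same segment layout as a camera file, not a real image; the APP0 JFIF header and the APP14 Adobe segment are kept on purpose because decoders need them.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP14, APP15, COM = 0xE0, 0xE1, 0xEE, 0xEF, 0xFE
SOI_BYTES = b"\xff" + bytes([SOI])
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

# Segments that hold metadata rather than image data. APP0 (JFIF header) and
# APP14 (Adobe colour transform) are kept because decoders rely on them.
METADATA_MARKERS = {m for m in range(APP1, APP15 + 1) if m != APP14} | {COM}


def _segment(marker: int, payload: bytes) -> bytes:
    """Encode one JPEG segment: 0xFF, marker, 2-byte length (including itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_demo_jpeg() -> bytes:
    """Constructed stand-in for a camera file: not a decodable picture, but the
    segment layout of a real JPEG with metadata where cameras put it."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    exif = b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"<constructed GPS/model tags>"
    xmp = b"http://ns.adobe.com/xap/1.0/\x00" + b"<x:xmpmeta>constructed</x:xmpmeta>"
    comment = b"Shot on DemoPhone by demo user"
    scan = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"  # fake entropy data
    return (SOI_BYTES + _segment(APP0, jfif) + _segment(APP1, exif) + _segment(APP1, xmp)
            + _segment(COM, comment) + scan + b"\xff" + bytes([EOI]))


def _parse_header(data: bytes):
    """Return ([(marker, start, end), ...], offset_of_scan) for the segments before SOS."""
    if data[:2] != SOI_BYTES:
        raise ValueError("not a JPEG (missing SOI)")
    segments, i = [], 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        while i + 1 < len(data) and data[i + 1] == 0xFF:  # fill bytes before a marker
            i += 1
        marker = data[i + 1]
        if marker in (SOS, EOI):
            return segments, i
        if marker in STANDALONE:
            segments.append((marker, i, i + 2))
            i += 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        segments.append((marker, i, i + 2 + length))
        i += 2 + length
    raise ValueError("truncated JPEG (no SOS or EOI)")


def metadata_segments(data: bytes):
    """List (marker, payload) for every metadata segment still in the file."""
    segments, _ = _parse_header(data)
    return [(m, data[s + 4:e]) for m, s, e in segments if m in METADATA_MARKERS]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop metadata segments; copy the scan (pixel) data and EOI verbatim."""
    segments, scan_offset = _parse_header(data)
    out = bytearray(SOI_BYTES)
    for marker, start, end in segments:
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    out += data[scan_offset:]
    return bytes(out)


if __name__ == "__main__":
    raw = build_demo_jpeg()
    print("metadata segments before:", [hex(m) for m, _ in metadata_segments(raw)])
    clean = strip_jpeg_metadata(raw)
    print("metadata segments after:", metadata_segments(clean), "bytes saved:", len(raw) - len(clean))
```

Two caveats a real tool has to handle as well: some camera apps also hide location data in a thumbnail inside the Exif block (gone here because the whole APP1 segment is removed), and other formats (HEIC, PNG, video) store metadata elsewhere, so use a tool made for the format rather than assuming the JPEG rules apply.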

5.12 You read through data protection declarations

400 Points

Do you take the time to read the privacy policies of new apps and services you register with? Do you care who your data is shared with and what happens to it?

5.13 You encrypt your emails

800 Points

Do you use email? Then you should definitely think about encryption such as GPG/OpenPGP.

Did you know that in Germany, for example, many email providers are considered telecommunications services? This means that authorities can request your subscriber (inventory) data and your emails. But even without official surveillance, emails are exposed to many dangers. An email passes through many nodes on its way to a mailbox and can be read at numerous points.

5.14 Delete unused accounts

400 Points

It is important to delete accounts that you no longer need, regardless of whether you created them for a website or an app. Take the time to do this once a year. If you haven't used an account for a while, close it. This minimizes the risk of your data appearing in leaks.

5.15 You check whether you are affected by data leaks

400 Points

Personal data is leaked from websites, portals and online stores every day. Those affected are rarely informed. The data is sold, traded or is often freely accessible.

On the website haveibeenpwned.com you can quickly and easily find out whether your email address appears in data leaks. You can also create an account there and be notified automatically when new findings are made.