Digital privacy and security is increasingly needed for people of all walks of life. Much of our lives is now digital information which can be stolen, tracked, or traced. Many people are getting the privacy they need using an encrypted phone. Encrypted phones offer security and peace-of-mind knowing your information, like chats and photos, won’t wind up on some hacker’s server offered up to the highest bidder.
There are many options for using encryption on your phone, from locking down the device with OS-installed encryption and using chat apps with encryption, to using a separate fully-locked down phone with complete encryption. Each option is a is a step in the right direction towards getting the protection your conversations and files deserve. This article starts by teaching you the basics of how and why data is stolen, and then teaches you the ins and outs of an encrypted phone ecosystem so you can make an informed choice.
How do hackers get your data?
All hacks focus on exploiting one of three things:
- Poor security practices (like easy to guess passwords)
- Bugs in software that opens a vulnerability
- Vulnerabilities in how networks operate
When we look at using an encrypted device, you’re protecting against hacks and vulnerabilities in how devices connect to the internet. Here are the top five most common network attacks:
- Fake WAP/Evil Twin: A hacker sets up a WAP (wireless access point…a Wi-Fi hotspot) which looks official but isn’t, such as setting up “Free McDonald’s Wi-Fi” at a location which provides “Free McDonalds Wi-Fi” to customers. Everyone who connects to the hacker’s ‘evil twin’ will have their unencrypted data displayed as plain text. Encrypted phones protect against this difficult to detect hack because they establish an additional secure connection encrypting data before it’s sent over the wireless network.
- Man-in-the-Middle: A hacker inserts themselves between the victim’s device and their destination server, reading and storing all unencrypted data. An encrypted phone renders this attack useless because all network and message data is encrypted in transit end to end.
- Network Eavesdropping: Packet capture tools, used by legitimate network administrators to troubleshoot and protect networks, ‘sniff’ and record data packets sent over a network. This data is then listened to or read with a packet analyzer. Encrypting data, including metadata, before it leaves a phone and connects to the network protects intercepted data from being decoded.
- SS7 hacks: Weaknesses in telecommunication networks allows hackers to steal any information as it is in transit, including listening to phone calls on a 3G network or reading unencrypted SMS texts. Encrypting all of the data, including what is sent over mobile networks, will protect users. This vulnerability has existed for over 50 years and is still resulting in stolen data today.
- IMSI Catcher: Like packet sniffers, IMSI catchers pretend to be a legitimate cell tower, except before relaying connections to a carrier’s real tower, the catcher collects data from all connected phones. IMSI catchers can record calls made over 3G networks, read SMS messages, and capture unprotected internet traffic. This may sound like science fiction, but it is used legitimately by police in the course of investigations. However, hackers, private investigators, and state-sponsored hacking groups are also getting access to these tools and using them to intercept unencrypted traffic.
These are real acts done by hackers the world over. They don’t even have to be particularly skilled as there are tools which can be purchased to do them. Some are even super cheap, like this $7 passive IMSI catcher:
The only way to be secure is with encryption as hackers only attack the easiest targets, and would rather try to hack someone who uses no encryption. There will be new hacks in the future, and the surest way to protect against any hack which has not yet been invented is encryption. Many attacks used by hackers are stopped dead by an encrypted phone. The key feature in encrypted phones is ensuring your connections—over mobile data or WiFi—are encrypted before the device sends any personally identifiable information.
Why do hackers want to steal this data?
Many people don’t understand how valuable their data is to hackers. Here are examples of how cybercriminals turn data into money:
- Sell it: Stealing data and selling it to other criminals to use the information for what they need is lucrative. Information can be packaged according to data type, and then sold to whoever is looking to use that kind of data. Selling bulk email addresses to spammers is an easy way to make money.
- Phishing attacks: Information a hacker obtains can be used to craft more convincing phishing attacks with customized and detailed information in their messages for the individual being targeted. Information about an employer—like names and email addresses of people you work with—can be used against someone in an effort to steal information about a workplace.
- Identity theft: Something as simple as sending a social insurance number to a new employer can be just the piece of data a hacker is looking for. They can then open up accounts in the name of the victim, such as credit and debit cards, and drain them dry.
- Blackmail: It’s becoming common for hackers to steal photos, particularly in sextortion, and secure documents to commit blackmail. They threaten to release the information to employers, friends, and family, and expect payment in return for keeping the data secret. Encryption stops hackers from stealing and using the data.
- Fraud: This is common with stolen medical data. The data is used to create fake credentials that are used to apply for Medicaid for expensive surgeries that were never done. There is also fraud via filing refunds on fake tax returns.
- Login credentials: Usually done on a fake WiFi hotspot, hackers steal login credentials from victims and see if they use them elsewhere—like Amazon or iTunes—and make purchases there.
- LOLz: New hackers want to steal data simply to prove that they can. Experienced hackers can practice hacking a particular phone vulnerability of an innocent person before taking on a bigger target. While they often only sell any data, it’s still bad if they find personal data which can lead to blackmail.
Money is the biggest factor in why hackers steal any type of data. They either get money from the data itself directly, or sell the data to someone who can get money out of it. There is no way to stop greed, but encryption stops hackers.
The encrypted phone ecosystem
Smartphones have moved far beyond being only a phone, it’s now a device for:
- Sending text messages and emails
- Keeping a list of business and personal contacts.
- Storing conversations with people on the phone.
- Receiving and reading work documents.
- Taking and sending photos.
- Creating notes for personal and business use.
This means that there are key areas where data needs to be encrypted for true protection as part of a complete encrypted phone ecosystem:
- Protected hardware: Protecting the phone itself is essential, like making sure it has tamper-resistant features which protect the mobile operating system (e.g iOS or Android).
- Secured app: Making certain that the app is self-contained so data can’t be transferred out, messages and documents can be deleted if needed, and nothing can leak in or out.
- Network encryption: Full network encryption is a basic requirement for any encrypted phone. It allows for secure communications over any network. The next level is offering a secure network, which is provided by Sky ECC.
- Device management: The simplest ‘hack’ of all is the physical theft of a device. Device management allows you to locate where the device is and erase it remotely.
- Secure container: This isolates your communication app from all other apps which could potentially be infected with malware or spyware. A tool which is on the highest level will offer this containerization within an encrypted container.
These are the four ways phone apps can be made more secure, and each done for true security and protection. Below are some of the ways Sky ECC handles each feature and see how it compares to other “secure” methods of communication.
1: Protecting the hardware of an encrypted phone
Your encrypted phone is going to use one of the two forms of encryption above in a number of ways if it is to be truly effective. Here are the major considerations:
- Any data kept on the phone must be encrypted.
- All network connections are encrypted through a secure tunnel or VPN
- Metadata used to send and receive messages should be encrypted.
- Messages must be encrypted during transportation over a network.
- Servers used to store any messages must be encrypted—though even encrypted messages shouldn’t be stored on servers.
Your encrypted phone can’t call itself truly encrypted without these four types of encryption. There are three major weaknesses for apps which claim to be completely encrypted:
- They fail to encrypt the metadata, a problem that WhatsApp has. This can reveal who you are, who you talk to, when you talked to them, and other details which should be private.
- They fail to encrypt data stored on servers, such as chat backups. Another major downfall of WhatsApp is that they store chat backups on a server in plain text with no encryption.
- Images and videos are frequently stored on the phone in local storage with no encryption, leading to media-jacking attacks.
Many “secure” apps for communication focus on client-to-server encryption, which protects the data while it’s being transported, but decrypt messages on the server. End-to-end encryption ensures the messages are encrypted on the phone and stay that way until the message reaches your contact.
Many apps fail to encrypt data when it is being stored on servers or the phone itself, and they fail to encrypt metadata. A truly encrypted phone will not compromise any of these areas, and Sky ECC was built with these important points in mind.
What are brute force attacks?
A brute force attack uses software to guess passwords until the right one is found. Protection against brute force attacks has to be part of any phone’s security strategy. Here’s how Sky ECC prevents brute force hacks:
- Passcode entries are limited to 10, but can be set to as few as three for more protection.
- A CAPTCHA is used on the second-to-last password attempt. This makes automated brute force attacks very difficult to do.
- If the last password attempt fails the app deletes all its data. Truly secure data must not ever fall into the wrong hands, and this is the last resort for keeping it protected.
Brute force attacks are a very real problem. There are many password cracking tools out there for legitimate penetration testing reasons. Hackers are taking them and refining them all the time to develop new programs to make it easier, such as Hatch:
A truly encrypted phone, such as one with security features like Sky ECC, will not only encrypt data on the phone, but also protect it from brute force attacks. Encryption is meaningless if an attacker can get around it with a password cracker.
2: Secure chat app
Everything starts with an app with is actually secure. It must handle all encryption before sending data to any network, and should have other features built in as failsafes:
- Installing the app within a secure container protected with its own encryption.
- Only storing messages on the device in the app, not on servers.
- The ability to approve contacts before they message you, and block them when they’re a problem.
- Secure storage of files (images and documents) within the app.
- Self-destructing messages with varying time frames of deletion.
- Control of when entire conversations can be deleted from both the sending and receiving phone.
- Encrypted metadata to protect basic information.
These features are all built into Sky ECC, and they must be built into any secure chat app as part of the greater ecosystem of an encrypted phone. Each step offers another layer of protection as you can’t rely on encryption alone.
3: Network encryption
Many communication apps out there now offer end-to-end encryption. This should be the absolute minimum requirement for any secure and encrypted phone. These apps, especially the free ones, rarely, if ever, go the extra mile and have their own secure network.
Secure networks are controlled by a known entity, with always-on encryption. Secure phones typically use two types of networks which require different types of protections:
- Private Mobile data networks: These require SIM-based protections to secure the cellular data before it reaches a tower.
- Secure tunnels or VPNs over Wi-Fi networks: Encryption of the data before it reaches the destination server is necessary here.
We have made this as easy as possible to understand in the context of Sky ECC’s network of servers using this diagram:
You can see here that SIM-based protections encrypt the data before it goes to a cell tower, and secure tunnels protect it before it goes to the Wi-Fi network. That’s a nice diagram, but what’s even better is that our server network is global. We work everywhere you are, with servers in:
- North America
- South America
This is essential when travelling to countries with heavy surveillance because you bypass their networks entirely. Network encryption is a bare minimum, but a secure global network is the next level of protection for your encrypted phone. Controlling the network, as Sky ECC does, while using end-to-end encryption allows for the greatest possible amount of protection for data in transit.
4: Device management
An often overlooked aspect of encrypted phones, and secure chat apps in general, is what to do if a device is lost or stolen. There are a few considerations here:
- GPS location: It can sometimes be as simple as seeing that the device was left at the local coffee shop and going back to retrieve it, or that it’s in another area of the office.
- Remote deletion: There is no substitute for being able to delete a device remotely when it is lost or stolen and can’t be retrieved. A phone which is connected to the internet via mobile networks will be instantly deleted as soon as it connects to a network. Having all data on it encrypted is great, not having the data on it at all is better.
- Support: There needs to be some sort of support agent who can delete a phone when it’s lost as the owner likely can’t. The support agent should be able to remotely lock or wipe any device with the push of a button in a centralized dashboard.
- App control: Being able to lock down app downloads is beneficial as it allows harmful apps to be blocked. An encrypted phone is useless if it’s compromised with spyware.
There is no way to have a completely protected phone without some form of device management. This feature allows for protection when the user doesn’t have direct access to the device, and when they are unaware of risks from downloaded apps. Sky ECC leverages remote device protections without compromising security with accessible GPS data.
5: Secure container
Creating a secure container on an encrypted phone is often overlooked. The purpose is to isolate the app from any outside intrusions from other apps on the phone, especially malware that could come from them.
Sky ECC installs the entire app within a separate partition on the phone surrounded by encryption. Many secure chat apps skip this part of the process and wind up being compromised in some way. This recently happened to WhatsApp, and there are even “top 5 WhatsApp hacking tool’ lists out there which should worry you.
Secure containers aren’t a new concept, people have been running virtual machines on their computers for decades to protect the rest of their machine, but it’s vastly underutilized in the communications world. Communication apps which simply sit on your phone are at risk of infection from other apps when a separate container would protect them.
Sky ECC is a complete encrypted phone ecosystem
Sky ECC’s architecture considered all of the encryption needs of every phone user and offers the following solutions:
- Device: The phone itself is secure thanks to Sky ECC being exclusive to phones with tamper-resistant chips. The operating system and app itself are also protected, with the Sky ECC app being stored within an encrypted container. Messages and files on phones are encrypted with 521-bit ECC encryption.
- Transport: All messages sent through Sky ECC are transmitted over a secure global network of servers controlled by Sky. They are encrypted with a 521-bit encryption algorithm, which is magnitudes stronger than what’s used by WhatsApp, Signal, and many other competitors. Sky ECC encrypts metadata with AES 256-bit encryption, the standard used by the military for its most top secret information.
- Storage: Not storing data on external servers is essential as data can’t be compromised on the server if it is not on the server in the first place. Messages are only stored on Sky ECC’s servers when the recipient is not online, while staying encrypted with 521-bit ECC, and undelivered messages are deleted after 48 hours so that data isn’t left hanging out in the breeze.
These are basic steps which every secure messaging phone should take, and which Sky ECC does take. Many apps and phones don’t, and many users are compromised because of this.
What can an encrypted phone can do for you?
Conversations deserve to be protected. Files and images deserve to be protected. Contacts deserve to be protected. A truly encrypted phone will help with all of these as it encrypts data:
- On the phone itself.
- While it’s being transported.
- When it’s stored on external servers.
Much has been made of the end-to-end encryption of tools like WhatsApp, but that only covers a fraction of the data. Sky ECC has taken the steps to encrypt every aspect of what a truly encrypted phone needs to be secure. This will give assurances that our encrypted phone is truly encrypted, and not just a token of security.
Why hackers steal this data is important as knowing motivations can help users understand why they become victims of the data theft ecosystem. Common motives include:
- Selling the data
- Peronalizing phishing attacks
- Identity theft
- Blackmail of targets
- Fraud of various forms
- Stealing login credentials
Money is the motivating factor in all of this, so phone users need to make sure that none of the information they’re sharing online can be stolen and turned into money in some form. Using an encrypted phone is how anyone can do it, and using Sky ECC is the best way to have an encrypted phone with features that offer:
- End-to-end encryption using a 521 bit ECC algorithm
- A container for the chat app itself secured with encryption
- Secure storage via the Vault feature
- Message deletion options which wipe conversations out
These secure features go beyond the standards offered by competitors and truly give everyone an encrypted phone that covers every need for secure communications in today’s world.