iPhone opsec guide

Note: Be aware that these operational security guidelines are generally not applicable if you’re attempting to evade your own government’s surveillance. Not only do all new iPhone registrations (software and hardware identifiers) go through NSA-surveilled datacenters, but the only way to avoid passive or active cellular tracking is to not use a cell phone at all. Further, everything listed here depends on your threat model.

Physical security

  1. Ensure that your iPhone is generation 6 or greater (A7, A8, A9) to benefit from Secure Enclave.
  2. Only use a randomly-generated (stored offline and/or memorized) 12+ digit alphanumeric passphrase.
  3. Enroll in TouchID to minimize shoulder-surfing passphrase disclosure, but be aware of where you leave your fingerprints.
  4. Register your iPhone on someone else’s account so as not to attach your SSN to the IMEI/IMSI/SIM.
  5. Register a new, random phone number.
  6. Do not pay for your iPhone with your credit or debit card.
  7. Never pay service charges with your credit or debit card.
  8. Never share the iPhone’s real phone number with anybody.
  9. Use only VoIP phone numbers for app registration (Signal).
  10. Never connect your iPhone to PCs in order to minimize infection and to minimize security certificate sharing.
  11. Only charge your iPhone directly from power or using a power-only USB cable.
  12. Always keep Wi-Fi disabled. Wi-Fi networks track hardware MAC addresses that get reported to centralized databases (Cisco Meraki, etc.) for tracking and/or advertising purposes, and you do not want to disclose your physical location any more precisely to third-party services via IP address.
  13. Always keep Bluetooth disabled.
  14. Always turn your iPhone off at night.
  15. Always turn your iPhone off when you are going to be away from the device.
  16. Always turn your iPhone off when passing through security screenings.
  17. Store your iPhone in a locked safe when leaving unattended.
  18. Do not bring your iPhone to events that have moderate-to-high risk of being confiscated, or at least keep your iPhone off at these events.
  19. Do not let others use your iPhone.
  20. Remove the microphone from your iPhone.
  21. Remove all cameras from your iPhone or keep the cameras covered with tape or stickers.
  22. When needing to carry the device but minimize surveillance, power off your iPhone and store it in a Faraday cage.
  23. Be aware that the NSA CO-TRAVELER program keeps track of your iPhone’s location and which devices your iPhone is ever in close proximity to.

Software security

  1. Never use your iPhone for Web browsing.
  2. Sign out of iCloud.
  3. Do not enable Siri.
  4. Use parental controls to disable Safari.
  5. Only install trusted apps (Signal) to minimize exposure to remote infection.
  6. Never sign into any cloud-based email-, calendar-, or contact-syncing accounts.
  7. Manually input contacts and keep contacts stored locally.

EMET profile for Tor Browser

Windows 10 (1511)
EMET: 5.5.5871.31890
Tor Browser: 6.0.1

When configured, EMET will force-enable these security settings for Tor Browser:

  • DEP
  • SEHOP
  • NullPage
  • HeapSpray
  • EAF
  • EAF+
  • MandatoryASLR
  • BottomASLR
  • LoadLib
  • MemProt
  • Caller
  • StackPivot
  • ASR

Steps

(Perform the following if you want to manually set this up and not simply import my prepared config file.)

  • Import > CertTrust
  • Import > Popular Software
  • Import > Recommended Software
  • Quick Profile Name: Maximum security settings
  • Apps > Add Application (find and select your *\Tor Browser\Browser\firefox.exe)
  • Enable ASR for Mozilla Firefox, then add these ASR modules:
    flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
  • Enable ASR for Tor Project Firefox, then add the same ASR modules:
    flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
  • Enable ASR for Mozilla Firefox plugin container, then add the same ASR modules:
    flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
  • Disable “SimExecFlow” for Tor Project Firefox.
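As an added example that is not part of the original guide or of EMET itself: a small Python audit that parses an exported EMET profile and reports where the Tor Browser firefox.exe entry deviates from the settings listed above (a mitigation missing or off, SimExecFlow still on, ASR module list incomplete). The XML element names (EMET_Apps, AppConfig, Mitigation, asr_modules) and the embedded sample export are assumptions from memory of EMET 5.x exports, so confirm them against your own export before relying on the result.

```python
# Added example (not from the original guide): audit an EMET 5.x export against
# the Tor Browser profile listed above. Element names (EMET_Apps, AppConfig,
# Mitigation, asr_modules) are assumed from memory of EMET exports; confirm
# them against your own exported profile.
import xml.etree.ElementTree as ET

# Mitigations the guide force-enables; EMET spells the guide's "BottomASLR" as BottomUpASLR.
REQUIRED_ON = {"DEP", "SEHOP", "NullPage", "HeapSpray", "EAF", "EAF+",
               "MandatoryASLR", "BottomUpASLR", "LoadLib", "MemProt",
               "Caller", "StackPivot", "ASR"}
REQUIRED_OFF = {"SimExecFlow"}          # the guide disables this for Tor Browser
ASR_MODULES = ("flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;"
               "msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll")

# Constructed sample export: Caller is missing, SimExecFlow was left on and
# the ASR module list is incomplete, so the audit should report three findings.
SAMPLE_EXPORT = """<EMET Version="5.5.5871.31890"><EMET_Apps>
<AppConfig Path="*\\Tor Browser\\Browser" Executable="firefox.exe">
<Mitigation Name="DEP" Enabled="true"/><Mitigation Name="SEHOP" Enabled="true"/>
<Mitigation Name="NullPage" Enabled="true"/><Mitigation Name="HeapSpray" Enabled="true"/>
<Mitigation Name="EAF" Enabled="true"/><Mitigation Name="EAF+" Enabled="true"/>
<Mitigation Name="MandatoryASLR" Enabled="true"/><Mitigation Name="BottomUpASLR" Enabled="true"/>
<Mitigation Name="LoadLib" Enabled="true"/><Mitigation Name="MemProt" Enabled="true"/>
<Mitigation Name="SimExecFlow" Enabled="true"/><Mitigation Name="StackPivot" Enabled="true"/>
<Mitigation Name="ASR" Enabled="true"><asr_modules>flash*.ocx;njpi*.dll</asr_modules></Mitigation>
</AppConfig></EMET_Apps></EMET>"""


def audit_profile(xml_text, executable="firefox.exe", path_hint="Tor Browser"):
    """Return sorted findings for the matching AppConfig; [] means it matches the guide."""
    root = ET.fromstring(xml_text)
    app = next((c for c in root.iter("AppConfig")
                if c.get("Executable", "").lower() == executable.lower()
                and path_hint in c.get("Path", "")), None)
    if app is None:
        return [f"no AppConfig for {executable} under a '{path_hint}' path"]
    # Map mitigation name -> enabled flag; anything absent counts as disabled.
    state = {m.get("Name"): m.get("Enabled", "").lower() == "true"
             for m in app.iter("Mitigation")}
    findings = [f"{n} not enabled" for n in REQUIRED_ON if not state.get(n)]
    findings += [f"{n} should be disabled" for n in REQUIRED_OFF if state.get(n)]
    # ASR only helps if the module list actually names the plugins to block.
    node = app.find("./Mitigation[@Name='ASR']/asr_modules")
    have = set(node.text.split(";")) if node is not None and node.text else set()
    missing = set(ASR_MODULES.split(";")) - have
    if missing:
        findings.append("ASR modules missing: " + ";".join(sorted(missing)))
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_profile(SAMPLE_EXPORT) or ["profile matches the guide"]:
        print(line)
```

Replace SAMPLE_EXPORT with the text of your own exported profile to audit a real machine; an empty result means every setting above is applied.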

Example EMET view

2016-06-11