MobileActive.org

SMSTester for Android: Project and Source Now Open

One of the main goals of the SaferMobile project is to release software tools that allow activists and rights defenders to use their mobile phones as network monitors and sensors. The goal is to help them, and the mobile developers, human rights organizations and people on the street they work with, to monitor network performance and proactively detect blocking, filtering and censorship. SMSTester is the first tool we are publicly releasing within this category, and it is free, freely licensed and open-source. Our first trial run with Short Message Service Tester (SMSTester) was completed in April 2011. The results are written up here.

Introducing SaferMobile: Mobile Security for Rights Defenders, Activists, and Journalists

Activists, rights defenders, and journalists use mobile devices for reporting, organizing, mobilizing, and documenting. We have written about many of these uses for years now, describing how mobile phones provide countless benefits to activists and rights defenders. Mobile tech is relatively low cost and allows for increased efficiencies and vast reach, for example. But, there is a darker side.

Mobile Phones present specific risks to rights defenders, journalists, and activists. We believe that is is critically important to know that mobile communication is inherently insecure and exposes rights defenders and those working in sensitive environment to risks that are not easy to detect or overcome. (We provide an overview of those risks in this Primer, for instance)

To address mobile safety and security for rights defenders, we are introducing SaferMobile, to help activists, human rights defenders, and journalists assess the mobile communications risks that they are facing, and then use appropriate mitigation techniques to increase their ability to organize, report, and work more safely.

What is SaferMobile? 

• Online and offline educational and tactical resources (risk evaluation tools, case studies, how-to guides, security tool reviews); 
• Trainings and curricula for use in various countries and with different constituencies; 
• Specific mobile security software focused on the needs of rights defenders, activists, and journalists.

As will all that we do, we believe that there certain values and principles that are paramount in this work. For SaferMobile, we are following these principles:

• We believe that skilled, trained, and knowledgeable activists, journalists, and rights defenders are key to democratic changes. We also believe that the smart and effective use of technology constitutes an integral piece of their skill set.
• The better activists, journalists, and rights defender are able to work, the more safely they are able to organize and communicate, the more likely it is that their work is effective and heard. 
• We are committed to accessible, useful, actionable, and technically accurate and secure content, materials, and software. 
• We are also committed to describing technological vulnerabilities in terms that non-technical users can easily understand. 
• We work with activists on the ground to ensure that the content we produce addresses real uses and risks. 
• We also seek responsive connections between activists and security professionals so that both are more able to assess and respond to changing risks.  
• Lastly, we are maintaining information that reflects current security risks and technological vulnerabilities and is vetted for security and technological accuracy by knowledgeable experts.

Roadmap and Process

The SaferMobile project is just beginning its second Phase. Phase 1 included needs assessment with users and peers – activists, rights defenders, journalists, technologists, security experts, and mobile developers. Through this research, we outlined plans for web content, training curriculum and tools (software) and are now creating these pieces in Phase 2 of the project (May-August 2011). 

Our approach is iterative and open – we work as a team to develop ideas and welcome review and comments from peers. We maintain a wiki for this initial phase that will act as a living lab for content and code as we develop both. 

Who Cares Where I Am, Anyway? An Update on Mobile Phone Location Tracking

Apple’s release of version 4.3.3 of its iOS operating system “..kills iPhone tracking”, according to a recent article. After nearly three weeks of public attention on this issue, this news will perhaps appease some iPhone fans but is not likely to end the debate over what users should know and control about their smartphones’ location tracking abilities. Like Apple, Google’s Android and Microsoft’s Windows Phone systems have also recently come under fire, though important differences exist in the way each company collects and uses location-based information.

We have reviewed recent articles and research on each of these mobile operating systems’ location tracking capabilities and will describe the various claims made and the research undertaken to test these claims.

SMSTester - Monitoring SMS Delivery (and Keyword Filtering, Possibly)

NOTE: This article was updated with an addendum and additional data.

Inspired by Michael Benedict's original blog post on monitoring SMS delivery reliability in Tanzania and recent reports of SMS keyword blocking in Uganda, MobileActive.org set out to replicate Michael's work - and add to it. SMS is such a crucial part of many mobile projects and just day-to-day life across the developing world, yet there’s a lack of public knowledge of mobile network operator interdependency, latency, and reliability (how mobile network operators work together to transmit SMS, the lag time between sending and receiving a message, and the guarantee that a message will reach its recipient).

Michael's post got us thinking: Can this type of experiment be replicated without extra hardware required (GPRS modems, etc.)? After a few quick brainstorming sessions at the OpenMobile Lab in New York, we created an alpha version of a mobile application that recreates a number of latency tests. It’s far from perfect - and there is still plenty of work to be done - but we’re confident that this project will lead us to extremely valuable data about the transparency and reliability of SMS on mobile networks.

SMSTester - The App

SMSTester is a simple Android app that allows a user create a set of keywords to be sent as SMS messages. This allows the user to explore differences in latency for any type of message - from basic, everyday text like ‘milk’ or ‘newspaper’ to politically inflammatory text such as ‘revolution.’ We then set up a logging mechanism to timestamp and record each SMS as it is sent (from the sender side) or received (on the receipt side). By comparing the sent and received timestamps, we’re very easily able to calculate message latency from one SIM to another.

Initial Deployment

We deployed SMSTester in a test in Egypt a few weeks ago. As this was the initial trial for a fully untested application, we were careful.  While we did run our tests across a number of local mobile operator networks, we kept the test volume small enough to keep us under the radar (for now!). Our test methodology included:

1. Testing across all three major mobile operator networks in Egypt: Etisalat, Mobinil, and Vodafone
2. Consistent keyword test bed containing both ‘safe’ and ‘political’ terms, where ‘safe’ refers to everyday vocabulary and ‘political’ refers to politically sensitive words
3. Language coverage across both English and Arabic
4. Roughly 270 messages successfully sent, received and analyzed

What We Looked For And Why

The main focus of our analysis was SMS delivery latency, delay, or more generally, delivery failures. There are plenty of anecdotal stories of seemingly random delays lasting multiple hours or even days in many countries where we work. While network congestion and growing infrastructure are often to blame for SMS unreliability, there are also legitimate concern that delays may be an indication of deliberate message filtering and monitoring. What has emerged is an environment in which activists and human rights defenders are unable to clearly understand what networks - and what behavior - is safe or hazardous for themselves or their contacts. The end goal of this research, put simply, is to change this paradigm. Rumors of keyword filtering are not helpful; what is helpful is any evidence of surveillance.

This small experiment is just a start, of course. Our hypothesis is that keyword filtering and other malicious behavior on the part of mobile network operators may manifest in the form of increased message latency or overt message blockage. If we could detect any sign of a correlation between message content and delivery with just some initial testing in-country, this would be a great first step towards our overall goal. However it’s very important to note that while message latency or failure may be indicative of bad behavior on the part of the carries, it could be due to any number of contributing factors and is by no means an implication of foul play. For now we’re merely hypothesizing.

Results

Despite the minor bugs discovered, we gathered very valuable information about message latency in Egypt during this trial. The most valuable data was on the Etisalat network (also known as the Emirates Telecommunications Corporation), based in the UAE. The majority of the data we recovered from this trial was between an Etisalat SIM and other Egyptian networks. (Note: This was the result of inadvertent data loss for other test scenarios and we did not specifically target Etisalat).

Main Conclusions

Big Caveat (READ THIS!): Given the small sample size of this test, it should be noted that none of these conclusions are definitive. In fact, the very nature of such a small sample size warrants much further investigation.

(1) Delivery between Etisalat & Mobinil networks warrants further investigation. As shown below, the delivery time for English language text messages from Etisalat to Mobinil is significantly greater than delivery time to any other network, for both English and Arabic texts. This may be due to any number of network delays, and it may also be indicative of English language filtering by one or both of the mobile network operators.

 (2) Delivery time of politically sensitive English messages on Etisalat warrants further investigation. The chart below shows that politically sensitive English messages sent across the Etisalat network were delivered with significantly more latency than others, with the possible exception of politically sensitive Arabic messages. In addition, each of the three messages that were delivered out of order fell into this category. Similar to the above conclusion, this may be indicative of specific filtering on behalf of Etisalat.

"Don't be fooled" Mobile Security Hackday, April 1, NYC

Please join us on Friday, April 1 in NYC!  To celebrate April Fools Day and to highlight mobile phone & digital network insecurities, the Guardian Project  and MobileActive.org are hosting "Don't be Fooled", part of the new SaferMobile initiative. This hackday will showcase mobile tools to enhance security, profile GP's open-source tools and feature a room for face-to-face conversations about mobile security.

Do to the intimate size of the venue, we are caping RSVPs at 30: 20 "developers / hackers" who want to learn about developing secure mobile phone services and 10 practitioners who want to root their phones / learn about mobile security. Please put your name here!

Location: Open Mobile Lab, 127 W 27 St, Suite 702, NYC
Time: Friday, 1 April 2011 from 9:30 till 5:00. Beer O'Clock from 5:00 till 7:00.
Hashtag: #safermobile

The Guardian Project (@guardianproject) aims to create easy to use apps, open-source firmware MODs, and customized, commercial mobile phones that can be used and deployed around the world, by any person looking to protect their communications and personal data from unjust intrusion and monitoring.

MobileActive.org (@MobileActive) connects people, organizations, and resources using mobile technology for social change. Our global network of practitioners and technologists are working

Photo Courtesy flickr user juli ryan

Safer Photos: How to Remove Location Information from Mobile Images