Limited Use Mobile Device
#########################

* Threat actors know how dependent we are on mobile devices.
* Dedicated, discreet devices are a crutch: they exist to keep *user error on your part* from interfering with the mission.
* Having the phone is not enough. Configuring it correctly is not enough. The user is responsible.

User Guidance
=============

Warnings
--------

* Do not save personal information on the phone.
* Do not visit web sites unrelated to customer business on the phone.
* Do not conduct financial transactions on the phone.

Usage
-----

* Actively bring the device to the organizational security team for audits. Do not wait for instructions to do so.
* This is an organizational phone. No expectation of privacy exists.
* Use the SOS signing key if you suspect compromise. New telephones are cheap; treat the handset as disposable.
* Set message expiry (disappearing messages) to fifteen minutes or less.
* Transmit all files to C2. Do not store them outside the authorized communication application's sandbox.
* Do not place voice calls or send plaintext SMS or MMS messages.
* Only use authorized MFA devices. This handset is not one.

Configuration
=============

Device selection
----------------

CONUS
^^^^^

* Inside the United States, choose only resellers with pay-as-you-go (PAYGO) or prepaid business models.
* Choose plain handsets that resemble commonly used devices.
* Purchase in stores, for cash.
* Do not introduce PII into the ordering process.

OCONUS
^^^^^^

* Buy from multi-vendor resellers when possible.
* Avoid Chinese national vendors.
* Avoid iPhones.
* Avoid nation-state-compliant, non-standard Android builds.

Low probability of intercept
----------------------------

* Moved to another document.

Android setup
-------------

* Before installing any applications:

  * Go to Settings -> Users and create a new Google identity.
  * Record **all Google identities** present on the device in the *monthly* device audits.
  * Ensure the device has no hard or soft links to the user's name or organization.

Level 1: Child-proofing
^^^^^^^^^^^^^^^^^^^^^^^^

This level addresses general OPSEC concerns at most. It offers no deniability.

* The user is not authorized to perform his or her own service updates or renewals.
* **WARNING:** Between audits the user can thwart these controls with little oversight.
* Using the already-present user ID, install the authorized communication applications, such as `Wickr`_ and `Signal`_.
* Child-resistant launching:

  * Install `F-droid`_.
  * Install an approved launcher, such as `Discreet launcher`_.
  * Disable every application not needed to run Signal, where the Android version allows.

    * This includes Google applications, such as Maps and the Play Store itself.

  * Use the launcher to hide all remaining applications except the authorized communication applications.
  * Uninstall `F-droid`_.

* Basic privacy protection:

  * Disable location.
  * Disable NFC.
  * Disable Wi-Fi calling.
  * Disable Debug/Developer mode if it is active.

Level 2: Limited deniability
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Follow the Level 1 instructions, with the additional caveats below.
* Purchase multiple devices for cash, in a geography remote from...

  * ...the device's intended area of use.
  * ...the organizational presence.

* Purchase activation materials separately from the telephone itself.

  * Use multi-vendor resellers for activation cards.
  * Avoid buying from on-line card pools.
  * Purchase in local currency.

* Install an approved version of Android.

  * Remove all vendor applications except card refill.
  * Identify and disable signature verification processes.
  * Replace Google applications with an approved version of `FakeGapps`_.

* Replace all browsers. If a browser is required, activate the `Guardian Project`_ repository.

  * Install `Tor Browser`_.
  * Install `Fennec`_.

* Install `Locker`_ and set the organizational maximum for failed logins.
* Install organizational certificates and e-mail addresses.

  * Generate client certificates for VPN and web site access.
  * Pre-authorize at least one exchange with each C2 address to avoid spam-listing.
  * Allow-list the mobile provider's in-country IP ranges for access to deniable communication sites.

* Generate the SOS signing key.

.. _Guardian Project: https://guardianproject.info/
.. _Tor Browser: https://guardianproject.info/apps/org.torproject.torbrowser/
.. _Fennec: https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/
.. _Locker: https://f-droid.org/en/packages/net.zygotelabs.locker/
.. _FakeGapps: https://f-droid.org/en/packages/com.thermatk.android.xf.fakegapps/
.. _Wickr: https://wickr.com/downloads/
.. _Signal: https://signal.org/download/
.. _F-droid: https://f-droid.org/en/packages/org.fdroid.fdroid/
.. _Discreet launcher: https://f-droid.org/en/packages/com.vincent_falzon.discreetlauncher/