Limited Use Mobile Device

  • Threat actors know our dependency on mobile devices.

  • To this end, discreet devices are crutches that reduce the chance of user error on your part interfering with the mission.

  • Having the phone is not enough. Configuring it correctly is not enough. The user is responsible.

User Guidance

Warnings

  • Do not save personal information on the phone.

  • Do not visit web sites unrelated to customer business on the phone.

  • Do not conduct financial transactions on the phone.

Usage

  • Actively bring the device to the organizational security team for audits. Do not wait for instructions to do so.

  • This is an organizational phone. No expectations of privacy exist.

  • Use the SOS signing key in case of suspected compromise. New telephones are cheap.

  • Set message timeouts to fifteen minutes or less.

  • Transmit all files to C2. Do not store them outside the authorized communication application sandbox.

  • Do not generate calls or plaintext SMS or MMS messages.

  • Only use authorized MFA devices. This handset is not one.

Configuration

Device selection

CONUS

  • Inside the United States, choose only resellers with pay as you go (PAYGO) or prepaid business models.

  • Choose non-decorative handsets that resemble commonly used devices.

  • Purchase in stores for cash.

  • Do not introduce PII into the ordering process.

OCONUS

  • Buy from multi-vendor resellers when possible.

  • Avoid Chinese national vendors.

  • Avoid iPhones.

  • Avoid nation-state compliant, non-standard Android builds.

Low probability of intercept

  • Moved to another document.

Android setup

  • Before installing any applications…

    • Go to settings->users and create a new Google identity.

      • Record all Google identities present in monthly device audits.

    • Ensure the device has no hard or soft links to the user’s name or organization.

Level 1: Child-proofing

This is for general OPSEC concerns at most. It offers no deniability.

  • The user shall not be authorized to perform his or her own service updates or renewals.

  • WARNING: The user can thwart security controls with limited oversight between audits.

  • Using the already-present user ID, install authorized communication applications, such as Wickr and Signal.

  • Child-resistant launching

    • Install F-droid.

    • Install an approved launcher, such as Discreet launcher.

    • Disable all applications not related to using Signal, if the Android version allows.

      • This includes Google applications, such as Maps and the Play Store itself.

    • Use the launcher to hide all remaining applications except the authorized communication applications.

    • Uninstall F-droid.

  • Basic privacy protection

    • Disable location.

    • Disable NFC.

    • Disable Wi-Fi calling.

    • Disable Debug/Developer mode if active.

Level 2: Limited deniability

  • Follow the above instructions with additional caveats.

  • Purchase multiple devices for cash in a remote geography from…

    • …the device’s intended use.

    • …the organizational presence.

  • Purchase activation materials separately from the telephone itself.

    • Use multi-vendor resellers for activation cards.

    • Avoid buying from on-line card pools.

    • Purchase in local currency.

  • Install an approved version of Android.

    • Remove all vendor applications except card refill.

    • Identify and disable signature verification processes.

    • Replace Google applications with an approved version of FakeGapps.

    • Replace all browsers. If a browser is required, activate the Guardian Project repository.

    • Install Locker and set organizational maxima for failed logins.

  • Install organizational certificates and mailing addresses.

    • Generate client certs for VPN and web site access.

    • Pre-authorize at least one exchange with each C2 address to avoid spam-listing.

    • White-list mobile provider’s in-country IPs for access to deniable communication sites.

    • Generate SOS signing key.