Mobile phones are used to compose stories, capture multi-media evidence and disseminate content to local and international audiences. This can be accomplished extremely quickly, making mobile media tools attractive to citizens and journalists covering rapidly unfolding events such as protests or political or other crises. The rise of mobiles has also helped extend citizen journalism into transient, poor or otherwise disconnected communities.
However, for those working under repressive regimes, citizen journalism can be a double-edged sword. Anything you create and disseminate can be used against you, whether through the legal system or in other more sinister forms of suppression.
Bloggers and online activists have various tools at their disposal to provide anonymous browsing, encryption, and privacy protection when working from a PC. For mobiles, the options are far fewer.
Currently, anonymous browsing (through Tor) requires an Android phone, but encrypted content uploads over https are possible with many of the newer feature phones. At the same time, we know that security depends as much on setting (and sticking to) good protocols as on the communication tools you use. You can minimise risk by using a phone that cannot immediately be traced to you, or by capturing notes, images and video on a phone but uploading from a securely-configured PC.
SMS and MMS (multi-media messages/pictures) are transmitted unencrypted across the GSM network. Anyone with access to the network (a hacker with some fairly inexpensive encryption cracking technology, the mobile network operator itself, or anyone who is able to co-opt them) can see the content of your message as well as a slew of identifying information: unique numbers identifying the phone and SIM card, the time of the message and approximate location of the sender, and the phone number of the recipient.
Voice calls are similarly vulnerable, with the added danger of identifying you by your voice (if recorded). You could also be overheard by someone in close physical proximity.
Mobile Internet connections reveal all the identifying information of the phone, as well as the address of the site being visited. Unless you are using an encrypted (https) connection, all your data is also transmitted in plain text. This leaves you vulnerable not only to hackers on the GSM network and network operators, but also to anyone who is able to watch your traffic on the Internet.
In general, third party applications have access to all of the above as well. They may also contain malicious code that can access and transmit data from your phone without your knowledge. Avoid installing third party apps on a phone you want to use securely.
Once you upload data to a website, you are bound by the terms of service of that site. The site owners may hand over any identifying information (such as your IP address) they have about you, or be compelled to do so.
This doesn't sound very promising - it's not. There are very few tools available for secure mobile communications, and none that are ideal in their current state.
However, there are some options for users of feature phones, and more for smartphones. When combined with a careful strategy, apps for encrypted communication and anonymous browsing can improve the security of your mobile journalism work.
If you're looking to invest in secure mobile communication, Android phones are a good bet. Smartphone platforms in general are better able to perform the 'heavy lifting' required for secure communication.
Android itself is largely open source, making it harder to hide malicious code. The rise of the widely-supported open source smartphone platform also opens the way for the development of an Android version with security built in at operating system level - the goal of the ongoing Guardian Project.
Right now, there are many applications in development, but few with viable releases for immediate use. TorProxy, an Android application that provides anonymous routing of Internet traffic through the Tor network, comes closest. After installing TorProxy and Shadow, an anonymous web browser, it is possible to browse without revealing the source or destination of your Internet traffic. Tor also provides encryption for all but the final communication stage between the last Tor server in the chain (the Tor 'exit node') and the destination.
The major weakness of the TorProxy/Shadow approach is that, because of a bug in the Android platform, it is not currently possible to use Shadow to communicate over https. Https is the encrypted version of the hypertext transfer protocol (http) used to browse the web. Sites that require the user to log in before they can add content - web email services, Twitter, photo sharing sites such as Flickr, major blogging platforms - often use https for authentication, and cannot be accessed without it. Without https, the Tor exit node can also access the unencrypted contents of your communication. If the exit node is malicious, this can be a critical security risk.
The TorProxy/Shadow combination is good for maintaining anonymity while researching or reading online but, unless the https bug is fixed, it is critically restricted when it comes to disseminating content.
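As an added illustration (not part of the original article, and not code from TorProxy, Shadow or the Guardian Project), the Python sketch below shows one way an upload script on a securely-configured PC can refuse to send content over plain http, including when a server redirects an https request to an http address. The function and class names and the example.org hostnames are constructed for this example, and the code does not itself route traffic through Tor.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class PlaintextHopError(urllib.error.URLError):
    """Raised when a request or a redirect would leave https."""


def require_https(url):
    """Return url unchanged if it is an https URL with a host, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise PlaintextHopError("refusing non-https URL: %s" % url)
    return url


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse any redirect whose target is not https.

    urllib follows https -> http redirects by default, which would put
    the following request on the wire in plain text.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_upload_request(url, body, content_type="application/octet-stream"):
    """Build a POST request, refusing up front if the endpoint is not https."""
    require_https(url)
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": content_type},
    )


def https_only_opener():
    """Opener that verifies certificates (urllib default) and blocks downgrades."""
    return urllib.request.build_opener(HttpsOnlyRedirects())


# Typical use (hostname is a constructed placeholder):
#   req = build_upload_request("https://uploads.example.org/post", data)
#   with https_only_opener().open(req, timeout=30) as resp:
#       print(resp.status)
```
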
In our tests, it was also extremely slow on unreliable mobile networks (3G was usable, but EDGE/GPRS was not). Even when used for browsing, Tor can be vulnerable in certain situations. For example, Flash video (such as YouTube) is blocked by default because it could compromise your privacy. You are strongly advised to read more about how Tor works to understand when you are and are not protected.
TorProxy and Shadow provide a version of Tor for Android phones
It's also worth noting that there is some concern about the security of the original Java library (OnionCoffee) from which TorProxy was developed. We're hoping to see improvements and other implementations in the coming months. If you're interested in a more robust implementation of Tor for Android, you should follow developments on Orbot, which is part of the Android Guardian project.