Episode Transcript
0:12
You are listening to the Privacy, Security and OSINT
0:14
show episode 303, released on July 7th
0:17
of 2023. This week, we take
0:19
a brief break from the self-hosting series
0:22
and revisit iOS privacy and
0:24
security. Specific support for this podcast
0:26
comes from our privacy services, OSINT
0:28
training, print books and digital guides.
0:31
More details can be found at inteltechniques.com.
0:33
Thank you for keeping this show ad-free.
0:36
Welcome back everyone. This show and
0:38
next week's show is a break
0:41
from the self-hosting series. We are halfway
0:43
through that series. We have another halfway to
0:45
go through. So this show is all
0:47
about the iPhone, the iPad, iOS
0:50
in general. Why would we do
0:52
another iOS show? As
0:54
you probably know, I push a custom
0:57
Android device. I carry
0:59
it every day. I encourage my clients to use it. I
1:01
believe GrapheneOS is the best option we
1:03
currently have. And I've been talking a lot
1:05
over the past several shows about
1:08
how I do that and why I recommend that. But
1:11
a lot of people still use iOS.
1:13
A lot of my clients still use iOS.
1:17
They like the iPhone. They want that iPhone and
1:19
they're not ready or maybe willing to
1:21
go to something such as Graphene
1:23
OS. I also, I assume
1:25
a lot of people listening to this
1:27
show still use iOS and that's okay.
1:30
There's no gatekeeping here. There's no elitism.
1:33
Just because I prefer a hardened Android
1:36
device, that
1:36
doesn't mean iOS users should
1:38
be excluded or shamed or whatever. And
1:41
I'm going to talk about in just a moment some
1:43
ways in which iOS could be
1:45
superior to things like custom Android
1:48
operating systems. I always want to give equal
1:50
coverage on all things that we are
1:52
seeing, especially something as popular as iOS.
1:55
I want listeners who use iOS to still
1:57
have the benefit of making their devices as private
1:59
and secure as they possibly can, so
2:02
I occasionally want to revisit these
2:04
things. Now, that also brings
2:06
us to my digital guide, Extreme
2:09
Privacy Mobile Devices. Some
2:11
of the criticism about that digital
2:14
guide is that iOS
2:16
seems kind of like an afterthought
2:18
at the end of the book. The methods
2:21
I explained throughout the book, which I uncover
2:23
in great detail specifically how to apply
2:25
to a Graphene OS device, I didn't
2:28
really give them enough fair coverage
2:30
when we do talk about the iOS stuff.
2:33
This is all fair criticism. At
2:35
the time, I really wanted to push that digital
2:38
guide as a way to encourage people
2:40
to leave the traditional
2:41
Google and Apple ecosystems and
2:44
go to their own more private, more
2:47
secure options such as Graphene OS
2:49
or any other custom Android operating system which
2:51
you prefer.
2:53
But I now realize I could have done a
2:55
much better job on that final chapter
2:57
about specifically iOS devices
2:59
and how you can make them more secure
3:01
and more private. So I'm doing
3:03
two things here. One, we're dedicating this entire
3:06
show to iOS devices, but two, I put
3:09
out a brand new version of Extreme Privacy
3:11
Mobile Devices, the digital guide, the
3:14
digital PDF, and if you purchased
3:16
that PDF, then you received an
3:18
email notification this week telling you there's a new
3:21
edition and it's a substantially
3:23
updated edition. It revisits
3:25
everything iOS. The chapter at the
3:28
end about iOS devices is probably
3:30
double the length that it was and
3:32
I went through and meticulously tried to
3:34
apply all of the lessons throughout the book
3:37
for Graphene in order to apply them
3:39
the best you can for iOS.
3:41
But we're also going to revisit all of those
3:43
things in this episode today. If
3:45
you purchased Extreme Privacy Mobile Devices
3:48
PDF guide, you have access
3:50
to all the latest information. If you have not purchased
3:52
it because you're not moving
3:54
to Android, you are not interested in all that, I
3:56
think there is now enough value to justify
3:59
the 15 bucks to buy
3:59
the digital guide and apply all the different
4:02
things throughout the book to your own iOS device.
4:05
Let's jump into that now with the benefits
4:07
of iOS. I know I have
4:10
said a lot of negative things about Apple, about
4:12
iOS. It's mostly about the privacy,
4:14
not about the security. There
4:17
are many great things about an
4:19
iPhone. It just works right
4:21
out of the box and it works well. It is beautiful.
4:24
The design, the layout, the screen,
4:26
the graphics, everything about that iOS
4:29
device, I
4:29
think is much more aesthetically pleasing
4:32
than any Graphene device or any Android
4:34
device, but there's
4:36
a risk to that. There's a privacy risk to that.
4:39
I think most apps, most
4:41
mobile apps function better under iOS
4:44
than they do on Android. I think a lot of that is
4:46
they are probably, the people designing
4:48
them are probably more in tune
4:51
with the iOS environment. Now that being
4:53
said, there are a lot of open source Android
4:55
apps, which you can't even get on iOS, which
4:58
also are designed better for Android users. So
5:00
there's two sides to all of this. There's
5:03
also the general security of Apple.
5:06
I believe that an iOS device
5:08
is probably more secure
5:11
than any Android device. It's
5:14
just not more private, especially
5:16
when you have your own custom Android operating
5:18
system. My problem with Apple is
5:20
the privacy, the telemetry. There are many
5:22
risks with iOS. Apple is
5:25
constantly collecting information about
5:27
what you are doing on that device. They
5:30
say they don't share that, or at least they share that minimally.
5:32
They say that they do that to provide a better experience
5:35
to you. And I do believe them. I think the goal
5:37
of Apple is to provide the best experience
5:39
they can. And in order to do that, they collect
5:41
a lot of information about you in order to provide
5:44
that custom tailored experience. So
5:46
my complaints about Apple are about the
5:48
privacy, the telemetry, the things they're collecting.
5:51
My biggest complaint about iOS is that
5:53
you must have an account registered
5:55
to the device to download anything from the App
5:57
Store, including free applications.
5:59
There's no way around that, but we are going to talk
6:02
about some caveats of how to make that a bit
6:04
more less invasive
6:06
than just doing the stock login,
6:09
which they request you to do at the beginning. That's coming
6:11
up in just a moment. Other complaints
6:13
are that they really push iCloud. They
6:15
push you to use the iCloud infrastructure,
6:18
their own cloud storage, in order
6:20
to put all of your mail and contacts and calendars
6:23
and data documents, photos,
6:26
because they want you to rely on that. They
6:28
want you to stay in that ecosystem. They want you
6:30
to upgrade those plans for more storage
6:32
to make more money from you. I get it. It's
6:34
a business. No complaint about the business side.
6:37
I just don't like the privacy side. The
6:39
other risk of Apple is the constant improvements,
6:42
which probably sounds like a good thing, but every time
6:44
a major version of iOS comes out, you have
6:46
to revisit all of your settings to see what they've turned
6:48
back on, what they've added in order
6:50
to collect more information about your usage.
6:52
So we have a very, very
6:55
secure operating system with iOS. We
6:58
have a privacy invasive operating
7:01
system with iOS, but you can
7:03
control the majority of those invasions
7:06
by not using iCloud, by
7:08
not giving them that information, by controlling
7:11
what they get from you. And that's what we're going to talk about
7:13
today. It's no secret. I do not use
7:15
iOS as a daily driver. I use GrapheneOS.
7:18
I use a Pixel 6a currently. I have not
7:20
gone to the 7a, but if I were buying one today, I'd
7:22
probably go with that 7a.
7:24
But I do keep iOS devices
7:26
for testing. I currently have some
7:29
newer devices, which I use to test all of this
7:31
stuff and to test things before I issue
7:33
them to clients. As for clients,
7:35
I estimate that 60% of
7:38
my mobile device clients still use
7:40
iOS. They love their iPhone. They're not changing.
7:42
And that's okay. About 40%
7:45
have adopted GrapheneOS, which I think
7:47
is a very high number. I think I'm
7:50
very impressed with the number of clients who have taken the
7:52
jump and said, okay, I can do this. And then they discover
7:54
after a while, it's not too bad. It's
7:57
different. It's not my iPhone, but
7:59
this is pretty
7:59
good and they really enjoy those privacy benefits.
8:02
So that's kind of the breakdown. Let's
8:04
get into the privacy and security considerations
8:06
about iOS and these are going to be the updates
8:09
and a lot of the things which I've added to the
8:11
mobile devices PDF. Let's work through
8:13
them one by one. In the final chapter
8:16
of the Extreme Privacy Mobile Devices PDF,
8:18
I dedicated everything to iOS and I walked
8:21
through all of these settings, all of those
8:23
just standard settings on a stock
8:26
iOS device and a lot of that
8:28
really hasn't changed.
8:29
A lot of it is also common sense. It's
8:32
if you see the option to
8:34
turn off access to
8:36
your camera for an app which doesn't
8:39
need access to your camera ever, okay
8:41
that's pretty common sense. So that
8:43
chapter will still walk through all the settings.
8:46
I did update a few things because I grabbed
8:48
a brand new fresh iOS
8:51
device with the latest iOS operating system. There
8:53
were a couple small changes but for the most part
8:55
if you already went through all those settings not
8:57
a whole lot has changed. A lot of it is just
8:59
do you want this app to
9:02
collect this type of information. Do you
9:04
want Apple to collect this type of information
9:06
and a lot of it's just going through all those things, disabling
9:09
them and just making sure that they're the way you want
9:11
them to be. Again, no big changes
9:14
there. One thing I focused a bit more
9:16
on with these updates is that you
9:18
can remove unused stock
9:21
Apple apps. It isn't like macOS. On
9:23
macOS you can't just decide
9:25
to remove the photos
9:28
app or the Apple Mail application. You
9:30
have to keep that in there. That's part of the operating system that's
9:32
locked in. iOS is not that way
9:35
kind of. You can absolutely go to
9:37
any stock app which you know you will never use
9:40
and remove that app. So I know I
9:42
will never use the Apple Mail application
9:44
so I can remove that. You hold it,
9:47
you get it to wiggle, you hit the X,
9:49
you say you want to actually delete the app. Does
9:51
that completely delete that app from your phone?
9:54
Probably not and you can still get it from the app store but
9:57
it does prevent that app from continuously
9:59
updating itself.
11:59
and it asks you to provide or create
12:02
an Apple ID, you should not
12:04
because if you do it at those initial prompts,
12:07
that is going to log you into everything Apple,
12:09
including iCloud and start the synchronization
12:11
process, which is not necessary in order
12:13
to use and update the phone. What I explained
12:16
better in the guide is how to avoid
12:18
all those prompts.
12:19
Never log in from the settings
12:22
application within the device. Instead,
12:26
only log in from the App Store
12:28
program. If you go to the App Store and
12:30
log into an Apple ID, that
12:32
does not log you into iCloud. If you go
12:34
to the settings app or the onboarding
12:37
process of an iOS device, that will log
12:39
you into both the App Store and iCloud.
12:42
I tried to explain that in more detail, but I also wanted
12:44
to offer the option of, well, what if you've already
12:47
logged into iCloud? Can we undo that? You
12:49
don't need to reset your phone. Just go log out. You
12:52
can go to the system settings, go to your profile
12:54
and log out completely. That will log you out of everything.
12:56
Then go to the App Store,
12:58
log in with your Apple ID so that you can download
13:00
and update applications. That will not log
13:02
you into iCloud. And I explained in the PDF how you can
13:05
go in to your settings
13:07
and see that iCloud is off to know
13:09
that you are not logged into iCloud,
13:11
but you are logged into Apple. Now, let's
13:14
be realistic. Is Apple still getting
13:16
your cell phone number, serial number,
13:18
et cetera? Of course they are. They're
13:20
going to collect that when you make that connection
13:23
and they're going to keep that synchronization updated
13:26
on their
13:26
end. But I
13:28
don't think that's the end of the world if you used an
13:30
alias name, an alias address, which they don't
13:33
verify. If you used an email address dedicated
13:35
for that process, I typically create a brand new
13:38
Proton Mail or something like that for my clients
13:40
just for their phone. And that's the only thing it's used
13:42
for. Creating an Apple ID, even
13:45
as it's to download
13:47
applications, free applications, they
13:49
will require a phone number. They do
13:51
accept VoIP numbers now, but I don't
13:53
recommend it because they're going to collect the cell
13:55
phone number
13:56
attached to your mobile device
13:58
anyway. I recommend that.
15:59
in order to use that with your
16:02
Android device in order to have even more
16:04
privacy with what gets connected and what
16:06
does not.
16:07
I didn't even really discuss things
16:10
like DNS with Apple because
16:12
the main motive of that book was to
16:14
show that maybe you want to get out
16:16
of that Apple ecosystem. So I've corrected
16:19
that and included a bit more on DNS
16:21
on the Apple side. I do still recommend
16:24
NextDNS for Apple users, but
16:26
the process is much different. With Android
16:29
users, you just take the URL,
16:31
you take that customized URL from your NextDNS
16:34
account, you pop it into your Android
16:37
settings and you're done.
16:37
Apple doesn't do that
16:39
because Apple does things their own way. So
16:42
I do walk you through how to
16:44
download your NextDNS profile,
16:46
import that profile into your iOS
16:49
device, and then you have the exact same
16:51
functionality as you did with Android. You
16:54
can now see everything that device
16:56
is doing, every connection it's making, and block
16:58
those undesired connections. There
17:00
are benefits of this process. With
17:02
this process, you are downloading that certificate, bringing
17:05
it into your iOS device, and iOS device
17:07
is treating this
17:07
as a proxy or as a DNS
17:10
connection. Therefore, it does
17:13
not conflict with VPN
17:15
applications. It's its own separate
17:17
thing. Now, in past
17:20
books, like my print books, I had talked about
17:22
an application called Lockdown, which
17:25
at one time I think was a great iOS
17:27
application. Currently,
17:28
I do not recommend that people
17:31
use the app Lockdown. And
17:33
if you do have Lockdown installed
17:35
on your device, I recommend that you uninstall
17:38
it. And this is for a few reasons. First, most
17:40
of the benefits or the beneficial portions
17:42
of that app are now a paid service, which
17:44
is not bad. I'm not against paid services.
17:47
We're going to talk about a few in a moment. However, the
17:49
main function, the main benefit we received
17:52
from that application in the past, we don't
17:54
get any more with the latest versions
17:56
of iOS. So therefore,
17:58
even the paid version, I don't believe
18:01
is nearly as good as just
18:03
using better DNS and using filtering
18:06
with DNS via NextDNS.
18:10
Number two,
18:11
Apple still bypasses a lot
18:13
of the protections within the
18:16
Lockdown application. So it sidesteps
18:18
them and says, okay, yeah, you're a firewall great,
18:20
but we're, we're gonna go around you,
18:22
you're not gonna filter us. Whereas with
18:25
proper DNS, you can get some back
18:27
or get back some of that control, which again,
18:30
better.
18:31
It's more of a minimal footprint
18:33
and you don't need to install another third party application.
18:36
The third reason I do not recommend Lockdown is battery
18:38
drain. I am seeing that application really
18:40
start to drain the batteries of iOS
18:43
users because it's always just kind of there and
18:45
listening and running. And it's not really
18:47
giving you a lot of protection. So let's revisit
18:49
that again. I no longer recommend Lockdown.
18:52
I did in the past. I
18:53
don't recommend the paid service. I recommend
18:55
removing Lockdown completely
18:57
and activating a better
19:00
filtering DNS service such as
19:03
NextDNS. And that's what I walk through in the
19:05
book, but also there's plenty of instructions on their
19:07
own website to have how to do that yourself. Next,
19:10
calendars and contacts. This
19:12
is something I updated actually throughout the Android
19:14
section and throughout the Apple section,
19:16
because I have talked a bit about secure
19:19
calendars and secure contacts, but I didn't give it a whole
19:21
lot of coverage.
19:22
I do recommend that
19:24
everyone uses end to end
19:27
encrypted calendars and contacts.
19:30
As I've said before, we talked about this two episodes ago
19:32
in the self hosting series, the data
19:34
you have in your calendars and contacts is probably
19:37
some of the most sensitive content you
19:39
own. Why would you share that with third party companies
19:42
and allow them to see that and abuse that? Let's
19:45
control that in an end to end encrypted
19:47
environment. So in the book,
19:48
I talk a bit more about the relationship
19:51
or the comparison, I guess, of things
19:53
like Proton, Tutanota, Skiff,
19:56
we have third party end to
19:58
end encrypted providers,
19:59
give us end-to-end encrypted calendars
20:02
and contacts. But there
20:05
are limitations with these. All three
20:07
online providers, Proton, Tutanota, and Skiff,
20:09
will give you end-to-end fully
20:11
encrypted calendars which can
20:14
be shared. That's great.
20:16
And if you are okay just using either
20:19
their app
20:20
or their website to do all stuff
20:22
related to calendars, then you probably have
20:24
a solution done. You're ready to go. You don't need
20:26
anything else. With contacts,
20:29
it's a bit more murky. Proton
20:31
does not fully end-to-end
20:33
encrypt the name or the email address
20:35
of a contact, but they do completely encrypt
20:37
the phone number and any notes or anything like that. And
20:40
for them, that is because that's the way they
20:43
make sure that their email service can work and they can
20:45
see the name you are receiving from or
20:47
sending to, and they can see the email address of who it goes
20:49
to.
20:50
Skiff and Tutanota work
20:52
around that a bit and make it a bit more secure. So it's
20:54
important to understand what's protected
20:57
and what's not. Do your own research. Things
20:59
often change.
21:01
What I prefer is EteSync, and I talked
21:03
about this on the last episode, E-T-E-S-Y-N-C.
21:06
This is an end-to-end encrypted calendar,
21:09
contact, and note provider.
21:12
They store your calendars, contacts,
21:14
and notes on their server. End-to-end encrypted.
21:17
They cannot access anything at all. You
21:19
put an application on your iOS or Android device.
21:22
That application connects to the
21:24
EteSync servers to basically
21:26
say, okay, we've got a connection. We're shaking
21:28
hands. We've got the right credentials. I can see your content.
21:31
Great.
21:31
And then the application
21:33
synchronizes that with any third-party app
21:35
you approve. The reason this is mostly
21:37
important for my clients is that
21:40
they can now access
21:42
their calendars and contacts in a
21:44
native way through iOS or
21:47
Android if they're using that.
21:49
The stock calendars, the Apple
21:51
calendars app can now see all their calendars.
21:54
If I make a change on that stock calendar
21:56
app, it synchronizes that change to the EteSync
21:58
servers. And then EteSync
21:59
can also synchronize that to any other
22:02
device. Maybe you've got that laptop
22:04
that you also want to synchronize a calendar. That all works
22:07
behind the scenes. The other benefit, especially
22:09
for contacts, is now your phone
22:12
application, your VoIP application, whatever
22:14
you're using to make phone calls, can now see all of your
22:16
contacts. If you are simply
22:19
storing your secure contacts in Proton,
22:21
Tutanota, or Skiff, that doesn't
22:23
work. Your applications cannot access
22:26
your contacts. With EteSync, it's
22:28
still end-to-end encrypted. You're paying a couple
22:30
of months for that, or a couple bucks a month for
22:32
that service. But now your
22:35
stock apps, that VoIP app that we're going to talk
22:37
about in just a moment, it can now access
22:39
your contacts and make calls very easily.
22:41
And now that data is not
22:43
only on your local device, it's synchronized
22:46
securely with a third party. We
22:48
also talked about last week's show how you can self-host
22:51
EteSync. And now you're not even trusting
22:53
them with your data. You're not relying on them with your data. We're
22:55
kind of getting out of the scope of this
22:57
week's show, but
22:59
we have to understand all these different options
23:02
we have in order to apply our
23:04
own personal level of privacy and security, which
23:06
is perfect for us. With calendars
23:08
and contacts, my best advice is to always
23:10
choose the most minimal option, which
23:13
works fully for you.
23:15
If having them through a web browser
23:17
or through an app like Proton, Tutanota,
23:19
Skiff, etc., if that works for you, great.
23:22
That's the most minimal, easy option. But
23:24
that doesn't get them to your native device
23:26
applications. If you want that, then you need to go a
23:28
step further and choose something like EteSync, which
23:31
will make sure that happens. As
23:33
far as I can tell, EteSync is the only option
23:35
which provides true end-to-end encryption
23:38
for contacts and calendars while
23:40
allowing access to that data to native
23:43
apps within the device, which again,
23:45
very important for a lot of my clients because
23:48
they want that iPhone because it just works. They
23:50
want that availability of that data in
23:52
those stock apps because it just works. But also,
23:55
now they can synchronize that to their macOS devices,
23:57
and now they have encrypted end-to-end encrypted calendars
23:59
and contacts on all their devices, they've
24:02
got the privacy and they've got that easy use.
24:05
Next, I revisited password managers
24:08
for iOS and nothing's
24:10
really changed here. I still
24:12
recommend for most people a KeePass
24:15
style database. For iOS
24:17
users, I recommend Strongbox. Strongbox
24:20
is a freemium application. The
24:23
free version, if you just want to put
24:25
your own local KeePass database
24:27
on your phone, even if you want to put it in read-only
24:29
mode to have all your stuff on there, free version
24:32
should work for you just fine. If you do want
24:34
to use biometrics and you want to use Face
24:36
ID to unlock your database or you want
24:39
to have some of those premium features, you're
24:41
going to have to pay a fee for
24:42
that. So try
24:45
it. Try the free version, see if it works for you. See if
24:47
you can justify upgrading. Most
24:50
of my clients want that ability to just use Face ID
24:52
to unlock their password manager. Okay, I get
24:54
it. I like that I can put password
24:56
manager or their password database on
24:59
their local device in read-only mode so that
25:01
they're not having two updated copies of their
25:03
password manager and make their desktop version
25:06
the only editable mode. So there's
25:08
a lot of features I like about Strongbox.
25:11
I like their 2FA options. I
25:14
like that my clients who want to just have one
25:16
password database with their passwords and
25:18
their 2FA, which doesn't rely on any type
25:20
of cloud synchronization whatsoever and doesn't
25:23
connect to any third-party cloud. I
25:25
like them to have that option and if they want it all
25:27
in one, I prefer it be offline. So again,
25:29
I really like Strongbox for that. Aesthetically,
25:33
it works really well. It's easy. It has that nice
25:35
iOS feel and you can
25:37
decide if the premium features are worth it for you.
25:39
For my clients who want
25:41
that synchronization, they want that
25:43
immediate password, whatever
25:45
synchronization to happen. I do still
25:48
like Bitwarden. I think it's the best option, but
25:50
we're talking extreme privacy here. So for a lot of
25:52
my clients, they don't trust any
25:54
cloud, including a secure cloud,
25:57
including an end-to-end encrypted cloud. They
25:59
want that
25:59
content. They want that data on their device.
26:02
They want it locally. They don't want it synchronized
26:04
anywhere. They don't want a copy floating around. They want control
26:06
of it. So for those situations, I recommend,
26:09
okay, desktop, KeePassXC,
26:11
and let's put a read-only copy of that database
26:14
on your iOS device using Strongbox
26:16
to open it. And on occasion, we go
26:18
upload that file. We connect
26:20
your phone via USB cable if you need to to
26:23
your device. We move that file over and
26:25
now you've got a fresh database that's been updated.
26:27
For the few of my clients using Syncthing
26:29
for some of their self-hosting, we can also use that
26:32
to copy over that database from say their
26:35
desktop KeePassXC usage over
26:37
into their Strongbox
26:39
usage. So lots of options there. Again,
26:42
these shows start to
26:44
intertwine into each other where the things we
26:46
talked about two weeks ago, a week ago start to play into
26:49
how they can help us today. Next,
26:51
let's revisit voice over IP, VoIP
26:53
calling. In past print
26:55
books, I've talked about Linphone,
26:58
which is a free application you can put on
27:00
your iOS device and you can use
27:02
it to connect to Twilio, Telnyx, whatever VoIP
27:04
service you're using in order to make and receive calls.
27:07
I don't recommend Linphone
27:10
anymore. Well, let me, let me back
27:12
off that a bit. I believe there's a better option
27:14
than Linphone. Linphone still works.
27:17
My complaints on Linphone, which is not their fault,
27:19
is that it has to be open,
27:22
connected, registered in order for an incoming call
27:24
to come in. Linphone does not provide
27:26
any type of push services, which help do
27:28
that. And that's where a company called
27:31
Acrobits come in. Now Acrobits has
27:33
two software options for iOS. One
27:36
is called Softphone and one is called Groundwire.
27:40
The biggest difference here is this
27:43
voice over IP app, which allows you to
27:45
make and receive calls, has native
27:48
push services embedded into it. What
27:51
that means is once you have your
27:53
Twilio, Telnyx, whatever you're using, your VoIP numbers
27:56
programmed into it,
27:58
Acrobits push service will
28:00
shoot an incoming call to your device, even
28:03
if you don't have the app opened, launched,
28:06
whatever. It's much
28:08
more like a native cell phone
28:11
application because you don't have
28:13
to be prepared or expecting anything.
28:16
Push services will let you know,
28:18
will give you a notification, hey you've got a call
28:20
coming in, do you want to answer it yes or no, here's what number it's coming
28:23
from. This has been a game-changer for
28:25
my clients who use iOS and
28:27
rely on VoIP products. They know
28:29
that they should never use their true cell
28:31
phone to give to their friends, their family,
28:34
because their friends and family are going to abuse that,
28:36
they're
28:36
going to store it insecurely, it's going to end up in a
28:38
caller ID database, and now everyone knows that's
28:40
your true number and now you're a victim of SIM
28:42
swapping. I have a close friend who wanted
28:45
to jump down this privacy and security rabbit
28:47
hole.
28:48
He has an iOS device and he said
28:50
okay
28:52
tell me more about this VoIP stuff and I told him how okay
28:54
you can buy a number for a buck a month and
28:57
now you have that number and if you use it minimally
28:59
it's a few cents per month, it's pretty cheap, and
29:02
we got carried away and now on
29:04
his Acrobits software I
29:06
think he has about 14 VoIP
29:09
numbers including a toll-free number which he uses for his
29:11
business and even if he hasn't opened
29:13
that app in days and it's dormant and it's closed
29:15
or whatever, the moment anyone
29:17
calls any of those numbers his phone
29:19
rings and he can decide if he wants to take
29:22
that call. Now this comes
29:24
at a cost, you have to pay
29:26
for the application but you don't
29:29
have to pay for an ongoing
29:31
service or license. I think this is
29:33
a very fair deal, the way it works
29:36
is Softphone is the
29:38
junior application and Groundwire
29:41
is the premium application. Softphone I
29:43
believe is $6.99 one time,
29:45
Groundwire is $9.99 one-time
29:48
purchase. This isn't an annual renewal,
29:51
it's not a license, it's not something that's going
29:53
to come back and say hey you have to pay us again, it's a one-time
29:55
purchase but with that one-time purchase you
29:58
get unlimited push services from
30:00
their server to push that out, which
30:03
means you have to register
30:05
your voice over IP number, like say that Twilio
30:07
or Telnyx number within the application. It
30:10
is then going to synchronize that
30:12
SIP connection and encrypted
30:15
SIP credentials on
30:18
the Acrobits server so that they can
30:20
monitor for incoming calls and push it to you.
30:23
I don't have a problem with this because
30:25
A, it's not your credentials to access
30:27
your Twilio, Telnyx, or whatever account. It's
30:29
your SIP credentials for that one
30:32
number. B, we must
30:34
remember voice over IP is not secure
30:36
communication anyway. It's a telephone call. There's
30:38
nothing secure. There's nothing encrypted about it.
30:40
There's nothing private about it. It's used for all that junk
30:42
in our life when we don't want to give out our true cell
30:44
phone number. Therefore, I don't have
30:46
an objection to sharing my SIP credentials
30:50
with Acrobits in order to get that
30:52
push service. Let's pause
30:54
here and digress a bit because I
30:56
want to talk about something which I just updated
30:59
in the mobile devices
30:59
PDF yesterday, Thursday. If
31:02
you are using iOS and if you are using
31:04
Groundwire as your VoIP application,
31:07
you might want to consider VoIP.ms
31:11
as your VoIP provider. If you are
31:13
familiar with my Extreme Privacy Print book and
31:16
earlier editions of the mobile devices PDF,
31:18
you probably know that I recommend not using
31:21
VoIP.ms. The reason
31:23
was at the time, VoIP.ms
31:27
was requiring ID, photo
31:29
government ID, unredacted with the photo
31:32
in order to open an account. I have
31:34
some back and forth email from their sales director
31:36
telling me that you can't open any account
31:39
at VoIP.ms without
31:41
sending your photo ID and letting them see your photo
31:44
and whatever they want to do with that. So I've always not
31:46
recommended them, but I recently reached
31:49
out to their CEO and just said, look,
31:51
is this still the case? I've never been able
31:54
to get an account. I've always been suspended. They've
31:56
always wanted ID. And he says
31:58
they are working on... restricting
32:00
that ID requirement in order to open
32:03
a VoIP.ms account. Basically,
32:05
if you trigger enough fraud warnings
32:08
during the account creation process, you
32:10
get flagged. Then they demand ID
32:13
to make sure you are who you say you are. That's because
32:15
of their own know your customer rules they
32:17
have to obey. If you don't
32:20
trigger those warnings, you will not be asked
32:22
for ID. So for example, if
32:25
you register at VoIP.ms using
32:28
John Doe with
32:29
a burner email behind a VPN
32:32
with a CMRA address, you're
32:34
going to get flagged. You're going to have to
32:37
provide ID to prove you are who you say
32:39
you are. So I don't object
32:41
to using my real name with my
32:43
VoIP accounts. It's kind of like I don't
32:45
object to using my real name at my mail
32:47
drop. That's where all my official mail goes
32:50
to. If I'm using a VoIP provider
32:52
to make phone calls to my friends and family and businesses
32:55
under my name, why would I need to put it under an alias
32:58
name? So I do recommend
32:59
trying VoIP.ms as a service.
33:04
It's 85 cents a month for a phone number
33:07
compared to Twilio's $1.15. It's
33:09
less than a penny a call. The VoIP call
33:11
prices are about the same. Otherwise, when
33:14
you create an account, I encourage you to use your real
33:16
name. I encourage you to use a
33:18
business domain name like I discuss in my
33:20
mobile devices book. And I encourage
33:23
you to not use a CMRA
33:25
UPS store PO box, etc. as your address
33:28
that will probably get flagged.
33:29
I'm not saying you should use your home address, but
33:32
you should use a residential address
33:34
knowing that no mail will ever be sent to you at
33:36
that address. I also recommend not using
33:39
a VPN. If you don't flag all
33:41
of these things that they're looking for to detect
33:43
fraud, you should be able to create an account.
33:45
Okay. And if not, you just need to talk to
33:47
them to say, what are my options to prove my identity
33:50
without sending you my driver's license. Now,
33:53
once you have a VoIP.ms account
33:55
and you have Groundwire as
33:58
your VoIP application
33:59
on your iOS or Android phone, you
34:02
can now add messaging to
34:04
that. And this is where VoIP.ms
34:07
is unique from Twilio and Telnyx. With
34:09
Twilio and Telnyx, you have to have your own web
34:12
server in order to forward incoming
34:14
SMS text messages to an email address,
34:16
or you have to forward them to another number. With
34:19
VoIP.ms, they have a much
34:22
more simple SIP SMS
34:24
messaging system, which allows you to
34:27
basically turn on one toggle within
34:29
the Groundwire settings. And
34:31
now you can send and receive any
34:34
SMS messages you want through the VoIP.ms
34:37
service. In other words, for 85 cents a month, you
34:39
can have a number from VoIP.ms.
34:43
That number can be configured within
34:45
your Groundwire application on your iOS
34:47
device or on your Android device. That
34:50
application can make telephone calls,
34:52
it can send SMS messages,
34:55
and that application will take advantage of
34:57
Groundwire's
34:59
push services to
35:01
notify you
35:02
whenever an incoming SMS text
35:04
message or voice call comes in without
35:06
the app running. And that is
35:09
unique. After talking with the CEO of VoIP.ms,
35:12
we generated a referral link. That referral
35:14
link is in the show notes. If you use
35:16
that link, you'll get some free credits to try out
35:18
their service. And also free credits
35:20
will be thrown towards our show's test account
35:23
so that we can always keep testing things too. If
35:26
you have the Extreme Privacy Mobile Devices
35:28
PDF, you should have just received
35:31
an update yesterday, Thursday the
35:33
6th, which walks you through the
35:35
entire setup of everything with
35:38
VoIP.ms. Whether you are using
35:40
Sipnetic on Android, whether
35:43
you are using the official VoIP.ms
35:46
SMS application through F-Droid, or
35:48
whether you are using something like Groundwire through
35:51
iOS. This is where that
35:53
extra $3 for Groundwire as
35:56
an application versus soft phone
35:58
application comes in.
35:59
The cheaper soft phone application
36:02
can make and receive voice calls all you want, but it does
36:04
not handle SMS text messaging. That
36:06
more expensive Groundwire application does
36:09
allow SMS text messaging.
36:11
I should note here, Acrobits does have a version
36:13
for Android. So you could replicate
36:15
this on an Android device with push services
36:17
by paying that fee.
36:19
I don't currently use it on my
36:22
Android device. I still do use Sipnetic,
36:24
but
36:25
I don't have incoming calls
36:27
which are unexpected. I don't answer unexpected
36:30
incoming calls. I use it as my
36:33
VoIP on my mobile device as a way to
36:35
call out when needed. I don't care about incoming
36:37
calls. I don't want them during my device, but
36:40
I do have clients who do prefer
36:42
Acrobits on their Android
36:44
devices because of the better notifications
36:47
of when a call is coming in. Like say that the
36:49
school is calling about their kid, they have to get that call.
36:52
So I completely understand that. Look into it, see
36:54
if maybe that is appropriate for you, and
36:56
see if you can justify that cost on your
36:58
end. Next, I get more into
37:00
the data service aspect. In
37:03
Extreme Privacy Mobile Devices, the PDF, I
37:05
talk about wireless data only
37:07
service packages. I originally had talked about
37:09
both Twilio and Telnyx. Twilio no longer offers
37:11
that. They've sold that out to a company called KORE,
37:14
but Telnyx does still
37:17
offer data only packages for,
37:19
I believe it's $2 per month plus
37:22
seven cents per megabyte until
37:24
you reach a couple hundred
37:25
megabytes, and then that price per megabyte
37:27
does go down. So I do
37:30
get more into that. Basically, I've already had
37:32
an entire chapter in the guide dedicated
37:34
to that, but I did get more into it specifically
37:36
for iOS and talking about
37:39
how to switch those SIM connections.
37:41
So maybe you've got that you've got that
37:43
eSIM device, which is your daily driver. Maybe
37:45
it's that prepaid Mint, and then you have your physical
37:48
SIM in the device, which might be your Telnyx,
37:50
which might be your data only, which you use overseas,
37:52
or you use when you don't have a signal with your provider.
37:55
So I
37:55
do get into that a bit more, but it's
37:58
really just beating the dead horse at that point because
38:00
we've discussed it so much in the past. From
38:02
there, I spent some more time talking about custom
38:05
application settings. So if you are using Signal,
38:07
ProtonMail, etc., here are the default
38:09
settings and here are the things I would change
38:11
if I were you that just give you a bit more, a
38:14
bit more privacy, a bit more control maybe.
38:16
Remember, with iOS,
38:18
in general, you don't have a lot of control like
38:21
you do with Android. iOS devices
38:23
control everything for you. You're in that walled garden.
38:25
That's for your security. And they don't let
38:27
you really modify a whole lot, where Android
38:30
just says, make it yours, man. Do
38:32
what you want to do with this thing. So I
38:34
did try to talk about various applications which are
38:36
popular in this community like Proton,
38:38
Signal, etc., and the changes I would make
38:40
within their settings, not so much the iOS
38:43
settings. Finally, with iOS, I do
38:45
talk about some of the
38:48
better shortcuts or better
38:50
home launching applications. With
38:53
the Android side, especially GrapheneOS,
38:55
I talk about different launchers you can use
38:57
to make it look exactly how you want to look. I
39:00
have a very customized Android screen.
39:03
I like the way it looks. I like the icons.
39:05
I'm very minimalistic and it's very important to me
39:07
to have that clean interface.
39:09
iOS natively doesn't
39:11
let you do that stuff and you cannot install
39:14
another launcher, but you can
39:17
play with shortcuts. So I talk in the
39:19
book about how you can use
39:21
the shortcuts app to generate a shortcut
39:24
to an application and then control exactly
39:26
how that icon looks. Exactly the color
39:29
you want, the placement you want. So you
39:31
have a bit more cosmetic
39:33
control, which probably should not be important,
39:36
but it is for me. After using a custom
39:38
launcher on an
39:39
Android phone with all black and white
39:41
perfect icons the way I want them, and then looking
39:43
at a client's phone with stock iOS
39:46
applications, which are all different colors,
39:49
different designs, different logos, some
39:51
are square, some are not, some are transparent,
39:54
drives me crazy.
39:55
So I like to customize
39:58
the screen with the
39:59
shortcuts app to create shortcuts to
40:02
the apps I want. There are some caveats with that,
40:04
such as notification badges, but I talk about that
40:06
in the book of how you can maybe get
40:08
around that a bit with being selective
40:10
on how you choose to make your screen look.
40:12
And I give some visual examples of mine within
40:15
the book. All right, I think we touched enough
40:17
on iOS for this show. Again,
40:20
if you have already purchased Extreme Privacy Mobile Devices,
40:22
make sure you go get the latest edition, especially
40:24
if you are an iOS user, there's tons of new
40:27
stuff in there. If you've been avoiding
40:29
Extreme Privacy Mobile Devices because it's so
40:31
focused on Android, you are an iOS user,
40:34
you're never going to switch from iOS. In the
40:36
past, I've steered you away.
40:38
And I've said this book probably isn't for you,
40:40
no offense. It's just, I don't
40:42
wanna oversell it. I'm walking
40:45
back a bit on that now because I've added so
40:47
much for iOS, ways
40:49
to apply the lessons throughout the book,
40:52
specifically for an iOS device. So now I would
40:54
say, if you don't have the book,
40:56
you're an iOS user and you want to
40:58
get back a bit of that privacy and security control,
41:01
then I would recommend Extreme Privacy
41:03
Mobile Devices, the PDF. The entire
41:05
book will go through the overall
41:07
mobile fundamentals using
41:10
Android as a guide of how to install
41:12
them. And then the final chapter is a very lengthy
41:14
chapter which says, okay, now let's
41:16
take all of those things we talked about through the entire
41:18
book and let's apply them to iOS, even though
41:20
you don't necessarily have all the tools, which
41:23
you would otherwise have with the Android operating
41:25
system. I think it's worth it now. You make
41:27
the call again, purchases receive
41:30
free updates forever and they
41:32
support the show. Let's talk about next week.
41:34
We're doing one more episode before
41:36
we jump back into the self
41:38
hosting series. So next week's episode is a culmination
41:41
of four big things. One,
41:44
the government photo ID available
41:46
in a preferred name, which I teased a couple
41:48
of shows ago should arrive. So I hope to
41:50
discuss my thoughts on that. Number
41:52
two, I'm almost done with the new OSINT
41:54
tool,
41:56
it's a new phone number search method, which
41:58
gives you full subscriber details:
41:59
name, billing address, caller
42:02
ID entry, the presence of it
42:04
within any contact uploads, which might include
42:06
nicknames, the presence of that number within a
42:08
data breach or leak, the current carrier,
42:11
the full porting history, VoIP 911 registration,
42:13
and all marketing records associated
42:16
with that device. It's an all-in-one text-based
42:19
query and response, and
42:21
when it's done, it'll be on my site, but also
42:24
it'll have the option you can self-host it if you want.
42:28
I have some very sensitive travel next week, which
42:30
requires me to bring several sensitive items with
42:32
me, so I picked up the Silent Pocket E3
42:34
Faraday backpack. I'm going to run
42:37
it through its paces, see what works,
42:39
see what doesn't, and I hope to have a full report
42:41
when I get back on how that worked on
42:44
this trip. And finally, one
42:46
leg of my travel will allow me to
42:48
test our brand new second passport
42:51
option, which displays a quote, preferred
42:53
name. Once I'm home successfully,
42:56
that can also finally be explained,
42:58
or if I'm in a foreign jail cell, maybe
43:00
they will let me record a show from there. Either
43:02
way, it should be a very full episode.
43:05
Let's meet back here soon.