0:12

You are listening to the Privacy, Security and OSINT

0:14

show episode 303, released on July 7th

0:17

of 2023. This week, we take

0:19

a brief break from the self-hosting series

0:22

and revisit iOS privacy and

0:24

security. Specific support for this podcast

0:26

comes from our privacy services, OSINT

0:28

training, print books and digital guides.

0:31

More details can be found at intelltechniques.com.

0:33

Thank you for keeping this show ad-free.

0:36

Welcome back everyone. This show and

0:38

next week's show is a break

0:41

from the self-hosting series. We are halfway

0:43

through that series. We have another halfway to

0:45

go through. So this show is all

0:47

about the iPhone, the iPad, iOS

0:50

in general. Why would we do

0:52

another iOS show? As

0:54

you probably know, I push a custom

0:57

Android device. I carry

0:59

it every day. I encourage my clients to use it. I

1:01

believe graphing OS is the best option we

1:03

currently have. And I've been talking a lot

1:05

over the past several shows about

1:08

how I do that and why I recommend that. But

1:11

a lot of people still use iOS.

1:13

A lot of my clients still use iOS.

1:17

They like the iPhone. They want that iPhone and

1:19

they're not ready or maybe willing to

1:21

go to something such as graphing

1:23

OS. I also, I assume

1:25

a lot of people listening to this

1:27

show still use iOS and that's okay.

1:30

There's no gatekeeping here. There's no elitism.

1:33

Just because I prefer a hardened Android

1:36

device, that

1:36

doesn't mean iOS users should

1:38

be excluded or shamed or whatever. And

1:41

I'm going to talk about in just a moment some

1:43

ways in which iOS could be

1:45

superior to things like custom Android

1:48

operating systems. I always want to give equal

1:50

coverage on all things that we are

1:52

seeing, especially something as popular as iOS.

1:55

I want listeners who use iOS to still

1:57

have the benefit of making their devices as price

1:59

and secure as they possibly can, so

2:02

I occasionally want to revisit these

2:04

things. Now, that also brings

2:06

us to my digital guide, Extreme

2:09

Privacy Mobile Devices. Some

2:11

of the criticism about that digital

2:14

guide is that iOS

2:16

seems kind of like an afterthought

2:18

at the end of the book. The methods

2:21

I explained throughout the book, which I uncover

2:23

in great detail specifically how to apply

2:25

to a Graphene OS device, I didn't

2:28

really give them enough fair coverage

2:30

when we do talk about the iOS stuff.

2:33

This is all fair criticism. At

2:35

the time, I really wanted to push that digital

2:38

guide as a way to encourage people

2:40

to leave the traditional

2:41

Google and Apple ecosystems and

2:44

go to their own more private, more

2:47

secure options such as Graphene OS

2:49

or any other custom Android operating system which

2:51

you prefer.

2:53

But I now realize I could have done a

2:55

much better job on that final chapter

2:57

about specifically iOS devices

2:59

and how you can make them more secure

3:01

and more private. So I'm doing

3:03

two things here. One, we're dedicating this entire

3:06

show to iOS devices, but two, I put

3:09

out a brand new version of Extreme Privacy

3:11

Mobile Devices, the digital guide, the

3:14

digital PDF, and if you purchased

3:16

that PDF, then you received an

3:18

email notification this week telling you there's a new

3:21

edition and it's a substantially

3:23

updated edition. It revisits

3:25

everything iOS. The chapter at the

3:28

end about iOS devices is probably

3:30

double the length that it was and

3:32

I went through and meticulously tried to

3:34

apply all of the lessons throughout the book

3:37

for Graphene in order to apply them

3:39

the best you can for iOS.

3:41

But we're also going to revisit all of those

3:43

things in this episode today. If

3:45

you purchased Extreme Privacy Mobile Devices

3:48

PDF guide, you have access

3:50

to all the latest information. If you have not purchased

3:52

it because you're not moving

3:54

to Android, you are not interested in all that, I

3:56

think there is now enough value to justify

3:59

the 15 bucks to buy.

3:59

the digital guide and apply all the different

4:02

things throughout the book to your own iOS device.

4:05

Let's jump into that now with the benefits

4:07

of iOS. I know I have

4:10

said a lot of negative things about Apple, about

4:12

iOS. It's mostly about the privacy,

4:14

not about the security. There

4:17

are many great things about an

4:19

iPhone. It just works right

4:21

out of the box and it works well. It is beautiful.

4:24

The design, the layout, the screen,

4:26

the graphics, everything about that iOS

4:29

device. I

4:29

think is much more aesthetically pleasing

4:32

than any graphing device or any Android

4:34

device, but there's

4:36

a risk to that. There's a privacy risk to that.

4:39

I think most apps, most

4:41

mobile apps function better under iOS

4:44

than they do on Android. I think a lot of that is

4:46

they are probably, the people designing

4:48

them are probably more in tune

4:51

with the iOS environment. Now that being

4:53

said, there are a lot of open source Android

4:55

apps, which you can't even get on iOS, which

4:58

also are designed better for Android users. So

5:00

there's two sides to all of this. There's

5:03

also the general security of Apple.

5:06

I believe that an iOS device

5:08

is probably more secure

5:11

than any Android device. It's

5:14

just not more private, especially

5:16

when you have your own custom Android operating

5:18

system. My problem with Apple is

5:20

the privacy, the telemetry. There are many

5:22

risks with iOS. Apple is

5:25

constantly collecting information about

5:27

what you are doing on that device. They

5:30

say they don't share that, or at least they share that minimally.

5:32

They say that they do that to provide a better experience

5:35

to you. And I do believe them. I think the goal

5:37

of Apple is to provide the best experience

5:39

they can. And in order to do that, they collect

5:41

a lot of information about you in order to provide

5:44

that custom tailored experience. So

5:46

my complaints about Apple are about the

5:48

privacy, the telemetry, the things they're collecting.

5:51

My biggest complaint about iOS is that

5:53

you must have an account registered

5:55

to the device to download anything from the App

5:57

Store, including free applications.

5:59

There's no way around that, but we are going to talk

6:02

about some caveats of how to make that a bit

6:04

more less invasive

6:06

than just doing the stock login,

6:09

which they request you to do at the beginning. That's coming

6:11

up in just a moment. Other complaints

6:13

are that they really push iCloud. They

6:15

push you to use the iCloud infrastructure,

6:18

their own cloud storage, in order

6:20

to put all of your mail and contacts and calendars

6:23

and data documents, photos,

6:26

because they want you to rely on that. They

6:28

want you to stay in that ecosystem. They want you

6:30

to upgrade those plans for more storage

6:32

to make more money from you. I get it. It's

6:34

a business. No complaint about the business side.

6:37

I just don't like the privacy side. The

6:39

other risk of Apple is the constant improvements,

6:42

which probably sounds like a good thing, but every time

6:44

a major version of iOS comes out, you have

6:46

to revisit all of your settings to see what they've turned

6:48

back on, what they've added in order

6:50

to collect more information about your usage.

6:52

So we have a very, very

6:55

secure operating system with iOS. We

6:58

have a privacy invasive operating

7:01

system with iOS, but you can

7:03

control the majority of those invasions

7:06

by not using iCloud, by

7:08

not giving them that information, by controlling

7:11

what they get from you. And that's what we're going to talk about

7:13

today. It's no secret. I do not use

7:15

iOS as a daily driver. I use GrapheneOS.

7:18

I use a Pixel 6a currently. I have not

7:20

gone to the 7a, but if I were buying one today, I'd

7:22

probably go with that 7a.

7:24

But I do keep iOS devices

7:26

for testing. I currently have some

7:29

newer devices, which I use to test all of this

7:31

stuff and to test things before I issue

7:33

them to clients. As for clients,

7:35

I estimate that 60% of

7:38

my mobile device clients still use

7:40

iOS. They love their iPhone. They're not changing.

7:42

And that's okay. About 40%

7:45

have adopted GrapheneOS, which I think

7:47

is a very high number. I think I'm

7:50

very impressed with the number of clients who have taken the

7:52

jump and said, okay, I can do this. And then they discover

7:54

after a while, it's not too bad. It's

7:57

different. It's not my iPhone, but

7:59

this is pretty.

7:59

good and they really enjoy those privacy benefits.

8:02

So that's kind of the breakdown. Let's

8:04

get into the privacy and security considerations

8:06

about iOS and these are going to be the updates

8:09

and a lot of the things which I've added to the

8:11

mobile devices PDF. Let's work through

8:13

them one by one. In the final chapter

8:16

of the extreme privacy mobile devices PDF,

8:18

I dedicated everything to iOS and I walked

8:21

through all of these settings, all of those

8:23

just standard settings on a stock

8:26

iOS device and a lot of that

8:28

really hasn't changed.

8:29

A lot of it is also common sense. It's

8:32

if you see the option to

8:34

turn off access to

8:36

your camera for an app which doesn't

8:39

need access to your camera ever, okay

8:41

that's pretty common sense. So that

8:43

chapter will still walk through all the settings.

8:46

I did update a few things because I grabbed

8:48

a brand new fresh iOS

8:51

device with the latest iOS operating system. There

8:53

were a couple small changes but for the most part

8:55

if you already went through all those settings not

8:57

a whole lot has changed. A lot of it is just

8:59

do you want this app to

9:02

collect this type of information. Do you

9:04

want Apple to collect this type of information

9:06

and a lot of it's just going through all those things, disabling

9:09

them and just making sure that they're the way you want

9:11

them to be. Again, no big changes

9:14

there. One thing I focused a bit more

9:16

on with these updates is that you

9:18

can remove unused stock

9:21

Apple apps. It isn't like Mac OS. On

9:23

Mac OS you can't just decide

9:25

to remove the photos

9:28

app or the Apple Mail application. You

9:30

have to keep that in there. That's part of the operating system that's

9:32

locked in. iOS is not that way

9:35

kind of. You can absolutely go to

9:37

any stock app which you know you will never use

9:40

and remove that app. So I know I

9:42

will never use the Apple Mail application

9:44

so I can remove that. You hold it,

9:47

you get it to wiggle, you hit the X,

9:49

you say you want to actually delete the app. Does

9:51

that completely delete that app from your phone?

9:54

Probably not and you can still get it from the app store but

9:57

it does prevent that app from continuously

9:59

updating itself.

11:59

and it asks you to provide or create

12:02

an Apple ID, you should not

12:04

because if you do it at those initial prompts,

12:07

that is going to log you into everything Apple,

12:09

including iCloud and start the synchronization

12:11

process, which is not necessary in order

12:13

to use and update the phone. What I explained

12:16

better in the guide is how to avoid

12:18

all those prompts.

12:19

Never log in from the settings

12:22

application within the device. Instead,

12:26

only log in from the App Store

12:28

program. If you go to the App Store and

12:30

log into an Apple ID, that

12:32

does not log you into iCloud. If you go

12:34

to the settings app or the onboarding

12:37

process of an iOS device, that will log

12:39

you into both the App Store and iCloud.

12:42

I tried to explain that in more detail, but I also wanted

12:44

to offer the option of, well, what if you've already

12:47

logged into iCloud? Can we undo that? You

12:49

don't need to reset your phone. Just go log out. You

12:52

can go to the system settings, go to your profile

12:54

and log out completely. That will log you out of everything.

12:56

Then go to the App Store,

12:58

log in with your Apple ID so that you can download

13:00

and update applications. That will not log

13:02

you into iCloud. And I explained in the PDF how you can

13:05

go in to your settings

13:07

and see that iCloud is off to know

13:09

that you are not logged into iCloud,

13:11

but you are logged into Apple. Now, let's

13:14

be realistic. Is Apple still getting

13:16

your cell phone number, serial number,

13:18

et cetera? Of course they are. They're

13:20

going to collect that when you make that connection

13:23

and they're going to keep that synchronization updated

13:26

on their

13:26

end. But I

13:28

don't think that's the end of the world if you used an

13:30

alias name, an alias address, which they don't

13:33

verify. If you used an email address dedicated

13:35

for that process, I typically create a brand new

13:38

proton mail or something like that for my clients

13:40

just for their phone. And that's the only thing it's used

13:42

for. Creating an Apple ID, even

13:45

as it's to download

13:47

applications, free applications, they

13:49

will require a phone number. They do

13:51

accept VoIP numbers now, but I don't

13:53

recommend it because they're going to collect the cell

13:55

phone number

13:56

attached to your mobile device

13:58

anyway. I recommend that.

15:59

in order to use that with your

16:02

Android device in order to have even more

16:04

privacy with what gets connected and what

16:06

does not.

16:07

I didn't even really discuss things

16:10

like DNS with Apple because

16:12

the main motive of that book was to

16:14

show that maybe you want to get out

16:16

of that Apple ecosystem. So I've corrected

16:19

that and included a bit more on DNS

16:21

on the Apple side. I do still recommend

16:24

NextDNS for Apple users, but

16:26

the process is much different. With Android

16:29

users, you just take the URL,

16:31

you take that customized URL from your NextDNS

16:34

account, you pop it into your Android

16:37

settings and you're done.

16:37

Apple doesn't do that

16:39

because Apple does things their own way. So

16:42

I do walk you through how to

16:44

download your NextDNS profile,

16:46

import that profile into your iOS

16:49

device, and then you have the exact same

16:51

functionality as you did with Android. You

16:54

can now see everything that device

16:56

is doing, every connection it's making, and block

16:58

those undesired connections. There

17:00

are benefits of this process. With

17:02

this process, you are downloading that certificate, bringing

17:05

it into your iOS device, and iOS device

17:07

is treating this

17:07

as a proxy or as a DNS

17:10

connection. Therefore, it does

17:13

not conflict with VPN

17:15

applications. It's its own separate

17:17

thing. Now, in past

17:20

books, like my print books, I had talked about

17:22

an application called Lockdown, which

17:25

at one time I think was a great iOS

17:27

application. Currently,

17:28

I do not recommend that people

17:31

use the app Lockdown. And

17:33

if you do have Lockdown installed

17:35

on your device, I recommend that you uninstall

17:38

it. And this is for a few reasons. First, most

17:40

of the benefits or the beneficial portions

17:42

of that app are now a paid service, which

17:44

is not bad. I'm not against paid services.

17:47

We're going to talk about a few in a moment. However, the

17:49

main function, the main benefit we received

17:52

from that application in the past, we don't

17:54

get any more with the latest versions

17:56

of iOS. So therefore,

17:58

even the paid version... I don't believe

18:01

is nearly as good as just

18:03

using better DNS and using filtering

18:06

with DNS via next DNS.

18:10

Number two,

18:11

Apple still bypasses a lot

18:13

of the protections within the

18:16

lockdown application. So it sidesteps

18:18

them and says, okay, yeah, you're a firewall great,

18:20

but we're, we're gonna go around you,

18:22

you're not gonna filter us. Whereas with

18:25

proper DNS, you can get some back

18:27

or get back some of that control, which again,

18:30

better.

18:31

It's more of a minimal footprint

18:33

and you don't need to install another third party application.

18:36

The third reason I do not recommend lockdown is battery

18:38

drain. I am seeing that application really

18:40

start to drain the batteries of iOS

18:43

users because it's always just kind of there and

18:45

listening and running. And it's not really

18:47

given you a lot of protection. So let's revisit

18:49

that again. I no longer recommend lockdown

18:52

I did in the past. I

18:53

don't recommend the paid service. I recommend

18:55

removing lockdown completely

18:57

and activating a better

19:00

filtering DNS service such as

19:03

next DNS. And that's what I walk through in the

19:05

book, but also there's plenty of instructions on their

19:07

own website to have how to do that yourself. Next,

19:10

calendars and contacts. This

19:12

is something I updated actually throughout the Android

19:14

section and throughout the Apple section,

19:16

because I have talked a bit about secure

19:19

calendars and secure contacts, but I didn't give it a whole

19:21

lot of coverage.

19:22

I do recommend that

19:24

everyone uses end to end

19:27

encrypted calendars and contacts.

19:30

As I've said before, we talked about this two episodes ago

19:32

in the self hosting series, the data

19:34

you have in your calendars and contacts is probably

19:37

some of the most sensitive content you

19:39

own. Why would you share that with third party companies

19:42

and allow them to see that and abuse that? Let's

19:45

control that in an end to end encrypted

19:47

environment. So in the book,

19:48

I talk a bit more about the relationship

19:51

or the comparison, I guess, of things

19:53

like Proton, Tutanota, skiff,

19:56

we have third party end to

19:58

end encrypted providers,

19:59

give us end-to-end encrypted calendars

20:02

and contacts. But there

20:05

are limitations with these. All three

20:07

online providers, Proton, Tutanota, and Skiff,

20:09

will give you end-to-end fully

20:11

encrypted calendars which can

20:14

be shared. That's great.

20:16

And if you are okay just using either

20:19

their app

20:20

or their website to do all stuff

20:22

related to calendars, then you probably have

20:24

a solution done. You're ready to go. You don't need

20:26

anything else. With contacts,

20:29

it's a bit more murky. Proton

20:31

does not fully end-to-end

20:33

encrypt the name or the email address

20:35

of a contact, but they do completely encrypt

20:37

the phone number and any notes or anything like that. And

20:40

for them, that is because that's the way they

20:43

make sure that their email service can work and they can

20:45

see the name you are receiving from or

20:47

sending to, and they can see the email address of who it goes

20:49

to.

20:50

Skiff and Tutanota work

20:52

around that a bit and make it a bit more secure. So it's

20:54

important to understand what's protected

20:57

and what's not. Do your own research. Things

20:59

often change.

21:01

What I prefer is EddySync, and I talked

21:03

about this on the last episode, E-T-E-S-Y-N-C.

21:06

This is an end-to-end encrypted calendar,

21:09

contact, and note provider.

21:12

They store your calendars, contacts,

21:14

and notes on their server. End-to-end encrypted.

21:17

They cannot access anything at all. You

21:19

put an application on your iOS or Android device.

21:22

That application connects to the

21:24

EddySync servers to basically

21:26

say, okay, we've got a connection. We're shaking

21:28

hands. We've got the right credentials. I can see your content.

21:31

Great.

21:31

And then the application

21:33

synchronizes that with any third-party app

21:35

you approve. The reason this is mostly

21:37

important for my clients is that

21:40

they can now access

21:42

their calendars and contacts in a

21:44

native way through iOS or

21:47

Android if they're using that.

21:49

The stock calendars, the Apple

21:51

calendars app can now see all their calendars.

21:54

If I make a change on that stock calendar

21:56

app, it synchronizes that change to the EddySync

21:58

servers. And then EddySync

21:59

can also synchronize that to any other

22:02

device. Maybe you've got that laptop

22:04

that you also want to synchronize a calendar. That all works

22:07

behind the scenes. The other benefit, especially

22:09

for contacts, is now your phone

22:12

application, your VoIP application, whatever

22:14

you're using to make phone calls, can now see all of your

22:16

contacts. If you are simply

22:19

storing your secure contacts in Proton,

22:21

Tutenota, or Skiv, that doesn't

22:23

work. Your applications cannot access

22:26

your contacts. With EddySync, it's

22:28

still end-to-end encrypted. You're paying a couple

22:30

of months for that, or a couple bucks a month for

22:32

that service. But now your

22:35

stock apps, that VoIP app that we're going to talk

22:37

about in just a moment, it can now access

22:39

your contacts and make calls very easily.

22:41

And now that data is not

22:43

only on your local device, it's synchronized

22:46

securely with a third party. We

22:48

also talked about last week's show how you can self-host

22:51

EddySync. And now you're not even trusting

22:53

them with your data. You're not relying on them with your data. We're

22:55

kind of getting out of the scope of this

22:57

week's show, but

22:59

we have to understand all these different options

23:02

we have in order to apply our

23:04

own personal level of privacy and security, which

23:06

is perfect for us. With calendars

23:08

and contacts, my best advice is to always

23:10

choose the most minimal option, which

23:13

works fully for you.

23:15

If having them through a web browser

23:17

or through an app like Proton, Tutenota,

23:19

Skiv, etc., if that works for you, great.

23:22

That's the most minimal, easy option. But

23:24

that doesn't get them to your native device

23:26

applications. If you want that, then you need to go a

23:28

step further and choose something like EddySync, which

23:31

will make sure that happens. As

23:33

far as I can tell, EddySync is the only option

23:35

which provides true end-to-end encryption

23:38

for contacts and calendars while

23:40

allowing access to that data to native

23:43

apps within the device, which again,

23:45

very important for a lot of my clients because

23:48

they want that iPhone because it just works. They

23:50

want that availability of that data in

23:52

those stock apps because it just works. But also,

23:55

now they can synchronize that to their macOS devices,

23:57

and now they have encrypted end-to-end encrypted calendars.

23:59

and contacts on all their devices, they've

24:02

got the privacy and they've got that easy use.

24:05

Next, I revisited password managers

24:08

for iOS and nothing's

24:10

really changed here. I still

24:12

recommend for most people a key pass

24:15

style database. For iOS

24:17

users, I recommend Strongbox. Strongbox

24:20

is a freemium application. The

24:23

free version, if you just want to put

24:25

your own local key pass database

24:27

on your phone, even if you want to put it in read-only

24:29

mode to have all your stuff on there, free version

24:32

should work for you just fine. If you do want

24:34

to use biometrics and you want to use Face

24:36

ID to unlock your database or you want

24:39

to have some of those premium features, you're

24:41

going to have to pay a fee for

24:42

that. So try

24:45

it. Try the free version, see if it works for you. See if

24:47

you can justify upgrading. Most

24:50

of my clients want that ability to just use Face ID

24:52

to unlock their password manager. Okay, I get

24:54

it. I like that I can put password

24:56

manager or their password database on

24:59

their local device in read-only mode so that

25:01

they're not having two updated copies of their

25:03

password manager and make their desktop version

25:06

the only editable mode. So there's

25:08

a lot of features I like about Strongbox.

25:11

I like their 2FA options. I

25:14

like that my clients who want to just have one

25:16

password database with their passwords and

25:18

their 2FA, which doesn't rely on any type

25:20

of cloud synchronization whatsoever and doesn't

25:23

connect to any third-party cloud. I

25:25

like them to have that option and if they want it all

25:27

in one, I prefer it be offline. So again,

25:29

I really like Strongbox for that. Aesthetically,

25:33

it works really well. It's easy. It has that nice

25:35

iOS feel and you can

25:37

decide if the premium features are worth it for you.

25:39

For my clients who want

25:41

that synchronization, they want that

25:43

immediate password, whatever

25:45

synchronization to happen. I do still

25:48

like Bitwarden. I think it's the best option, but

25:50

we're talking extreme privacy here. So for a lot of

25:52

my clients, they don't trust any

25:54

cloud, including a secure cloud,

25:57

including an end-to-end encrypted cloud. They

25:59

want that.

25:59

content. They want that data on their device.

26:02

They want it locally. They don't want it synchronized

26:04

anywhere. They don't want a copy floating around. They want control

26:06

of it. So for those situations, I recommend,

26:09

okay, desktop, key pass XC,

26:11

and let's put a read-only copy of that database

26:14

on your iOS device using strongbox

26:16

to open it. And on occasion, we go

26:18

upload that file. We connect

26:20

your phone via USB cable if you need to to

26:23

your device. We move that file over and

26:25

now you've got a fresh database that's been updated.

26:27

For the few of my clients using sync

26:29

thing

26:29

for some of their self-hosting, we can also use that

26:32

to copy over that database from say their

26:35

desktop key pass XC usage over

26:37

into their strong box

26:39

usage. So lots of options there. Again,

26:42

these shows start to

26:44

intertwine into each other where the things we

26:46

talked about two weeks ago, a week ago start to play into

26:49

how they can help us today. Next,

26:51

let's revisit voice over IP, VoIP

26:53

calling. In past print

26:55

books, I've talked about Linphone,

26:58

which is in a free application you can put on

27:00

your iOS device and you can use

27:02

it to connect to Twilio, Telnix, whatever VoIP

27:04

service you're using in order to make and receive calls.

27:07

I don't recommend Linphone

27:10

anymore. Well, let me, let me back

27:12

off that a bit. I believe there's a better option

27:14

than Linphone. Linphone still works.

27:17

My complaints on Linphone, which is not their fault,

27:19

is that it has to be open,

27:22

connected, registered in order for an incoming call

27:24

to come in. Linphone does not provide

27:26

any type of push services, which help do

27:28

that. And that's where a company called

27:31

Acrobits come in. Now Acrobits has

27:33

two software options for iOS. One

27:36

is called Softphone and one is called Groundwire.

27:40

The biggest difference here is this

27:43

voice over IP app, which allows you to

27:45

make and receive calls, has native

27:48

push services embedded into it. What

27:51

that means is once you have your

27:53

Twilio, Telnix, whatever you're using, your VoIP numbers

27:56

programmed into it,

27:58

Acrobits push service. will

28:00

shoot an incoming call to your device, even

28:03

if you don't have the app opened, launched,

28:06

whatever. It's much

28:08

more like a native cell phone

28:11

application because you don't have

28:13

to be prepared or expecting anything.

28:16

Push services will let you know,

28:18

will give you a notification, hey you've got a call

28:20

coming in, do you want to answer it yes or no, here's what number it's coming

28:23

from. This has been a game-changer for

28:25

my clients who use iOS and

28:27

rely on VoIP products. They know

28:29

that they should never use their true cell

28:31

phone to give to their friends, their family,

28:34

because their friends and family are going to abuse that,

28:36

they're

28:36

going to store it in securely, it's going to end up in a

28:38

caller ID database, and now everyone knows that's

28:40

your true number and now you're a victim of SIM

28:42

swapping. I have a close friend who wanted

28:45

to jump down this privacy and security rabbit

28:47

hole.

28:48

He has an iOS device and he said

28:50

okay

28:52

tell me more about this VoIP stuff and I told him how okay

28:54

you can buy a number for a buck a month and

28:57

now you have that number and if you use it minimally

28:59

it's a few cents per month, it's pretty cheap, and

29:02

we got carried away and now on

29:04

his Acrobat software I

29:06

think he has about 14 VoIP

29:09

numbers including a toll-free number which he uses for his

29:11

business and even if he hasn't opened

29:13

that app in days and it's dormant and it's closed

29:15

or whatever, the moment anyone

29:17

calls any of those numbers his phone

29:19

rings and he can decide if he wants to take

29:22

that call. Now this comes

29:24

at a cost, you have to pay

29:26

for the application but you don't

29:29

have to pay for an ongoing

29:31

service or license. I think this is

29:33

a very fair deal, the way it works

29:36

is soft phone is the

29:38

junior application and ground wire

29:41

is the premium application. Soft phone I

29:43

believe is $6.99 one time,

29:45

ground wire is $9.99 one-time

29:48

purchase. This isn't an annual renewal,

29:51

it's not a license, it's not something that's going

29:53

to come back and say hey you have to pay us again, it's a one-time

29:55

purchase but with that one-time purchase you

29:58

get unlimited push services. from

30:00

their server to push that out, which

30:03

means you have to register

30:05

your voiceover IP number, like say that Twilio

30:07

or Telnix number within the application. It

30:10

is then going to synchronize that

30:12

SIP connection and encrypted

30:15

SIP credentials on

30:18

the Acrobits server so that they can

30:20

monitor for incoming calls and push it to you.

30:23

I don't have a problem with this because

30:25

A, it's not your credentials to access

30:27

your Twilio, Telnix, or whatever account. It's

30:29

your SIP credentials for that one

30:32

number. B, we must

30:34

remember voiceover IP is not secure

30:36

communication anyway. It's a telephone call. There's

30:38

nothing secure. There's nothing encrypted about it.

30:40

There's nothing private about it. It's used for all that junk

30:42

in our life when we don't want to give out our true cell

30:44

phone number. Therefore, I don't have

30:46

an objection to sharing my SIP credentials

30:50

with Acrobits in order to get that

30:52

push service. Let's pause

30:54

here and digress a bit because I

30:56

want to talk about something which I just updated

30:59

in the mobile devices

30:59

PDF yesterday, Thursday. If

31:02

you are using iOS and if you are using

31:04

GroundWire as your VoIP application,

31:07

you might want to consider VoIP.ms

31:11

as your VoIP provider. If you are

31:13

familiar with my Extreme Privacy Print book and

31:16

earlier editions of the mobile devices PDF,

31:18

you probably know that I recommend not using

31:21

VoIP.ms. The reason

31:23

was at the time, VoIP.ms

31:27

was requiring ID, photo

31:29

government ID, unredacted with the photo

31:32

in order to open an account. I have

31:34

some back and forth email from their sales director

31:36

telling me that you can't open any account

31:39

at VoIP.ms without

31:41

sending your photo ID and letting them see your photo

31:44

and whatever they want to do with that. So I've always not

31:46

recommended them, but I recently reached

31:49

out to their CEO and just said, look,

31:51

is this still the case? I've never been able

31:54

to get an account. I've always been suspended. They've

31:56

always wanted ID. And he says

31:58

they are working on... restricting

32:00

that ID requirement in order to open

32:03

a VoIP.ms account. Basically,

32:05

if you trigger enough fraud warnings

32:08

during the account creation process, you

32:10

get flagged. Then they demand ID

32:13

to make sure you are who you say you are. That's because

32:15

of their own know your customer rules they

32:17

have to obey. If you don't

32:20

trigger those warnings, you will not be asked

32:22

for ID. So for example, if

32:25

you register at VoIP.ms using

32:28

John Doe with

32:29

a burner email behind a VPN

32:32

with a CMRA address, you're

32:34

going to get flagged. You're going to have to

32:37

provide ID to prove you are who you say

32:39

you are. So I don't object

32:41

to using my real name with my

32:43

VoIP accounts. It's kind of like I don't

32:45

object to using my real name at my mail

32:47

drop. That's where all my official mail goes

32:50

to. If I'm using a VoIP provider

32:52

to make phone calls to my friends and family and businesses

32:55

under my name, why would I need to put it under an alias

32:58

name? So I do recommend

32:59

trying VoIP.ms as a service.

33:04

It's 85 cents a month for a phone number

33:07

compared to Twilio's $1.15. It's

33:09

less than a penny a call. The VoIP call

33:11

prices are about the same. Otherwise, when

33:14

you create account, I encourage you to use your real

33:16

name. I encourage you to use a

33:18

business domain name like I discuss in my

33:20

mobile devices book. And I encourage

33:23

you to not use a CMRA

33:25

UPS store PO box, etc. as your address

33:28

that will probably get flagged.

33:29

I'm not saying you should use your home address, but

33:32

you should use a residential address

33:34

knowing that no mail will ever be sent to you at

33:36

that address. I also recommend not using

33:39

a VPN. If you don't flag all

33:41

of these things that they're looking for to detect

33:43

fraud, you should be able to create an account.

33:45

Okay. And if not, you just need to talk to

33:47

them to say, what are my options to prove my identity

33:50

without sending you my driver's license. Now,

33:53

once you have a VoIP.ms account

33:55

and you have ground wire as

33:58

your VoIP application.

33:59

on your iOS or Android phone, you

34:02

can now add messaging to

34:04

that. And this is where VoIP.ms

34:07

is unique from Twilio and Telnix. With

34:09

Twilio and Telnix, you have to have your own web

34:12

server in order to forward incoming

34:14

SMS text messages to an email address,

34:16

or you have to forward them to another number. With

34:19

VoIP.ms, they have a much

34:22

more simple SIP SMS

34:24

messaging system, which allows you to

34:27

basically turn on one toggle within

34:29

the ground wire settings. And

34:31

now you can send and receive any

34:34

SMS messages you want through the VoIP.ms

34:37

service. In other words, for 85 cents a month, you

34:39

can have a number from VoIP.ms.

34:43

That number can be configured within

34:45

your ground wire application on your iOS

34:47

device or on your Android device. That

34:50

application can make telephone calls,

34:52

it can send SMS messages,

34:55

and that application will take advantage of

34:57

ground wires,

34:59

push services to

35:01

notify you

35:02

whenever an incoming SMS text

35:04

message or voice call comes in without

35:06

the app running. And that is

35:09

unique. After talking with the CEO of VoIP.ms,

35:12

we generated a referral link. That referral

35:14

link is in the show notes. If you use

35:16

that link, you'll get some free credits to try out

35:18

their service. And also free credits

35:20

will be thrown towards our shows test account

35:23

so that we can always keep testing things too. If

35:26

you have the Extreme Privacy Mobile Devices

35:28

PDF, you should have just received

35:31

an update yesterday, Thursday the

35:33

6th, which walks you through the

35:35

entire setup of everything with

35:38

VoIP.ms. Whether you are using

35:40

SIPNETIC on Android, whether

35:43

you are using the official VoIP.ms

35:46

SMS application through F-Droid, or

35:48

whether you are using something like ground wire through

35:51

iOS. This is where that

35:53

extra $3 for ground wire as

35:56

an application versus soft phone

35:58

application comes in.

35:59

The cheaper soft phone application

36:02

can make and receive voice calls all you want, but it does

36:04

not handle SMS text messaging. That

36:06

more expensive ground wire application does

36:09

allow SMS text messaging.

36:11

I should note here, Acrobits does have a version

36:13

for Android. So you could replicate

36:15

this on an Android device with push services

36:17

by paying that fee.

36:19

I don't currently use it on my

36:22

Android device. I still do use Sympathetic,

36:24

but

36:25

I don't have incoming calls

36:27

which are unexpected. I don't answer unexpected

36:30

incoming calls. I use it as my

36:33

VoIP on my mobile device as a way to

36:35

call out when needed. I don't care about incoming

36:37

calls. I don't want them during my device, but

36:40

I do have clients who do prefer

36:42

Acrobits on their Android

36:44

devices because of the better notifications

36:47

of when a call is coming in. Like say that the

36:49

school is calling about their kid, they have to get that call.

36:52

So I completely understand that. Look into it, see

36:54

if maybe that is appropriate for you, and

36:56

see if you can justify that cost on your

36:58

end. Next, I get more into

37:00

the data service aspect. In

37:03

Extreme Privacy Mobile Devices, the PDF, I

37:05

talk about wireless data only

37:07

service packages. I originally had talked about

37:09

both Twilio and Telnix. Twilio no longer offers

37:11

that. They've sold that out to a company called Core,

37:14

but Telnix does still

37:17

offer data only packages for,

37:19

I believe it's $2 per month plus

37:22

seven cents per megabyte until

37:24

you reach a couple hundred

37:25

megabytes, and then that price per megabyte

37:27

does go down. So I do

37:30

get more into that. Basically, I've already had

37:32

an entire chapter in the guide dedicated

37:34

to that, but I did get more into it specifically

37:36

for iOS and talking about

37:39

how to switch those SIM connections.

37:41

So maybe you've got that you've got that

37:43

eSIM device, which is your daily driver. Maybe

37:45

it's that prepaid mint, and then you have your physical

37:48

SIM in the device, which might be your Telnix,

37:50

which might be your data only, which you use overseas,

37:52

or you use when you don't have a signal with your provider.

37:55

So I

37:55

do get into that a bit more, but it's

37:58

really just beating the dead horse at that point. because

38:00

we've discussed it so much in the past. From

38:02

there, I spent some more time talking about custom

38:05

application settings. So if you are using Signal,

38:07

ProtonMail, etc., here are the default

38:09

settings and here are the things I would change

38:11

if I were you that just give you a bit more, a

38:14

bit more privacy, a bit more control maybe.

38:16

Remember, with iOS,

38:18

in general, you don't have a lot of control like

38:21

you do with Android. iOS devices

38:23

control everything for you. You're in that walled garden.

38:25

That's for your security. And they don't let

38:27

you really modify a whole lot, where Android

38:30

just says, make it yours, man. Do

38:32

what you want to do with this thing. So I

38:34

did try to talk about various applications which are

38:36

popular in this community like Proton,

38:38

Signal, etc., and the changes I would make

38:40

within their settings, not so much the iOS

38:43

settings. Finally, with iOS, I do

38:45

talk about some of the

38:48

better shortcuts or better

38:50

home launching applications. With

38:53

the Android side, especially Graphing

38:55

OS, I talk about different launchers you can use

38:57

to make it look exactly how you want to look. I

39:00

have a very customized Android screen.

39:03

I like the way it looks. I like the icons.

39:05

I'm very minimalistic and it's very important to me

39:07

to have that clean interface.

39:09

iOS natively doesn't

39:11

let you do that stuff and you cannot install

39:14

another launcher, but you can

39:17

play with shortcuts. So I talk in the

39:19

book about how you can use

39:21

the shortcuts app to generate a shortcut

39:24

to an application and then control exactly

39:26

how that icon looks. Exactly the color

39:29

you want, the placement you want. So you

39:31

have a bit more cosmetic

39:33

control, which probably should not be important,

39:36

but it is for me. After using a custom

39:38

launcher on an

39:39

Android phone with all black and white

39:41

perfect icons the way I want them, and then looking

39:43

at a client's phone with stock iOS

39:46

applications, which all different colors,

39:49

different designs, different logos, some

39:51

are square, some are not, some are transparent,

39:54

drives me crazy.

39:55

So I like to customize

39:58

the screen with the shoulder.

39:59

shortcuts app to create shortcuts to

40:02

the apps I want. There are some caveats with that,

40:04

such as notification badges, but I talk about that

40:06

in the book of how you can maybe get

40:08

around that a bit with being selective

40:10

on how you choose to make your screen look.

40:12

And I give some visual examples of mine within

40:15

the book. All right, I think we touched enough

40:17

on iOS for this show. Again,

40:20

if you have already purchased extreme privacy mobile devices,

40:22

make sure you go get the latest edition, especially

40:24

if you are an iOS user, there's tons of new

40:27

stuff in there. If you've been avoiding

40:29

extreme privacy mobile devices because it's so

40:31

focused on Android, you are an iOS user,

40:34

you're never going to switch from iOS. In the

40:36

past, I've steered you away.

40:38

And I've said this book probably isn't for you,

40:40

no offense. It's just, I don't

40:42

wanna oversell it. I'm walking

40:45

back a bit on that now because I've added so

40:47

much for iOS, ways

40:49

to apply the lessons throughout the book,

40:52

specifically for an iOS device. So now I would

40:54

say, if you don't have the book,

40:56

you're an iOS user and you want to

40:58

get back a bit of that privacy and security control,

41:01

then I would recommend Extreme Privacy

41:03

Mobile Devices, the PDF. The entire

41:05

book will go through the overall

41:07

mobile fundamentals using

41:10

Android as a guide of how to install

41:12

them. And then the final chapter is a very lengthy

41:14

chapter which says, okay, now let's

41:16

take all of those things we talked about through the entire

41:18

book and let's apply them to iOS, even though

41:20

you don't necessarily have all the tools, which

41:23

you would otherwise have with the Android operating

41:25

system. I think it's worth it now. You make

41:27

the call again, purchases receive

41:30

free updates forever and they

41:32

support the show. Let's talk about next week.

41:34

We're doing one more episode before

41:36

we jump back into the self

41:38

hosting series. So next week's episode is a culmination

41:41

of four big things. One,

41:44

the government photo ID available

41:46

in a preferred name, which I teased a couple

41:48

of shows ago should arrive. So I hope to

41:50

discuss my thoughts on that. Number

41:52

two, I'm almost done with the new OSINT

41:54

tool,

41:56

it's a new phone number search method, which

41:58

gives you full subscriber details.

41:59

name, billing address, caller

42:02

ID entry, the presence of it

42:04

within any contact uploads, which might include

42:06

nicknames, the presence of that number within a

42:08

data, breaches, or leak, the current carrier,

42:11

the full porting history, VoIP 911 registration,

42:13

and all marketing records associated

42:16

with that device. It's an all-in-one text-based

42:19

query and response, and

42:21

when it's done, it'll be on my site, but also

42:24

it'll have the option you can self-host it if you want.

42:28

I have some very sensitive travel next week, which

42:30

requires me to bring several sensitive items with

42:32

me, so I picked up the Silent Pocket E3

42:34

Faraday backpack. I'm going to run

42:37

it through its paces, see what works,

42:39

see what doesn't, and I hope to have a full report

42:41

when I get back on how that worked on

42:44

this trip. And finally, one

42:46

leg of my travel will allow me to

42:48

test our brand new second passport

42:51

option, which displays a quote, preferred

42:53

name. Once I'm home successfully,

42:56

that can also finally be explained,

42:58

or if I'm in a foreign jail cell, maybe

43:00

they will let me record a show from there. Either

43:02

way, it should be a very full episode.

43:05

Let's meet back here soon.