Guys "digital life" wiped out.

Started by harrygunner, August 09 2012 06:26:07 PM MDT


sqlbullet

Or avoid using hotspots/WIFI.  I am grandfathered in on unlimited data on my phone, so I don't even turn Wifi on. I hadn't considered tunneling back to home and then routing all traffic over the tunnel...And probably won't since the 4g on my phone is far faster than the DSL at my house.

Sucks to live in a city that won't get on the fiber bandwagon.  Friends in other nearby towns have 40 meg connections both ways for half what I pay for 7/1.5 dsl.

harrygunner

I'm securing my phone for obvious reasons, then there's the fun. Smart phones are not very useful to me, but now that I have one, might as well play with it. I didn't sign up for an Internet plan, but I can still get to the Web over wireless. I don't expect to be using phone to access the 'net much. But, I can check email from a coffee shop if I don't have my laptop.

I installed a stripped down version of 64 bit Linux onto a virtual machine (VM). Used OpenSwan for the VPN and 'tinyproxy' for the proxy. The VM will be hosted on a Linux OS using KVM. But, one could create the functional equivalent within a Windows environment. (I don't do Windows, so haven't worried how.)

Took some interesting tweaking since I didn't load the X Window System or any GUI onto it. Had to configure a serial tty by hand for me to log onto it when needed.

I went to the trouble since my Android "smart phone" has a VPN client program. It's simpler to set up SSH proxy, but haven't rooted the phone yet.

Essentially, any Wi-Fi Internet or Wi-Fi phone calls will be tunneled to the VM proxy before entering the Web, bypassing potential hot spot lurkers.

I bought a 64GB microSD since I'm considering dual booting and installing a secure Android OS on the microSD.

Our friendly government agency, the NSA, has provided some help, similar to the help of SELinux for the Linux OS. http://selinuxproject.org/page/SEAndroid

Maybe after all this, I can have a phone only I am using.   :D

REDLINE

Quote from: harrygunner on October 04 2012 09:03:27 PM MDT
I'm securing my phone for obvious reasons, then there's the fun. Smart phones are not very useful to me, but now that I have one, might as well play with it. I didn't sign up for an Internet plan, but I can still get to the Web over wireless. I don't expect to be using phone to access the 'net much. But, I can check email from a coffee shop if I don't have my laptop.

I installed a stripped down version of 64 bit Linux onto a virtual machine (VM). Used OpenSwan for the VPN and 'tinyproxy' for the proxy. The VM will be hosted on a Linux OS using KVM. But, one could create the functional equivalent within a Windows environment. (I don't do Windows, so haven't worried how.)

Took some interesting tweaking since I didn't load the X Window System or any GUI onto it. Had to configure a serial tty by hand for me to log onto it when needed.

I went to the trouble since my Android "smart phone" has a VPN client program. It's simpler to set up SSH proxy, but haven't rooted the phone yet.

Essentially, any Wi-Fi Internet or Wi-Fi phone calls will be tunneled to the VM proxy before entering the Web, bypassing potential hot spot lurkers.

I bought a 64GB microSD since I'm considering dual booting and installing a secure Android OS on the microSD.

Our friendly government agency, the NSA, has provided some help, similar to the help of SELinux for the Linux OS. http://selinuxproject.org/page/SEAndroid

Maybe after all this, I can have a phone only I am using.   :D

Wish I had a mind for even just half of what you said there. Other than that I think I can say: Great Job! :D
Gun Control?  Oh yes, the theory that becoming a victim is somehow morally superior to defending yourself & your family.  Makes perfect sense.

harrygunner

There needs to be a simple way to armor smart phones. They are insecure, yet can offer up a lot of information to the unscrupulous.

People download "apps" without understanding what they might be doing. Recently both presidential candidates offered campaign apps to constituents. Those apps were capturing phone contacts and GPS coordinates and uploading the information. Probably the same company created both versions of the app (with different looks and logos). Keystroke loggers in apps are a serious problem.

Until being recently outed, several phone companies issued phones with an app from a company called CarrierIQ. That app uploaded user data to the phone companies. That fact was known, but it continued until CNN wrote about it. Innocent or not, customers weren't notified and it caused a scandal.

Some people think NFC is cool, not realizing strangers in a crowd can transfer nefarious code to other phones and capture info off their phones. (Related, but similar, I fell off my chair when a friend told me her credit card has a NFC chip in it. Shows how common it is to completely disregard customer data security.)

I've heard people say they do on-line banking from their phones. Healthcare providers access patient info from such phones.

Nothing new. New tech, new opportunities for crooks.

The_Shadow

Yes indeed, too many unknown things being transferred electronically without the user even knowing or being educated by the product designers or applications being used. Although some features can be disabled, some cannot! ???

Just look at the spam e-mail and phone calls that find their way to your computers and phones.
The "10mm" I'm Packin', Has The Bullets Wackin', Smakin' & The Slide is Rackin' & Jackin'!
NRA Life Member
Southeast, LoUiSiAna

harrygunner

I have trouble judging the level of difficulty some might ascribe to this, but I wanted to present the high points of my VPN+proxy virtual machine (VM) I use to tunnel traffic from my "smart phone".

If anyone starts this project and has questions, I'll answer them as best I can.

One could run a virtual machine on a Windows box at their home if they have a static IP address. Once a connection is made to a hot spot at a cafe or hotel, traffic is tunneled between the phone (or laptop) and your home Internet access. This thwarts the people sitting, sipping coffee while capturing packets from other people using the hot spot.

The bottom line, I have a virtual IP address that shows up on my phone or laptop to access the proxy on the VM. The VPN carries the traffic between my devices and the VM's virtual network. Then, the proxy carries traffic between the VM's virtual network and the Internet.

I'm a Linux guy, so I built a small VM from a Redhat Enterprise clone OS. I used to use CentOS, but when they had a significant lag behind Redhat, I moved to Scientific Linux. (CentOS has caught up and stayed current since then.)

I went with Linux KVM as the virtual host, but VirtualBox or VMware are easier to use to build a VM. VMware Player and VirtualBox are free.

There was no need for a GUI or many services, so I made a fairly basic installation. (However, you may want a GUI if you don't use a serial console to log into the VM.) I always make /home, /tmp and /var/tmp separate partitions so I can have them mounted in a way where no programs can run on them (noexec, nosuid, nodev to defeat some malware methods).

The two main services running on the VM are OpenVPN and tinyproxy. 'tinyproxy' is all I need since I only built access to phones owned by my immediate family. No need to cache sites, etc. OpenVPN is more straightforward to configure than OpenSwan. There are plenty of OpenVPN client phone apps. (For my laptop, I installed OpenVPN and configured it as a client.)

I assigned a single NIC, one CPU and 512M of RAM to the machine. I configured OpenVPN on the server (VM) to assign a "non-routable" IP address to the client and to create virtual IP addresses on the server. Then, I configured 'tinyproxy' to listen to all IP addresses, but only allow connections from this virtual network. In other words, the outside can't access the port that 'tinyproxy' listens to. One must go through the VPN to get to that port. 'tinyproxy' also adds some autonomy in that I can limit which packet headers will be presented to websites I visit. That makes my connects look more generic.

The part some may be uncomfortable with is building the private keys and public certificates for the VM and for each phone. Essentially, one creates one certificate authority (CA), then uses that CA to create/sign public/private key pairs for each party. I created a separate pair for my devices and for each of my family. OpenVPN has a pair that only resides on the server, each phone has a pair that only resides on the phone. Each party also stores the public certificate for the CA. This authenticates parties as having keys signed by the same CA.

Finally, I have a firewall on the VM that blocks entire continents filled with the usual suspect hackers, protects local services, etc. It also forwards local traffic to/from the virtual 'tun' network that OpenVPN creates.

I can elaborate on any of the steps if someone is interested.
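The key property of the setup described in this post is that tinyproxy may listen on every address as long as its Allow rules only admit clients from the OpenVPN tunnel subnet. The following is an added example, not the poster's own files: it embeds constructed server.conf and tinyproxy.conf fragments (the 10.8.0.0/24 subnet and port numbers are placeholders) and checks that every tinyproxy Allow entry falls inside the OpenVPN server subnet, flagging the weak variants where Allow is missing (tinyproxy then admits every client) or too broad.

```python
"""Check that a tinyproxy instance is reachable only through the OpenVPN tunnel.

Constructed config fragments, not the forum poster's real files.
"""
import ipaddress
import re

# Constructed OpenVPN server.conf fragment: the 'server' line defines the
# tunnel subnet that clients receive addresses from (placeholder values).
OPENVPN_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
"""

# Constructed tinyproxy.conf: binds all addresses, admits only tunnel clients.
TINYPROXY_OK = """\
Port 8888
Listen 0.0.0.0
Allow 10.8.0.0/24
"""

# Weak variant: the real Allow is commented out and a catch-all is used,
# so anyone who can reach the port on the VM's public side gets the proxy.
TINYPROXY_WEAK = """\
Port 8888
Listen 0.0.0.0
#Allow 10.8.0.0/24
Allow 0.0.0.0/0
"""

def openvpn_subnet(conf):
    """Return the tunnel subnet from the 'server <addr> <mask>' directive."""
    for line in conf.splitlines():
        m = re.match(r"\s*server\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    raise ValueError("no 'server' directive in OpenVPN config")

def tinyproxy_allows(conf):
    """Return every network named by an uncommented 'Allow' line."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*Allow\s+(\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def proxy_is_vpn_only(openvpn_conf, tinyproxy_conf):
    """True only if all Allow networks lie inside the OpenVPN tunnel subnet."""
    vpn = openvpn_subnet(openvpn_conf)
    allows = tinyproxy_allows(tinyproxy_conf)
    if not allows:          # tinyproxy with no Allow/Deny lines admits everyone
        return False
    return all(net.subnet_of(vpn) for net in allows)
```

Run it against your own files by reading them into the two string arguments; a False result means the proxy port is usable without going through the tunnel.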