If you will be traveling internationally, you might be wondering how to protect your privacy and securely use your mobile devices (especially phones and tablets) while abroad.
First, you must understand and accept that EVERY place you visit (including your home city) is potentially hostile; this is not an isolated problem that only travelers must face.
There is no such thing as “zero risk” to a device.
However, there are certain things travelers can do when preparing for travel, while traveling, and after travel. Performing these steps can help reduce your risk and information footprint while traveling.
In this three-part series of software-agnostic advice, we will explore the information security aspects of:
Part Three – How to “Clean-up” Your Mobile Devices After International Travel
Who Are You Protecting Yourself From?
Thieves, Competitors, Governments, Scammers, Intelligence Officers, Spies, Fraudsters, Militias, Insurgents, Unscrupulous Border Patrol Agents.
What Are the Risks?
If you have sensitive, confidential, or private data, PII, or perhaps even more important data, it is your responsibility alone to protect it.
These tips can help reduce your risk at any time, not just travel. Keep in mind that, as is common in security, there are always trade-offs, and many of these tips can be slightly inconvenient, take more time, or just be annoying. Such is the price we seem to have to pay for privacy.
You’ve Returned From Your Trip, What Do You Do Now?
If you’re lucky, nothing has happened to your devices, you didn’t get pwned, and your comms were encrypted and routed through the VPN at all times, so no one saw anything you did while you were abroad.
If you kept your devices on you, they probably haven’t had any hardware added or messed with.
The goal after travel is to wipe any changes you made in preparation for travel and return your devices to a “known good” state.
Assume, whether correct or not, that your devices have been rooted and must be rebuilt anew.
Assume that everything on your devices has been compromised. You may want to recover some of the data, you may not.
Evaluating the Condition of Your Device
Was the device ever out of your sight? Did you plug unknown USB cables into it? Did you fail to use a USB condom when connecting to a USB plug for charging?
One method for detecting physical tampering that you can use is to weigh your device before and after your trip; if there is any discrepancy, assume it has been compromised physically. This is much more serious than logical compromise.
Offloading New Data You Want to Retain
You will want to make sure you have backed up any photos or important documents created or gained during your travel that you want to keep.
One option is to put them in a cloud-based server associated with one of the burner accounts that you created in Step One.
Why use cloud storage? Because you are going to want to “pull” the data from a third party (a non-compromised asset) into your trusted computing area. Also, cloud providers like Google Photos sometimes use their own anti-malware scanning. Neutral third-party storage is a safer bet than offloading these files directly to a local storage device.
NOTE: You DO NOT want to “push” data from the ‘compromised’ device to a trusted computer/device that did not travel with you.
You also DO NOT want to restore compromised data back onto your device after it’s been wiped.
All files should be scanned by anti-virus and anti-malware tools when being pulled into your real accounts.
You should import those files carefully, perhaps by reviewing each file before downloading it. These files will stick with you, and if they contain malware, spyware, or other bad things, those bad things will also stick with you.
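One way to do the per-file review described above before anything leaves quarantine, as an added example (not from the original article). The function names, the list of expected file types and the sample files are assumptions constructed for illustration, and this check comes before your anti-virus scan, it does not replace it.

```python
import hashlib, io, zipfile
from pathlib import Path

# Leading bytes expected for the file types a trip normally produces (assumed list).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
# Headers of executable formats: PE, ELF, 64-bit Mach-O, script shebang.
EXECUTABLE = [b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"#!"]

def triage(name: str, data: bytes) -> dict:
    """Verdict for one file staged in quarantine (hypothetical helper)."""
    ext, reasons = Path(name).suffix.lower(), []
    if any(data.startswith(m) for m in EXECUTABLE):
        reasons.append("executable header")
    if ext not in MAGIC:
        reasons.append("unexpected file type")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match extension")
    elif ext in (".docx", ".xlsx"):
        try:  # Office files are ZIP containers; macros live in vbaProject.bin
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("contains VBA macros")
        except zipfile.BadZipFile:
            reasons.append("corrupt Office container")
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": "hold" if reasons else "scan-then-import",
            "reasons": reasons}

def triage_dir(quarantine: Path) -> list:
    """Triage every regular file under the quarantine directory."""
    files = sorted(p for p in quarantine.rglob("*") if p.is_file())
    return [triage(p.name, p.read_bytes()) for p in files]

def _docx_with_macro() -> bytes:
    """Build a constructed .docx-style ZIP that carries a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed")
    return buf.getvalue()

# Constructed sample inputs (not real files).
SAMPLES = {"beach.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
           "receipt.pdf": b"MZ\x90\x00" + b"\0" * 16,  # PE header behind .pdf
           "notes.docx": _docx_with_macro()}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(triage(n, d)["verdict"], n, triage(n, d)["reasons"])
```

Files marked "hold" stay in the travel account; the recorded SHA-256 lets you confirm later that the copy you scanned is the copy you imported.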
Restore Your Device to Factory and Re-Install the Operating System
You’ve backed up the minimal important photos and documents, so now it’s time to wipe the device and re-install the operating system (OS).
This is the same procedure you would follow before selling your device, and that’s my recommended phrase for Googling instructions for your specific device.
iOS Instructions: https://support.apple.com/en-us/HT201351
It’s not quite as cut-and-dried for Android devices, so you will want to do some research. But here are some instructions and warnings about data (tl;dr use encryption): https://www.digitaltrends.com/mobile/how-to-wipe-android-phone-or-tablet/
Pixel or Nexus Instructions: https://support.google.com/pixelphone/answer/4596836?hl=en
Microsoft device Instructions: https://support.microsoft.com/en-us/help/10547/microsoft-account-remove-deregister-device
Blackberry Instructions: https://www.youtube.com/watch?v=dQw4w9WgXcQ (you still use a blackberry???)
Change Your Passwords, Re-Add Original Accounts
In Step 1, you removed your “real” accounts for iCloud, Microsoft, Google, etc., and added “travel” accounts so your device would function. Now that you’ve wiped the device and have a fresh, clean install of your mobile OS, it’s time to re-add your “real” accounts.
Continue setup as usual, and see “About Backups” in this article.
It’s okay to restore to a backup that was created BEFORE your trip, when everything was normal and your device was likely uncompromised.
However, be sure you DO NOT restore a backup that was created DURING or AFTER your trip, as it is considered compromised at this point.
Scan Your Devices
There is a security scanner of one type or another for every platform. On Android, they can look for viruses and malware, for example, and let you know when permissions need to be locked down. Install and run security tools on your device (I like Comodo on Android) to scan for problems.
AppChoices is a great iOS app for maintaining privacy through cookie opt-out (somewhat unrelated to international travel).
If your privacy and security are your primary concern, these tips will help you, but there is no such thing as “zero risk”.
It should be noted that some of these tips may actually arouse suspicion if you are being watched, questioned, or detained, even if you are doing absolutely nothing wrong, illegal, or shady.
This is a lot of info, and really only applies to your devices, although some of these tips are good for your personal safety. You’re probably not going to be able to maintain full OPSEC for the entirety of your trip. The goal is to decrease your risk, not eliminate it entirely. Do your best.
These tips are being provided for the security and privacy of your data on your devices. This advice is not legal advice, and these tips are not being given to avoid or subvert US law or any other laws. There are numerous legalities and nuances that you should familiarize yourself with, before you travel or if you have other goals.
EFF has a great article series on your rights and what to expect at a border: https://www.eff.org/wp/digital-privacy-us-border-2017
I’m not a lawyer, and this is not legal advice — It’s never a good idea to break the law, and it’s always best to cooperate fully with border agents and people in authority.