by throwaway122916 3428 days ago
This is a crazy list.

1. iPhone is closed source and any kind of rootkit can be installed by Apple/NSA secret court system. I suggest not using a smartphone if you are serious about security.

2. Good but difficult to anonymize

3. Good

4. Google Chrome is a botnet effectively and users lose their expectation of privacy there. Should switch to Firefox and use Chromium (Not Chrome) as a backup. Ideally Tor browser though.

5. Why? It's great for sharing encrypted files. Certainly if you trust Apple, why not trust Dropbox?

8. Signal transmits metadata that Google/Apple and by extension NSA/FBI/CIA/DEA know about now. Use something else that protects your anonymity and is secure. Something like Cryptocat/Pidgin OTR is better.

9. You can use email to send encrypted information.

10. Unnecessary. A good strong password is good enough, and you don't have a centralized password storage app. Another benefit is avoiding all the frustration that comes with using it when you are on someone else's computer.

11. Commercial AVs are better than Microsoft's native solution as repeatedly shown on independent tests. If you are tech literate, you're probably fine with the native solution or no solution at all.

12. Good idea. Best not to have a smartphone at all.

13. That's crazy. Just know your email app. Attachments should be read only and if your software is updated, it's very very unlikely you'll be compromised. If the email isn't signed and you are worried, use an alternative app to open common document formats. PDF.js for PDF, LibreOffice for documents.


    iPhone is closed source and any kind of rootkit can be installed by 
    Apple/NSA secret court system. I suggest not using a smartphone if you are 
    serious about security.
I absolutely disagree. While you are correct that in theory an iPhone can have rootkits and other backdoors installed on it by the NSA, in practice, I've found that the average user's computer can be compromised far more easily than their smartphone. Remember, we're not dealing with security professionals. We're not even dealing with people who can use PGP to secure their e-mail. We're dealing with rank newbies. In such a situation, it's far better for them to take incremental steps today to secure themselves (e.g. by using Signal to communicate, rather than e-mail) than it is for them to spend a year learning about encryption and having PGP key signing parties before they can set up a secure infrastructure.

Comments like these are why I have a deep frustration with the "security community". It's letting the perfect be the enemy of the good.

> It's letting the perfect be the enemy of the good.

We are talking activists facing state-sponsored attackers, where "good" security is not enough.

It's a silly argument anyway, as in the famous xkcd comic, technology probably isn't the weakest link. And if a state really wants to snoop on you in particular, they will.

Meanwhile, as mentioned elsewhere, Android is vulnerable to several key-extraction techniques and the speed of security updates depends on which model you have.

Literally every other phone on the planet is vulnerable. Even some garbage flip-phone you got at Wal-Mart thinking it's not smart and therefore secure is likely a joke for anyone to crack into. That software hasn't changed in years. It's full of unpatched holes.

This is why Snowden wanted people to put their phones in the freezer to avoid eavesdropping: https://thelede.blogs.nytimes.com/2013/06/25/why-snowdens-vi...