Ask a security trainer: How do I get secure phone backups?

Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.

Dear DST,

In your training, you spoke about backing up your phone. But doesn’t that make my data available in the cloud? Can’t the cloud provider see the files and photos and videos on my phone for work?

Signed,

Memory Dump

Hi Memory,

It’s true, whether it’s Google Drive for Android or iCloud on your iPhone, cloud providers do get access to your photos and videos by default. But it doesn’t need to be that way. With local backups, as well as some baked-in features on your device, you can prevent third parties from being able to read your data.

If you’re using an Apple device, you are probably familiar with iCloud. Certain types of data stored in iCloud are end-to-end encrypted, meaning not even Apple can read them. This includes information backed up from your Health app or passwords stored in your iCloud Keychain. You can see a list of these data types here.

However, many types of data here are not end-to-end encrypted by default, and this includes your photos and videos, and files stored in iCloud Drive. The good news is that Apple offers a feature called Advanced Data Protection, which will allow you to apply end-to-end encryption to nearly every type of data stored with iCloud.

In my experience, this feels essentially identical to the regular iCloud experience, but you will need to take some steps to ensure you won’t lock yourself out of your account in case of an emergency. If this sounds interesting, learn to set it up here.

You can also make password-protected local backups of your phone right on your own computer, using iTunes for Windows, or the Finder app on Mac. Just connect your phone to the computer with a USB cable, follow these quick instructions, and you’re off! As always, you’ll want to protect the backup with a long, unique password — ideally one generated with a password manager.

If you’re using a computer for backups, you’ll also want to protect the computer itself by encrypting the disk drive. This is pretty straightforward: Go into your computer’s security settings and enable BitLocker for Windows or FileVault for macOS. Afterward, your disk will be encrypted whenever you power the device down.

Let’s pivot to Android. Right now, there is no Android equivalent to iCloud’s Advanced Data Protection. Instead, photos and videos are backed up with encryption at rest, meaning they are legible to Google’s servers. However, Google’s documentation says, “Your backups are uploaded to Google. Some of your data is end to end encrypted with your device’s screen lock PIN, pattern, or password.”

We don’t have a list of the kinds of data Google will encrypt in this way, so it’s hard to be certain which parts of an Android backup are legible to the company. But we do know photos, videos, and media sent through traditional text messages are not end-to-end encrypted.

I’d like a cleaner story to tell about Android backups. That would make my job easier.

The alternative route is to just make a copy of the files you want from the device and keep a backup on your computer or external storage, such as a USB thumb drive or SD card. On a Windows computer, connect your Android device through USB and copy the files to your local device. As mentioned above, if you’re using this computer for backups, you’ll want to enable disk encryption by using BitLocker for Windows or FileVault for macOS.

At the time of writing, transferring files from Android to a Mac has become more challenging, as Google has discontinued support for Android File Transfer for Mac. This was previously the officially supported way to move your files, and we’re hoping Google will support these features again down the road.

In the meantime, the most reliable way to make a local-only backup is low-tech: Stick a USB drive with the appropriate adapter right into your Android and copy local files into USB storage using your Files app. You can transfer this data over to your computer.

If you’re looking to back up selected files, there are also third-party tools that offer end-to-end encryption, such as Proton Drive and Tresorit. They offer mobile apps as well, so you can transfer directly from your phone.

All right, now you have no excuses. You officially have way too many options to back up files privately. But journalists in need of assistance can always reach out to our team.

Best,

Martin Shelton