Smartphones have become the primary computing devices for many. Living inconspicuously in our pockets, they store our most intimate personal messages and pictures as well as sensitive corporate information and government secrets. This has already motivated widespread adoption of end-to-end encryption for mobile messaging applications, such as WhatsApp and Signal, which protect the confidentiality of messages. However, metadata, such as who has been messaging whom and when, can still be observed by platform operators, local internet providers, and other adversaries tapping into network traffic. This dissertation presents protocols and applications for mobile devices that not only protect the content of messages but also communication patterns.

Anonymity networks provide metadata privacy, but the most popular ones, like Tor, remain vulnerable to traffic analysis, while strong alternatives, like Loopix, use cover traffic at the expense of higher bandwidth and latency. In this context smartphones raise two important challenges: battery constraints dictate conservative power usage and connectivity is often intermittent.

In order to better understand power consumption on modern smartphones we run experiments on real hardware and find that cryptographic operations are cheap while radio transmission can be costly. In particular, popular solutions such as VPN and Tor are practical with negligible impact on the battery life. However, more secure designs using cover traffic are impractical and highlight the need for protocol design that takes energy limitations into account.

The latency and bandwidth requirements of protocols with strong metadata privacy are particularly challenging when sending messages to many recipients---especially on mobile devices where users are often offline. We design Rollercoaster, a multicast scheme for mix networks which incorporates these constraints and allows better utilisation of the underlying network for sporadic group communication. This enables decentralised applications such as group messaging and collaborative text editing while retaining efficient mix parameters.

Finally, we present CoverDrop, a practical system for initial contact between whistleblowers and journalists. CoverDrop integrates into a standard news reader app such that all its users contribute cover traffic to achieve unobservable communication for sources while having negligible impact on battery life. In addition, we implement plausibly-deniable storage to keep previous usage of CoverDrop secret even if the phone is captured by an adversary. To achieve this, our key stretching scheme, called Sloth, uses the Secure Element found in many modern smartphones, preventing the adversary from parallelising brute-force attacks and therefore allowing for shorter, more memorable passphrases.