Essential Smartphone Security
(Download Essential Smartphone Security PDF for detailed instructions.)
There is a wealth of very personal information on your smartphone! You need to protect it!
Consider your own situation and assess the level of security you need. These recommendations are meant to provide basic security for the average person living in an environment with a (relatively) non-hostile government, such as in the U.S.A. If you believe you may be a high-profile target or are extra concerned about your information being leaked, then (1) please see the "Hostile Environment" section at the end of the full Smartphone Security PDF document (see link above), and (2) you may want to seek further expert advice besides the basic recommendations offered here.
(1) Regularly update the version of software on your Smartphone. (This is critical; just do it!)
(A) Vulnerabilities are constantly being discovered in every piece of electronic equipment, especially in high-value targets like smartphones. Software updates patch these vulnerabilities and help secure your device.
(B) iPhones/iOS: When a new version of iOS is offered for your iPhone, update it. (You may want to wait a few days [or a week or so] and do an online search to make sure there are no major problems with the new version; but if Apple's release notes say the update fixes a vulnerability that "may have been actively exploited," install it right away.)
(i) As of this writing you should be on iOS 12 (with its current update), but you MUST at least be on the final update of iOS 10 to maintain any kind of security.
(C) Android: A major problem with most Android smartphones is that the Android OS is repackaged first by the phone manufacturer and then by the phone carrier (e.g. Verizon, AT&T, etc.) before it reaches you. Both are often slow to pass along Google's Android security and version updates; thus, you are at the mercy of your manufacturer and carrier and may live for months with known, major vulnerabilities. This is not acceptable! If you own an Android smartphone, use a manufacturer that supplies regular updates (like Samsung) and a carrier that passes them along promptly (most major tier-one U.S. carriers do). Check the date of the "Android security patch level" on your phone (usually under Settings > About phone); it should be within the last couple of months. Otherwise, buy a Samsung and switch carriers!
(i) The exception to Android update problems is Google's own Nexus and Pixel smartphones; since Google makes both the phones and the Android OS, they receive updates directly from Google (typically monthly) without waiting for your carrier, and thus tend to be the most secure versions of Android.
(ii) You must at least be running Android version 6 (Marshmallow) with the latest security patches. If your smartphone does not support this version or is no longer getting security updates, then get a new phone!
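If you are comfortable with a command line, the two checks above (Android version and age of the security patch level) can be read directly from the phone instead of clicking through Settings. The script below is an added example, not part of the original handout: it uses the Android Debug Bridge (adb, from Google's platform tools; USB debugging must be enabled on the phone) to read two real system properties, ro.build.version.release and ro.build.version.security_patch, and flags the phone if it is below Android 6 or its patch level is older than 60 days. The 60-day limit is our reading of "within the last couple of months"; adjust it to taste.

```python
"""Check an Android phone's OS version and security patch level over adb.

Added example, not part of the original handout. It reads two real Android
system properties with `adb shell getprop`:
  ro.build.version.release        e.g. "8.1.0"
  ro.build.version.security_patch e.g. "2018-10-05"
Running it against a phone needs the Android platform tools (adb) on your
computer and USB debugging enabled on the phone. The thresholds are our
reading of the handout's advice: Android 6 or later, and a security patch
level no older than MAX_PATCH_AGE_DAYS (60 days for "a couple of months").
"""
import datetime as dt
import subprocess

MIN_RELEASE = 6          # Android 6 (Marshmallow), per the handout
MAX_PATCH_AGE_DAYS = 60  # "within the last couple of months" (assumption)


def major_version(release: str) -> int:
    """'8.1.0' -> 8; Android releases are dotted-decimal strings."""
    return int(release.strip().split(".")[0])


def patch_age_days(patch_level: str, today: str) -> int:
    """Days between a YYYY-MM-DD patch level and today (also YYYY-MM-DD)."""
    patch_date = dt.date.fromisoformat(patch_level.strip())
    return (dt.date.fromisoformat(today) - patch_date).days


def assess(release: str, patch_level: str, today: str) -> list:
    """Return a list of problems; an empty list means the phone passes both checks."""
    problems = []
    if major_version(release) < MIN_RELEASE:
        problems.append(
            f"Android {release} is older than Android {MIN_RELEASE}: replace the phone")
    if not patch_level.strip():
        # The property did not exist before Android 6, so an empty value is
        # itself a sign of an obsolete build.
        problems.append("phone reports no security patch level (pre-Android 6 build)")
    else:
        age = patch_age_days(patch_level, today)
        if age > MAX_PATCH_AGE_DAYS:
            problems.append(
                f"security patch level {patch_level} is {age} days old: "
                "updates have stopped or your carrier is lagging")
    return problems


def getprop(name: str) -> str:
    """Read one system property from the attached phone via adb."""
    result = subprocess.run(["adb", "shell", "getprop", name],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    release = getprop("ro.build.version.release")
    patch = getprop("ro.build.version.security_patch")
    problems = assess(release, patch, dt.date.today().isoformat())
    print(f"Android {release}, security patch level {patch}")
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("OK: version and patch level meet the handout's minimums")
```

Run it with the phone plugged in and authorized for USB debugging. A phone that reports, say, Android 8.1.0 with patch level 2018-10-05 on 2018-11-01 passes; a phone on Android 5.1 with an empty patch level fails both checks.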
(2) Set a strong/complicated PIN or Password to lock your phone.
(A) The PIN should be at least 6 digits long. If you are really concerned about privacy (or traveling in a hostile environment), then use a longer alphanumeric passcode (letters, numbers, and symbols) instead of a PIN.
(B) If you use a simple passcode (e.g. 1111, 4567, 1234, your birth year, etc.), then it is trivial for anyone to get into your phone; common PINs are the first thing a thief tries. Don't do this!
(3) Set your smartphone to erase all data after 10 wrong PIN attempts. (On the iPhone this is the "Erase Data" switch in the passcode settings; on Android the option and the number of attempts depend on the manufacturer, so look in your phone's lock screen/security settings.)
(A) This keeps someone who finds or steals your phone from guessing the PIN by brute force. (The iPhone also enforces increasingly long delays after each failed attempt, but the erase setting is what stops a determined guesser.)
(B) Make sure to have a backup of your personal data!
(C) Although if you have small children, you may not want to set this security feature. :-)
(4) Set your smartphone screen to lock when it is idle for a certain amount of time.
(A) Based on your risk situation, you may choose 30 seconds or between 1 and 5 minutes.
(5) Use separate passwords for important apps (email, banking, Facebook, etc.)
(A) I suggest you use a password wallet program that remembers and encrypts your passwords. Consider using Dashlane, LastPass, or 1Password.
(B) Newer versions of iOS [11 or later] offer to store passwords securely in the Keychain. This is secure, and thus fine to use if it works for you, but it is not as full-featured as these other recommended password programs.
(6) Back up your data (contacts, docs, photos, etc.). You can back up to your computer or to an online account.
(A) For more help with backups, please see the Smartphone section of the “Simple Backup Strategy for Home Computers” document found on the ComputerSecurityNorthwest.com website.
(B) If you allow items from your phone to back up to the Cloud (like Apple's iCloud, Google Drive, etc.), then make sure to have VERY strong security for your Cloud/online account: a long, unique password and two-factor authentication turned on. Anyone who gets into that account gets a copy of everything on your phone.
(7) Don’t click on unsolicited links or attachments sent to you via email or SMS/text message. (And be wary of links and attachments sent to you by “friends”.) Stop! Think! Act Prudently.
(A) Clicking on and trusting a malicious link (or opening a booby-trapped attachment sent to you via email or otherwise) is the easiest way to get malware (a "virus") onto your smartphone, or to be tricked into typing a password into a look-alike login page.
(8) Be smart on open WiFi networks.
(A) Traffic sent over open (unencrypted) WiFi can be captured and read by anyone nearby, and a rogue hotspot with a familiar-sounding name ("Free Airport WiFi") can sit between you and the Internet. Encrypted connections (the "https" padlock) protect the contents of what you send, but not every app or site uses them correctly, and an attacker can still see which sites you visit. Whenever doing important things on public WiFi, such as banking, you should activate your Virtual Private Network (VPN) software to encrypt all of your traffic to a trusted endpoint.
(B) For more information on VPNs, please see the appropriate section of the “Essential Security Measures for Home Computers” document found on the ComputerSecurityNorthwest.com website.
(9) Run a Mobile Threat Defense (MTD) program (the smartphone equivalent of antivirus on a computer).
(A) MTD programs defend against malicious apps and network attacks (such as the rogue WiFi hotspots described in item 8).
(B) Two of the most highly rated and respected in the corporate arena have free versions for individuals: Lookout and Symantec Endpoint Protection (SEP) Mobile (formerly Skycure).
(10) Install a Security App to help find your lost phone and remotely wipe data if necessary
(A) For the iPhone, you can use the built-in "Find My iPhone".
(B) Android has Google's built-in equivalent, "Find My Device" (make sure it is turned on under Settings > Security, and that Location is enabled); third-party apps such as Lookout add similar features.
(C) See this site for other iPhone anti-theft software: www.ctia.org/consumer-tips/how-to-deter-smartphone-thefts-and-protect-your-data/ios-anti-theft-apps
(D) See this site for Android anti-theft and antivirus software:
(11) Encrypt your filesystem.
(A) This is done automatically on the iPhone. Most Android phones that shipped with Android 6 or later are also encrypted out of the box, but older phones (or phones upgraded from an older version) may require you to turn it on; check under Settings > Security that your phone reports it is encrypted, and see the online documentation for your particular device for help. Note that encryption only protects your data while the phone is locked with a good PIN (item 2).
(12) Only download apps from the official app stores (Apple App Store or Google Play Store).
(A) Please note that some apps (especially free ones) may contain malware or may harvest your personal information, even after going through the stores' vetting processes. Be wary of brand-new apps with few users and reviews that have not been vetted over time. (This is more likely to happen with Android apps than iPhone apps.)
(B) Android allows you to install apps from other locations ("sideloading"); leave the "Unknown sources"/"Install unknown apps" setting turned off. iPhone will not allow you to do this unless you jailbreak your device; don't!
(13) Manage your Location Settings. Consider which apps you want to follow you, especially when you are not using the app!
(A) Read the permissions an app asks for when you install it (and, on the iPhone and on Android 6 or later, when it first tries to use them)! Be aware, and don't give away more information about yourself than you mean to. A flashlight or game app has no need for your contacts or your location.
(B) Location access can be limited per app: on the iPhone choose "While Using the App" (or "Never") rather than "Always" for each app under Settings > Privacy > Location Services; on Android deny the Location permission to apps that don't need it and grant it only while you are actually using them.
(14) Don't jailbreak your iPhone or root your Android.
(A) If you don’t know what this means, then you are good! :-)
(B) Don’t jailbreak/root your device so you can get apps not available in the App/Play store.
(i) Although at one time you (as a techie nerd :-) might have rooted your Android device to add security features, there is no longer any reason I know of to do so; rooting disables Android's built-in protections and makes the device far easier for malware to take over.
(15) Consider disabling access to "Siri" or "Google Assistant" (etc.) when your smartphone is locked.
(A) Every convenience you allow from the lock screen without entering your PIN (the voice assistant, notification previews, etc.) makes it easier for someone who picks up your phone to learn about you and your associates. Consider your risk situation versus the convenience you require.
(16) Wipe the data off an old phone before you recycle or sell it.
(A) Delete all data and reset the phone to factory default settings before getting rid of it. On the iPhone, first sign out of iCloud (Settings > [your name] > Sign Out) so that Find My iPhone/Activation Lock is released for the next owner, then use Settings > General > Reset > Erase All Content and Settings; because the iPhone's storage is always encrypted, erasing the key makes the old data unrecoverable. On Android, make sure encryption is turned on (item 11) and remove your Google account before the factory reset, both so the data cannot be recovered and so Factory Reset Protection does not lock the buyer out.