Essential Smartphone Security

(Download Essential Smartphone Security PDF for detailed instructions.)

- There is a wealth of very personal information on your smartphone! You need to protect it!

- Consider your own situation and assess the level of security you need. These recommendations are meant to provide basic security for the average person living in an environment with a (relatively) non-hostile government, such as in the U.S.A.

- To understand the reasoning behind and importance of these security steps, see the document "How an Adversary can Use a Smartphone for Surveillance".

- If you believe you may be a high-profile target or are extra concerned about your information being leaked, then (1) please see the "Hostile Environments" section at the end of the full Smartphone Security PDF document (see link above), and (2) you may want to seek further expert advice besides the basic recommendations offered here.

Everyone: Everyone must follow these basic smartphone security practices:

Software Security

(1) Regularly update the version of software (operating system) on your smartphone, including all regularly released Security Patches. (This is critical; just do it!)

(A) Vulnerabilities are constantly being discovered for every piece of electronic equipment, especially high value targets like smartphones. Updates to software versions patch these vulnerabilities and help secure your device.

(B) iPhones/iOS: When a new version of iOS is offered for your iPhone, update it. (Actually, you should probably wait a week or so to make sure there are no major issues associated with the new version. Do an online search to confirm any negative issues.)

(i) (As of this writing) You should be at iOS version 12 or 13 (with the current update). Anything older than this is considered insecure, as Apple is no longer providing regular updates or security patches for older versions.

(ii) If you have a device that is no longer supported or won’t install the latest iOS version, then it is time to upgrade!

(C) Android: The Android OS is produced and supported by Google, but most Android smartphones are repackaged by a phone manufacturer (e.g. Samsung, LG, etc.) and a cell carrier (e.g. Verizon, AT&T, etc.) before being sold to you. A major problem with this distribution model is that manufacturers and carriers control the update process and have been slow to send out security and version updates; you may be forced to live with major vulnerabilities due to unapplied patches. This is not acceptable!

(i) The one exception to the Android update problem is the Pixel smartphone; since Pixel phones are made by Google, the maker of the Android OS, they are updated more regularly, without waiting for your phone carrier, and thus tend to be more secure.

(ii) If you own a non-Pixel Android smartphone, you must use a phone manufacturer that supplies updates (like Samsung), and use a carrier that provides regular updates (e.g. most major-tier U.S. carriers have started to do this). Check the date of the last “Security Update” on your phone; it should be within the last couple of months. Otherwise, buy a newer Samsung and switch carriers!

(iii) (As of this writing) You must at least be running Android version 7.1.1 with the latest updates. If your smartphone does not support this version or is no longer getting security updates, then get a new smartphone!
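The two Android checks above (version at least 7.1.1, security patch date within the last couple of months) can be automated. The script below is an added example, not part of the original document; it assumes the two values are read from the device with `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch`, and it takes a 90-day cutoff as its reading of "a couple of months". The sample values at the bottom are constructed, not from a real device.

```python
"""Check an Android device's OS version and security patch level against
the minimums given in this checklist.  Added example; the two property
strings are normally obtained with
  adb shell getprop ro.build.version.release
  adb shell getprop ro.build.version.security_patch
and are passed in here as strings so the check runs offline."""
from datetime import date

MIN_ANDROID = (7, 1, 1)        # minimum version stated in the checklist
MAX_PATCH_AGE_DAYS = 90        # assumed cutoff for "within the last couple of months"


def parse_version(release: str) -> tuple:
    """'8.1.0' -> (8, 1, 0).  Short strings such as '10' are padded with zeros
    so that tuple comparison against MIN_ANDROID works."""
    parts = [int(p) for p in release.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def check_device(release: str, security_patch: str, today: date) -> list:
    """Return a list of findings; an empty list means the device passes both checks."""
    findings = []
    if parse_version(release) < MIN_ANDROID:
        minimum = ".".join(str(n) for n in MIN_ANDROID)
        findings.append(f"Android {release} is below the minimum version {minimum}")
    try:
        # getprop reports the patch level as an ISO date, e.g. 2019-11-05
        patch_date = date.fromisoformat(security_patch.strip())
    except ValueError:
        findings.append(f"security patch level '{security_patch}' is not a date")
        return findings
    age_days = (today - patch_date).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch level {patch_date} is {age_days} days old "
                        f"(limit {MAX_PATCH_AGE_DAYS})")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device
    samples = [("9", "2019-11-05"), ("6.0.1", "2017-03-01"), ("8.0.0", "unknown")]
    for release, patch in samples:
        result = check_device(release, patch, date(2019, 12, 15))
        print(f"Android {release}, patch {patch}: {result or 'OK'}")
```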

(2) Regularly update all apps installed on your smartphone.

(A) Vulnerabilities are constantly being discovered for apps installed on your device. Many updates include security patches as well as new features. You must get those security updates.

(3) Don't click on unsolicited links or attachments sent to you via email or SMS/text messages. (And be wary of links and attachments sent to you by “friends”.) Stop! Think! Act Prudently.

(A) Clicking on a legitimate-looking malicious link (or opening a booby-trapped attachment sent via email or otherwise) is the easiest way to get malware on your smartphone.

(4) Be careful on open/public WiFi networks.

(A) All Internet traffic sent on public WiFi can be captured and read, including all passwords. Whenever doing important things in public, such as entering a password for an online account, banking, etc., you should turn on your Virtual Private Network (VPN) software to encrypt all traffic.

(B) Pop-up messages can be generated by hijacked networking equipment. Never click a pop-up offering to update software or phone settings in a public location, as it may actually install malware.

Physical Security

(5) Set a strong/complicated PIN or Password to lock your phone.

(A) The PIN should be at least 6 digits. If you are really concerned about privacy (or traveling in a hostile environment), then use a more complicated password/PIN, including letters.

(B) If you use a simple passcode (e.g. 1111, 4567, etc.) then it is trivial for someone to hack into your phone. Don't do this!

(6) Set your smartphone screen to lock when it is idle for a certain amount of time.

(A) Based on your risk situation, you may choose 30 seconds or between 1 and 5 minutes.

(7) Set your smartphone to erase all data after 10 wrong PIN attempts.

(A) This keeps someone from hacking into your phone if it is lost or stolen.

(B) Make sure to have a backup of your personal data first!

(C) If you have small children, you may not want to set this security feature. :-)

(8) Encrypt your filesystem.

(A) This is done automatically on the iPhone; it must be initiated on most Android devices (although manufacturers of newer Android phones may be activating this feature by default). See online documentation for your particular device.

Miscellaneous Important Security Practices

(9) Use separate, strong passwords for important apps (email, banking, Facebook, etc.).

(A) Reusing passwords makes it simple for crooks to hack into many of your accounts. This happens all the time; don’t do it! Use strong, unique passwords for any account you want to remain private.

(B) I suggest you use a password manager program that remembers and encrypts your passwords. Consider using Dashlane, LastPass, or 1Password.

(i) Never let a web browser remember your passwords, as browser password stores are easy to hack into.

(ii) Newer versions of iOS [11 or later] offer to store passwords securely in the Keychain. This is secure, and thus fine to use if it works for you, but it is not as full-featured as these other recommended password programs.

(10) Only download apps from certified sources (Apple App Store or Google Play Store).

(A) Please note that some apps (especially free ones) may carry viruses that secretly steal your personal information. Be wary about downloading newer apps that have not been vetted over time. (This is more likely to happen with Android apps than iPhone apps.)

(B) Android allows you to install apps from other locations. Don’t!

(11) Don't jailbreak your iPhone or root your Android.

(A) If you don't know what this means, then you are good! :-)

(B) Don't jailbreak your device so you can get apps not available in the App store.

(C) Although at one time you (as a techie nerd :-) might have rooted your device to provide more security on your Android, you should no longer do so for any reason I am aware of.

(12) Wipe the data off an old phone before you recycle or sell it.

(A) You should delete all data and reset the phone to factory default settings before getting rid of it.

Optional but Important Security Practices

(13) Run a Mobile Threat Defense (MTD) program (like antivirus on a computer).

(A) MTD programs defend against malicious apps and network attacks.

(B) Some of the most highly rated and respected in the corporate arena may have free versions, such as: Lookout and Symantec Endpoint Protection (SEP) Mobile.

(14) Back up your data (contacts, docs, photos, etc.). You can back up to your computer or to an online/Cloud account.

(A) See the smartphone section of my "Simple Backup Strategy for Home Computers" document.

(B) If you allow items from your phone to be stored in the Cloud (like Apple’s iCloud, etc.), then make sure your Cloud/online account has a VERY strong password and security settings.

(15) Install a Security App to help find your lost phone and remotely wipe data if necessary.

(A) For the iPhone, you can use the built-in "Find My iPhone". Just activate it on your device.

(B) For Android, you need a third-party app to do this. (Consider the Lookout app.)

(C) See Resources in the full PDF document above for links to other anti-theft software.

For the Extra "Privacy Conscious" User: If you are especially sensitive about your privacy, please consider the following additional steps:

(16) Manage your Location Settings. Consider which apps you allow to track you, especially when you are not using the app!

(A) Read the permissions an app is asking for when you install it. Be aware and don't give away more information about yourself than you mean to.

(B) Some apps can be configured to only allow location services when you are using that app.

(17) Consider disabling access to "Siri" or "Google Assistant" (etc.) when your smartphone is locked.

(A) The more convenience features you allow access to without entering your PIN, the easier it is for someone to find out information about you and your associates if your phone falls into the wrong hands. Consider your risk situation versus the convenience you require.

(B) Also, consider, do you always want your smartphone (and thus Apple or Google) listening to everything you say?! (It has to do this in order to hear when you say, "Hey Siri"; think about it.)

Hostile Environments: If you live or operate in a hostile environment (e.g. where your government may oppress freedom of speech, etc.), or if you are especially concerned about security due to the nature of your business, then you should strongly consider the steps listed in the full "Smartphone Security" PDF (link above), besides getting professional consulting for personalized advice.

Spy Software – Be aware that commercially and custom-made spy software is available, especially for repressive governmental regimes. If someone installs this on your smartphone, it is "game over" as far as having any semblance of privacy. If someone gets physical control of your device and installs software like this, you won’t even know it is there. For instance, just read the features of this one as an eye-opening example: