There are companies out there that will pay top dollar for working full chain smartphone vulnerabilities that will lead to a complete compromise (check out Zerodium as an example ). A full zero-click compromise for a patched android phone can net you a cool 2.5M$ (Wired).

Considering how we use smartphones and the information they contain (or can leak), these aren’t just simple electronic tools. Smartphones can be considered a bionic extension of your mind—anyone who can access your phone gains unprecedented access to your mind, life and psyche.

You may doubt the validity of the above statement, but think about it. Your smartphone knows where you are and where you have been. It knows who your friends and colleagues are. It knows whom you interact with. It has access to all your emails and other messaging. It has a camera that can be remotely triggered and a microphone to listen in on any of your private conversations (when was the last time you were more than 6 ft from your smartphone?).

Who is this article for?

The more secure you make something, the less usable it becomes. Security professionals have to tailor their security recommendations based on the risk profile of their customers.

For this article, I am assuming you are a “normal” general computing user that is not subject to elevated risks or custom attacks (aka you aren’t in the intelligence field, a journalist in a less favourable geography, a politician, etc.)

Why is this important? An average user will be targeted by unsophisticated actors (ex-partners, lovers, former angry friends, coworkers, or script kiddies) or medium sophisticated actors (scammers, general hackers, etc.)

An average user is not important enough to merit an attack by state-sponsored actors or organized crime. These advanced actors have more developed capabilities that would require a customized security program built by an experienced security professional.

What are we trying to accomplish?

Whether I am building a multimillion-dollar security program for a large cloud service provider or helping you secure your own smartphone, the goal is always the same.

Absolute security does not exist regardless of how careful you are or how much you spend.

The goal of a solid security program is to be "good enough" to tire your attacker and encourage them to move onto their next victim. Even with the most expensive door lock, a thief can use a battering ram to break down your front door, but they probably won't. You buy a lock that is sufficiently strong to resist breaking with kicks. A good security program is the same.

Let’s begin.

Encrypt your device

If you are running an iPhone with IOS 12 or later, it comes automatically encrypted out of the box. IF you are running an older version, check out these instructions. Most modern Android devices from reputable manufacturers come encrypted as well. If you are running a phone from a lesser-known manufacturer, a phone that comes from a market where encryption is illegal or it is older, check out these instructions to encrypt your phone.

Password or Pin

Since IOS 9, Apple has made a six-digit pin mandatory (although you can still force it back to a four-digit pin). Remember that once an attacker finds your pin code, they are in, and no additional tools are protecting you.

The goal is to make your adversary’s life as difficult as possible. A 4 digit pin means your attacker will have to try 10,000 possible combinations. It may seem significant to you, but remember, they have tools to automate this process. Simply moving to a six-digit mixed password means there are 1,000,000 possible combinations.

If you choose to implement a passphrase instead, you make it more difficult for you but you also make it more difficult for an attacker to crack.

Fun fact, approximately 25% of all smartphones can be cracked by using one of these pin codes:

• 1234

• 1111

• 0000

• 1212

• 7777

• 1004

• 2000

• 4444

• 2222

• 6969

• 9999

• 3333

• 5555

• 6666

• 1122

• 1313

• 8888

• 4321

• 2001

• 1010

Most phones also support a feature that wipes all the data from your phone after a certain number of wrong attempts have been made. This eliminates the threat of automated attacks.

Remotely wipe your phone

. If you feel someone else may be in possession of your phone, and it is connected to the internet, you may be able to remotely wipe the data.

On Android it is normally called Find My Device

On iPhone it is called Find My iPhone.

You can log into the manufacturer portal to find your device or wipe it if necessary.

Find my device links

• Android : https://support.google.com/accounts/answer/6160491?hl=en

• IOS : https://support.apple.com/explore/find-my

Two Factor Authentication

Remember that your phone is an extension to your online Google or Apple ID. It is very important that you protect these from unauthorized access. You should be using a long, complex, non-dictionary, passphrase to log in. You should also enable two-factor authentication to add another layer of protection to your account in case your password is compromised.

The easiest is to use Time based One Time Authentication codes.

On Apple devices, you will use your smartphone (or any other Apple device connected to your account. The Apple instructions are here.

Google users can use a software TOTP system with any one of the free TOPT clients available. The cleints I recommend are :

• Google authenticator

• Authy

• andOTP

or some password managers (e.g. 1Password) also offer this as a function. The most secure option is to use a hardware token (e.g. Yubikey) but this is slightly more demanding and I won’t be covering it here.

Update and uninstall

Most attacks are against old vulnerabilities that remain unpatched. If you have a phone from a manufacturer that does not regularly deliver (monthly) security updates or the updates for your phone have stopped then it is time to buy something else.

You must update your phone operating system and all the apps on it regularly. Doing this will reduce your attack surface (ake make an attackers life more difficult).

Remember that applications may have undiscovered or unpublished vulnerabilities. In addition to updating them using the Apple AppStore or Google Play, you should uninstall any applications you do not regularly use. Many of these apps are stying on your anyway but they could be the weak gateway an attacker gains access to your phone.

Where possible, use the web version of services. As an example, instead of using a Twitter app (on most of my devices), I use the PWA website at mobile.twitter.com. This gives me full functionality without needing an app (that can track me or compromise by device).

Only install apps from official apps stores (Apple AppStore or Google Play). Apps in these stores are cryptographically signed to prevent impersonation by attackers. If you are a little more adventurous (on Android), you can also check out the F-Droid alternative app store.

Reboot often

We have seen many attacks in the last 3 years that are not persistent. This means they go away after you reboot your device. This is why it is a good idea to regularly reboot your device. I typically try to reboot it every 8 hours or so (while I am awake).

Turn off your phone

A phone that is off can’t be attacked.

An unsophisticated attacker will not be able to compromise your phone’s baseband chip and turn on your phone.

It is a good idea to turn off your phone when you can (at night or when you will be away from it from a while). Plus turning it off while charging will often allow your phone to charge a bit faster.

Install a firewall

You may not know it but if you use a Windows or macOS device, there is a manufacturer-provided firewall on your device. Unfortunately, smartphones do not come bundled with them but they are extremely useful.

It seems every week we read about another couple hundred apps (on IOS and Android) that made it to the app store but that were malicious. A firewall will define what apps will be permitted to use WIFI and/or LTE.

The best firewall for Android is Netguard and the best one for IOS is called Lockdown.

These apps can work in 2 modes:

• blacklists mode, is where you choose what apps should not be allowed to communicate

• whitelist mode, is where no apps can communicate unless you specifically allow them to

Obviously whitelist mode is the most secure but may require a little bit of tweaking when an app just doesn’t work right.

Due to recent societal changes, expect the authors of these apps to change the above terms shortly. Blacklist will be changed to blocklist and whitelist will be changed to allow list.

Disable WIFI and Bluetooth

Anytime you are out of a trusted location (home or work), turn off WIFI and Bluetooth. Also make sure that any feature that would automatically turn them back on is disabled (e.g. Automatically connect to public networks).

Attackers can set up a malicious network and easily trick your device into connecting to it. This is trivial but not part of this discussion so I won’t explain how to do it here.

Many public venues (e.g. malls use your phones Bluetooth beaconing to track you as you walk around. This works without any intervention from you. When you don’t need Bluetooth, turn it off.

Remember that public WIFI is evil. Any WIFI that you don’t control can be used to steal your information. If you have to connect to untrusted WIFI, use a VPN. Please use a good VPN and know that good VPNs are never free or extremely cheap. You get what you pay for.

Many will recommend TOR but it is slow and most users would find the experience painful. So I stopped recommending TOR for most users.

Browsers

Browsers are dangerous. Dangerous. Dangerous. They run code delivered to your device from another computer which means it could be a wonderful way for someone to compromise your device remotely.

If you don’t believe me, read this article China hacked iPhones and Android devices to target Uyghur Muslims.

For iPhone users, I recommend sticking with the built-in Safari. Apple has done a relatively good job with it and it should be secure enough.

On Android, my browser of choice is Bromite . Bromite has native support for the uBlockOrigin adblock engine( the best in my opinion). It supports DNS over HTTPS, to encrypt your DNS queries. It is always in incognito mode and it offers many more wonderful security-friendly features. Remember to turn on HTTPS everywhere in it and disable Javascript.

Is IOS more secure than Android?

To close out this article, I will quickly touch on the question I receive the most often.

For this discussion, we have to separate privacy and security. This article was written to improve your security not your privacy. They do not usually go hand in hand.

For a general user looking for a no worry relatively secure platform then IOS is probably the way to go.

For a general user that doesn’t mind a little work and that wants good security, Android is the way to go. IT offers more customization options to make your device more secure.

For a more security-conscious geek, then I recommend going to GrapheneOS. GrapheneOS will require some work (you have to install it) and will make you uncomfortable (does not come with any Google services or the Google Play store) but it is the most secure consumer option right now.