Expert Mobile Device Security Best Practices in Just 6 Steps

Mobile device users love the convenience of their phones and tablets. However, while we take full advantage of apps, portability, and fast communication, we forget that these same features sacrifice security.

As threats to our mobile devices increase in scope and complexity, we must take steps to protect our mobile data and information. Our phones carry access to a mass of sensitive personal data, yet this highly portable device continues to be overlooked in terms of effective mobile security hardening.

Although we can’t predict or prevent a data breach that affects the companies we do business with, we can do things to mitigate our risks online and better protect ourselves and our personal information.

Netcetera recommends the following steps to support Mobile Security Hardening.  If you can only implement some of these changes, you will still improve your security posture. However, when you increase security, you typically lose functionality and convenience, so it is essential to find a balance that works for you.

Email Breach Inspection

• Do not open unknown email attachments or links. Even legitimate senders can pass on malicious content accidentally or as a result of being compromised or impersonated by a malicious actor. Tip: Touch and hold the link to see the true destination before clicking it.
• Pop-Ups: Unexpected pop-ups are usually malicious. If one appears, forcibly close all applications (i.e., iPhone®: double tap the Home button or Android® click “recent apps” soft key).

App and Device Access Cleanup

• Review accounts and remove any devices which no longer need access.
• Beware of applications. Install a minimum number of applications and only ones from official application stores. Be cautious of the personal data entered into applications and close all applications when not in use.
• Check Google app/device access: https://myaccount.google.com/security and remove anything that is no longer required.
• To remove unused applications on your iPhone: Go into > Settings > Select Name > Scroll down to view devices, remove anything that is no longer required.

Online Account Review and Lockdown

• Review online accounts you frequently use such as Banking, Social Media, shopping, etc., remove any you no longer use.
• Review your lockdown privacy settings, visibility, and tracking at regular intervals
• Change passwords at regular intervals and enable MFA.

Mobile Device Security Measures

• Disable Bluetooth® when not in use. An open Bluetooth® connection can allow hackers to gain unauthorized access to your device. Airplane mode does not automatically disable Bluetooth®.
• If you suspect your Apple device has been compromised, check your iCloud setting to confirm all the application data you want to keep has synch turned on.  Then do a factory reset.  After the reset, do not restore from the Cloud. Instead, choose “Don’t Transfer Apps and Data.” Everything that previously had synch turned on will resynch to your iPhone.
• Avoid public Wi-Fi. Disable Wi-Fi when not needed and delete all unused Wi-Fi networks.
• Passwords should be strong lock-screen pins/passwords or passphrases. A 6-digit pin is sufficient if the device wipes itself after ten incorrect password attempts. Set the device to lock automatically after 5 minutes.
• Go random with your pin. Not your birthdate, phone number, etc.
• Do not use the same password for multiple accounts and devices. Using different passwords limits your exposure if you do get compromised.  Use a password manager to keep track of all your passwords.
• Use a Multifactor Authentication (MFA) application like Google Authenticator, Authy, Duo, etc.  Do not use SMS for MFA.  If you fall victim to a SIM swap attack, the attacker will access your SMS authentication rendering your MFA useless.
• Avoid connecting to unknown removable media such as USB drives, CDs, floppy disks, etc.
• Protect your SIM by putting a PIN code on it. Then, if your phone is stolen, attackers will not be able to use it. Or, put the SIM in another unlocked phone to request an SMS code for resetting your passwords.
• Get a USB data blocker if you plan on charging at public stations in the airport, coffee shops, etc. The data blocker allows the phone to be charged but blocks the data lanes in the connection to prevent the installation of malware or theft of your data. Alternatively, you can enable USB restricted mode in the passcode setting. As long as the phone is locked while charging, you will be protected.
• Be wary of using Auto Join Networks because it could connect you to a rogue access point with an SSID similar to one you know. This situation could potentially allow a “man in the middle” attack, where a hacker captures your data as you communicate through their access point.

Training and Awareness

• Never leave your mobile device unattended in a public place.
• Update software. Update the device software and applications as soon as possible.
• Use biometrics (e.g., fingerprint or face) authentication for convenience and to protect your data, or better yet, use a secure PIN / or passphrase (see above section 4.)
• Text messages. Do not have sensitive text conversations on personal devices, even if you think the content is generic.
• Power off your device weekly. Restarting (hard reboot) your phone will clear bad data and free memory from a misbehaving app.
• Do not modify your device with “jailbreak” or “root.” Doing so removes security layers and makes your phone less stable, may cause system crashes, and could disable your phone completely.
• Enable Secure Voice. Do not have private conversations in the vicinity of mobile devices that are not configured to handle a “secure voice” to avoid eavesdropping.  Turn off voice assistants (e.g., Siri, Amazon Echo, etc.)
• Use trusted accessories. Only use original charging cords or charging accessories purchased from a trusted manufacturer. Do not use public USB charging stations. Never connect personal devices to government computers, whether via a physical connection, Wi-Fi or Bluetooth®.
• Disable location services when not needed; otherwise, malicious software can use this feature to track your location.
• Consider using a protective case that drowns the microphone to block room audio. And cover the camera when not in use.  A protective case can prevent malicious code from using your microphone or camera to listen in or do a video capture of what you are saying or doing.
• Wipe your phone clean before selling, giving away, or recycling it.
• Learn to spot warnings of Phishing or Smishing. If you receive a message that does not look right or is unexpected, confirm first with the source to make sure it is legitimate.
• If it doesn’t feel right, it probably isn’t. Trust your Spidey sense.

Mobile Device Protection Software

• Install mobile protection software such as iVerify (Trail of Bits) or Intercept X  (Sophos)

Contact Netcetera if you have questions about this guide or if you have an emergency, a question, need advice, or are thinking about making a technology change.

We’d love to hear from you!

Sources:  National Security Agency and Netcetera’s own knowledge and experience.