How to Make Your Smartphone as Secure as Possible

Mobile phones support voice and text communication, and today, most devices can do much more. Smartphones have become an essential part of daily life due to their portability, multifunctionality, and relatively low cost. These same qualities make them valuable for human rights defenders, who often use smartphones to exchange important data and store sensitive information—tasks that were once reserved for secure computers.

This guide focuses primarily on smartphones—Android and iOS devices with mobile communication features, voice and text capabilities, and often internet access. The list of smartphone features is constantly growing: cameras, digital storage, motion sensors, GPS, Wi-Fi, and easy access to a wide range of apps. Much of this guide also applies to other mobile devices, such as feature phones (basic mobile phones) and tablets, which are often just larger, more powerful smartphones, though they may lack mobile communication features.

What You’ll Learn from This Guide

  • How to manage the risks of increasingly portable important data
  • Why mobile voice and text communication are especially vulnerable to surveillance
  • Steps to improve smartphone security when transmitting and storing data, taking photos, browsing websites, and more
  • How to increase your chances of staying anonymous (if needed)

General Information About Mobile Phones

Smartphones are among the most powerful technologies available to most people. Packed with sensors, almost always within reach, and usually connected to a network, they face most of the security threats we associate with computers—plus additional risks due to portability, multifunctionality, insecure network architecture, location tracking, image capture, and more.

Operating Systems

Most smartphones run on one of two operating systems: Google Android or Apple iOS. Android devices are sold by many companies, and their software is often modified by manufacturers and service providers, who may require or encourage users to stay on their networks. iOS runs only on Apple devices and makes it difficult to run apps not approved by Apple.

One of the main factors affecting Android smartphone security is regular operating system updates. Some cheaper models don’t receive updates, leaving serious security flaws unpatched and making you vulnerable to malware and attacks.

Branded and Locked Smartphones

Smartphones are often sold locked, meaning they work only with a specific carrier’s SIM card. Carriers may modify the operating system and install extra apps on locked phones, sometimes disabling certain features. This can result in apps you can’t remove or restrict, including those with access to your contacts and stored information.

For better security, buy an unlocked smartphone not tied to any carrier. Unfortunately, these are usually more expensive.

Basic Security Settings

Smartphones have many settings that let you manage device security. It’s important to know these settings. You can read more about Android settings and apps in the guide: Android Security Basics.

Installing, Checking, and Updating Apps

The simplest (and usually safest) way to install apps is through Google Play for Android or the App Store for iOS. Log in to your account on the device to download and install apps.

Android apps are available from many online sources, but our default advice is: don’t install apps from random places. Some contain malware. Only install apps from sources you trust, but remember that even trusted people can unknowingly spread malware. Apps in Google Play and the App Store are reviewed by Google and Apple, providing some protection against malicious apps.

Advanced Android users, or those who can’t or don’t want to use Google Play, can use F-Droid, an alternative app repository featuring only FOSS (Free and Open Source Software) apps. Install the F-Droid app from a trusted source, then use it to install other apps. You can also install apps directly from .apk files if you enable the “install unknown apps” feature. This is risky, so only do it if you have no other option and get the .apk file from someone you trust.
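The paragraphs above and below ask you to look at what an app actually requests before trusting it. The following script is an added example, not code from Security in a Box or from any of the apps named here: it parses the `requested permissions:` section of the text that `adb shell dumpsys package <package>` prints for an installed app (the sample below is constructed in that shape, not captured from a real device), and flags runtime-prompted permissions that a given kind of app has no obvious reason to hold. The `DANGEROUS_PERMISSIONS` subset and the per-category expectations are this example's own assumptions; they are a starting point for a review, not a platform rule.

```python
import re
from typing import Dict, List

# Subset of the permissions Android prompts for at runtime ("dangerous"
# protection level). Illustrative, not the full platform list.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}

# What each kind of app can plausibly justify. These are the reviewer's own
# assumptions (hypothetical), adjust them to the app you are examining.
EXPECTED_BY_CATEGORY: Dict[str, set] = {
    "news": {"android.permission.INTERNET"},
    "messenger": {
        "android.permission.INTERNET",
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
    },
}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.news] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
"""


def parse_requested_permissions(dumpsys_text: str) -> List[str]:
    """Return the permission names listed under 'requested permissions:'."""
    perms: List[str] = []
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            # The section ends at the next header line ("install permissions:" etc.).
            if stripped.endswith(":") and not stripped.startswith("android.permission"):
                break
            if stripped:
                perms.append(stripped)
    return perms


def parse_grants(dumpsys_text: str) -> Dict[str, bool]:
    """Map permission name -> granted flag from the install/runtime sections."""
    grants: Dict[str, bool] = {}
    for m in re.finditer(r"^\s+([\w.]+): granted=(true|false)", dumpsys_text, re.M):
        grants[m.group(1)] = m.group(2) == "true"
    return grants


def review_permissions(dumpsys_text: str, category: str) -> List[str]:
    """List dangerous permissions the app requests that its category does not justify."""
    requested = parse_requested_permissions(dumpsys_text)
    grants = parse_grants(dumpsys_text)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    findings = []
    for perm in requested:
        if perm in DANGEROUS_PERMISSIONS and perm not in expected:
            state = "granted" if grants.get(perm) else "not granted"
            findings.append(f"{perm} ({state})")
    return findings


if __name__ == "__main__":
    for finding in review_permissions(SAMPLE_DUMPSYS, "news"):
        print("unexpected:", finding)
```

For the constructed news app the review reports `READ_CONTACTS` as granted and `ACCESS_FINE_LOCATION` as requested but not yet granted; the first is the kind of red flag the text describes, and the second is worth denying when the prompt appears. Pipe real `dumpsys package` output into `review_permissions` to run the same check on your own device.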

Even “official” apps can misbehave. On Android, each app requests permissions for certain actions. Pay attention to what permissions apps request. If something seems illogical, investigate and consider denying the permission or uninstalling the app. For example, if a news app asks to send your contacts to a third party, that’s a red flag. (Some developers collect contact lists for marketing or resale.)

Update your apps regularly and remove those you don’t use. Developers can sell their apps to others, who may add malicious code to updates.

Mobility and Data Vulnerability

Mobile phones we carry everywhere often contain important information: call history, browser history, text and voice messages, contacts, calendars, photos, and more. If your device is lost or stolen, this data can cause a chain of problems. Know where important information is stored on your phone, including online accounts and cloud data the phone can reach automatically through saved logins. This data can put at risk not only you but also anyone in your contacts, messages, or photo albums.

Once you’ve considered the risks and learned about your device’s security and privacy features, it’s time to take protective measures.

Storing Information on Your Smartphone

Modern smartphones have plenty of storage. Anyone with physical access to your device may be able to extract this information, depending on the device.

Encrypting Your Device and Data

Modern iOS devices have strong encryption enabled by default (as long as you set a strong password). Android also supports device encryption, which you can usually enable. Back up your data before encrypting your device in case something goes wrong during the process.

Android also lets you encrypt data on memory cards (like microSD), if you use them.

When you turn on an encrypted phone and enter your password, you can read and modify data on the device. Anyone with physical access to your unlocked phone can access your data. For extra security—such as when crossing a border or going through airport security—turn off your device completely.

Of course, there are pros and cons. For example, if you might need to make an urgent call, it may be better to leave your phone on and just lock the screen.

If you can’t fully encrypt your device (or need extra security for specific files), try installing a data encryption app. Some apps encrypt their own data, while OpenKeychain lets you encrypt other files. Used with K-9 Mail, you can send and receive encrypted emails (there’s no direct iOS equivalent). These apps can help protect valuable information, but you should still consider full device encryption.

Minimize the amount of valuable data stored on your device, especially if it’s not encrypted. Some phones let you avoid storing call and SMS history. Make it a habit to delete important data from call and message logs.

Secure Password Storage

You can store passwords in a single encrypted file using the FOSS app KeePassDroid. This app uses one strong master password to protect all your other passwords, which can be long and unique for each account. KeePassDroid has a built-in password generator for creating new accounts.

If you use KeePassXC or KeePassX on your computer (as described in the password guide), you can copy your database (.kdbx file) to your mobile device. For iOS, there’s a similar app called MiniKeePass.
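The two paragraphs above recommend long, unique passwords produced by a generator and protected by one strong master password. The script below is an added illustration of what such a generator does and of what "strong" means in numbers; it is not KeePassDroid's or KeePassXC's code. It draws from the 94 printable ASCII characters using the `secrets` module (the right source of randomness for this purpose), and reports the entropy of a password of a given length so you can pick a length that meets a target such as 128 bits. The 128-bit target and the four-character-class requirement are this example's own choices.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET containing all four character classes.

    Rejecting the rare draws that miss a class keeps typical site rules satisfied
    while removing only a negligible fraction of the key space.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    n = length_for_bits(128, len(ALPHABET))   # 20 characters for 128 bits
    print(f"{n} chars -> {entropy_bits(n, len(ALPHABET)):.1f} bits:", generate_password(n))
```

A 20-character password over this alphabet carries about 131 bits of entropy, which is why a manager-generated password can be far shorter than a memorable passphrase of the same strength; the master password is the one you must memorise, so spend the length there.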

Physical Security Tips for Your Phone

The first step to protecting information on your phone is to limit access to the device. Keep it with you and turned on, except in high-risk situations. This applies to SIM cards and memory cards as well. If you’re worried about malware or advanced surveillance, it may be safer not to leave your device unattended—remove the battery and keep the phone with you.

So, enable encryption and keep your phone with you. What else can you do for physical security and to minimize damage if your device is lost or stolen?

Key Steps

  • Always use a strong screen lock code and don’t share it. If you have a basic phone with a default code, change it.
  • Don’t store important information, including phone numbers, on the SIM card, as it can’t be encrypted.
  • Regularly back up important phone data to your computer or external storage. Keep backups in a safe place, as discussed in the file protection guide. With a backup, it’s easier to remember what was on your phone and, if needed, restore factory settings.
  • Phone numbers are often linked to important accounts. An attacker may want your phone to access these accounts or impersonate you. Some carriers let you protect your account with a PIN or password to prevent unauthorized changes or number theft. Use this feature if available.
  • Worried about malware? Consider using a small sticker to temporarily cover your phone’s camera.

Loss and Theft

Mobile devices have a 15-digit International Mobile Equipment Identity (IMEI) code, which identifies the device on the network. Changing the SIM card doesn’t change the IMEI. The code is often printed under the removable battery. Most phones display the IMEI in settings or by dialing *#06#. Write down your IMEI—it can help prove ownership if your phone is stolen.
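When you write down your IMEI it helps to know that its last digit is a Luhn check digit over the first 14, so a copying mistake can be caught before you ever need the number. The functions below are an added example, not part of the original guide: they validate a 15-digit IMEI (with or without the dashes some phones display), compute the check digit for a 14-digit prefix, and split the number into its Type Allocation Code (first 8 digits), serial number and check digit. The sample IMEI is a constructed, publicly used test value, not a real device's. A 16-digit IMEISV, which replaces the check digit with a software-version field, is deliberately rejected rather than validated.

```python
from typing import Dict


def luhn_checksum(digits: str) -> int:
    """Luhn sum modulo 10 over a digit string; 0 means the check digit is consistent."""
    total = 0
    # Walk from the right; double every second digit starting with the one
    # immediately left of the check-digit position, subtracting 9 if that exceeds 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def _digits_only(text: str) -> str:
    """Strip dashes, spaces and other separators some phones show around the IMEI."""
    return "".join(ch for ch in text if ch.isdigit())


def imei_is_valid(imei: str) -> bool:
    """True for a 15-digit IMEI whose Luhn check digit is consistent."""
    digits = _digits_only(imei)
    if len(digits) != 15:          # also rejects 16-digit IMEISV on purpose
        return False
    return luhn_checksum(digits) == 0


def imei_check_digit(first14: str) -> str:
    """Compute the 15th (check) digit for a 14-digit TAC + serial prefix."""
    digits = _digits_only(first14)
    if len(digits) != 14:
        raise ValueError("expected 14 digits")
    # With a placeholder 0 in the check position, the Luhn remainder tells
    # how much the check digit must contribute to reach a multiple of 10.
    remainder = luhn_checksum(digits + "0")
    return str((10 - remainder) % 10)


def imei_parts(imei: str) -> Dict[str, str]:
    """Split a valid IMEI into TAC (8 digits), serial (6 digits) and check digit."""
    digits = _digits_only(imei)
    if not imei_is_valid(digits):
        raise ValueError("not a valid 15-digit IMEI")
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


if __name__ == "__main__":
    sample = "49-015420-323751-8"   # constructed test value, not a real device
    print(sample, "valid:", imei_is_valid(sample), imei_parts(sample))
```

Use it to double-check the number you copied from `*#06#` or from under the battery: a single mistyped digit (or two swapped adjacent digits, in almost all cases) makes the check fail.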

Consider the pros and cons of registering your phone with your carrier. Reporting a lost phone usually lets the carrier disable it, but registration further links your identity to your phone.

Most Android phones and iPhones have a built-in “find my phone” feature to track or disable the device if stolen. There are also third-party apps for this purpose. These tools involve trade-offs, but if you trust the service provider, you can try this option.

Transferring Your Device to Someone Else

If you’re discarding, giving away, or selling your phone, make sure it contains no information stored on the SIM card or memory card—even if the device hasn’t been used in a while or doesn’t work. Physically destroy the SIM card to dispose of it. Remove the memory card and either destroy it or store it securely. The best way to protect data is to ensure the phone is encrypted, then reset it to factory settings.

Only use stores and repair shops you trust. This reduces the risk to your data when buying used devices or getting repairs. If you think someone might have the resources, access, or motivation to target you by installing malware before you buy a phone, try choosing a random authorized dealer.

If you send your phone for repair, remove the SIM card and memory card.

Mobile Infrastructure, Surveillance, and Eavesdropping

Mobile phones and cellular networks are even less secure than most people think. To send and receive voice and text messages, your phone is always connected to the nearest cell tower. This means your carrier knows—and records—your phone’s location whenever it’s on.

Intercepting Calls and Texts

Mobile networks are usually owned by private companies. Sometimes the entire network infrastructure belongs to the carrier; sometimes, carriers resell service from another company. SMS text messages are not encrypted. Voice calls are either unencrypted or weakly encrypted. Both types of communication are unprotected within the network, so your carrier and the cell tower owner have unlimited access to your calls, texts, and location data. Governments often have access too, even if they don’t own the infrastructure.

In many countries, laws require carriers to record and store customers’ SMS messages. Most carriers do this anyway for business, reporting, and conflict resolution. Some countries have similar rules for voice calls.

Additionally, the operating system on your phone may be designed or modified for a specific carrier, potentially including hidden features that make monitoring even more invasive. This applies to both basic phones and smartphones.

Third parties can sometimes intercept voice and text communications. For example, an attacker can use a cheap device called an IMSI catcher. If placed within range, your phone may mistake it for a real cell tower. (IMSI catchers are sometimes called “Stingrays”—a term used for law enforcement versions.) In some cases, attackers have accessed mobile networks from across the globe by exploiting vulnerabilities in the Signalling System Number 7 (SS7) protocol, which handles international voice and SMS exchanges.

Even if you connect to the internet via Wi-Fi instead of cellular, smartphone operating systems encourage users to share personal data on social networks and cloud storage, and to use global navigation (GPS) and similar features. Many Android and iOS users enjoy this, increasing the chances of personal data leaking online.

Protecting Your Most Important Messages

To protect your most sensitive communications, ask yourself:

  • Who, when, and how often do you communicate with?
  • Who else might be interested in the fact that you’re communicating with this person?
  • How sure are you that your contact is who they claim to be?
  • What is the content of your calls and messages?
  • Who else might be interested in this content?
  • Where are you and your contact located when communicating?

If your answers raise security concerns, consider minimizing these risks. You may need to help your contact learn new technology or software. In some cases, it may be best to avoid using a mobile phone for communication.

Anonymity

Protecting the content of calls and messages can be challenging. Staying anonymous while using a mobile phone is even harder. It’s rarely possible to hide the fact that you’re communicating with a specific person when making a call or sending an SMS. You can use a secure messenger over mobile data or Wi-Fi, but there’s no guarantee of success. Usually, the best you can do is choose which third party will have access to your information and hope they don’t cooperate with those you want to protect your communication from.

To increase anonymity, some people use disposable phones and short-term accounts. This can work in some situations, but it’s not easy to do correctly. The simplest option is for both parties to buy prepaid phones, use them for a very short time, then destroy them. However, you can’t encrypt data this way, and effectiveness depends on many conditions, such as:

  • Both parties buy phones and SIM cards with cash
  • No one tracks them via their real phones during purchase
  • SIM cards are activated without ID
  • Batteries are removed when phones aren’t in use
  • They exchange numbers without drawing attention
  • Phones are used in places they don’t usually visit
  • Phones aren’t brought to places they frequent
  • Voice recognition technology does not turn out to be more capable than you expect

If all these conditions are met, you can try to hide the connection between two parties by making encrypted calls. But doing this effectively requires even more caution, since smartphones and secure messaging apps often require account registration. There’s little point in using an “untraceable” phone to access services already linked to your identity. You can create anonymous email and “disposable” accounts on other services, but this takes time and discipline. Both parties need to understand IP addresses, browser fingerprints, how to use Tor Browser or Tails, and more. You’ll need to spend extra time and money on randomly chosen internet cafes without using real phones.

Eavesdropping

A phone can be set up to store or transmit data from its microphone, camera, or GPS receiver without the owner’s knowledge (applies to both basic phones and smartphones). Most such attacks involve malware, but carriers may also be involved in surveillance of devices on their networks. Some phones can even be remotely activated to spy on their owners while appearing to be off.

If you don’t trust someone, don’t let them access your phone. (This is a common way malware gets onto devices.)

Using your phone in public or in places you suspect are under surveillance makes you vulnerable to traditional eavesdropping and increases the risk of theft.

Encourage those you communicate with about important matters to use the same apps and techniques as you.

Having a private, in-person meeting? Turn off your phone and remove the battery. To avoid revealing the meeting location, do this before you travel. If you can’t remove the battery, leave the phone in a safe place.

Going Online with Your Mobile Phone

Our guides on online communication privacy and how to stay anonymous and bypass internet censorship explain that sending and receiving data online can leave traces revealing who we are, where we are, and what we’re doing. Still, some Android and iOS apps that use the internet for communication are much safer than mobile calls and SMS.

Smartphones let you choose how to go online, usually via Wi-Fi or your carrier’s mobile network. Wi-Fi can reduce the traces available to your carrier, but the same data becomes available to the Wi-Fi hotspot owner and internet provider. In some countries, different rules apply to mobile carriers and internet providers, leading to different “levels of surveillance” by companies and government agencies.

If you connect your smartphone to the internet, use encryption and anonymity tools to protect your data.

Secure Messengers

As mentioned above, calls and SMS are not secure. Voice over IP (VoIP) lets you move away from traditional phone calls, and text messages can also be sent online. There are many modern communication apps that let you securely exchange voice and text messages. What can you use besides Telegram?

Signal is a free, open-source messenger that encrypts one-on-one and group text chats (all participants must use Signal). Two people can also make encrypted voice calls. Signal is easy to install and use, works with your existing contacts, and is available for Android, iOS, and desktop (Windows, Mac, Linux, if Signal is installed on your phone).

Signal uses your mobile phone number as your user ID. Unfortunately, this means you can’t use Signal without a working mobile number, even if you prefer Wi-Fi. Also, to contact someone via Signal, you must give them your phone number. If this is a problem, consider other reputable messengers like Wire (for Android and iOS).

Questions to help you choose a mobile messenger:

  • What do digital security experts say about it?
  • Is it free? Open source?
  • Does it support end-to-end encryption for two users?
  • Does it support end-to-end encryption for group text chats?
  • Does it support end-to-end encryption for group voice chats?
  • Does end-to-end encryption protect shared files?
  • Can you set messages to self-destruct after reading?
  • Does it work with slow internet connections?
  • Who developed the app, and are they trustworthy?
  • Who owns the server, and what is their policy on storing calls and messages?
  • Can you use one account on multiple devices?
  • Are all major operating systems supported?
  • Can you register with an email and username instead of a phone number (to separate your account from your real identity)?
  • Can you use the messenger without giving it access to your contacts?
  • Can you use it on a mobile device that isn’t a phone?
  • Can you (or someone you trust) run your own server and communicate through it?

Sending and Receiving Email on Your Smartphone

If you plan to read important email on your mobile device, make sure encryption is enabled, as described in the Android security basics. (Recent iPhones have encryption enabled by default; just choose a strong password.) This won’t protect your email all the way to the recipient, but it will prevent someone from reading it if your device is lost or stolen. You may also find the communication privacy guide useful.

This guide also covers GPG email encryption on Windows, Mac, and Linux computers. You can send and receive encrypted email on Android devices, though it’s not always easy. (There’s currently no free GPG encryption for iOS.)

Most security experts advise not storing your private encryption key anywhere except your main computer (and definitely not carrying it with you). However, you’ll need this key to read encrypted messages on your mobile device. Android devices are now safer than before, and your private key is protected by a strong password. So, if you really need to send and receive such important data on Android and don’t want to switch to a secure messenger, you can install GPG.

To do this:

  • Install and set up GPG and a key management app, such as OpenKeychain.
  • Copy your private key to the device.
  • Install and set up an email app that works with OpenKeychain, such as K-9 Mail.

More Than Calls and Messages

Mobile phones are multifunctional devices—small computers with their own operating systems and downloadable apps. They offer a wide range of services. Much of what you do on a computer can now be done on a smartphone, and there are many things you can do on a smartphone that you can’t do on a computer.

Browsing Websites

Basic mobile phones can’t connect to the internet, but these are rare today. If you use a browser on your Android device to visit restricted sites, consider using a Virtual Private Network (VPN) or the Orbot app (the Android version of Tor Browser).

VPN on Android Devices

A VPN creates an encrypted tunnel from your device to a VPN server somewhere on the internet, protecting outgoing and incoming traffic. This is especially important if your traffic passes through an insecure local or national network. However, since all your traffic goes through the VPN provider, they can see everything hidden from your local network or ISP. Choose a VPN service you trust, and always use HTTPS when transmitting sensitive data.

In some countries, VPNs are illegal or restricted. Check the laws in the country where you plan to use a VPN. Remember, VPNs don’t hide the fact that you’re using a VPN.

To use a VPN, install a client app and create an account with a VPN provider. The Riseup team offers a free, open-source VPN client for Android called Bitmask and supports the free VPN service Riseup Black. (If you already have a Riseup Red account and know how to manually configure a VPN, you can use the OpenVPN for Android app from the Play Store or F-Droid with your Riseup Red username and password. OpenVPN for Android is free and open source.)

For more information, see the full article at securityinabox.org.
