Here's a quick list of some simple things you can do to ensure that your mobile devices are running with at least some security. All of these steps are free and raise the bar on both unauthorized use of your device and the integrity of the applications you're running on them. The goal is not to make your device impenetrable, but to raise the bar.
Security Tips for Android Devices
- Turn on disk encryption (not explicitly tied to PIN/screen lock).
- Use biometrics (fingerprint scan) for everyday unlocking, combined with a longer passcode (instead of a 4-character PIN).
- Disable developer access (off by default).
- Disable third-party app store access (off by default, but very common).
- Evaluate and uninstall apps with excessive permissions using Android Permission Apps or other tools.
- Install Android platform updates when they become available.
- Compare your Android version to recent releases. Is your phone getting updates? If not, it's time for a new phone. (This is hard, because most users will find that Android phones are poorly supported and require more frequent replacements, which end up being more costly than iOS devices over time).
- Do your research before you buy a new phone. Nexus has the best record for security update delivery and support, followed by Samsung, and then by LG. Everyone else is the pits for security updates.
- Turn on "Android Device Manager" for remote location services for lost devices or a third-party "Find my Android" tool if your Android device doesn't support this feature.
- Periodically erase your network settings to forget about old, insecure WiFi networks you don't use anymore.
- When plugging in USB, don't say yes to "Trust this PC" when prompted, unless it is a personally owned system.
- Set a strong Google password; better still, enable two-factor authentication.
- Complain to your cell phone carrier about unwanted applications on your device and the loss of control. There's no challenge currently, so the carriers do what they want.
Security Tips for iOS Devices
- Make sure you update iOS when new updates come out.
- Periodically erase your network settings to forget about old, insecure WiFi networks you don't use anymore.
- Make sure "Find my iPhone" is turned on for locating or wiping lost devices.
- Use TouchID with a longer passcode in lieu of a 4-digit PIN.
- When plugging in USB, don't say yes to "Trust this Computer" when prompted, unless it is personally owned.
- Turn off iCloud backup unless you are comfortable with your pictures being stored in the cloud.
- Use iTunes to make a backup with a password to both encrypt and to capture all your settings.
- Set a strong Apple iTunes password.
- Review the Settings | Privacy settings and revoke permissions from apps that unnecessarily use permissions.
Security Tips for Both iOS and Android Devices
- Disable wireless and leave it off unless you're actively using it.
- Install a VPN for when you need to use Wi-Fi, and always use the VPN when connecting to Wi-Fi.
- Only use known Wi-Fi connections; beware of free public Wi-Fi.
- Don't leave your device unattended; treat it like your wallet.
- Use caution when lending your device to others; they can quickly make unauthorized changes.
- Disable premium rate messages via your cell carrier!
- Uninstall unused apps.
- Factory reset phones before returning them for service.
Adapted from SANS Institute, Lee Neely & Joshua Wright (https://pen-testing.sans.org/blog/2016/03/10/mobile-device-security-checklist)