Smartphone Security 101: The Steps That Matter Most

Keep your device safe from snoops with basic precautions like setting the right PIN and vetting your app permissions.
Pro tip: In iOS 11, you can squeeze the side button and either volume button simultaneously to deactivate Touch ID and Face ID in a pinch. Aaron Fernandez

Hackers can threaten your smartphone in lots of ways, and if you want (or need) to lock it down completely, ironclad protection gets a little complicated. Fortunately, you can take some quick and easy steps to make big improvements to your mobile security. They don’t eliminate all risk, but they’re a solid baseline for any smartphone owner.

Set a Strong PIN

The first step in any mobile defense plan is to lock your smartphone so no one can get into it if it’s lost, stolen, or left alone for a few minutes. While it's convenient to leave your device unlocked, the security risks far outweigh the benefit. The easiest solution for most people, if your smartphone offers it, is to use a fingerprint or face scanner to lock your device; that way it only takes a touch or a glance to get back in.

Keep in mind that those sensors can be fooled, albeit with a lot of effort. And during an encounter with law enforcement, agents can compel you to open your phone if you rely on those biometric mechanisms. (Pro tip: In iOS 11, you can squeeze the side button and either volume button simultaneously to deactivate Touch ID and Face ID in a pinch.) If that's at all a concern for you, stick with a trusty passcode. Strings of six digits or more are nearly impossible for an attacker to brute force without getting locked out of the device. So use a six-digit code at minimum, or even better, a custom alphanumeric code (not your pet’s name). Unleash the full power of your keyboard! And don’t bother with unlock patterns; they’re generally not as secure as a six-character PIN.
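To put numbers behind the comparison of PINs, patterns, and alphanumeric codes, here is an added example (not part of the original article) that counts every valid pattern on Android's 3x3 grid and compares the odds of a correct guess before lockout. The 10-attempt budget and the assumption that secrets are chosen uniformly at random are illustrative, not figures from the article.

```python
# Added example: keyspace comparison for the unlock methods discussed above.
# Dots on the Android 3x3 pattern grid are numbered:
#   0 1 2
#   3 4 5
#   6 7 8

def midpoint(a, b):
    """Return the dot exactly halfway between dots a and b, or None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None

def count_patterns(min_len=4, max_len=9):
    """Count valid patterns: each dot used once, and a stroke may pass over
    a dot only if that dot is already part of the pattern."""
    def extend(last, visited, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = midpoint(last, nxt)
            if mid is not None and mid not in visited:
                continue  # would jump over an unused dot
            total += extend(nxt, visited | {nxt}, length + 1)
        return total
    return sum(extend(start, {start}, 1) for start in range(9))

def guess_odds(keyspace, attempts):
    """Chance that `attempts` distinct guesses hit a uniformly chosen secret."""
    return min(1.0, attempts / keyspace)

ATTEMPTS_BEFORE_LOCKOUT = 10  # assumption for illustration; varies by device

def keyspaces():
    return {
        "4-digit PIN": 10 ** 4,
        "unlock pattern": count_patterns(),
        "6-digit PIN": 10 ** 6,
        "6-char alphanumeric": 62 ** 6,
    }

if __name__ == "__main__":
    for name, size in keyspaces().items():
        odds = guess_odds(size, ATTEMPTS_BEFORE_LOCKOUT)
        print(f"{name:20} {size:>14,} combinations, {odds:.6%} per lockout window")
```

These figures are best cases for the defender: people pick predictable PINs and patterns, so the effective keyspace is smaller than the raw count.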

To manage your lock screen security settings in iOS, go to Settings > Touch ID & Passcode. (On an iPhone X, it'll be Face ID & Passcode.) On Android, the wording will vary a little depending on your device, but navigate to Settings, then Lock screen and security to set your PIN.

Stay Patched

You’ve probably heard this before, but you need to actually do it, so we’re going to say it again: Download software updates regularly. Update your apps, update your operating system, and even go for it with those seemingly random “update your carrier settings” notifications. Why not! Note: Depending on what handset you have, it can be tough to get Android updates in a timely manner. This is obviously not your fault, but make sure you check what’s available for your device, and consider buying smartphones that run stock Android (Google's Pixel line, specifically, will always have the latest and greatest) so you can always get Google releases right away.

Avoid Third-Party App Stores

This is an easy one—it just takes a little bit of awareness. If you’re an Android user, only download apps from the Google Play Store. Even this doesn’t completely eliminate your risk of accidentally downloading a malicious app, but it will reduce it significantly. Your iPhone, on the other hand, can't download apps from outside of Apple's App Store unless you jailbreak it—and if you jailbreak your phone, you hopefully already know the risks of downloading software from sketchy sources. While malware-ridden apps occasionally sneak by Apple’s stringent development rules, the App Store is generally a very safe place.

To further reduce your risk on both Google Play and the App Store, stick to mainstream apps with consistently high ratings and known developers. And always navigate directly to the operating system's official storefront too, instead of following links or search engine results that could lead you to imposter pages.

Mind Your Permissions

Android and iOS have added increasingly granular tools to make it easier for you to control exactly what each app on your devices can and can’t access. These permissions control data access for things like your contacts list, photos, and calendar, but they also control hardware access to components like your camera and microphone. By limiting the permissions an app has to only the things it really needs to function—or only the features you care about—you can limit an app’s ability to collect more data than you would want, and potentially use its access in ways you don’t foresee.

Some of those problems are theoretical; a security researcher recently demonstrated how Apple's camera permissions could be used to surreptitiously photograph you when you have an app open. Others are more concrete: Flash Keyboard, a popular Android app, sought far more permissions than it needed to operate and last year was caught tracking its users, serving up potentially malicious ads, and transmitting data back to China.

Every time you set up an app, your phone gives you an opportunity to customize its permissions, but it’s also a good idea to check back periodically and make sure everything is set how you want it. On Android, go to Settings > Apps, which will show you a list of what you've got installed. Select your app of choice, then tap Permissions. From there, you can exercise granular control over what the app can and can't access. On iOS, go to Settings > Privacy, where you can see permissions grouped by type to sniff out who's tracking your location at a glance. Or you can go app by app; just go to Settings and scroll until you hit the app you want to audit.

Taking stock matters because we sometimes grant apps permissions without realizing it, like saying yes to microphone access just because you accidentally hit a dictation button once in a messaging app. Better to turn things off by default, and turn them on again as you run into situations where you actually need them.