Six mobile device security tips

Note: this blog post is quite old

Your smartphone contains a lot of your private data. But do you know how and where your data is stored? Who has access to it? How do you protect your data from third parties that are trying to collect it?

Smartphone operating systems do not give you much control over your data by default, but with minimal effort you can gain control over your data and your mobile device's behaviour. Following the six tips below makes it a lot harder for data-hoarding advertising networks to get to your private data and helps protect you against dragnet surveillance.

TIP 1: Prepare for loss or theft

One of the most likely ways to lose data is to lose your mobile device. Whether by theft or by accidentally leaving it on the table of a terrace after lunch, you lose your valuable data and a third party may get access to it.

✔ Always have a recent backup

✔ Set a password of at least 8 digits (longer is preferable)

✔ Set up your device to destroy data after too many password attempts (don't if you have small children ;))

✔ Encrypt your data, so snoopers can't access it

✔ Write down your serial numbers for an insurance claim

TIP 2: Software updates and preventing malware

This topic is also very basic but essential: keep your device's software up to date! Outdated software is often vulnerable to a variety of attacks.

✔ Install updates regularly

✔ Only download apps from the official app stores; apps from those stores are better checked for malware

✔ Don't click on links in e-mail or texts, or open attachments from senders you don't know

✔ Only open attachments you are expecting

TIP 3: Public Wi-Fi

Rule number one with public Wi-Fi: do not use public Wi-Fi. The network might be spoofed, your data might end up in the hands of an attacker, or they might redirect you to a fake website to steal your user names and passwords.

But if you have no choice but to use public Wi-Fi:

✔ Use a VPN to connect to a trusted network

✔ A device like NetAidKit can help make VPN easy to use

✔ Make sure websites you visit use HTTPS before submitting any personal data

✔ Install a firewall to block incoming connections

TIP 4: Cloud services

Be careful what you upload to "the cloud". Some devices upload all your pictures to cloud services by default. If you want this, then at least set a strong password for your cloud service's account.

Remember this: whenever we say "cloud", what we actually mean is "somebody else's computer".

If you think your data should not be put on somebody else's computer, don't use cloud storage!

Note that a lot of data is not encrypted on cloud services and can potentially be accessed by hackers, employees of the service and authorities.

TIP 5: Location services

Limit the extent to which location services can be used on your mobile devices. Make a conscious choice between convenience and security: only allow trusted apps access to your location. On Android this means only installing apps that use your location if you are sure they can be trusted with it. On iOS, and on Android from version 6, you can deny apps access to your location.

Both platforms make a detailed log of your location by default. Sometimes these logs are even stored in the cloud. You can disable these logs in the settings of your mobile device.

TIP 6: Communication

Use only apps that provide "end-to-end" encryption, which means messages are encrypted on your device and can only be decrypted on the receiver's device and the other way around. A service is only "end-to-end" encrypted if the service provider is not able to see the communication's content.

The content is not the only data that can be leaked; there is also data about your data, which is called metadata. Metadata describes who calls or messages whom, for how long and how many times, at what time, from which location, etc. It is said that metadata tells the real story. You can send messages containing false information, but metadata does not lie. It can tell as much, if not more, about you and the person on the other end of the connection than the content does. Obscuring metadata is hard. None of the apps mentioned here will fix the metadata problem completely; please keep this in mind.

Use only renowned apps like Signal, Threema or Wickr. WhatsApp may be used to send private messages too, but note that WhatsApp leaks a lot of metadata to Facebook. Signal can also be used to make secure phone calls.

Some apps can be used with an anonymous ID or username instead of your phone number or e-mail address. This allows you to make an anonymous account. But remember, your service provider, the maker of the app and (by extension) the authorities can still see your metadata.

Final thoughts

If you suspect or know that you are under targeted surveillance, these simple steps won't protect you. You will probably be better off not using a mobile device at all. We advise you to seek help from a professional security trainer and do an extensive course.

Below you will find a list of interesting links to make it easier to find out more about some of the tips discussed on the front of this page, as well as some links to apps you can install that will improve your mobile security.

Mobile security resources

Security in-a-box
Bits of Freedom Toolbox (Dutch)
Privacy International - what is metadata?
What does Facebook have to do with Whatsapp?

Apps for your mobile device

Messaging
Services Smartphone locator services iPhone
Services Smartphone locator services Android

Cloud storage services

VPN