How to keep your smartphone safe from spying
This post discusses four personas, the technical threats to them and their information via their smartphone, and some theory on how to defend against an increasingly capable and focused threat actors.
If you find yourself matching one of these personas, following the recommendations below may serve you well if you feel that is proportionate to your individual threat profile.
If you provide IT or cybersecurity services to other people who may fit these personas, double check that what you offer and how you offer it is proportionate to the threats you’re helping to protect them from. Hopefully you have all of our recommendations covered!
This is definitely not an exhaustive guide and is developed based on article(s) linked and our combined years working in technology and cyber security.
- Greg, your average internet user using a modern smartphone for online banking, internet browsing and social media
- Jane, an IT consultant, worried about keeping their client/organisational information safe
- Emma, a management consultant who travels regularly for work. Emma’s company works with governments and large financial institutions
- Roberto, an investigative journalist working on a big negative story about a nation state and it’s top leadership
The capability of threat actors and the probability of targeting varies enormously from indiscriminate sms/email phishing through to individual targeting using commercial spyware such as NSO Group’s Pegasus, ‘zero day’ exploits and physical tampering of the device. The level of effort and complexity rapidly increases, as do the inconveniences of trying to deter, defend and limit the impact of such attacks.
This post is co-written with Michael Brunton-Spall. Michael is the author of CyberWeekly (a weekly roundup of interesting tech / cyber security content presented with a small amount of editorial comment).
Your average Greg
Greg might not think about cybersecurity at all, but if he does, he likes the idea of privacy, and no one being able to read their messages, and also want to do his part to keep his friends/family safe. Greg has a paranoia level of 3/10.
Greg is highly unlikely to change his mobile number and/or smartphone itself may only change every few years, and maybe not to the latest model at the time, and may choose a manufacturer who invests less in security or perhaps is less “trustworthy”.
In general, Greg is at risk from bulk attacks that are non targeted. In terms of adversarial attacks, the attackers likely don’t care about Greg themself, and if there is any difficulty, they will move on to another target.
The most likely attacks will come from attackers who use stolen or leaked credentials from one site against another, and fraud based phishing attacks. Fraudsters using the internet and criminals affecting the way the internet works are the most likely to run across Greg’s details as part of their campaigns.
In general, Greg should:
- use a unique password for each account — ideally a password manager (a free one built into browsers would be best for Greg) or a physical written password book
- enable multi-factor authentication (MFA) on their important accounts where possible — at least email accounts, but also their main social media accounts, where they can, also in apps like WhatsApp
- complete updates for their smartphone and all the apps on it quickly — Apple and Android devices generally have updates on by default
- use biometrics (facial or fingerprint) to unlock their smartphone, if their smartphone has that
- only download and install apps from the official app stores — never jailbreak/root the device, and turn on Play Protect if using Android
- turn on cloud backups of their photos and data — Apple’s iCloud and Google Drive should do this free or cheaply
- turn on features like Apple Find My as available from the provider — these systems allow Greg to lock or remote wipe the device if lost/stolen
Outside of Greg’s threat model
Greg should not overly worry about the following attacks, because they are outside of their threat model, and would be very unlikely to affect him.
- malicious Wi-Fi while out and about — Greg could invest in a cheap Virtual Private Network (VPN) to protect his smartphone, but are more likely to select a malicious VPN provider than he is to run into malicious Wi-Fi
- technical compromise of his phone through physical modification, physical tampering, or remote compromise from spyware like Pegasus
- optical surveillance of his PIN, passcodes or passwords
- audio surveillance of him giving his password to someone else over the phone — although a reasonable example could be Netflix, but for 99.99% of the time, passwords should never be shared!
- physical loss of their device — a thief who steals Greg’s phone will likely wipe it or factory reset it to sell the device
An independent IT consultant
This is Jane, an independent IT professional consulting across a range of clients some of whom have a lot of intellectual property Jane has access to. Jane has a paranoia level of 5/10.
Jane, like Greg, is likely annoyed by sms/email phishing and scam phone calls. Jane is far more tolerant of taking additional technology steps for a more private or ‘secure’ setup. Jane does think about cybersecurity, and is not only worried about herself and her friends/family, but also her professional reputation and their client data .
Jane may have sensitive client information, including unpublished strategies or product research and development that would be reputational damaging to the client if revealed, disrupt the client’s commercial endeavours or potentially affect their share price if publicly listed.
Jane doesn’t travel abroad for work except for occasional conferences and holidays.
In general, Jane like Greg will fall into bulk attacks that are non targeted. In terms of adversarial attacks, the attackers likely won’t care about Jane as an individual, and would-be attackers largely depend on their ability to figure out what client information or systems Jane has access to. The thought process for the attacker may be to identify the target, then Jane as a consultant to that target, such as how FIN4 operate.
Any targeted attacks won’t warrant millions in real cash/time invested on the part of the attacker. The most likely attacks will come from attackers who use stolen or leaked credentials from one site against another, fraud based phishing attacks and spearphishing.
Jane should do all the things Greg should do, but with more vigor and completeness (spend a bit more time making sure all their accounts has MFA enabled, etc)
Advice for Jane is layered and cumulative on top of our advice for Greg.
In general, Jane should (in addition to our advice for Greg):
- configure her browsers to limit the use of plain-text protocols such as HTTP — using something like HTTPS Everywhere
- prefer hardware MFA, such as FIDO tokens, where available, and TOTP MFA or passwordless logins through an application on her smartphone, rather than SMS MFA
- use an encrypted DNS protocol (DNS-over-HTTPS, or DNS-over-TLS) and malware filtering DNS service such as NextDNS (affiliate link) on her smartphone — and enable more daring DNS features such as blocking Newly Registered Domains (NRDs)
- use commodity large-scale solutions for their IT systems that have global threat systems built-in — such as Microsoft 365 with the Defender suite of products or Google Workspace with advanced email/attachment protection turned on. These systems defend millions of emails and devices on a daily basis, and will stop a large amount of malware and spearphishing
- ideally leave her work devices at home when travelling — if she needs to work on the go, take a smartphone/tablet only, not a laptop
- think about ‘blast radius’ and use different virtual or physical devices (as their budgets permit) for personal use versus work — Jane as a consultant may not be the target, but the organisation she is working with might be, segmenting activity stops ‘blasts’ in both directions
- consider using iVerify for Individuals if using an Apple device — iVerify has a comprehensive checklist across a number of categories, its a good guided checklist in addition to some on-device indicator of compromise checks
- periodically review unused accounts and apps — close the accounts and uninstall the apps
Blocking Newly Registered Domains (NRDs)
Malware campaigns often do use ‘aged’ domains, so NRD rules won’t apply. However in my (Joel’s) experience, every URL sent to me via sms-based phishing matches the NRD rule in NextDNS and keeps me and my smartphone safe — using such DNS services like this are never going to be workable for the average Greg, it’s why we should make URLs less important.
Unused accounts and apps
Closing unused accounts may lead to some data retention with the account provider but in general this should require the provider to delete information. Removing unused apps is a big deal, it keeps the ‘surface area’ as thin as possible (less to attack and go wrong) and mitigates any future malicious updates due to poor development practices or perhaps even sale of who controls the app.
Outside of Jane’s threat model
Jane should not overly worry about the following attacks, because they are outside of their threat model, and would be very unlikely to affect her.
- technical compromise of her smartphone through physical modification, physical tampering, or remote compromise from spyware like Pegasus
- optical surveillance of her PIN, passcodes or passwords
- audio surveillance of her giving a password to someone else over the phone
- physical loss of her device — a thief who steals her phone will likely wipe it or factory reset it to sell the device. Jane should enable the remote wipe or lock using systems such as Apple Find My as soon as possible and revoke any existing authentication sessions (such as email).
The travelling management consultant
This is Emma, a management consultant who frequently travels for work. Emma’s company has a range of clients including governments, charities and large financial institutions. Emma has a paranoia level of 8/10.
Emma, like Greg and Jane, is likely annoyed by sms/email phishing and scam phone calls.
Emma is not a technologist so is not as appreciative of more rigid cyber security, but she understands what is required of them by their employer, and ultimately clients.
Emma does think about cybersecurity, and is not only worried about herself and her friends/family, but also her professional reputation and her client’s data — for example, information unpublished information including market moving sensitive financial information or work in progress government policy.
In general, attackers will likely target Emma if they can determine who Emma’s clients are and have an indication or suspicion that she has access to the client information they are looking for. They will use spearphishing and other types of targeted attacks.
Any governments wanting to gain access to Emma’s organisational or client information may utilise lawful access mechanisms when Emma’s smartphones are within their national boundaries or lawful reach. This is particularly true if the government is not shy about using intelligence means to steal intellectual property or financial data. In these cases, these countries using on-street pick pocketing or access to hotel rooms when unattended are also on the table.
Emma should do all the things that Greg and Jane should do, but with even more vigor and completeness (spend a bit more time making sure all their accounts have MFA enabled, etc). Emma’s employer should provide a friendly IT and security team to make these tasks easier and more streamlined — this may include a robust swap out process for devices that have been abroad. Emma’s employer should make sure that their IT systems require MFA, as opposed to leaving it up to Emma to figure out what to do.
Emma has to travel frequently for work so not taking her work laptop and smartphone with her is not possible. Emma’s employer is primarily responsible for ensuring that these devices are able to defend themselves, and train Emma on how to use IT systems safely (while enabling her to do her job efficiently, but also safely) and detect obvious types of attacks — such as the tamper seal on her laptop has been broken or changed.
Advice for Emma is layered and cumulative on top of our advice for Greg and Jane.
When travelling abroad to high risk countries, in general, Emma should (in addition to our advice for Greg and Jane):
- follow the guidance and advice from her employer
- follow Being safe on hostile Wi-Fi/mobile networks on her personal smartphone while travelling — and also on her work equipment, if for some reason their employer isn’t providing adequate work equipment
- protect backups of her smartphone like the smartphone themselves — or turn off smartphone backups entirely
- frequently check for device management ‘profiles’ on her smartphones
- turn smartphones entirely off and on again (aka reboot) once a day — in modern smartphones this triggers the secure boot process
The guidance when travelling should cover the following areas:
- temporary (burner) devices and accounts — that includes new email, iCloud, Dropbox etc but ponder signing into existing social media from the burner (communicate these before you start using them using an existed trusted way, so use your formal email to tell colleagues about a temporary account including when it should stop being used and information not to send to it, etc)
- use an encrypted filtering DNS service
- use a VPN — a high-quality trustworthy logging VPN service — in addition to a filtering/logging DNS service will provide defences on local Wi-Fi in coffee shops (etc) and also provide a bunch of technical logging information to be used if there is any future suspicion or indication of compromise
- use a new temporary SIM card and mobile number
- use mobile data, not Wi-Fi
- use your own chargers, and data-blocking USB cables
- avoid biometrics [for apps containing sensitive data], use a complex passcode
- turn off the smartphone entirely when travelling through borders or security checkpoints
- reject any SIM updates received
- use a screen cover that obscures visibility based on screen angle — this will help offset some optical surveillance risks
- don’t leave the smartphone unattended in untrusted spaces (hotel rooms etc) — if you need to do so, use tamper-evident bags so you know whether it has been physically viewed or manipulated in some way
- prefer a cloud-based workstation such as Microsoft Windows 365 Cloud PC or AWS WorkSpaces — these systems can be connected to remotely, but keep the computer actually accessing data/information in the cloud, making it harder to compromise locally as the local device is acting as a relatively trivial conduit
- Emma’s employer should consider using iVerify on their IT managed smartphones
The VPN will protect the communications on the phone from being intercepted by malicious Wi-Fi or local telecom providers. The downside to a VPN is that you are simply transferring trust from the underlying network provider to the VPN provider, so you need to be able to pick a good one (which is quite hard to do) — this is why most people probably don’t need to use a VPN.
The VPN service should log all IPs, ports, HTTPS SNI headers, request types and request sizes (request content may be a little moot, as the VPN should only be seeing encrypted traffic such as encrypted DNS or HTTPS). This information is very useful if needed later to identify/confirm any visits to malware command and control systems (and so on) without leaving Emma exposed by decrypting their activity.
Choosing a good VPN provider is very hard given the slew of nonsense providers out there. Even when you do find a good VPN provider (TunnelBear has independent assessments) they are generally ‘no log’. In this scenario, Emma’s employer should be providing a good VPN service, if not, Emma may have to make do with a ‘no log’ service such as TunnelBear paired with NextDNS (affiliate link).
Avoiding biometrics is a major convenience issue (time, errors typing into keyboard etc) but mitigates any attacks to fake the fingerprint or face ID.
Complex passcodes increase the amount of optical surveillance required to capture the passcode which may put off a would-be attacker. If this is too difficult for Emma, then the half-way is using biometrics for regular device unlocks day to day, but complex passcodes for sensitive apps — such as unlocking the password manager vault.
Device management ‘profiles’
While it is non-trivial to install a profile from outside of the corporate mobile device management system without user intervention/permission, it is possible for this to happen as humans click through things. An unexpected profile will be hard to detect particularly amongst a number of expected profiles from Emma’s employer.
Profiles are quite easy to detect on non-corporately managed (i.e. personal) devices, because generally speaking, none should be installed.
Profiles are powerful, they can redirect network traffic, override security/privacy settings and install encryption certificates to allow for decryption.
Why do we recommend protecting backups? Well, it’s hard to physically get hold of your phone to get data out, and if you carry out these protections, then the next easiest thing for an attacker to do is grab all of the data on your phone from your backups.
Given that many of us live in a world where our email, documents, and photos are all synced with the cloud anyway, backing up the phone itself may not be adding much, but is further exposing your data to another attack vector. We think that turning off backups for the phone can lower your risk without drastically affecting your usability. If you don’t wish to turn off backups, ensure that you know where they are backed up, make sure that MFA is enabled for your backups, and that they are encrypted when stored.
Virtual cloud desktop systems are quite awkward to use from smartphones but workable from large-screen tablets or laptops. The cloud-based desktop is what is used to access data and systems. The local device then has very little actual data stored on it, and acts as a ‘thin’ system to access the cloud desktop.
This is Roberto. An investigative journalist working on an international story over a number of months, with key sources and important evidence. Roberto has a paranoia level of 10/10.
Roberto, like Greg, Jane and Emma, is likely annoyed by sms/email phishing and scam phone calls. However, Roberto fears that these are targeted particularly at him.
Roberto will take significant additional technology steps for a more private or ‘secure’ setup — and may be supported by his journalistic organisation or network to do so.
Roberto does think about cybersecurity, and is not only worried about himself and his friends/family, but also his professional reputation, his journalistic information and his sources — the need to keep his developing story a close guarded secret while it is unpublished and his sources may be compromised (including loss of life or detention) if revealed.
Roberto could be sent malware targeting him by a ‘tip’ contact or even someone he knows professionally as that person has malicious intent or their own smartphone/account has been compromised. Roberto should think long and hard about what the ‘blast radiuses’ could be — a malicious message could expose the entire smartphone, including all other contacts (like their sources).
Roberto’s organisation should be taking efforts to protect Roberto and his smartphones, but journalists can sometimes freelance, and some organisations may only have a couple of journalists in this threat model, so he needs to take some additional personal responsibility for the security of his smartphone.
In general, in terms of adversarial attacks, attackers could target Roberto using a variety of complex and expensive techniques including surveillance (optical and audio), technical attacks (modifying the smartphone, swapping it with an identical one), as well as cyber attacks, such as deploying Pegasus.
Governments would use their intelligence capabilities primarily within their national borders — ‘borderless’ cyber attacks are also on the table.
Roberto is not just facing commodity threats, but commercial and state spyware using unpatched/unknown vulnerabilities (Apple/Android etc have not yet fixed them, aka ‘zero days’). Depending on stories being covered, he could also face attacks by private investigators on behalf of companies, organisations and individuals impacted by his stories.
Roberto should do all the things Greg, Jane and Emma should do, but with complete vigor and completeness (spend a time making sure all their accounts has MFA enabled, etc) — the security controls have to be in place and stay in place.
Advice for Roberto is layered and cumulative on top of our advice for Greg, Jane and Emma.
At home or abroad, in general, Roberto should (in addition to our advice for Greg, Jane and Emma):
- carefully split out his personal life from his work life — he should have a personal phone and personal accounts that he keeps obscured from work, and be discreet about handing them out to only their closest friends and family
- use multiple accounts, numbers and smartphones for full work — he should potentially have a single phone associated with his core journalistic identity, and use separate accounts and personas on a per project basis
- change his personal mobile number if he feels they have a sudden uptick in sms/email phishing or odd phone calls — Roberto’s personal number is likely not so personal
- treat his public email/number (for tips, etc) as burner — the device should be treated as if it could be compromised at any time, and while it may be hard to keep changing the smartphone and phone number, this may be possible between major stories
- the being safe on hostile Wi-Fi/mobile networks post says to disable automatic updates for apps and the smartphone itself
- follow instructions (and use security services) provided by his journalistic organisation and networks
Tips and Organisational work
Roberto’s organisation should ensure that tips, especially from sensitive sources are sent to organisationally managed accounts. Roberto’s journalistic organisation/employer should consider setting up tools such as SecureDrop, which are actively designed for journalistic use, and they need to consider how they get information to and from the SecureDrop computer.
Documents, such as PDFs can contain malware, or metadata that enables the sources to be identified, so in a perfect world documents should be retyped by hand, rather than transferred digitally onto the journalist’s computer. However there are tools that take images of PDFs into a new PDF file, this gives you good assurance all metadata is lost and the processing system should be able handle and remove any PDF-based malware. These types of defensive systems should be provided and managed by Roberto’s organisation.
Applying software updates
Roberto should only apply updates for apps and the smartphone itself when at work, or on otherwise secure and managed Wi-Fi and Internet. He should always disable automatic software updates while travelling.
Disabling automatic updates is workable for high-risk travel on a short term basis but on a long term basis automatic updates should generally be left enabled (and applied quickly) — even with the risk of state-level influence of software update systems.
We know that attackers like to use update mechanisms to get their malware installed on devices. They may well poison the local internet caches, they might takeover the network itself, and in some cases they have even signed updates to software. Installing software almost always prompts the user for administrative privileges, and it’s impossible for the user to know whether or not this is legitimate. An example of this sort of attack is carried out by DarkHotel APT on visiting and travelling executives.
Person of global intelligence interest
There is a persona we are choosing not to write about. This person would have a paranoid level of 25/10. We will say that most of you who think that you fall in this category… probably do not fall into this category.
We’re just going to leave this link here https://edwardsnowden.substack.com/p/ns-oh-god-how-is-this-legal
Thanks to Dan for his review.