How to keep your smartphone safe from spying

  • Greg, your average internet user, using a modern smartphone for online banking, internet browsing and social media
  • Jane, an IT consultant, worried about keeping her clients' and organisation's information safe
  • Emma, a management consultant who travels regularly for work. Emma's company works with governments and large financial institutions
  • Roberto, an investigative journalist working on a big negative story about a nation state and its top leadership
Smartphone cybersecurity (picture of smartphone with padlock)

Your average Greg

Greg might not think about cybersecurity at all, but if he does, he likes the idea of privacy and of no one being able to read his messages, and he also wants to do his part to keep his friends and family safe. Greg has a paranoia level of 3/10.

Greg should:

  • use a unique password for each account — ideally with a password manager (the free one built into his browser or phone is fine for Greg) or, failing that, a physical written password book kept at home
  • enable multi-factor authentication (MFA) on his important accounts where possible — at least his email accounts, but also his main social media accounts and apps like WhatsApp (two-step verification) where they offer it
  • install updates for his smartphone and all the apps on it promptly — Apple and Android devices generally have automatic updates turned on by default, so he only needs to check that they have not been switched off
  • use biometrics (facial or fingerprint) to unlock his smartphone, if it supports them, backed by a PIN or passcode that is not trivially guessable
  • only download and install apps from the official app stores — never jailbreak/root the device, and make sure Play Protect is turned on if using Android
  • turn on cloud backups of his photos and data — Apple's iCloud and Google Drive do this free or cheaply, so a lost or broken phone does not mean lost data
  • turn on the lost-device features his provider offers, such as Apple Find My or Google Find My Device — these let Greg locate, lock or remotely wipe the device if it is lost or stolen
Greg does not need to lose sleep over:

  • malicious Wi-Fi while out and about — Greg could pay for a cheap Virtual Private Network (VPN), but he is more likely to pick a malicious or data-harvesting VPN provider than to run into malicious Wi-Fi, and the apps he cares about already encrypt their traffic with TLS
  • technical compromise of his phone through physical modification, physical tampering, or remote compromise by spyware like Pegasus — such expensive, targeted attacks are not aimed at average users
  • optical surveillance (shoulder surfing) of his PIN, passcodes or passwords
  • audio surveillance of him reading a password to someone else over the phone — sharing a Netflix password with family is a plausible exception, but 99.99% of the time passwords should never be shared at all
  • physical loss of his device — a thief who steals Greg's phone will most likely wipe it or factory reset it to sell the device rather than go after his data

An independent IT consultant

This is Jane, an independent IT professional consulting across a range of clients, some of whom hold a lot of intellectual property that Jane has access to. Jane has a paranoia level of 5/10.

Jane should:

  • configure her browsers to refuse plain-text protocols such as HTTP — the HTTPS Everywhere extension used to do this, but it has been retired and the equivalent is now built into the browsers themselves (HTTPS-Only Mode in Firefox, "Always use secure connections" in Chrome)
  • prefer hardware MFA, such as FIDO security keys, where available, and otherwise TOTP MFA or passwordless logins through an authenticator app on her smartphone, rather than SMS MFA, which is exposed to SIM swapping
  • use an encrypted DNS protocol (DNS-over-HTTPS or DNS-over-TLS) and a malware-filtering DNS service such as NextDNS on her smartphone — and enable the more aggressive filtering features, such as blocking Newly Registered Domains (NRDs), which catches a lot of fresh phishing infrastructure at the cost of the occasional false positive
  • use commodity large-scale services for her IT systems that have global threat intelligence built in — such as Microsoft 365 with the Defender suite of products, or Google Workspace with advanced email/attachment protection turned on. These services defend millions of mailboxes and devices daily, and will stop a large amount of malware and spear-phishing before it reaches her
  • ideally leave her work devices at home when travelling — if she needs to work on the go, take a smartphone or tablet only, not a laptop
  • think about 'blast radius' and use different virtual or physical devices (as budget permits) for personal use versus work — Jane as a consultant may not be the target, but the organisation she is working with might be, and segmenting activity stops 'blasts' in both directions
  • consider using iVerify for Individuals if using an Apple device — iVerify has a comprehensive checklist across a number of categories, and it is a good guided checklist in addition to some on-device indicator-of-compromise checks
  • periodically review unused accounts and apps — close the accounts and uninstall the apps, since each one is a stored credential or attack surface she has forgotten about
Jane should keep the following in mind, without losing sleep over them:

  • technical compromise of her smartphone through physical modification, physical tampering, or remote compromise by spyware like Pegasus
  • optical surveillance (shoulder surfing) of her PIN, passcodes or passwords
  • audio surveillance of her reading a password to someone else over the phone
  • physical loss of her device — a thief who steals her phone will most likely wipe it or factory reset it to sell it. Jane should trigger the remote wipe or lock through a system such as Apple Find My or Google Find My Device as soon as possible, then revoke any existing authentication sessions (such as email) from another device and change any passwords that were stored on the phone

The travelling management consultant

This is Emma, a management consultant who frequently travels for work. Emma's company has a range of clients including governments, charities and large financial institutions. Emma has a paranoia level of 8/10.

Emma should:

  • follow the guidance and advice from her employer
  • follow the Being safe on hostile Wi-Fi/mobile networks post on her personal smartphone while travelling — and also on her work equipment, if for some reason her employer isn't providing adequate work equipment
  • protect backups of her smartphone as carefully as the smartphone itself — or turn off smartphone backups entirely, since a backup is a second copy of everything on the device
  • frequently check for device management 'profiles' on her smartphones — on iOS these are listed under Settings > General > VPN & Device Management, and on Android they appear as device admin apps or an unexpected work profile; a profile she did not install herself can redirect traffic, install certificates or push apps
  • turn smartphones entirely off and on again (aka reboot) once a day — many mobile exploit chains live only in memory and do not survive a reboot, and on modern smartphones the restart also runs the secure boot chain that verifies the operating system before it loads
  • use temporary (burner) devices and accounts — that includes new email, iCloud, Dropbox and similar accounts, and she should think carefully before signing into existing social media from the burner. Announce the temporary accounts through an existing trusted channel before using them: for example, use her normal work email to tell colleagues about a temporary account, when it should stop being used, and what information must not be sent to it
  • use an encrypted, filtering DNS service
  • use a VPN, a high-quality and trustworthy service that keeps logs she can retrieve, in addition to the filtering/logging DNS service — together they provide a defence on local Wi-Fi in coffee shops and hotels, and also a record of technical logging information to fall back on if there is any future suspicion or indication of compromise
  • use a new temporary SIM card and mobile number
  • use mobile data, not Wi-Fi
  • use her own chargers, and data-blocking USB cables (or a USB data blocker) whenever she charges from a port she does not control
  • avoid biometrics [for apps containing sensitive data] and use a complex passcode — a finger or face can be presented to a phone without her consent far more easily than a passcode can be extracted from her
  • turn off the smartphone entirely when travelling through borders or security checkpoints — a powered-off phone has not been unlocked since boot, so its data is still fully encrypted at rest and biometrics cannot unlock it
  • reject any SIM updates received
  • use a screen cover that obscures visibility based on viewing angle — this offsets some optical surveillance risks
  • don't leave the smartphone unattended in untrusted spaces (hotel rooms etc) — if she must, use tamper-evident bags so she knows whether it has been physically viewed or manipulated in some way
  • prefer a cloud-based workstation such as Microsoft Windows 365 Cloud PC or AWS WorkSpaces — these can be connected to remotely, but the computer actually accessing the data stays in the cloud, making it harder to compromise locally, as the local device is acting as a relatively trivial conduit (a screen and keyboard)
  • Emma's employer should consider using iVerify on its IT-managed smartphones

Investigative journalist

This is Roberto, an investigative journalist working on an international story over a number of months, with key sources and important evidence. Roberto has a paranoia level of 10/10.

Roberto should:

  • carefully split his personal life from his work life — he should have a personal phone and personal accounts that he keeps obscured from work, and be discreet about handing them out to only his closest friends and family
  • use multiple accounts, numbers and smartphones for work — he should have a single phone associated with his core journalistic identity, and use separate accounts and personas on a per-project basis
  • change his personal mobile number if he notices a sudden uptick in SMS/email phishing or odd phone calls — Roberto's personal number is likely not so personal any more
  • treat his public email/number (for tips, etc) as a burner — the device behind it should be treated as if it could be compromised at any time, and while it may be hard to keep changing the smartphone and phone number, this may be possible between major stories
  • follow the Being safe on hostile Wi-Fi/mobile networks post, which also says to disable automatic updates for apps and the smartphone itself while on hostile networks
  • follow instructions (and use security services) provided by his journalistic organisation and networks
  • enable Apple's Lockdown Mode if the interruptions to user experience (restricted FaceTime, message attachments, etc) are acceptable for him (Inserted July 2022)

Person of global intelligence interest

There is a persona we are choosing not to write about. This person would have a paranoia level of 25/10. We will say that most of you who think that you fall into this category… probably do not fall into this category.
