© Carey Parker 2020
C. Parker, Firewalls Don't Stop Dragons, https://doi.org/10.1007/978-1-4842-6189-7_11

11. Don’t Be a Smartphone Dummy

Carey Parker, North Carolina, NC, USA

Mobile devices have become integral parts of our lives—particularly smartphones like Apple’s iPhone and all the variants of Android phones. Smartphones contain unbelievable amounts of extremely personal information including financial data, health data, your personal address book, emails, web surfing history, and access to much more data in the cloud. They also track your location pretty much anywhere on the planet, 24/7, because frankly they have to in order to send you texts and phone calls. If that weren’t enough, smartphones have built-in microphones and cameras that can record everything you do. Your mobile phone may have more personal information on it than any other device you own, even more than your home computer. And make no mistake—a smartphone is a computer, and a very powerful one at that. Do you remember the Deep Blue supercomputer that beat chess champion Garry Kasparov in 1997? The iPhone 8 (now almost 3 years old) has more than 20 times the computing power of Deep Blue, and it fits in your pocket! So, let’s talk about how we can secure these wonderful devices.

iOS Is More Secure Than Android

Let’s get this out of the way: in my not-so-humble opinion, iOS is way safer than Android.1 Unlike Mac OS vs. Windows, the difference between these mobile operating systems is significantly starker. Google is doing some fantastic work in the realm of security, don’t get me wrong. But the Android ecosystem is fundamentally different than that of iPhones, and those differences make Android phones a lot harder to secure.

When Apple came out with the iPhone, the company was really in the driver’s seat. Steve Jobs knew that this device was going to completely change the smartphone world, and he managed to get all the major cell phone carriers to give him maximum control over the software on this device. The problem with Android is not that it’s not secure. The problem is that Google gave too much control over the software to the cell phone manufacturers and service providers. I’m sure there were business realities at play here. Perhaps the cell phone folks felt burned by Apple’s control over iOS and demanded more ability to control the Android OS on the devices they sold. So, you could argue that this isn’t really Google’s fault. But however it happened, the cell phone makers and cellular service providers are an integral part of the supply chain and serve as gatekeepers for all software updates to Android phones. As recently as a couple years ago, a study found that almost 30 percent of Android phones weren’t even capable of getting the latest software. Even if the phone makers and service providers want to allow the updates, they have to go through a lengthy process of testing the changes on each device first.

Google has made some changes to Android that will address these problems, but because of the previous problem, it will work only on the very latest phone models. It could be years before most Android phones will be able to stay as up to date as Apple iPhones. A notable exception would be Google’s own Pixel smartphones. In this case, Google is in full control of both the hardware and the software (much like Apple), allowing Google to keep these phones updated with the latest security software and fixes.

iOS Is More Private Than Android

While the security issues are important, to me the real difference between Apple’s iOS and Google’s Android operating systems is privacy. There’s just no comparison: Apple wins hands down. There are two reasons for this. First, Apple’s iOS is a very closed ecosystem, meaning that Apple exerts extreme control over what apps it will allow to run on the phone and what those apps are allowed to do when you can run them. This control is a source of major frustration for a lot of people. They want to be able to do whatever they want to do, even if that means taking more risks. You can have a spirited and healthy debate over the freedom and control aspects here, but the upshot is that Apple’s closed system and restrictive permissions ultimately give you, the user, more protection from malicious and prying apps.

The other reason is that Google is an advertising company. Google’s business model is tied directly to knowing as much about you as possible. It’s a pure conflict of interest that I just can’t reconcile, and it’s the same reason I can’t recommend Google’s Chrome browser. While I firmly believe that Google is doing great things in the realm of security, it has shown time and time again that it will go to insane lengths to track everything you do to command top dollar for its advertising.

Apple is going even further to protect your privacy with the coming release of iOS 14. While iOS already allows you to deny your location information to any app, or to only share your location when the app is the foreground app, iOS 14 will now give you the option to only share your approximate location (within about 10 square miles). You can also limit which photos an app can access, instead of all or nothing. Apple is adding a new indicator light to tell you when your camera or microphone is in use by displaying a little green or orange dot at the top of the screen (respectively). And Apple will also be instituting a transparency feature that gives every app a sort of "nutrition label" for privacy, basically forcing app makers to distill their privacy policies down to simple icons.

Wireless Madness

While laptop and desktop computers have their share of wireless technologies, smartphones have more. Modern cell phones have Wi-Fi, cellular data, Bluetooth, near-field communication (NFC), and now even wireless charging. Every one of these wireless interfaces presents a potential chink in your smartphone’s armor—a gap that will allow the bad guys a way into your phone. Let’s quickly review each one.

For Internet access, your smartphone has two options: cellular data and Wi-Fi. Cellular data service comes with nearly every smartphone service plan. They usually sell it to you in monthly chunks of gigabytes (GB), with steep fees for exceeding your limits (unless you opt for the expensive “unlimited” plan). Cellular data is your default connection to the Internet from a smartphone and should be available in most populated areas. But because you are charged for what you use, you have to be somewhat careful about how you use it. Regular email and web surfing is usually fine, but you wouldn’t want to binge-watch your favorite Netflix series using cellular data, even if you have an unlimited plan (most “unlimited” plans will start throttling or limiting your data usage after a certain point). Video services (YouTube, FaceTime, Netflix, etc.) can eat up a lot of data.

So, what if you do want to catch an episode of your favorite TV show on your iPhone? That’s where Wi-Fi comes in. As we discussed in Chapter 2, Wi-Fi is a wireless networking technology, giving you access to the Internet at home, in coffee shops, hotels, airports, restaurants, and other people’s homes. Wi-Fi service is generally unlimited and much cheaper (or free). But as we’ve also discussed, public Wi-Fi hotspots are notoriously bad when it comes to security and privacy. If you’re just going to surf the Web or read emails, I recommend avoiding public Wi-Fi and just stick to using your cellular data plan. You can also use a virtual private network (VPN) service to protect your Wi-Fi traffic, but be aware that services like Netflix will now block you if you’re using a VPN (to prevent people from accessing their services from outside their home country).

Because the whole point of smartphones is to be unencumbered, they use wireless technologies for everything. This is where Bluetooth and NFC come into play. As we discussed in Chapter 2, Bluetooth is used to connect peripheral devices to your phone like headphones and keyboards without the need for pesky cords. NFC, on the other hand, is used for things like mobile payments and pairing of devices (sometimes Bluetooth devices). NFC tries to limit itself by physical proximity—hence the “near” part of near-field communications. The idea is that the user has to place the smartphone near the payment terminal or whatever; it can’t just connect while it’s in your pocket or purse. In reality, though, any radio frequency (RF) technology can work over longer distances in the right circumstances.

The last cord to cut is the power cord. Many smartphones (and other devices like the Apple Watch) have come up with clever ways to transfer power without cables. However, this usually requires very close proximity—like sitting on a special mat or stand—but hey, there are no wires! The appeal is that you don’t have to physically connect the power cord.

Unfortunately, all of these wireless technologies increase your cell phone’s attack surface—they’re just more avenues for hacking in. While these technologies seem fairly simple to use, they are quite complicated under the covers. To do what they need to do, they are quietly and constantly monitoring the airwaves for signals and often replying to wireless queries from other devices automatically. Most of these technologies require a unique wireless identifier to operate. But this has allowed some enterprising retailers and law enforcement types to track your device using this ID and, by extension, track you. Some stores have devices that monitor Wi-Fi and Bluetooth from phones to monitor your movements in their stores—when you enter, how long you linger in front of that sale rack, and when you come back to the store a few days later to buy something. They may or may not be able to tie that wireless ID to your name, but they know it’s the same person each time because the wireless ID of your phone doesn’t change. Actually, because of this very issue, modern Apple and Google devices create random wireless IDs, rotating them frequently—though it’s not clear how effective this really is at preventing tracking.

To Hack or Not to Hack

As we’ve said, smartphones can be much more restrictive on what applications you can run or even what settings you can change. Cell phone makers and cellular providers do this mostly for security purposes—trying to protect people from themselves. But they also do this because they want to protect themselves and their business interests, often at the expense of their customers. It should be no surprise then that enterprising hackers have found ways to circumvent these restrictions, and they’ve made them available to the public via easy-to-use tools that you can find all over the Internet if you take the time to look.

The process of circumventing your smartphone’s built-in restrictions is a form of hacking called jailbreaking or rooting. Like regular computers, smartphones have different levels of permissions. Unlike regular computers, the cell phone makers and cell phone service providers reserve the highest permissions for themselves. Needless to say, this rubs some people the wrong way. “I bought the stupid device. Why can’t I do whatever I want with it?” If you get the right phone and the right hacking tool off the Internet, you can gain full administrator privileges and do whatever you want. While this sounds very tempting, I’m here to tell you that it’s not a good idea.

If you recall, in Chapter 5 I strongly encouraged you to create and use a non-admin account on your computer. This follows the security practice of “least privilege.” You want to restrict what you can do in most cases to be the bare minimum, just in case some bad guy or piece of malware gains access to your account. By using a limited access account, you can limit the amount of damage that can be done if that account is hijacked.

This is the same basic philosophy at work on smartphones. Apple and Google have created elaborate permission schemes on their smartphones that are designed to let you do everything you need to do while simultaneously restricting the damage that can be done by a rogue application or service. While some of these restrictions are more for their benefit (or the cell phone service provider’s benefit), on the whole they are the best mechanism for protecting your data and your privacy. Removing this safety mechanism will allow you to do whatever you want…but it also opens the door for any other application on your device to do what it wants. While I think there’s a strong philosophical argument to be made in favor of removing these restrictions—and I hope in the future cell phone makers return more of this power to the user—right now it’s definitely safer for most users to leave these restrictions in place.

Privacy Matters

For me, privacy is far and away the most important topic related to smartphones today. These devices are with us almost every hour of every day and are in constant contact with the Internet. They know where we are, where we’ve been, who we know, who we talk to, how to access our bank accounts, what news we read, what we buy, what games we play, what pictures we like to look at, what we text and email, what websites we use, what’s on our calendar…the list is endless. Your phone probably contains or has access to credit card numbers, phone numbers, passwords, PINs, birth dates, passport info, and Social Security numbers. We keep all the information of our lives on our smartphones so that we can access it anywhere at any time.

According to a 2016 Pew poll, 28 percent of people still do not lock their smartphones with a PIN or other access control.2 While I hope that number has increased since then, I don’t doubt that a majority of people still haven’t taken this most basic step to secure this treasure trove of information.

Many modern smartphones now come with the ability to unlock your phone using a fingerprint or a face scan. This presents an interesting dilemma. As we discussed in Chapter 4 on passwords, fingerprints and facial features are forms of biometric authentication. As opposed to something you know (a PIN or passcode), biometrics represent something that you are. PINs and passcodes are a pain in the butt; there’s no doubt. Having to enter even four digits to get into your phone all the time is annoying (and honestly, you should be using more than four). Using your index finger or face is much, much easier. But is it really secure?

Let’s consider fingerprints. First, realize that there are multiple ways that someone else can use your fingerprint. The most obvious way would be somehow compelling you to do it for them or knocking you out and pressing your finger to the sensor. But it turns out that it’s actually not that hard to pull a usable fingerprint from a smooth surface.

Second, there’s currently a distinct legal difference between a fingerprint or faceprint and a password or PIN. This is an evolving area of law, and it probably varies country by country, but biometrics have been viewed like a physical key. If law enforcement has a warrant to search your home, they can compel you to open the door with your key. But can they compel you to use your finger to unlock your cell phone? The court cases in the United States are literally all over the map. A 2014 case in Virginia ruled that cops can force you to use your finger to unlock a smartphone, but a 2019 case in California ruled that law enforcement can’t compel a fingerprint or face scan to unlock a phone. On the other hand, the courts so far seem to treat divulging passwords and PINs as a violation of the Fifth Amendment’s protection against self-incrimination, similar to the combination of a safe.

So—as is often the case with security and privacy—you need to weigh the tradeoffs with respect to convenience. While it’s much more convenient to use your finger or your face to unlock your smartphone, it doesn’t really offer you any protection from law enforcement or a physical attacker. That’s probably not a concern for most people, however, meaning that in most cases, using biometrics to unlock your phone is a worthwhile trade-off between convenience and security (especially compared to not locking your phone at all). And both iOS and Android now have “lockdown” modes where you can quickly disable biometric access, requiring a PIN or passcode to unlock the phone.

Summary

  • Our cell phones hold amazing amounts of extremely personal information. We need to realize this and take extra steps to protect this data.

  • Cell phones are wireless in just about every way and come with a bevy of technologies that allow them to function untethered. However, that also means there are extra avenues of attacks for bad guys.

  • Cell phone makers and service providers have restricted what users can do with their devices for both security and proprietary reasons. While it’s often possible to download tools that will circumvent these restrictions, doing this can expose you to a great deal of risk.

  • You should always lock your smartphone, either with a PIN, with a passcode, or with biometrics like a fingerprint or face scan. For most people, a biometric lock is a good balance between security and convenience, but if you’re really worried about your privacy, you need to use a passcode.

Checklist

The cell phone market—particularly the Android phone market—is extremely fractured. By that I mean there are many variants of the Android operating system out there, not only in the underlying version of the operating system itself but also with respect to service providers. The cellular service companies like AT&T and Verizon often make their own customizations to the operating system. Even the smartphone manufacturers like Samsung and LG often customize the OS. This makes it very difficult to provide a definitive, specific step-by-step guide for doing anything on Android OS. Therefore, most of the advice in this checklist is somewhat generic. You may need to search the Web or talk to your cellular service provider to help you find the proper way to do these things.

Remember the following:
  • Android is Google’s mobile operating system, used on devices from many different manufacturers including LG and Samsung (and of course Google).

  • iOS is Apple’s mobile operating system, used on iPhones and iPads.3

Tip 11-1. Back Up Your Phone

If your phone is lost or stolen, you want to be able to recover the information it held. You can often use these backups to restore all of your apps, settings, and data to a new phone. You can also use the backup to go back to a known-good state if something goes horribly wrong.

You can back up your phone to your computer or to the cloud. Personally, I do both. Computer backups tend to be complete and are best for restoring a device that has been lost or damaged beyond repair, that is, copying all of your apps and data to a new device when you no longer have the original device.

Cloud backups are extremely convenient. Both Android and iOS have this ability built in and it’s easy to enable (in fact, it’s sometimes hard to avoid). However, there are a few caveats with cloud backup.
  • It may cost you some money. Apple and Google provide some minimal cloud storage for free, but it probably won’t be enough to back up your phone. While backing up a 128GB phone will not require 128GB of cloud storage (only data is really backed up—apps and the OS are restored by re-downloading), you will still likely need to buy more storage. However, this is fairly cheap—from one to two dollars a month.

  • While cloud storage is encrypted, you can’t use your own key. That means that both Google and Apple have full access to anything you put in their cloud storage. This is a major privacy problem. Hopefully they will make this an option in the future.

  • You can’t restore from an old version of the OS to a newer version. This means you need to keep your OS always up to date (which you should do for security reasons, anyway).

Tip 11-1a. iOS

Back Up to a Mac
As of macOS Catalina, backups are done through the Finder. (Note that while these steps refer to an iPhone, this will also work for an iPad.)
  1. Connect your iPhone to your Mac using a USB to Lightning cable. You may need to unlock your iPhone and elect to “trust this computer”.

  2. Open a Finder window (you can just double-click any folder or your hard drive). Select your device from the left-side panel.

  3. Click the “General” tab. Select “Back up all of the data on your iPhone to this Mac”.

  4. Click the “Back Up Now” button and wait for the process to complete. When done, you can disconnect your iPhone.

Back Up to a PC (Windows)
On Windows, you will need to use Apple’s iTunes app to back up your iPhone (or iPad). If you haven’t installed this yet, download the iTunes app from Apple’s website and install it.
  1. Connect your iPhone to your PC using a USB to Lightning cable. You may need to unlock your iPhone and elect to “trust this computer”.

  2. Open the iTunes app on your PC. Click the iPhone button at the top left.

  3. Click “Summary”.

  4. Click the “Back Up Now” button and wait for the process to complete. When done, you can disconnect your iPhone.

Back Up to the Cloud
You can back up to Apple’s iCloud instead of or in addition to a computer backup. iCloud currently only comes with 5GB of storage space for free, and most phones will require more than that. You may need to buy more space, but it’s pretty cheap.
  1. Go to Settings and then click your name at the top to access your iCloud account.

  2. Find iCloud Backup and click it.

  3. Turn on iCloud Backup. This will back up your phone daily when your iPhone is connected to power, locked and on Wi-Fi. If you want, you can click “Back Up Now”.

Tip 11-1b. Android

For Android, there’s no one easy way to back up your entire phone to a computer, unless you use third-party apps that I can’t really recommend. If you connect your Android device to your computer with a cable, you should also be able to manually copy files from your Android device to your computer, but this is a pretty clumsy option for regular backups.

This means you’ll need to use cloud backups. Luckily, Google makes it easy to back up your basic settings and data to your Google account, if you give it permission to do so. Because of the fractured Android marketplace, each manufacturer seems to have a slightly different way to set up Google cloud backups (and most of them offer their own cloud backup utility, to make things even more confusing). Here are a few options to try, depending on what phone you have:
  • Settings ➤ Google ➤ Backup.

  • Settings ➤ System ➤ Advanced ➤ Backup ➤ Backup to Google Drive.

  • For Samsung Galaxy, try Settings ➤ Cloud and accounts ➤ Backup and restore ➤ Google Account.

This should back up your app data and settings, contacts, call history, device settings, photos, videos, and SMS text messages. Google accounts come with 15GB of free space. You can buy more for a couple bucks a month.

Tip 11-2. Keep Your Device Up to Date

Security problems are found all the time, and mobile device makers release updates on a fairly regular basis. You should be sure to update your device’s software whenever a newer version is available—this includes the operating system as well as applications.

Tip 11-2a. iOS

Apple’s iOS is free and easy to update. On your iPhone, go to Settings ➤ General ➤ Software Updates to check your current version and see whether you have any updates. Select “Automated Updates” and enable the slide switch. As it will tell you on this page, updates will be downloaded automatically and you will be notified before the updates are installed. Updates will be installed when the device is charging and connected to Wi-Fi.

Tip 11-2b. Android

Updating an Android device is not always straightforward. There are OS updates as well as Google Play system and security updates. To check what version you have, go to System ➤ Advanced ➤ System update. You can see your Android version and security patch level. You should receive a notification when updates are available for your device. Note that different manufacturers and cell phone service providers may have different updates and update schedules.

To check your security updates, go to Settings ➤ Security. Select either “Security update” or “Google Play system update”.

Tip 11-3. Lock Your Device

I know this seems like a pain in the butt, but you absolutely need to lock your mobile devices. Anyone who picks up your device can access tons of personal information, so you need to erect a digital barrier—either a PIN or passcode or a biometric lock (fingerprint or face scan). Some devices allow you to enter a full-on password, which is the most secure way to go. However, since unlocking the device requires physical access, a four-digit PIN will be sufficient for most people.

If your phone has the option to wipe all data after a certain number of incorrect attempts to unlock, I encourage you strongly to enable this feature, as well. You can store this PIN/passcode in LastPass if you’re afraid you’ll forget it.

All Apple phones have this feature. Go to Settings, then either “Touch ID & Passcode” or “Face ID & Passcode”, depending on the type of device you have. It should force you to enter your PIN or password to make any changes. Scroll all the way down to the bottom to find the “Erase Data” option and enable it.

Tip 11-4. Don’t Use Biometric Locks for Sensitive Stuff

One of the nifty features on newer mobile devices gives you the ability to unlock it using fingerprint or facial recognition. This is undoubtedly easier than having to type in a PIN or password, but using biometrics is not as secure. Not to sound paranoid, but fingerprint scanners work just fine even if you’re not conscious, for example. Also, while the law is still not 100 percent settled on this, some recent cases have concluded that a law enforcement officer can compel you to unlock a device using biometrics, but they cannot force you to divulge your PIN or passcode.4 But see the next tip for a compromise option.

Tip 11-5. Enabling Lockdown Mode

Unlocking your phone with your finger or face is very convenient. But if you are at all worried about someone else accessing your device by compelling you to use these biometric scanners, you shouldn’t use them. However, both Android and iOS have a “lockdown” feature that lets you disable biometric unlocking quickly, requiring your PIN or passcode.

Tip 11-5a. iOS

To enable lockdown mode on your iPhone, press and hold the power button and either of the volume buttons. You’ll be presented with a screen to make an SOS call, access your medical ID, or power off the phone. Simply click the power button again to turn off your screen. Next time you try to unlock it, you’ll be asked for your PIN or passcode (biometric unlocking will be disabled for this one time).

Tip 11-5b. Android

You must first enable this feature. Go to Settings ➤ Lock Screen ➤ Secure lock settings. Enter your PIN or password. Tap “Show lockdown option”. To lock down your device, press and hold the power button for a second or two, which will bring up the standard menu to power off or restart. But there will now be an option for “Lockdown”. Next time you try to unlock it, you’ll be asked for your PIN or passcode (biometric unlocking will be disabled for this one time).

Tip 11-6. Restrict Application Permissions

Both iOS and Android have gotten really good about forcing application makers to explicitly ask for access to various features of your phone such as the microphone, the video camera, your contact list, your location, and so on. Practice the policy of least privilege and deny permission to any app that doesn’t absolutely need such access. It makes sense for a weather app to want access to your location because you usually care most about the weather where you are. However, why in the world would that same weather app need access to your address book or the microphone? Usually these apps ask for permission when you install them or perhaps when you first run them. At the time of this writing, Apple’s iOS provides a lot more flexibility on what you allow each app to access and gives you the ability to change these options after the fact. With Android, it’s often all or nothing, and you may not be able to change your mind later. iOS and the most recent version of Android also allow you to control some things based on whether the app in question is in the foreground (i.e., it’s the app you’re using right now—the one “on top”).

Note that some applications may fail to work after removing permissions—either because they really do need access to the thing you just cut off or because they didn’t design their app to deal with people who want to protect their privacy. So, you may have to go through a little trial and error with these settings.

Tip 11-6a. iOS

For iOS devices (iPhone/iPad), go to Settings ➤ Privacy. There you will find a long list of system devices and data. At the top, you’ll see “Location Services”. Under this menu, you can control which apps have access to your location and whether they can access it all the time or only when the app is the current main app (“on top”). In iOS 14, you should also have the option to only share your approximate location (within a 10-mile square area).

For the other categories like Contacts, Calendar, Microphone, and so on, you can enable or disable access for each application that has requested access. Some categories have more fine-grained controls. As tedious as it sounds, I would take the time to go through each setting once and remove permissions for anything that doesn’t make sense or isn’t absolutely necessary.

Tip 11-6b. Android

All recent versions of Android provide some level of application permissions that can be disabled after first install or use, but the granularity of the permissions will vary depending on the app and your version of Android. Go to Settings ➤ Apps. Click the little three-dot menu at the upper-right corner and then choose App Permissions. You will then be presented with a long list of system devices and data. Some categories have more fine-grained controls than others. As tedious as it sounds, I would take the time to go through each setting once and remove permissions for anything that doesn’t make sense or isn’t absolutely necessary.

Tip 11-7. Limit Ad Tracking

Sadly, both Apple (iOS) and Google (Android) now have some form of ad tracking. You can turn some of this off or down, however.

Tip 11-7a. iOS

Go to Settings ➤ Privacy. Scroll all the way down to the bottom, and then select “Advertising”. Enable the button for “limit ad tracking”. From time to time, you might want to also reset your Advertising Identifier (click the link below the tracking switch).

Tip 11-7b. Android

On Android, you can elect not to log in to your Google account from your phone. However, this will probably prevent you from getting the most out of Google’s services. You should go to Settings and find the “Ads” settings (you may have to search for it). Select “Opt out of Ads Personalization”. From time to time, you might want to also reset your advertising ID (in the same settings panel).

Tip 11-8. Remove Unused Apps

How many apps do you actually use on your smart device? If you’re like me, you’ve probably accumulated dozens of “free trial” or “free today only” apps that you never use. Or maybe you have multiple utility apps that do the same thing (calculator, converter, weather, etc.). You might think it’s harmless to leave those apps sitting dormant on your device, but the truth is that those apps are probably getting automatically updated all the time—and who knows what version 2.0 does? Maybe it has a cool new “friends” feature that contacts everyone in your address book or starts recommending recipes depending on your current location. With every software update, there are potential risks of software bugs that bad guys can exploit, too.

The opposite problem may also bite you: the app is abandoned and never updated. What if there’s a known security bug that goes unfixed?

Bottom line: if you’re not using an app, delete it. You can always reinstall it later if you find that you want it back. In most cases, once you buy it, it’s yours for life, and the app store will allow you to download it again. This will have the added benefit of saving precious space on your device.

Tip 11-9. Enable (Self) Tracking

Both iOS and Android have a built-in utility to help you find a lost device. This feature will even allow you to remotely lock or wipe that device, if necessary. Note that for these features to work, the device must be connected to the Internet somehow. For smartphones, this is usually not a problem, but for Wi-Fi-only devices (like many tablets and devices like the iPod Touch), you need to make a tough choice: either set your device to always try to connect to whatever Wi-Fi it can find (not as secure) or give up on this feature.

Tip 11-9a. iOS

On your iOS device, go to the iCloud settings by clicking your name at the top of the Settings app. Then scroll down to “Find My” and enable “Find My iPhone”. I would also enable the other options: “Enable Offline Finding” and “Send Last Location”.

If you lose your device, you can use another Apple device or the iCloud website to find your device, make it play a sound, or remotely wipe or lock it.

Tip 11-9b. Android

Go to Settings ➤ Google ➤ Security. Under the “Android Device Manager” section, make sure the two options there are enabled: “Remotely locate the device” and “Allow remote lock and erase”.

If you lose your device, you can use another Android device or the Google “Find My Device” website to find your device, make it play a sound, or remotely wipe or lock it.

Tip 11-10. Use Firefox Browser

Of course, both iOS and Android devices come with a built-in browser: Safari and Chrome, respectively. Apple’s Safari mobile browser is actually pretty good from a privacy perspective. It has some pretty powerful anti-tracking technology built in. As of iOS 14, Apple will let you choose your default browser on iOS—a very welcome change. While this feature wasn't available at the time of this writing, I'm sure this will be a pretty obvious option in the Settings menu.

Android offers a lot more flexibility here. You can not only install the Firefox browser, you can make it your default browser and even install privacy plugins like Privacy Badger and uBlock Origin. Download and install the Firefox browser from the Google Play Store. Then go to Settings ➤ Apps. Click the little three-dot menu at the upper-right corner and then click “Default Apps”. Then click “Browser App” and select Firefox.

Since Google owns Android, I would still assume that Google has access to your web browsing history on an Android device. But at least you can curb the tracking and annoying ads from the sites you visit.

Tip 11-11. Avoid Cheap Android Phones

There have been several reported cases of cheap Android phones coming preinstalled with adware, spyware, and even straight-up malware—right out of the box. Some of the best-known manufacturers are ZTE, Archos, myPhone, and BLU. Don’t cut corners on buying a smartphone. Stick to well-known name brands. If you’re going to choose Android, I would suck it up and pay for a Pixel so that you’re sure to get immediate security updates.

Tip 11-12. Use Secure Messaging Apps

While Apple’s Messages app is relatively secure, there are better apps out there, if you really want your messages to be private (i.e., encrypted from end to end and not accessible by the messaging service provider). Unfortunately, everyone you want to communicate with will also need to download and install the same app—because these communication protocols aren’t (and may never be) standardized. These apps are available for both iOS and Android, as well as for your computer, so you can actually message from any device to any device.

There are several other messaging apps that claim to be secure and encrypted, but in many cases the messaging service provider holds the encryption keys—meaning that they can read your messages. And that means they can hand over your messages to law enforcement or intelligence agencies—and they’re open for abuse by employees with proper access. WhatsApp is arguably the most popular “secure” messaging app, but you may not realize that it’s owned by Facebook. The creators of WhatsApp left Facebook after the buyout largely because they didn’t like the way Facebook removed privacy protections.

Tip 11-13. Install (and Use) a Mobile VPN

Virtual private networks aren’t just for laptops. While most banking and shopping apps on your phone already use encrypted connections, your email and web surfing may very well be completely open and unencrypted. And when you’re using the free Wi-Fi at Starbucks, McDonald’s, your hotel lobby, or wherever, any unencrypted data is completely visible to anyone else in the area with a simple wireless monitoring application. If you have a VPN app installed, it should automatically kick in whenever your device tries to connect to an unknown (and therefore untrusted) network.

Fair warning: good VPN services usually cost money. I guarantee you will find situations where it will frustrate you because it won’t connect. This is the usual trade-off between security and convenience. But if you find yourself having problems connecting and you specifically need Wi-Fi (vs. cellular data), you can always elect to temporarily disable the VPN.

One note…don’t use Facebook’s VPN (Onavo). If you select the Protect option in the Facebook app, it will prompt you to install the Onavo VPN, a service owned by Facebook. This gives Facebook complete information on everything you do on the Internet, and its “privacy” policy explicitly says that it will collect and use this info.

Look at Chapter 6 for recommendations on good VPN services. But there is a mobile-only VPN not mentioned there that you might want to consider: Cloudflare’s Warp VPN. This is a rare exception to the “avoid free VPNs” rule.

https://blog.cloudflare.com/1111-warp-better-vpn

Tip 11-14. Disable Wi-Fi Auto-Connect

Many mobile devices can be set to automatically connect to any open Wi-Fi network (no password) or to any Wi-Fi network they’ve connected to before. That can be very convenient for your house or work location, but it can be dangerous for public Wi-Fi like “Starbucks” or “McDonalds” or “Hyatt” or whatever. Because these Wi-Fi network names are well known, bad guys have been known to create their own networks using the same names. If your device is set to automatically connect to remembered networks, you could be inadvertently connecting to a hacker’s network. They could just snoop on your web surfing or perhaps even use this connection to hack your phone.
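A simplified model of the auto-connect decision described above, added here as an illustration and not taken from the book or from any phone’s real code. The class names, the matching rule, and the network lists are assumptions and constructed sample data; the point is that a remembered open network is recognized by name alone.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str    # "open" or "wpa2-psk" in this simplified model
    auto_join: bool

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # the access point's hardware address
    security: str

# Constructed sample data: remembered networks on a hypothetical phone.
SAVED = [
    SavedNetwork("HomeNet", "wpa2-psk", True),
    SavedNetwork("Starbucks", "open", True),
    SavedNetwork("Hyatt", "open", False),
]

# Constructed scan results. Nothing in a beacon proves who runs the access point.
SCAN = [
    Beacon("Starbucks", "02:00:00:00:00:01", "open"),
    Beacon("HomeNet", "02:00:00:00:00:02", "open"),   # right name, wrong security type
    Beacon("Hyatt", "02:00:00:00:00:03", "open"),
]

def would_auto_join(saved, beacon):
    # Assumed matching rule: same name, same security type, auto-join enabled.
    # A password-protected network still needs the right password to finish
    # connecting; an open network has nothing further to check.
    return (saved.auto_join and saved.ssid == beacon.ssid
            and saved.security == beacon.security)

def auto_join_targets(saved_networks, scan):
    """BSSIDs the device would connect to without asking the user."""
    return [b.bssid for b in scan
            if any(would_auto_join(n, b) for n in saved_networks)]

def risky_profiles(saved_networks):
    """Remembered networks that any same-named access point can stand in for."""
    return [n.ssid for n in saved_networks
            if n.auto_join and n.security == "open"]

def disable_open_auto_join(saved_networks):
    """The fix from this tip: keep the profiles, but stop auto-joining open ones."""
    return [replace(n, auto_join=False) if n.security == "open" else n
            for n in saved_networks]

if __name__ == "__main__":
    print("risky:", risky_profiles(SAVED))
    print("before:", auto_join_targets(SAVED, SCAN))
    print("after:", auto_join_targets(disable_open_auto_join(SAVED), SCAN))
```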

Tip 11-15. Know Your Rights When You Travel

For some reason, normal property and privacy laws seem to be thrown out of the window when you cross a border. For example, current US law gives border agents broad authority to search an electronic device for any reason and for as long as they want. Because of our preoccupation with terrorist threats, border guards have been given a lot of leeway, shall we say. There are laws in the works to curb this, and even a recent US District Court ruling saying baseless searches are unconstitutional. But until these rights are clear, you can find some great information at this EFF website:

Tip 11-16. Don’t Hack Your Device

Because mobile devices have so many restrictions on what you’re allowed to do, what apps you can install, and so on, many people have turned to rooting or jailbreaking their devices to get around these constraints. Having “root” privileges on a computer means you can basically do anything you want. The problem is that once you’ve hacked a device and given yourself root access, you have opened the door for other apps to abuse that same privilege level. This exposes you to all sorts of foul play. I strongly recommend you do not jailbreak or root your mobile device.

Tip 11-17. Disable Bluetooth and NFC When You Can

Bluetooth is the odd name of a versatile, short-range, low-power wireless technology that allows your mobile device to connect wirelessly to external devices such as speakers, hands-free headsets, keyboards, and more. You can even use it to unlock your front door! However, leaving Bluetooth on all the time means that rogue devices can also try to connect to your device without your knowledge. These connections can be used to steal your data and potentially even compromise your device. While Bluetooth is fairly secure and these attacks are not common, it’s still a good idea to just disable Bluetooth if you never use it. It will also help you save your battery.

Near-field communication (NFC) is another wireless technology built into many mobile devices, though used less often and at much shorter distances. While Bluetooth can work at distances of dozens of feet, NFC generally is limited to maybe an inch or less (hence the “near” part). It’s usually used to pair your phone with another device—maybe to get a Wi-Fi password or trigger a mobile payment app or even transfer a file from one phone to another. Like any wireless technology, it can be broadcasting and listening all the time to any nearby device, making it a possible “way in” to your phone. Disable this feature if you’re not using it.

Tip 11-18. Erase Your Device Before Getting Rid of It

Like our home computer, our mobile devices are chock-full of detailed personal information. In fact, our cell phones arguably have way more info in (or accessible by) them. So, before you give away or sell or even recycle your smartphone, you should be sure to wipe it completely. If you’ve encrypted the contents, you’re most of the way there already. But it’s still good to wipe it clean.

Tip 11-18a. iOS

1. Back up your data and transfer everything to your new device first. If you’re buying your iPhone from an Apple Store, they can help you through this process in the store. (They can also help you erase your old device.)

2. Sign out of iCloud and the App Store. Go to Settings and click your name/picture at the top to access your iCloud settings. Scroll down to the bottom and tap “Sign Out”. Follow the instructions to delete all your iCloud data from your iPhone.

3. Go to Settings ➤ General and scroll all the way down to the bottom. Select “Reset”. Then select “Erase All Content and Settings”. If you’ve signed up for Find My iPhone, you may have to enter your Apple ID and password to disable this feature. Follow any other prompts to enter passwords, PIN codes, and so on.

4. If you have a physical SIM card, remove it. There’s a little SIM removal tool that came with your iPhone, if you still have it. Otherwise, you may need to use a tiny paper clip or similar to open the tiny SIM slot on the side of your phone.

5. See this helpful Apple article for more info: https://support.apple.com/en-us/HT201351

Tip 11-18b. Android

Unfortunately, Android devices can be very different from one another in terms of settings. This is partially because of different versions of the OS, but it’s also because Android allows service providers a lot of leeway in customizing the device. If you have trouble with any of these steps, go into your local cell phone provider and ask for help.

1. Be sure to run a full backup of your phone or tablet before you do anything. Assuming you’re getting a new Android device, you should transfer that data to the new device before erasing your old one.

2. If you have a removable SIM card (the little card the cell phone service provider put in there to identify you), remove it.

3. If you have any removable storage (SD card), be sure to remove it.

4. Log out of any services and accounts you use: email, messaging, social media, cloud storage, music services, and so on. You may do this through Settings, or you may have to do it through each application.

5. If you haven’t encrypted your device, do that now. That way, even if you miss something here, no one else will be able to find it. This should be under the Security settings.

6. Perform a factory reset. Find the Backup and Reset area under Settings. There may be lots of options here—select the ones that make sense. Then find and click the “Reset device” or “Reset phone” button.

Tip 11-19. Enable Medical ID

Because everyone has a smartphone these days, first responders now know to check an unconscious person’s phone for emergency medical information—like the old medical ID bracelets. Here’s how to enter this information on your phone. Just realize that when you enable this, anyone will be able to get this information without unlocking your phone. That’s kinda the point, of course, but this isn’t somehow magically limited to first responders.

Tip 11-19a. iOS

Open Settings and then Health. There you'll find your Health Profile and Medical ID settings. Edit the information there with whatever you want to share. Note that for medications and allergies, if you have none, explicitly say “None”. Don’t just leave the information empty as this will be ambiguous. Then be sure to enable emergency access at the bottom of this screen.

Tip 11-19b. Android

Go to Settings and search for “Emergency information”. Where this is will depend on what phone you have. If you can’t find that, search for “My Info”. Edit the information there with whatever you want to share. Note that for medications and allergies, if you have none, explicitly say “None”. Don’t just leave the information empty as this will be ambiguous.

Tip 11-20. Use a USB Condom

This is going to sound ridiculous, but it’s a real thing—and it’s actually becoming more common. Public cell phone charging ports can be hacked, and hacked USB ports can in turn hack your phone. It’s called “juice jacking.” Public charging stations are becoming much more common these days—at airports, on airplanes, book stores, coffee shops, and restaurants. Even my grocery store has them. USB devices can contain small chunks of software and often our devices trust this software implicitly. And sometimes USB interfaces can be used to bypass security controls.

So what to do? Well, your best bet is to bring your own charger with you—either one that plugs into a wall socket (standard AC plug) or a portable battery charger. But there’s another option you may not have heard about: a USB “condom.” The idea for the USB condom is the same as for a regular condom: you can catch a virus if you’re not prudent about where you stick that thing.

USB cables have four wires in them: two for data and two for power. If you look inside a USB plug (like your cell phone charger cable), you’ll see them. You want to block the data lines but leave the power lines. For this purpose, you can buy a special data blocker adapter or cable—a USB “condom.” Just search Amazon or your favorite electronics online store for a “data blocker.” They’re not expensive. If you get the adapter version, then you just have to put this adapter between your regular phone charging cable and the public USB port. You know, like a condom.
