How to lock down the device you carry everywhere.
Why Mobile Security Matters
Your phone almost certainly holds more sensitive information than any laptop or desktop you own:
| Data on Your Phone | Risk if Accessed |
|---|---|
| Email | Access to password resets |
| Banking apps | Financial theft |
| Authenticator apps | Bypass 2FA on all accounts |
| Photos | Privacy invasion, blackmail |
| Messages | Private conversations exposed |
| Location history | Stalking, burglary timing |
| Contacts | Social engineering material |
| Health data | Insurance discrimination |
Lock Screen Security
The lock screen is the only thing standing between a stolen phone and everything inside it.
Lock Methods Comparison
| Method | Security | Convenience | Recommended |
|---|---|---|---|
| No lock | None | Maximum | Never |
| Swipe | None | Maximum | Never |
| Pattern | Low | High | No |
| 4-digit PIN | Low | High | Minimum |
| 6-digit PIN | Moderate | Moderate | Good |
| Password | High | Lower | Best for sensitive needs |
| Fingerprint + PIN | High | High | Recommended |
| Face + PIN | High | Highest | Recommended |
Lock Screen Best Practices
| Setting | Recommendation |
|---|---|
| Auto-lock timeout | 30 seconds to 1 minute |
| Lock after failed attempts | Enable after 5-10 failures |
| Wipe after failures | Consider for very sensitive data |
| Lock screen notifications | Hide sensitive content |
| Emergency info | Add emergency contact |
Biometric Considerations
| Biometric Type | Strengths | Concerns |
|---|---|---|
| Fingerprint | Convenient, hard to spoof | Can be compelled by authorities |
| Face ID (advanced) | Very convenient, secure | Same legal concerns |
| Face unlock (basic) | Convenient | Can be fooled by photos |
| Iris scan | Very secure | Limited device support |
A note on legal compulsion: in several US jurisdictions, courts have ruled you can be compelled to provide a fingerprint or face but not a password. The law is unsettled and varies. Worth knowing before you cross a border.
iOS Security
iOS has a tighter security model than most desktop operating systems. The trade-off is less flexibility.
iOS Security Advantages
| Feature | What It Does |
|---|---|
| App sandboxing | Apps can't access each other's data |
| App Store review | Apps checked before publication |
| Secure enclave | Hardware protection for sensitive data |
| Regular updates | Long support window |
| Restricted sideloading | Apps must come from App Store |
Essential iOS Security Settings
| Setting | Location | Recommendation |
|---|---|---|
| Passcode | Settings > Face ID/Touch ID | 6-digit or alphanumeric |
| Auto-lock | Settings > Display & Brightness | 30 seconds to 1 minute |
| Find My iPhone | Settings > [Your Name] > Find My | Enable |
| Erase after attempts | Settings > Face ID/Touch ID | Enable (10 attempts) |
| Lock screen preview | Settings > Notifications | Show When Unlocked |
| USB Accessories | Settings > Face ID/Touch ID | Off (requires unlock) |
iOS Privacy Settings
| Setting | Location | Recommendation |
|---|---|---|
| Location Services | Settings > Privacy | App-by-app basis |
| Tracking | Settings > Privacy > Tracking | Allow Apps to Request: Off |
| App Privacy Report | Settings > Privacy | Review regularly |
| Significant Locations | Settings > Privacy > Location | Disable or clear |
| Analytics | Settings > Privacy > Analytics | Disable sharing |
Android Security
Android trades some default tightness for flexibility (sideloading, multiple stores). The security model still works well if you stay inside Google Play and keep updates current.
Android Security Considerations
| Feature | What It Does |
|---|---|
| Google Play Protect | Scans apps for malware |
| Monthly security patches | Fix vulnerabilities |
| App permissions | Granular control |
| Work profile | Separate work and personal |
| Sideloading possible | More flexibility but risk |
Essential Android Security Settings
| Setting | Location | Recommendation |
|---|---|---|
| Screen lock | Settings > Security > Screen lock | PIN, password, or pattern + biometric |
| Auto-lock | Settings > Security | 30 seconds to 1 minute |
| Find My Device | Settings > Security > Find My Device | Enable |
| Google Play Protect | Play Store > Profile > Play Protect | Keep enabled |
| Install unknown apps | Settings > Apps > Special access | Disable for all |
| Lockdown mode | Power menu | Know how to use it |
Android Privacy Settings
| Setting | Location | Recommendation |
|---|---|---|
| App permissions | Settings > Privacy > Permission manager | Review and restrict |
| Ads | Settings > Privacy > Ads | Reset ID regularly |
| Location | Settings > Location | App-by-app basis |
| Usage and diagnostics | Settings > Privacy | Consider disabling |
| Autofill service | Settings > Privacy | Use trusted manager |
App Security
App Installation Safety
| Do | Don't |
|---|---|
| Use official app stores | Install from random websites |
| Check developer name | Install knockoff apps |
| Read recent reviews | Ignore warning signs |
| Check permissions requested | Grant all permissions |
| Keep apps updated | Use outdated apps |
App Permission Best Practices
| Permission | When to Grant |
|---|---|
| Camera | Photo apps, video calling, QR scanning |
| Microphone | Voice calls, voice recording apps |
| Location | Maps, weather (when using) |
| Contacts | Communication apps you trust |
| Phone | Only if calling features needed |
| Storage | File managers, photo apps |
| Background location | Almost never |
Evaluating App Safety
| Check | Red Flag |
|---|---|
| Developer name | Unknown or misspelled |
| Review count | Very few reviews |
| Recent reviews | Reports of malware or scams |
| Permissions | Excessive for app function |
| Update frequency | Not updated in years |
| Download count | Very low for established app |
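The install-source and permission checks above can also be run from a computer against an Android phone with USB debugging enabled. This is an added example, not part of the original guide: it parses the output of `adb shell pm list packages -i -3` and `adb shell dumpsys package <name>`, and the package names and sample output are constructed.

```python
import re

# Installer treated as the official store (assumption for this example: Google Play only).
OFFICIAL = {"com.android.vending"}

# Permissions the guide says to grant sparingly ("Background location: almost never").
WATCHLIST = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
}

def sideloaded(pm_output):
    """Return (package, installer) pairs whose recorded installer is not Google Play."""
    flagged = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m and m.group(2) not in OFFICIAL:
            flagged.append((m.group(1), m.group(2)))
    return flagged

def granted_watchlist(dumpsys_output):
    """Return names of watch-listed permissions that are marked granted=true."""
    granted = re.findall(r"^\s*(android\.permission\.\w+): granted=true",
                         dumpsys_output, re.M)
    return sorted(WATCHLIST[p] for p in set(granted) if p in WATCHLIST)

# Constructed sample output (not captured from a real device).
SAMPLE_PM = """\
package:com.example.weather  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.bankhelper  installer=com.google.android.packageinstaller
"""
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, src in sideloaded(SAMPLE_PM):
        print(f"not from Play Store: {pkg} (installer={src})")
    print("flashlight holds:", ", ".join(granted_watchlist(SAMPLE_DUMPSYS)))
```

A flashlight app holding background location is the "excessive for app function" red flag from the table above. Turn USB debugging back off when the audit is done.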
Mobile Malware
Types of Mobile Malware
| Type | What It Does |
|---|---|
| Spyware | Monitors your activity |
| Banking trojans | Steals financial credentials |
| Ransomware | Locks device, demands payment |
| Adware | Displays intrusive ads |
| SMS fraud | Sends premium SMS messages |
| Cryptominers | Uses phone for cryptocurrency |
Signs of Mobile Infection
| Symptom | Possible Cause |
|---|---|
| Rapid battery drain | Malware running constantly |
| Excessive data usage | Data being exfiltrated |
| Pop-up ads outside apps | Adware infection |
| Unknown apps appearing | Malware installing more malware |
| Phone overheating | Cryptominer running |
| Strange text messages | SMS malware |
| Slow performance | Malicious background activity |
Mobile Malware Protection
| Action | Benefit |
|---|---|
| Keep OS updated | Patches vulnerabilities |
| Only use official app stores | Vetted apps |
| Check app permissions | Limit access |
| Don't jailbreak/root | Maintains security model |
| Use built-in security features | Play Protect, iOS security |
| Be cautious with links | Mobile phishing is common |
Lost or Stolen Device
Before It Happens
| Preparation | Purpose |
|---|---|
| Enable device tracking | Locate if lost |
| Enable remote wipe | Protect data if stolen |
| Record serial/IMEI | For police reports |
| Enable encryption | Protect data at rest |
| Use strong lock | Prevent unauthorized access |
| Set up backup | Recover data on new device |
If Device Is Lost
| Step | Action |
|---|---|
| 1 | Try to locate with Find My iPhone/Device |
| 2 | Play sound if nearby |
| 3 | Enable lost mode (shows contact info) |
| 4 | If definitely stolen, remote wipe |
| 5 | Report to carrier to disable SIM |
| 6 | Change passwords for sensitive accounts |
| 7 | File police report if stolen |
| 8 | Remove device from trusted devices |
Finding Your Device
| Platform | Service |
|---|---|
| iPhone | icloud.com/find or Find My app |
| Android | google.com/android/find or Find My Device app |
| Samsung | findmymobile.samsung.com |
SIM Security
SIM Swap Attacks
A SIM swap is social engineering against your carrier. The attacker convinces the carrier to move your number to their SIM, then receives every SMS code that follows:
| Attack Step | What Happens |
|---|---|
| Information gathering | Attacker collects your personal info |
| Contact carrier | Pretends to be you |
| Transfer number | Your SIM stops working |
| Receive 2FA codes | Attacker gets your SMS |
| Account takeover | Access accounts using SMS 2FA |
Protecting Against SIM Swap
| Action | How It Helps |
|---|---|
| Add carrier PIN | Required to make changes |
| Ask about port freeze | Prevent number transfers |
| Use authenticator apps | Don't rely on SMS 2FA |
| Minimize public personal info | Less for attacker to use |
| Act quickly if SIM fails | Sign of attack in progress |
Carrier Security Features
| Carrier | Security Options |
|---|---|
| Most carriers | Account PIN required for changes |
| T-Mobile | SIM Protection feature |
| AT&T | Extra security passcode |
| Verizon | Number Lock feature |
Mobile Payment Security
Digital Wallet Security
| Wallet | Security Features |
|---|---|
| Apple Pay | Tokenization, Face/Touch ID required |
| Google Pay | Tokenization, screen lock required |
| Samsung Pay | Tokenization, fingerprint required |
Mobile Payment Best Practices
| Do | Don't |
|---|---|
| Enable biometric authentication | Store card photos in gallery |
| Keep phone OS updated | Use on jailbroken/rooted devices |
| Only add trusted cards | Share phone with others |
| Lock phone when paying | Leave phone unlocked |
| Review transaction notifications | Ignore suspicious charges |
Mobile Backup
Backup Importance
| Reason | Benefit |
|---|---|
| Device loss | Restore data on new device |
| Device failure | Don't lose photos and data |
| Ransomware | Recover without paying |
| Upgrade | Smooth transition |
Backup Options
| Platform | Built-in | Frequency |
|---|---|---|
| iOS | iCloud Backup | Automatic daily |
| Android | Google Backup | Automatic |
| Both | Computer backup | Manual, periodic |
| Both | Third-party cloud | Varies |
What Gets Backed Up
| Typically Included | Often Not Included |
|---|---|
| App data | Some app-specific data |
| Photos (if enabled) | Downloaded files |
| Settings | Apps themselves (redownloaded) |
| Messages | Some authentication tokens |
| Contacts | WhatsApp (needs separate backup) |
Traveling with Mobile Devices
Before Travel
| Task | Purpose |
|---|---|
| Back up device | Protect data before trip |
| Enable Find My | Locate if lost |
| Update everything | Latest security patches |
| Consider travel mode | Lock down sensitive apps |
| Note emergency contacts | Accessible even if phone lost |
At Borders
| Risk | Consideration |
|---|---|
| Device search | Authorities may request access |
| Data seizure | Contents may be copied |
| Forced biometric unlock | May be compelled |
| Encrypted data | May be held until unlocked |
Options for high-risk travel:
| Option | Trade-off |
|---|---|
| Travel with clean device | Inconvenient but safe |
| Remove sensitive apps | Balance of access and risk |
| Use strong password only | Can't be compelled like biometrics |
| Cloud storage (not on device) | Access after passing border |
Using Phones Abroad
| Issue | Solution |
|---|---|
| Public WiFi risks | Use VPN or cellular data |
| Charging stations | Use own charger or data blocker |
| Lost phone in foreign country | Have backup contact method |
| Local SIM | Secure your regular SIM |
Key Takeaways
- Lock your phone properly. 6-digit PIN minimum, paired with biometrics.
- Enable Find My. It's the difference between lost and gone.
- Take updates the day they ship. Phone OS updates are mostly security fixes.
- Stay in the official app store. Sideloading is where the malware lives.
- Audit permissions. Apps ask for more than they need.
- Defend against SIM swap. Carrier PIN, port freeze, no SMS 2FA on critical accounts.
- Back up automatically. iCloud or Google Backup, daily.
- Plan for loss before it happens. Remote wipe is only useful if you set it up first.
- Mobile payments are safe. Tokenization protects the real card number.
- Borders are special. Travel mode or a clean device for high-risk crossings.
Next Steps
Continue to 08-privacy.md for the other half of mobile life: limiting how much of you ends up in someone else's database.