National Security Agency | Mobile Device Best Practices
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Airplane mode Bluetooth® Cellular service signal �ocation Near-field communication (NFC) �ecent applications soft key Wi-Fi
PASSWORDS ! Avoid Disable Do Do Not Use strong lock-screen pins/passwords: a 6-digit BLUETOOTH®1 PIN is sufficient if the device wipes itself after Disable Bluetooth® when 10 incorrect password you are not using it. Airplane attempts. Set the device mode does not always to lock automatically ® disable Bluetooth . after 5 minutes. LOCATION 9:31 ! WI-FI Disable location services when ! TEXT MESSAGES not needed. DO NOT bring the DO NOT connect to public ! APPLICATIONS John Doe device with you to sensitive DO NOT have sensitive conversations Agree, but we should consider the Wi-Fi networks. Disable foreign policy implications...� locations. 31 on personal devices, even if you think Wi-Fi when unneeded. Delete Install a minimal number of the content is generic. unused Wi-Fi networks. applications and only ones Hey, �ohn� Check out the from official application foreign policy implications... POWER https://foreignp0licy.net/ stores. Be cautious of the whitepapers/tradistan- Power the device off and on weekly. ! CONTROL energy-forecast.pdf � personal data entered ATTACHMENTS/LINKS into applications. Close Maintain physical control of DO NOT open unknown email the device. Avoid connecting to applications when not using. attachments and links. Even MODIFY unknown removable media. legitimate senders can pass on SOFTWARE UPDATES malicious content accidently DO NOT jailbreak or root the device. CASE or as a result of being INSTALL NEW APP? Consider using a protective Update the device software compromised or impersonated YES X NO case that drowns the and applications as soon as by a malicious actor. ! POP-UPS microphone to block room possible. audio (hot-miking attack). Unexpected pop-ups like this are usually malicious. If one appears, Cover the camera when not using. ! TRUSTED ACCESSORIES forcibly close all applications BIOMETRICS (i.e., iPhone®2: double tap the Only use original charging cords or Home button* or Android®3: CONVERSATIONS Consider using Biometrics charging accessories purchased click “recent apps” soft key). (e.g., fingerprint, face) from a trusted manufacturer. DO NOT DO NOT have sensitive authentication for use public USB charging stations. conversations in the convenience to protect data Never connect personal devices to vicinity of mobile devices of minimal sensitivity. government computers, whether via not configured to handle physical connection, Wi-Fi, secure voice. or Bluetooth®. *For iPhone X®2 or later, see: support.apple.com/en-us/HT201330 The information contained in this document was developed in the course of NSA’s Cybersecurity mission, including its responsibilities to assist Executive departments and agencies with operations security programs. 1Bluetooth® is a registered trademark of Bluetooth SIG, Inc. 2iPhone® and iPhone® applications are a registered trademark of Apple, Inc. U/OO/155488-20 | PP-20-0622| Oct 2020 rev 1.1 3Android® is a registered trademark of Google LLC. National Security Agency | Mobile Device Best Practices
WHAT CAN I DO TO PREVENT/MITIGATE?
Use Avoid Carrying Only Install Turn Off Do Not Turn Use Lock Maintain Update Encrypted Do Not Click Device/No Use Turn Off Apps from Cellular, Connect Device Mic-Drowning Device Physical Software Voice/ Links or Open Sensitive Trusted Location Official WiFi, to Public Off & On Case, Cover with Control of & Apps Text/Data Attachments Conversations Accessories Services Stores Bluetooth Networks Weekly Camera PIN Device Apps Around Device
Spearphishing (To install Malware)
Malicious Apps
Zero-Click Exploits
Malicious Wi-Fi Network/Close Access Network Attack
Foreign Lawful Intercept/ Untrusted Cellular Network
Room Audio/ Video Collection
THREAT/VULNERABILITY Call/Text/Data Collection Over Network
Geolocation of Device
Close Access Physical Attacks
Supply Chain Attacks
Does not prevent Sometimes prevents Almost always prevents (no icon)
Disclaimer of Endorsement NSA Cybersecurity The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference Client Requirements/General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410.854.4200, [email protected]. herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not Media Inquires: Press Desk: 443.634.0721, [email protected]. constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.