Editor's note: This is Motherboard's comprehensive guide to digital security, which will be regularly updated and replaces some of our old guides. It is also available as a printable PDF. It was last updated on November 14, 2017.
MOBILE THREAT MODELING
Most people use passcodes, passwords, or patterns to “lock” their phones. If you don’t do this, you absolutely should! (Patterns are far easier to guess or “shoulder surf” than PINs or passcodes, however, according to a recent study.) One of the biggest mobile threats is someone who has physical access to your phone and can unlock it. This means your security is only as good as your passcode: If at all possible, avoid giving out your code or password, and avoid using easily guessed passcodes such as your birthday or address. Even simple passcodes and passwords are great to stop pickpockets or street thieves, but not so great if what you’re worried about is an abusive partner who knows your PIN, for example.
With that in mind, here are a few basic things you can do to prevent other common threats to your cellphone.
GET AN iPHONE
Pretty much everyone in the world of cybersecurity—except perhaps the engineers working on Android—believes that the iPhone is the most secure cellphone you can get. There are a few reasons why, but the main one is that iOS, Apple’s mobile operating system, is extremely locked down. Apps go through extensive checks before getting on the App Store, and there are extensive security measures in place, such as the fact that only code approved and digitally signed by Apple can run (a measure known as code-signing) and the fact that apps are limited from reaching into other apps (sandboxing). These features make it really hard for hackers to attack the most sensitive parts of the operating system. Because Apple controls the iOS infrastructure, iPhones get immediate, regular security updates and patches from Apple; critical security updates for many Android devices can take weeks or months to be pushed to users. Even the iPhone 5s, which was launched in 2013, is still supported.
So if you are paranoid, the iPhone is the most secure cellphone out of the box. But unless you have a really good reason for it, do NOT jailbreak it. While the jailbreaking movement and the hackers behind it have contributed to making the iPhone more secure, jailbreaking an iPhone at this point doesn’t really provide you any feature that’s worth the increased risks. In the past, hackers have been able to target only jailbroken iPhones at scale.
Nothing is unhackable though. We know some governments are armed with million-dollar hacking tools to hack iPhones, and perhaps some sophisticated criminals might have those too. Still, get an iPhone, install the updates, and don’t jailbreak it and you’ll probably be fine.
BUT I LOVE ANDROID! FINE...
Android has become the most popular operating system in the world thanks to its decentralized, open-source nature and the fact that many handsets are available at prices much lower than iPhones. In some ways, this open-source nature was Android’s original sin: Google traded control, and thus security, for market share. As a result, critical security updates depend on carriers and device manufacturers, who have historically been lackadaisical about pushing them out.
The good news is that in the last two years this has improved a lot. Google has been pushing partners to give users monthly updates, and Google’s own flagship devices have almost the same kind of regular support that Apple provides to iPhones, as well as some of the same security features.
So your best bet is to stick to Pixels or Nexus phones, whose security doesn’t depend on anyone but Google. If you really don’t want a Google phone, these cellphones have a good track record of pushing security updates, according to Google itself.
Whatever Android phone you own, be careful what apps you install. Hackers have traditionally been very successful at sneaking malicious apps onto the Play Store, so think twice before installing a little-known app, or double check that the app you’re installing really is the one you want. Earlier this fall, a fake version of WhatsApp was installed by more than a million Android users. Also, stick to the Play Store and avoid downloading and installing apps from third-party stores, which may very well be malicious. On most Android phones, installing third-party apps is not enabled by default; leave it that way.
To protect the data on your Android phone, make sure full disk encryption is enabled. Open your Settings app, go to “Security” and click on “Encrypt Phone” if it’s not enabled already. (If this doesn’t work on your device, Google for instructions on your specific handset.)
Finally, while not mandatory, it might be a good idea to install a mobile antivirus such as Lookout or Zips. While these can be effective against criminals’ malware, they probably won’t stop government hackers.
LOCK UP THAT SIM CARD
Recently we revealed that hackers had been exploiting a nasty bug on a T-Mobile website to pull the personal data of customers. The goal was to gather data that they could then use to impersonate the victims and socially engineer T-Mobile support technicians into issuing new SIM cards. These kinds of attacks, known as “SIM swapping” or “SIM hijacking,” allow hackers to take over your cellphone number, and in turn anything that’s connected to it. SIM hijacking is what makes two-factor authentication via SMS so dangerous.
Your phone number is likely the gateway to multiple other, perhaps more sensitive, parts of your digital life: your email, your bank account, your iCloud backups.
As a consumer, you can’t control the bugs that your carrier leaves open for hackers. But you can make it a bit harder for hackers to impersonate you to gullible tech support employees. The solution is easy, although not that many people know about it: a secondary password or passcode that you need to provide when you call your cellphone provider. Most US carriers now offer this option.
Call your provider and ask them to set this up for you. Motherboard confirmed that Sprint, T-Mobile, Verizon and U.S. Cellular all give customers this option. Verizon and U.S. Cellular have made this mandatory, according to their spokespeople. Of course, make sure you remember this phone password, or better yet, write it down in your password manager.