Mobile Hardening Guide

Ensure the safety and security of your mobile devices with guidelines tailored for Android and iOS.

Threat Model Context

Some advice may be overly cautious for everyday users. Wireless exploits are rare, and modern encryption protects most public WiFi. However, for high-threat environments (military, journalists, targeted individuals), these precautions are vital. Know your threat model.

---

Official Security Guidance

Authoritative recommendations from government agencies.

NSA Best Practices Essential one-page infographic.

CISA Mobile Guidance Latest 2025 best practices.

NIST SP 800-124 Enterprise management guidelines.

CIS Benchmarks Technical configuration details.

---

Critical Recommendations (2024-2025)

E2EE Messaging

CISA strongly recommends Signal for all communications.

Kill the SMS 2FA

Do NOT use SMS for MFA. SIM-swapping increased by 1,055% in some regions in 2024.

Personal VPNs

CISA advises against commercial VPNs for personal use as they often simply shift risk to the VPN provider.

Modern Hardware

Use the latest hardware; software updates alone cannot provide hardware-level security features.

---

Platform-Specific Hardening

iOS (Apple)

Critical iOS Settings

1. Enable Lockdown Mode: Settings → Privacy & Security → Lockdown Mode. (For high-risk targets).
2. Stolen Device Protection: Settings → Face ID & Passcode → Enable.
3. USB Accessories: Settings → Face ID & Passcode → Require Unlock.
4. Significant Locations: Disable in Privacy → Location Services → System Services.

App Management

• Only install from the Official App Store.
• Review Tracking Permissions regularly.

Android (Google)

Hardened Android OS

For maximum security, consider a hardened ROM:

• GrapheneOS: The gold standard for security (Pixel only).
• CalyxOS: Privacy-focused with broader support.

Stock Android Settings

1. Google Play Protect: Enable in Play Store → Profile.
2. Find My Device: Enable in Settings → Security.
3. Unknown Sources: Keep disabled in Security settings.
4. Developer Options: Keep disabled unless actively debugging.

F-Droid Store

Use F-Droid for privacy-respecting, open-source apps.

---

Universal Security Checklist

1. Strong PIN: Use 6+ digits (avoid birthdates/sequences).
2. Weekly Reboot: NSA recommends restarting at least once per week.
3. Auto-Lock: Set to 5 minutes or less.
4. SIM PIN: Prevent your SIM from being used in another device.
5. App Minimalist: Delete unused apps and minimize permissions.

---

Recommended Apps

Passwords

Bitwarden or KeePassDX.

Authentication

Aegis (Android) or 2FAS (iOS).

Messaging

Signal or Element.

Privacy

ProtonMail and DuckDuckGo Browser.

---

References

• NSA Mobile Best Practices
• CISA Mobile Guidance
• GrapheneOS FAQ
• Privacy Guides - Mobile