Mobile Hardening Guide
Comprehensive security guidance for mobile devices. For activists and rapid response volunteers, securing your phone is critical for protecting yourself and your community.
Official Security Guidance
| Source | Document | Description |
|---|---|---|
| NSA | Mobile Device Best Practices (PDF) | One-page infographic covering essential practices |
| CISA | Mobile Communications Best Practice Guidance | Latest guidance addressing telecom intrusions |
Critical Recommendations
Use End-to-End Encrypted Messaging
SimpleX Chat — HIGHLY RECOMMENDED
- No phone number or email required — Can be set up completely anonymously
- Works on wifi-only devices — Perfect for a child’s iPad or an old phone without service
- Multiple profiles — Different identities for different purposes
- No central servers — Decentralized, harder to surveil or shut down
- Available: iOS | Android | Desktop
Signal — Good option, CISA-recommended
- Cross-platform, encrypted voice/video calls, group chats, disappearing messages
- Requires phone number — Less anonymous than SimpleX
- Available: iOS | Android
For protest coordination: Use SimpleX over Signal when possible. Your phone number is a unique identifier that can be traced.
Avoid SMS for Multi-Factor Authentication
Do NOT use SMS for multi-factor authentication. SMS is vulnerable to SIM-swapping attacks.
Use instead:
- Hardware security keys (FIDO2/WebAuthn) — Best option
- FIDO passkeys
- Authenticator apps (Aegis, 2FAS)
Disable 2G Network Connectivity
How to disable 2G:
| Platform | Steps |
|---|---|
| Android 12+ | Settings → Network & Internet → SIMs → [Your SIM] → Allow 2G → Turn OFF |
| Samsung | Settings → Connections → Mobile Networks → Network Mode → Select LTE/5G only |
| Pixel | Settings → Network & Internet → SIMs → Allow 2G → Turn OFF |
| iPhone | iOS does not allow disabling 2G directly. Use Lockdown Mode (Settings → Privacy & Security → Lockdown Mode), which prevents 2G downgrade attacks. |
Why this matters: Stingrays force phones to connect via 2G by jamming stronger signals. With 2G disabled, your phone cannot be forced onto the weaker, interceptable network.
When In Doubt, Turn It Off
Before a protest or high-risk situation:
- Consider leaving your phone home or in your car
- If you must bring it, power it off before entering the area
- Only power on when you need to make a specific call or capture evidence
- Power off again immediately after
iPhone emergency lock: Press side button 5 times rapidly — This disables Face ID and requires passcode
Android lockdown: Most Android phones have a “Lockdown” option in the power menu that disables biometrics
Keep Hardware Current
Newer hardware often incorporates critical security features that older hardware cannot support. Software updates alone cannot provide maximum security benefits.
Comprehensive Security Checklist
Device Configuration
- Enable full device encryption
- Set strong PIN/password (6+ digits, not sequential or birthdates)
- Configure auto-lock (5 minutes or less)
- Enable “wipe after failed attempts” (10 attempts)
- Disable lock screen notifications for sensitive apps
- Disable biometrics for unlocking (PINs have more legal protection)
Software & Updates
- Enable automatic OS updates
- Enable automatic app updates
- Remove unused applications
- Review and minimize app permissions regularly
- Only install apps from official stores
Authentication & Accounts
- Use a password manager (Bitwarden, KeePassXC)
- Enable hardware-based MFA where possible
- Use authenticator apps instead of SMS for 2FA
- Set a SIM PIN to prevent unauthorized SIM changes
- Contact carrier to add account PIN for porting protection
Communication
- Use end-to-end encrypted messaging (SimpleX preferred, Signal acceptable)
- Disable SMS fallback in messaging apps
- Use encrypted email (ProtonMail)
- Set up SimpleX on children’s devices for family emergency communication
Privacy
- Disable Advertising ID / Reset it regularly
- Turn off personalized ads
- Disable always-on virtual assistants (Siri, Google Assistant)
- Review location permissions; use “While Using” instead of “Always”
- Disable location services for apps that don’t need it
iOS-Specific Hardening
Lockdown Mode (For High-Risk Users)
Apple Lockdown Mode is extreme protection for users who may be targeted by sophisticated cyberattacks (journalists, activists, targeted individuals).
When enabled:
- Blocks most message attachment types except images, video, audio
- Disables link previews in Messages
- Blocks incoming FaceTime calls from unknown contacts
- Requires device unlock to connect accessories
Enable: Settings → Privacy & Security → Lockdown Mode → Turn On
iOS Security Settings
| Setting | Location | Recommendation |
|---|---|---|
| Stolen Device Protection | Face ID & Passcode | Enable |
| USB Accessories | Face ID & Passcode | Require unlock |
| Significant Locations | Privacy → Location Services → System Services | Disable |
| iPhone Analytics | Privacy → Analytics | Disable all |
| Apple Advertising | Privacy → Apple Advertising | Disable |
Android-Specific Hardening
Stock Android Security
| Setting | Location | Recommendation |
|---|---|---|
| Google Play Protect | Play Store → Profile → Play Protect | Enable |
| Find My Device | Settings → Security | Enable |
| Unknown Sources | Settings → Security | Keep disabled |
| Developer Options | Settings → About → Build Number | Keep disabled |
| USB Debugging | Developer Options | Keep disabled |
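As an added example that is not part of this guide, the following POSIX shell script checks several items from the Device Configuration checklist (auto-lock, lock screen notifications) and the Stock Android Security table above (Developer Options, USB Debugging) against values read with Android's `settings` shell command. The settings keys are standard Android settings-provider keys; the 5-minute lock threshold, the sample values and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the guide): check Android settings from the checklist
# (Developer Options, USB Debugging, auto-lock, lock-screen notification content).
# Constructed sample in "namespace key value" form, as `adb shell settings get
# <namespace> <key>` reports them, for a hypothetical not-yet-hardened device.
SAMPLE="global development_settings_enabled 1
global adb_enabled 0
system screen_off_timeout 600000
secure lock_screen_lock_after_timeout 0
secure lock_screen_allow_private_notifications 1"
# audit_settings TEXT: prints one PASS/FAIL line per check and returns the
# number of failed checks (0 means every checked item matches the checklist).
audit_settings() {
  fails=0; screen_off=""; lock_after=""
  while read -r ns key val; do
    case "$key" in
      development_settings_enabled|adb_enabled|lock_screen_allow_private_notifications)
        # Checklist: Developer Options and USB Debugging stay off; the lock
        # screen must not reveal notification content. "1" means enabled.
        if [ "$val" = "1" ]; then
          echo "FAIL $ns/$key=$val (keep disabled)"; fails=$((fails + 1))
        else echo "PASS $ns/$key=$val"; fi ;;
      screen_off_timeout) screen_off=$val ;;
      lock_screen_lock_after_timeout) lock_after=$val ;;
    esac
  done <<EOF
$1
EOF
  # Time until the phone actually locks = screen-off timeout + lock delay
  # (both in ms). Checklist: auto-lock within 5 minutes, i.e. 300000 ms.
  case "$screen_off:$lock_after" in
    :*|*:|*[!0-9:]*) echo "FAIL auto-lock timers missing"; fails=$((fails + 1)) ;;
    *) total=$((screen_off + lock_after))
       if [ "$total" -le 300000 ]; then echo "PASS auto-lock after $total ms"
       else echo "FAIL auto-lock after $total ms (limit 300000)"; fails=$((fails + 1)); fi ;;
  esac
  return $fails
}
# Same five values from a real device over adb (not run here). USB Debugging
# has to be on for this, so enable it only for the audit and disable it after.
collect_live_settings() {
  for pair in global:development_settings_enabled global:adb_enabled \
      system:screen_off_timeout secure:lock_screen_lock_after_timeout \
      secure:lock_screen_allow_private_notifications; do
    ns=${pair%%:*}; key=${pair#*:}
    printf '%s %s %s\n' "$ns" "$key" "$(adb shell settings get "$ns" "$key" | tr -d '\r')"
  done
}
audit_settings "$SAMPLE" || echo "$? check(s) failed"
```

Unknown Sources is a per-app permission on current Android and is not covered by this script; check it in the settings UI as the table describes.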
Privacy-Focused Android Operating Systems
For maximum privacy, consider replacing stock Android:
| OS | Focus | Best For |
|---|---|---|
| GrapheneOS | Maximum security | Security-focused users (Pixel only) |
| CalyxOS | Privacy + usability | Transition from stock Android |
F-Droid: Alternative App Store
F-Droid is an open-source app repository:
Recommended Apps:
- Aegis - 2FA authenticator
- KeePassDX - Password manager
- Element - Matrix messenger
- TrackerControl - Monitor app tracking
SIM Security & Swapping Prevention
SIM swapping attacks have increased dramatically. Protect yourself:
Protection Measures
- Set a SIM PIN
  - iOS: Settings → Cellular → SIM PIN
  - Android: Settings → Security → SIM card lock
- Add Carrier Account Security
  - Contact your carrier to add a unique passcode
  - Request a “port freeze” or “number lock”
- Never Use SMS for High-Value 2FA
  - Banking and email should use authenticator apps or hardware keys
- Monitor for Warning Signs
  - Sudden loss of cellular service
  - Unexpected “SIM changed” notifications
  - Unable to make/receive calls or texts
Recommended Apps
Password Management
| App | Platforms | Notes |
|---|---|---|
| Bitwarden | All | Open-source, self-hostable |
| KeePassXC | Cross-platform | Offline, open-source |
Two-Factor Authentication
| App | Platforms | Notes |
|---|---|---|
| YubiKey | Hardware | Best security |
| Aegis | Android | Open-source |
| 2FAS | iOS, Android | Open-source |
Avoid:
- SMS-based 2FA
- Google Authenticator (sync not E2EE)
- Authy (requires phone number)
Secure Communication
| App | Purpose | Phone # Required? |
|---|---|---|
| SimpleX | Most private messaging — PREFERRED | No |
| Signal | Encrypted messaging (CISA-recommended) | Yes |
| Element | Matrix client, decentralized | No (email optional) |
| ProtonMail | Encrypted email | No |
For children and devices without cell service: SimpleX works on wifi-only devices like iPads and old phones, making it ideal for family communication plans where children need a secure way to contact parents.
For Rapid Response Work
Before Going to a Response
- Phone fully charged
- Backup battery available
- Clear storage for video recording
- Lock screen set to PIN (not biometrics)
- Know how to quickly lock your phone (power button 5x on iPhone)
- Sensitive apps behind additional authentication
- 2G disabled to prevent Stingray surveillance
- SimpleX installed for anonymous coordination
- Know how to power off quickly if needed
During a Response
- Keep phone powered off unless actively needed
- Power on only to record or communicate
- Power off immediately after
- If you feel unsafe, turn it off — This forces passcode on restart
If Your Phone May Be Seized
- Turn it OFF immediately — This requires passcode to access
- Do NOT unlock it
- Say “I do not consent to a search”
- Your PIN is legally protected (biometrics may not be)
- A powered-off phone is significantly harder to extract data from
- Consider giving phone to trusted person before potential arrest