Not many mobile device users remember the days of rotary phones and other POTS (plain old telephone system) technology. The days when 5-meter telephone cords enabled users to talk on the phone and move about the kitchen at the same time, when a cordless telephone revolutionized the ability of millions of teens to misplace the phone in a pile of laundry, and when answering machines publicly played even the most private of phone messages are long since gone. The rotary and cordless phones have been replaced by cullular technology and password protected voicemail ensures with some confidence that only intended recipients can receive the messages that have been designated for them but many still view a cellular or mobile device as a phone. This simply could not be further from the truth. At this point a deeply technical discussion can be undertaken to discuss analog versus digital technologies or the hardware evolution iterations that have transpired to result in ARM technology; however, we will look at this distinction from a more general view.
Your cellular device is a computer, not a phone. This is made clear by understanding it has all the key features of any computer such as a CPU, an operating system, network interfaces, end-user applications, and so forth. The importance of understanding a mobile device is a cellular-enabled computer and not a phone cannot be understated. The reason for this importance is one of fundamental understanding and respect. A person must understand that any ‘phone calls’ placed using a mobile device are not phone calls at all, they are voice-enabled digital applications that may have all the same vulnerabilities any other apps may experience. As such, any voice data recorded at layer 7 of the network stack (application layer) can potentially be attacked, intercepted, or modified at the same layer or any lower layer by any of the hardware or software present on the same device.
In a similar fashion, the cellular device itself can be attacked much like any other computer with the exception of the added attack surface of the cellular interface. As with any computer, cellular devices must be protected using security features that are designed to protect the sensitive data they hold. An introductory list of my recommendations for protecting cellular devices is as follows:
• Ensure device-level encryption is enabled
• Use a SIM card password
• Use a complex alpha-numeric passphrase of at least 22 characters
• Use anti-spyware, anti-virus, and anti-malware software where available (using reputable vendor software)
•Configure the device to reset to factory condition of the password is entered incorrectly 10 consecutive times.
• Enable a firewall and/or URL filter that blocks-by-default and permits-by-exception. (On apple devices this can be achieved by using an app such as “Lockdown” thenanually blocking all active TLDs.).
• Disable all app permissions that are not absolutely for every app
• Keep all apps and the Operating System updated by installing updates and patches automatically and manually checking for updates weekly to verify updates are being installed.
• Disable cellular connectivity for every app that is not being actively used
• Only install apps that are created and published by known, reputable sources.
• Always try to select open-source software over proprietary software.
• Enable application passwords for every app on your devoce
• Do not use (and totally disable) facial recognition, fingerprint, or other biometric authentication
• Remove or disable all service provider and OS provoded applications and replace them with applications from other trusted vendors where this is possible.
• Disable GPS, Camera, and Microphone access for all software (or at the operating system level) unless it is being actively used.
• Do not use GPS-enabled phone-finding software
• Do not permit apps to retrieve and publish your location data
• Disable background activity permissions for all software that does not require it for functionality
• Use a VPN from a trusted country
• Delete any social media, streaming media, e-commerce, music, or retail apps (some are ok bust most steal a lot of privacy data
• Remove cellular capability from operating system core functionalities
• Use camera covers on the front and back cameras of the device
This list may seem comprehensive but there are some more advanced things that can be performed. Some of them canbbe discovered by exploring the settings while others require jailbreaking or rooting devices (very risky) and replacing the entire operating system with something else. Not all of these recommendations will be appropriate for every user or every situation but I hope some of the recommendations are found to be useful.