Protecting your data from hackers and nation-state threats


Our smartphones have become essential devices. We can’t leave them more than 10 feet away without going into some catatonic state. Tech companies know this. Advertisers, hackers, and sinister and oppressive governments know this, too. The risks range from our personal data being gathered and sold to data brokers to, in extreme cases, governments and spyware companies snooping on your phone.

After the news of major U.S. telecommunication companies allegedly being hit by the Chinese Communist Party, the federal agency known as CISA released guidance in December 2024 to help American citizens and companies protect their data on their mobile devices.

I talked about this in recent videos on Instagram and TikTok just before the end of 2024, but wanted to bring attention to the threat, foreign and domestic. And I wanted to add this info into the blogosphere.

I will review some of the highlights of that release. You can also check out my TikTok and Instagram accounts, and find the videos.

  1. Encrypt your messages. Encryption keeps your typed conversations or imagery from being intercepted while in transit AND at rest.
    • Apple’s iMessage protocol allows for end-to-end encryption to prevent eavesdropping on your messaging, but not at rest by default. You will have to turn on something called Enhanced Data Protection for iCloud. This makes sure that messages, as well as most content, are encrypted when they are not in transit. Click here to see how to turn it on. Data on the mobile device (e.g., iOS, iPadOS) is encrypted at rest by default, and can be encrypted by enabling FileVault on macOS.
    • Android uses the RCS protocol, which does handle end-to-end encryption of messaging while using Google Messaging, according to Google. You can also enable encryption at rest, using either full-disk or file-based encryption.
    • It’s also worth noting that SMS (normal text messaging) is not encrypted. These messages can be intercepted.
  2. Use MFA – FIDO is better
    • I’m not talking about a dog, but the standard. It’s stronger and more secure than text-messaging-based MFA.
      • SIM-swapping has become a common method for cyber criminals to get your text MFA codes, especially for those who have cryptocurrency.
    • FIDO is phishing resistant. “Passwords, SMS and other One-Time Passwords (OTP), security questions and even push notifications, contrary to popular belief, are not considered phishing resistant mechanisms as they are all susceptible,” according to Yubico.
    • If possible, and if a service offers it, use something like a hardware key or passkey instead of the aforementioned methods. Maybe use the others for less valuable accounts.
  3. Use a password manager
    • Instead of solely writing down your passwords and placing them where someone can snoop in your desk and grab them, use a trusted password manager. Examples include Apple’s Passwords app, 1Password, and Bitwarden. Many of these, except for Apple if you are on a Windows or Linux device, have browser plugins to make it easy to retrieve your passwords when you log in. Just be sure you have a strong password and strong MFA. If those login methods are weak, threat actors would have EVERYTHING.
  4. Set a PIN with your cellular provider
    • To greatly lower the risk of your phone being SIM-swapped, set a PIN that your wireless provider asks for when you make changes to your account.
    • It’s also good to make sure you have a strong password and MFA set up on your account.
  5. Update your phone!
    • I know those update notifications are annoying, but they are designed not only to give you the latest features and bug fixes; they also plug the security holes in your device.
    • If you can’t update your phone to the latest OS and get security updates, it’s highly recommended to upgrade your device.
      • Your wireless carrier – especially the Big Three – may have upgrade deals where you can get a new smartphone for as low as $0 for as long as you maintain cellular service on the device for a period of time. Check with your carrier for details.
  6. VPNs – Maybe not the best…
    • You may have seen the ads for free or next-to-nothing Virtual Private Network (VPN) services claiming to encrypt your data and protect you from hackers or snooping governments.
    • There is a saying that goes something like this: “If something is free, you are the product.” In other words, there is a chance that these VPN services can use your data in not-so-ethical ways. They could sell your information to a third-party data broker, which will throw out the whole privacy thing.
    • Do your research. Check the background of the VPN company and read their privacy policies.
    • CISA notes that VPNs from your employer are different.
      • If, for example, you work remotely, you’ll likely need to use a VPN to access company resources. This is fine to use.
      • Just remember that your employer could see your website visits when you are using their VPN.
  7. DNS
    • What is DNS?
      • Think of the Domain Name System (DNS) as a phone book (here’s what one looks like for the younger crowd).
      • Odds are good that you are not going to know the IP address for a website. Hell, I don’t.
      • That’s where DNS comes in. It finds the IP address for any website (e.g. google.com, Facebook.com, wikipedia.com, etc.)
      • Once it finds the IP address to the website from the “phone book,” it takes you to the website and stores that information.
    • But DNS can be “poisoned.”
      • Imagine if someone graffitied the phone book. Instead of the book giving you the number to a very important hotline, it shows another number for a different…hotline. Like…something spicy.
      • That can happen to DNS, too. Instead of taking you to google.com, a poisoned DNS can take you to a malicious website.
    • You can set DNS on your phone and routers.
      • Depending on your phone and internet router, you can change those settings. Well, that’s if you are comfortable and tech savvy enough to make those changes.
        • Check your phone’s and router’s documentation for details.
      • This is so that DNS is pointing to a trusted DNS server or servers.
      • Encrypted DNS servers are better. Examples include:
        • Cloudflare: 1.1.1.1
        • Google: 8.8.8.8
        • Quad9: 9.9.9.9
  8. Review and modify app permissions
    • We really don’t think about the apps we download sometimes. Some apps want your data to make money off of the service they are providing.
      • Sometimes, there are malicious apps that sneak their way through the App Store review processes.
    • Think about these:
      • Does this app really need to know my location all of the time?
        • Need my camera and microphone?
        • Need my health data?
        • Need access to my wifi network info?
    • Look through each app’s permissions in your OS and ensure they are what the app needs to function.
    • Review the app’s privacy policy if you need to.
    • Some of these apps sell information such as location and health data to third-party providers where anyone with some cash can use that for either advertising or something more sinister.

I’m sure there are more, but those are the big ones. Be safe out there!
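
For item 7 (DNS), here is an added example that is not part of the original post and goes a step beyond it: the checks a device can make on a plain, unencrypted DNS reply before trusting the address inside it. The function names, the transaction ID 0x1A2B, and the documentation-range addresses are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name):
    """A-record query: 12-byte header (RD set, one question) + name, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip):
    """Constructed sample reply carrying one A record (TTL 300) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(part) for part in ip.split("."))
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata

def skip_name(msg, pos):
    """Return the offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def read_answers(query, response):
    """Check the reply against the query, then return its IPv4 addresses.
    Raises ValueError if the reply does not belong to this query."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:                      # QR bit must mark it as a response
        raise ValueError("not a response")
    question = query[12:]
    if qdcount != 1 or response[12:12 + len(question)] != question:
        raise ValueError("question mismatch")
    pos, ips = 12 + len(question), []
    for _ in range(ancount):
        pos = skip_name(response, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:           # A record: four address bytes
            ips.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return ips

QUERY = build_query(0x1A2B, "example.com")      # constructed sample query
print(read_answers(QUERY, build_response(0x1A2B, "example.com", "192.0.2.10")))
```

These checks only confirm that a reply matches the question asked. Nothing in plain DNS proves who sent it, which is why pointing your device at a trusted, encrypted resolver matters.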