Think about everything that lives on your phone: personal messages and emails, photos of your friends and family, social media posts, phone numbers, maybe work emails or dating apps. And then there’s your search history and bookmarks, location history, passwords, calendar, call logs … basically, your entire life.
Your phone is designed to invisibly communicate everywhere, all the time, with a number of different infrastructures, and it’s this functionality that enables you to make calls, send messages, and use the internet while on the move. It’s also what makes your phone a fundamentally insecure device.
Still, there are lots of small things you can do to mitigate your security risks. In a few minutes you can, for example, make it near impossible for anyone to get into your phone if you lose it or if it’s stolen. And in less than an hour, you can drastically reduce the dust storm of personal information that’s constantly being vacuumed up by corporations and institutions through your phone.
The nine points below give you some key things to start with. Some are simply technical, but others involve changing habits and making choices: What are the trade-offs involved? What works best for you and your own situation?
Depending on your phone model and operating system version, your settings may look a little different. If you can’t find what you need, dig around a bit—sites like Tactical Tech’s Me and My Shadow project, the Electronic Frontier Foundation’s Surveillance Self-Defense guide, and the Guardian Project can help. (Disclosure: We both work with Tactical Tech.)
1. Strengthen Your Password Settings
The first thing to do is make sure you have a strong password or passphrase for your phone. You want something that can withstand attempts (by either humans or computers) to crack it. IPhone and Android both give you the option of setting a longer password than the one you initially chose at setup. For maximum protection, create a password that’s long and complex, and includes different types of characters. Make sure it’s unique (i.e, not a password you’ve already used for something else) and not personal—your birthday definitely doesn’t count, and the names of your pets aren’t any good, either.
- Set a time period for how long your phone waits before auto-locking. “Immediately” is the safest option. It might be mildly annoying now, but it will be worth it if your phone is ever lost or stolen. It will also prevent anyone being able to take a peek inside if you leave your phone unguarded, even if only for a few minutes.
- Control which of your apps have permission to show notifications on the home screen when your phone is locked. This can be done on a per app basis, or universally.
For extra protection:
- Put a PIN lock on your SIM card. This will prevent anyone else from being able to use your SIM in a different phone. On iPhone you can do this in Settings > Phone > SIM PIN. On Android you’ll likely find this in your Security settings.
- Where possible, put passwords on individual apps. Many apps don’t offer this option, but some, like the secure messaging app Signal, do. This allows you to log out when you’re done using the app. Make sure your passwords are also disabled from being visible!
2. Encrypt It!
Encryption scrambles the contents of your phone, making everything unreadable to anyone who doesn’t have the passcode or password to decrypt it.
- Encrypting your iPhone: If you have an iPhone (4 and up) you’re in luck: Encryption was enabled automatically when you set up your passcode. As long as your phone is locked, your phone is encrypted.
- Encrypting your Android: Most Android phones need to be encrypted manually. Before starting the process, it’s important to create a strong password and make sure you can remember it (otherwise you’ll be locked out of your phone, permanently!), back up important data, and charge your phone or plug it in, so as not to break the encryption process. To get started, go to your phone’s settings.
3. Find Your Phone’s Unique Numbers (EMEI, SIM, etc.) in your settings, and write them down. These numbers are how your phone identifies itself on the network so can help in tracking the phone down if it’s stolen.
4. Consider Disabling Cloud Backups
Both iPhone and Android give you the option of not backing up to Apple’s iCloud or Google’s servers. Instead, you can back up some content manually and store it on your computer or external hard drive. IPhone also allows you to make encrypted backup files using iTunes. Backing up your content locally comes with multiple benefits: It doesn’t have to travel over the internet, and it remains in your hands rather than those of a commercial company. If anyone wanted to get hold of it, they’d basically have to be able to access your device itself.
5. Limit Location Tracking
Location logs alone can tell an incredibly detailed story about your life—where you live and work, what you do in your free time, which doctors you visit, which bars you go to. They show your routines and when you break them—both of which can be incredibly revealing. Taken together with other people’s locations, they can show who you are meeting, how often and for how long, and from that, what kind of relationships you have with those people. Your phone can be tracked in a few different ways, so it’s difficult to keep your location information completely private. But there are some steps you can take to make sure fewer parties can collect it.
- Turn off your phone’s “location” function. Your location gets logged by your device through GPS and Wi-Fi, and this data can be collected by apps with the right access permissions. Turning off Location in your settings will disable certain app functions—particularly when it comes to maps. You can always turn it on again when you really need it. (This won’t completely stop others tracking your phone’s whereabouts—more on that below.)
- Turn off Wi-Fi and Bluetooth when you’re not using them. Your phone uses Wi-Fi and Bluetooth to announce itself to networks and devices in its vicinity. And when networks stretch across large areas—an office building, conference center, or even an entire country—your movements within this zone can be tracked.
- When you want to be 100 percent sure your location isn’t being recorded, just leave your phone at home, or switch it off and take the battery out (if your phone allows this). Another option is to buy or make a Faraday bag or cage, which blocks all signals. There’s no other failsafe way to prevent your phone communicating with the cell towers around it, which it normally does constantly, enabling your mobile network operator to keep detailed records on where you’ve been. Mobile operators are often required by law to store this information for a certain amount of time. The next best thing is to turn off your phone when you don’t need to be connected, or put it in flight mode.
6. Change Your Phone’s Name
If your device’s name is “Bob Smith’s Phone,” well, that’s what’s being announced to devices and Wi-Fi networks in the vicinity, if your Wi-Fi and Bluetooth settings have not been turned off. You might want to change it to something less personally identifying, like “Hello, World.”
7. Minimize Browser Leakage
All those searches, all those website visits … many browsers and search engines collect and save your browsing history by default, not to mention all the trackers that follow you around the internet.
- To reduce the leakage, use a “private browsing” mode. This option is available with Firefox, Safari, Chrome, and Chromium (which browsers you can do this with depends on whether you’re using iPhone or Android)
- Change your default search engine to something like DuckDuckGo or StartPage. These privacy-protecting search engines are noncommercial—they don’t track you or collect personal information or search history.
- Clear your browsing history regularly. If your browsing history is stored in your browser (which in most browsers is the default), it can be collected by a variety of companies as you browse the web. This includes the companies behind certain types of web trackers. Though “Private Browsing” modes are usually set to clear your history automatically, be aware that this normally only happens when you close the browser window, so remember to do this regularly. For added privacy-protection, clear your history as you go.
- Opt out of Google and Apple showing you “personalized ads”: On Android you can find the opt-out in the Ads Settings; on iPhone, scroll down to the bottom of your Privacy settings to Advertising > Limit Ad Tracking.
8. Choose Your Apps, and Manage Their Permissions, Wisely
There’s a lot to say about apps, but in short: All apps are not equal. Some have data collection as their primary raison d’être—that’s how they make their money. Some apps, on the other hand, collect almost no data at all.
- Evaluate your apps: Before you install an app, you should investigate it. What information can it collect? What permissions does it ask for, and why? Which company or group is behind it, and can you trust it? Are you using too many apps owned by a single company? If you use an Android phone, swear by your Gmail account, etc., then Google knows an awful lot about you. You might decide to delete some of your apps, or replace them with better alternatives.
- Control app permissions: For the apps you decide are worth keeping, make sure you control their permissions. Does that maps app really need access to your contacts to function? On both iPhone and later versions of Android, you can control permissions either per app or by type of permission (photos, contacts, etc.).
9. Above All, Keep in Mind: Getting to know your tech is a long game and tends to happen in stages, bit by bit. The important thing is to get started. You might just find that each bit of control you gain is motivation enough for taking the next step.
This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down. Future Tense is a collaboration among Arizona State University, New America, and Slate.