Brief notes on opsec re: phones

These are some notes I wrote in the process of securing my phone.

The “most secure phone” doesn’t exist. Any current phone carries some level of security risk, and not carrying one at all is the safest option. However, this isn’t really a viable choice for people today, so the following notes are for those that want a phone but are concerned about their opsec.

For a phone, I recommend any iPhone that is newer than the 5S. Older iPhones don’t contain Trusted Platform Module (TPM) chips that are responsible for encrypting your phone storage.

I don’t recommend Android phones. Google makes it’s profit off of data mining users, and Android leaks far too much information. Copperhead OS will probably offer you the most security, but this is limited to Google Pixel devices and requires a fair amount of technical knowledge to install. For a balance of security and convenience, I’d always recommend iOS.

In order to fully secure your iPhone, there are a few things that need to be done:

  • create a new Apple ID that is tied to that phone only. Use a unique, long, alphanumeric passphrase for the account.
  • disable Touch ID or Face ID. While convenient, it’s been shown that fingerprints are not treated like passwords at customs, and you will be forced to surrender them upon being asked.
  • for the Apple ID security questions, use additional passwords. Don’t set simple questions like “what is your mother’s maiden name”, as a lot of this can be guessed or found out with little effort from an attacker.
  • disable Siri. She’s awesome, but leaks too much information and bypasses the passcode for many functions.
  • Bluetooth (off completely in Settings. If done via the Control Center it only sets BT into a standby mode)
  • disable Control Center on Lock Screen.
  • disable Spotlight Siri suggestions.
  • disable Handoff and App Suggestions.
  • disable CarPlay
  • disable Voice Dial
  • disable everything that is listed under “Allow Access When Locked"
  • disable everything related to iCloud except for Find My iPhone. If you keep iCloud Backup enabled for iMessage all of your encrypted messages will be kept as plaintext, so best to turn this off even you intend on using a different messenger.
  • disable Notification Previews.
  • disable “Send as SMS” for messages (not end-to-end encrypted like iMessage)
  • disable Javascript for Safari. This will trackers and other malicious JS from executing in webpages.
  • disable Browsing Cookies and History.
  • Enable Erase Data after 10 failed passcode attempts
  • Ensure your iPhone is up to date with the latest software version, and that all of your installed apps are up to date (more on this later)
  • Enable Two-Factor Authentication on your Apple ID (and all of your other accounts, but more on this later). This ensures that your device is secure even if your password is compromised.

When using your device:

  • carry a USB Condom or a battery pack for charging, or only use your own wall-plug charger (and mark it with your name). Do not plug your phone into any ports that you do not trust. With newer iPhones that have wireless charging capabilities, you could potentially go as far as filling the lightning port with cement or hot glue to disable port access to the phone.
  • Use encrypted Notes (make Note in "On my iPhone", then tap the share button in top right corner, "Lock Note"). Please note: the first line of the note is kept unencrypted as the title, so keep this blank! An alternative is using the Standard Notes app which encrypts all of your notes by default.
  • in saying this, try to avoid installing non-native apps and keep them to a minimum. Having more apps potentially increases the attack surface for gaining access to the phone, so keep everything up to date.
  • if you must use Javascript with your web browsing, use Brave as your Javascript-enabled browser. It has HTTPS Everywhere and ad blocking enabled by default.
  • avoid email for communication. Everything is plaintext by default, so use iMessage, Signal or Wire for communication. Other messaging services make far too many major compromises to be considered secure (see post re: messengers for further information)

If you can, use Signal for all of your communication. It is open source, fully audited, and backed by some of the best security researchers in the world. When setting it up:

  • enable Screen Security
  • Show Sender Name Only for notifications
  • disable Debug Log
  • “Pre-warm” conversations with the people you expect to communicate with during your trip. Don’t message people out of the blue without knowing where they are at beforehand. You can take the time to verify each other’s “fingerprints” prior to sending any messages.
  • take a screenshot of your fingerprint QR (long tap on the name of a conversation), and send it to yourself (and verify the fingerprints between your two phones). You'll want to put that on your out-of-office email. You can also check that the fingerprints of the people you talk to match the ones you see on your main phone.

If you are going to be logging into other accounts via your phone, make sure you have secure passwords for each, with two-factor authentication enabled on everything.

I highly recommend using 1Password to generate and manage your passwords (everything except your Apple ID, as this is something you need to know and be able to type with relative ease).

You'll only receive email when they publish something new.

More from Tom
All posts