This checklist is designed to help you review your smartphone security so that you can develop a feel for the subject. The list contains concrete suggestions for improving your security. This is the print version of the list. You can tick off the individual points with a pen.
Please be aware that security always depends on your individual risks. Some of the measures described here may be mutually exclusive. In the end, security is always a trade-off. There is no such thing as absolute security.
Very good! Your security is obviously important to you, otherwise you wouldn't bother with it. That already earns you your first points.
If we manage to increase the security of everyone, state surveillance measures become less worthwhile. This also benefits your own security. So share this list on your channels or print out the flyer.
Just as technology and this list are constantly changing, your life, your habits and your devices will change in the future. So take time to review this list from time to time.
Cryptoparties are events where you learn how to protect your devices and your communication.
If you are interested in cryptoparties and want to meet like-minded people, you can find out about upcoming events on cryptoparty.in, for example. Or you can follow the guide below and organize one yourself.
You know the most important numbers and names of your friends, family and acquaintances by heart. You can also log into your most important accounts, such as email, by heart. If you lose your phone or all your devices, you have the option of restoring your contacts.
Non-smart push-button devices are often carelessly classified as "secure". However, these often cannot be encrypted and do not offer secure communication.
In the event of confiscation or theft, contacts, text messages and call lists can be read. In addition, dumbphones are just as susceptible to attacks on the mobile network without further protective measures. Dumbphones cannot be encrypted, you cannot install apps such as password managers on them, you cannot clean your pictures of metadata and you cannot use secure messengers. So on the one hand, these phones have disadvantages. On the other hand, it should also be noted that non-smart devices completely rule out some dangers. For example, the risk of malware infections is much lower. However, encryption and secure communication seem so important in the face of ever more frequent confiscation and surveillance that a smart device is definitely preferable.
There is an inconspicuous number printed on the back of your SIM card. Scratch it off so that, in the event of confiscation, neither the card nor your provider can be identified from it.
Please be careful not to destroy the chip. Do not scratch too deeply!
The display on your device switches off automatically after a while. To unlock it again, use complex patterns or alphanumeric passwords.
Encrypt your smartphones with a strong alphanumeric password. This effectively prevents data from being read.
Strong encryption is important. A screen lock is not sufficient. Software like Cellebrite can easily bypass most screen locks via the USB interface. All your data, contacts, call logs, location data, login data and much more can then be collected and displayed by automated software such as Cellebrite Pathfinder via USB. Your encryption password should be particularly strong. Use a very complex pattern or an alphanumeric password for encryption.
Encryption is only effective when the phone is switched off. Therefore, practise how to switch off your phone quickly in stressful situations.
Even if your phone is encrypted, software such as Cellebrite can access it via USB as long as it is switched on: while the phone is running, the encryption is ineffective. Encryption is only really effective when the phone is switched off. Be sure to switch off your phone before handing it to anyone else! If you want to be on the safe side, you can also fit a killswitch to your phone. This allows you to quickly remove the battery in dangerous situations. The encryption key is then no longer held in the device's memory.
You can stick a special film on your display to prevent bystanders or cameras from being able to read it. These films are available for many models.
You should never deactivate the PIN protection on your SIM card. If the PIN is deactivated, authorities or other persons can use the card themselves to gain access to messengers, for example.
Note for anonymous SIM cards: If you use anonymous SIM cards, you often cannot activate the PIN lock because you do not know the PIN / PUK associated with the card. You often receive these cards with the PIN deactivated. In this case, you should make sure that all your messengers are secured with a second factor (e.g. a PIN) and that you do not use the card itself for two-factor authentication.
Memory cards cannot be reliably encrypted on all devices. It is also possible to restore data that was saved on them when they were previously used with other devices. Therefore, only use memory cards if you know what is stored on them and if you have overwritten them beforehand.
Some older Android devices also leave a fingerprint of the apps you use on your memory card by creating a separate folder for each app. This allows conclusions to be drawn about the apps you are using. Caution! Overwriting flash memory is often not 100% possible. Data can still be left behind.
You should never use your fingerprint or face to unlock your phone. Authorities with access to fingerprints or images can otherwise unlock the device. Therefore, use complex patterns or alphanumeric passwords.
Fingerprints and facial recognition are not secure methods for unlocking your device. They are like passwords that you can never change. Data leaks or malware could cause this sensitive information to be lost and put you at a disadvantage. The police can also use your fingerprints to unlock your device. There have already been court rulings on this in Germany and the USA. If you have an iPhone, you can temporarily lock Face ID and your fingerprint by pressing a special key combination. For Android, the lockdown mode is available on some devices with which you can quickly disable these functions in an emergency.
Be sure to deactivate USB debugging if you have enabled it. Normally, this function is deactivated by default on all devices and must be consciously activated by you.
Only use power adapters and cables for charging that you trust. Mark the cable and power adapter to prevent them from being replaced.
If possible, use a USB cable without data function for charging. Tampered cables or public charging points could read data or install unwanted software. If you are not sure, you can simply switch off your phone for the charging process. This way, nothing can be installed and it will still charge.
Verified Boot prevents tampering with your operating system. You should make sure that your device is secured with it. If you have installed your own system, you should activate Verified Boot.
Sealing can help you to determine whether hardware has been tampered with after returning your device. For example, put a drop of special sealing wax or nail polish on the seams of your device. This way you can determine whether it has been opened.
In your phone's settings, you will find unique, unchangeable hardware numbers such as the serial number, Wi-Fi MAC address, Bluetooth MAC address and IMEI. Make a note of these numbers. This way, you can always be sure that your device has not been secretly replaced.
Make regular backups of your most important data. Your backup doesn't have to be perfect. A bad backup is better than no backup!
You should also think about important apps such as 2-factor apps or password managers when making your backup. The settings can usually be easily exported from these. If possible, use open source backup software such as "oandbackup" or "Neo Backup". However, these require root rights. A simple regular copy of your most important data on a USB stick is also a good start! Remember that "No Backup, No Mercy" is an arrogant attitude. Not everyone has the knowledge and technical capabilities for backups. Help each other!
If you have the option, you should definitely encrypt your backups to protect them from unauthorized access.
The Android app Neo Backup supports encryption out of the box. However, you can also create encrypted zip archives manually or encrypt entire USB sticks. Under Linux, macOS and some versions of Windows, this can be done very easily via a graphical interface. You can also use encryption software for your sticks, such as VeraCrypt, which works on most operating systems. If you want to delve deeper into the matter and are not afraid of the command line, you can take a look at professional software such as Restic (Linux) or duplicity (Linux). You will then need to connect your device to a computer.
Get an overview of the importance of your data for your everyday life and store it accordingly. For example, store a copy of your music or picture collection further away with friends. You should have quick access to backups of password managers, 2-factor apps or important documents.
Restoring your data is the most important part of a backup. Practice this situation. This way you can see if your backup is intact. Make sure you can restore your backup without access to password managers and two-factor apps.
In the event of a house search or break-in, all devices are often stolen. Prepare for this by storing unused devices with your friends. That way you'll have a quick replacement.
When a smartphone is confiscated by court order or seized (voluntary surrender), the police often ask for pins and passwords. Say nothing. Do not unlock anything. Contact a lawyer.
Did you buy the phone second-hand? Then you should overwrite the entire memory once to avoid unwanted data being found on your device.
Used phones may contain illegal data that can be recovered and analyzed. To avoid this becoming your downfall, you should completely overwrite the phone once. If you have the possibility, generate large random files and copy them to your phone until it is full. Otherwise, you can also download large test files from the Internet and overwrite your phone's memory with them. Caution! Overwriting flash memory is often not 100% possible. Data may still be left behind.
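As an added example (not part of the original checklist), this script carries out the overwrite described above and also serves the memory-card advice earlier on: it writes random data until the volume reports that it is full, then deletes the files again. It assumes you run it against the mounted phone storage or memory card from a computer, or from a terminal app on the phone itself; as the text says, wear levelling means this is not a guarantee on flash media.

```python
import errno
import os
import sys
import tempfile

MIB = 1024 * 1024


def fill_with_random(target_dir: str, max_bytes=None, chunk: int = MIB,
                     file_size: int = 256 * MIB) -> dict:
    """Write files of random bytes into target_dir until the filesystem reports
    ENOSPC (or until max_bytes have been written), then delete them again.
    Returns how much was written and whether the volume actually filled up."""
    os.makedirs(target_dir, exist_ok=True)
    written, created, full = 0, [], False
    try:
        while not full and (max_bytes is None or written < max_bytes):
            # Several medium-sized files instead of one huge file: FAT-formatted
            # cards cannot hold files larger than 4 GiB.
            path = os.path.join(target_dir, f"overwrite-{len(created):05d}.bin")
            try:
                fh = open(path, "wb")
            except OSError as exc:
                if exc.errno != errno.ENOSPC:
                    raise
                full = True  # not even a new directory entry fits any more
                break
            created.append(path)
            with fh:
                in_file = 0
                while in_file < file_size and (max_bytes is None or written < max_bytes):
                    size = chunk if max_bytes is None else min(chunk, max_bytes - written)
                    try:
                        fh.write(os.urandom(size))
                        fh.flush()
                        os.fsync(fh.fileno())  # make sure the bytes really reach the medium
                    except OSError as exc:
                        if exc.errno != errno.ENOSPC:
                            raise
                        full = True  # volume is full: that was the goal of the exercise
                        break
                    written += size
                    in_file += size
    finally:
        for path in created:  # always free the space again, even after an error
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
    return {"bytes_written": written, "files": len(created), "hit_enospc": full}


def dry_run(limit_bytes: int = 3 * MIB) -> dict:
    """Capped rehearsal in a temporary directory, so the logic can be checked
    without filling a real volume."""
    target = tempfile.mkdtemp(prefix="overwrite-drill-")
    result = fill_with_random(target, max_bytes=limit_bytes, chunk=512 * 1024, file_size=MIB)
    result["leftover_files"] = len(os.listdir(target))
    os.rmdir(target)
    return result


if __name__ == "__main__":
    # Usage: python overwrite.py /path/to/mounted/phone/storage
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(fill_with_random(target))
```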
You should only activate positioning, WiFi, Bluetooth or NFC if you really need it.
In certain cases, you can be recognized via WiFi. In the most extreme cases, even your home address can be determined. Some devices reveal the unique hardware number of your WiFi interface as well as the list of your known WiFi networks. On websites such as wigle.net, you can easily search for the physical locations of the networks. However, Bluetooth and other interfaces also harbor dangers. Bluetooth, for example, is susceptible to bluesnarfing (opening ports that are actually closed by commands from outside), bluejacking (sending unwanted messages), bluebugging (exploiting a backdoor), bluesmacking (denial of service) or car whispering (eavesdropping on the hands-free system).
If you want to be sure that you are not being monitored via Bluetooth, you should use a wired connection for your headphones.
Bluetooth devices such as earbuds can potentially be eavesdropped on while they exchange their secret keys. Attackers within range could listen in unnoticed.
You should simply cover unused cameras with stickers. For example, if you don't use the selfie camera or only use it rarely.
If you live in Germany, you can order special removable stickers for your smartphone cameras free of charge from the Federal Ministry for Family Affairs, Senior Citizens, Women and Youth (BMFSFJ). Make sure that you do not stick over the inconspicuous brightness sensor! This causes some smartphones to switch off the display because they think they are in a trouser pocket.
A flat rate generally generates less data than a tariff with minute-based billing or itemized bills, because those call details have to be recorded and stored. Prepaid tariffs generally do not even generate billing data and are therefore very data-efficient.
Many network operators sell your movement data to various advertising companies. You can object to this transfer.
Ask the providers how long the data is stored in the various tariffs and with whom it is shared. There are also particularly privacy-friendly providers such as "Wetell" in Germany. Nevertheless, these do not protect against the numerous monitoring possibilities in the mobile network! Anonymous SIM cards are therefore always preferable.
Deactivate mobile data if you don't need it. An active mobile internet connection leaves a continuous trail in your provider's traffic data.
If you are not making calls, sending or receiving text messages and not using mobile data, your phone is in an idle state. No history of your radio cell position is then kept by your provider. If an authority or an attacker then wants to find you, they often rely on silent text messages (silent pings).
You should not take your phone with you to a demonstration, or you should switch it to flight mode some time beforehand and leave it in flight mode for some time afterwards.
This also applies if you use anonymous SIM cards. Targeted tracking of individual persons (e.g. on the way home) with so-called IMSI catchers allows a telephone number to be assigned to a person, regardless of whether the SIM card is anonymous or not.
Apps that can potentially detect IMSI catchers or silent text messages will not help you in the vast majority of cases. You should avoid these apps and instead learn why they don't do much and what the alternative is.
First of all, there is nothing wrong with apps like "SnoopSnitch" in general. We can be glad that there are people who deal with this matter and build such apps. Nevertheless, you have to understand that such apps are completely ineffective in the vast majority of cases. SnoopSnitch, for example, only works on 2G and 3G networks, only if your phone is rooted and only if a specific chip is installed on the mainboard of your device. You need to understand that communication with the mobile network is a completely opaque black box for your operating system. Your operating system and your apps are not able to control or monitor communication with a radio tower (base station) in detail. This means that the wireless network can communicate with the chip in your device without the operating system being aware of it. This is due to proprietary, commercial hardware that is not open source. This is also why you can be roughly located by silent SMS (stealth ping). The radio chip in your phone registers this, but does not report it to your operating system. Only a few chips have interfaces that allow the operating system to monitor them, and SnoopSnitch only works with those. The only sensible defense is an anonymous SIM card.
Anonymous SIM cards make it much more difficult for state actors and other attackers to choose their targets. Whether it is silent text messages, IMSI catchers, inventory data requests, traffic data requests, radio cell evaluations, source monitoring, state trojans or location monitoring: an anonymous SIM card is often the only sensible defense against such surveillance.
The subject of mobile phone surveillance is complex and cannot be dealt with in full within this framework. However, it is important to understand that security apps cannot do anything about such surveillance because, for example, it affects data that is already stored by your provider and not on your phone. Or because the apps themselves do not have access to your phone's proprietary radio chip and therefore cannot see silent text messages, for example. Or because the attack takes place in the wireless network between network providers. Or because your mobile provider simply sells your data on. So relying on apps or changes in behavior won't help. The only defense is anonymous SIM cards. Also bear in mind that in Germany, over 100 government agencies can access people's phone numbers and vice versa without a court order.
Only use your anonymous SIM card in a specific phone. Never use the same phone for another SIM card. This is because the unique number of the SIM and the unique number of your phone are always stored together in the provider's traffic data.
To further increase security, you can often change your anonymous SIM cards. Each time you switch, you should also change the phone used for this purpose.
Since the IMSI always appears together with the IMEI in the traffic data of your network provider, you should also change your phone when you change your SIM card. As you can imagine, it is time-consuming and expensive to change your phone from time to time. You would have to constantly set up your apps again and spend a lot of money on a new phone. To keep costs down, you can work with proxy phones. And this is how it works: You have a more expensive device for your regular use on which all your apps are installed. There is no SIM card in this phone. It is therefore invisible to the mobile network. You get Internet access via an inexpensive second device with a SIM card inserted. This phone does not need much power. However, it can provide you with a WiFi hotspot and therefore Internet. You can also use it to make normal phone calls if you want. This phone can be replaced quickly with the SIM card inserted. The only disadvantage is that you always have two smartphones with you.
You should also obtain the credit for your SIM card anonymously or via intermediaries. Therefore, use SIM cards for which you can buy credit in cash at cash registers or ask friends to send you the credit code.
Your anonymous card will only remain anonymous if you do not give your number in connection with your name. In order to still be reachable, you can switch to messengers with a call function that do not require a number or where the number can be hidden.
Anyone who knows your phone number can easily attack you. On sites such as cell-track.com or phone-location.info, for example, it is easy to find out whether a device is abroad or not, or whether a device is currently switched on. All you need is the number. There's nothing you can do about it except keep your number secret. That may not be really dangerous yet. But state actors have other possibilities, such as infecting the device with a zero-click exploit. Only an anonymous SIM card can effectively protect you from state attacks.
Do not use your anonymous SIM card/phone for regular phone calls or text messages. Anyone viewing the traffic data can see whom the card contacts if those contacts do not also use anonymous cards. This may make it possible to narrow down who you are. If possible, only use the card with other anonymous cards or switch to Internet messengers for messages and phone calls.
You should never order SIM cards and phones directly to your address or pay from your accounts. To leave no trace, you can ask friends to order or collect them for you. Pay in cash.
You are aware that suppressing the phone number only means that it is not displayed on the other party's phone. Your number will still be stored in the traffic data of the providers involved. Use anonymous SIM cards if you need to remain anonymous.
Advanced Mobile Location (AML) has been used in Germany and many other countries since 2019 and is gradually being expanded to locate people in emergency situations. If you don't want this, you should prepare yourself for it.
Before AML, rescue coordination centers only had extremely inaccurate radio cell data at their disposal (if anything at all) to locate people in emergency situations. AML, on the other hand, is firmly integrated into modern telephones and their operating systems: When an emergency number is dialed, the phone automatically activates GPS and WiFi to determine its own position. This is then automatically transmitted to the control center via the Internet or SMS. This extremely precise location is only activated by dialing the emergency numbers and cannot be triggered from outside without your active involvement. In most cases, there is nothing you can do to prevent being located automatically when you dial these numbers. Unfortunately, this also makes it more difficult to make anonymous reports. You should therefore always consider whether dialing emergency numbers from your own phone is really necessary. You can find a list of all countries with AML on Wikipedia. AML is part of the Play services on Android and can be deactivated via the emergency settings.
With a third-party block, you can prevent apps, websites or scammers from charging costs for subscriptions or other purchases to your phone bill.
If you would like to set up such a block, you can contact your provider online or by telephone.
You should not use your name to accept a call. Use generic phrases like 'hello' instead.
Free Android-based operating systems such as GrapheneOS, CalyxOS or DivestOS can help you protect your privacy and are not tied to Google, Apple or Microsoft.
If you are unsure which system you should install, the clear recommendation is currently to install GrapheneOS on one of the compatible phones. You can find more information in the links.
Smartphone manufacturers receive millions to billions from Google or Apple for placing their software on your phone. You should definitely remove these apps.
Of course, this is only worthwhile if it has a benefit: The pre-installed software collects data and analyzes your habits. You should therefore remove bloatware (sometimes this is not possible without root permissions) or install a custom operating system such as GrapheneOS.
You should definitely delete your advertising ID, change it frequently (Android) or prohibit your apps from tracking (iOS) if you do not want the data from different apps to be merged and sold again by so-called data brokers.
If you use iOS or Android, your operating system transmits an advertising ID to your apps in the background. This ID can be attached to the data records of individual apps. If the provider of your apps then sells this data, brokers can merge it with other data sets of yours. This creates veritable stockpiles of your personal data and interests that are traded online.
Keep apps and your operating system up to date. Malware and state trojans often exploit vulnerabilities in software. Up-to-date apps and an up-to-date operating system are therefore important.
Your security is increased enormously if you use a different complex password for all services on the Internet. You should save these in a password manager such as KeePass.
Only use official app stores or F-Droid to obtain your apps. If you know your way around, you can also download apps directly from the manufacturers' websites. Always consider whether you need an app at all.
Infected apps have many ways of attacking you. For example, they can steal passwords.
Your flashlight app wants to access the memory? Not a good idea! Always ask yourself why an app needs permissions and only grant them gradually or when necessary.
You can obtain most apps via F-Droid or Aurora Store without logging into Google or without Google services.
Google Play services and Apple services provide central infrastructures for some apps. For example, push messages are sent via these services. Government agencies use this fact to monitor iPhone and Android devices.
You can protect yourself from this by using apps that do not require Google or Apple services. Also avoid alternatives such as microG if you have installed your own operating system. For example, install apps from F-Droid that do not require these services. Messengers such as Telegram, Signal and Matrix offer their own alternatives for centralized push messages.
Use browsers such as DuckDuckGo browser, which do not collect any data about you and at the same time actively protect your privacy.
Root rights allow you to use many unique apps. However, these rights may also apply to malicious apps, which is why you should generally avoid root.
If you don't know what root is, you probably don't have it. Root has to be activated on most devices. Unfortunately, some apps that can potentially increase your security often require root rights. Examples include backup applications such as "Neo Backup", but also apps such as "SnoopSnitch", which try to detect IMSI catchers or silent text messages. You should always carefully consider whether you really need superuser rights on your device. In the vast majority of cases, there is no good reason for this. Apps such as "SnoopSnitch" only work in very few software and hardware constellations anyway. Setting up root for this reason is out of all proportion.
You should definitely use open-source, encrypted messengers such as Briar, Signal, Threema, Element or SimpleX. Avoid insecure commercial messengers such as WhatsApp and co.
If you are unsure which messengers are good or if you need arguments to convince family and friends, you should definitely take a look at Kuketz's messenger matrix. There you can easily compare the individual messengers according to functions and security aspects.
The two-step confirmation (two-factor authentication) prevents your SIM card or copies of it from being used to access your messages.
In some messengers, this works via email. In others, you can assign an additional PIN. If you lose your phone number or other people or authorities get hold of your SIM card or a copy of it (SIM swapping), they can log in with the phone number and read your messages or write in your name.
You should not use iMessage and keep your Apple ID secret. iMessage has repeatedly been the target of so-called zero-click attacks in recent years.
In the past, specially prepared messages for iMessage have repeatedly been used to install government Trojans on iPhones. You should therefore avoid this software.
You should restart your phone more often. For example, every morning or before critical conversations. Some state trojans do not survive restarts as they are often not persistent. Although new infections are possible later, this strategy can give you a private window of opportunity.
Your two-factor app is installed on a separate device. This means that your second factor cannot be used to log into your accounts if your device is compromised.
Alternative frontends for web services such as YouTube, Twitter, TikTok and other websites can help you protect your data.
Instead of YouTube, for example, you can use one of the many Invidious instances such as yewtu.be. This way you can avoid advertising and protect your privacy at the same time. You can also install LibRedirect for Firefox. This plugin automatically redirects you to an alternative frontend when surfing the Internet.
Passkeys can replace passwords in some applications and apps and make them completely superfluous. Unlike passwords, they cannot be stolen through phishing or data leaks. Use them when they are offered!
You should not bind passkeys to a biometric unlock. Also remember to back up your passkeys in case you lose your device.
Many services and platforms on the internet offer to secure logins with a second factor. Use this option whenever possible.
Please also bear in mind that it must be possible to create a backup of your second factor. A cell phone number is not really a good second factor. Firstly, you can lose your number. Secondly, other people or authorities may gain access to your number. And if you lose your SIM card, you won't be able to access your accounts for the time being. If you use a hardware token as a second factor, please make sure that there is a second one for emergencies! If you use software solutions such as time-based one-time passwords (TOTP), please make backups in your OTP apps!
Targeted advertising campaigns (microtargeting) are used by intelligence services, among others, to infect individual devices with malware.
But it's not just intelligence agencies that use advertising to track people. Data brokers resell aggregated data about you and create profiles of you.
You can improve your security by using a different name and different email addresses or mobile numbers for registration on all platforms. This way, your accounts cannot be merged through data leaks.
Work with a time delay if you want to share the same message in different channels or groups with different pseudonyms. Otherwise it will be obvious that one person is behind the various pseudonyms.
Tor (The Onion Router) can help you greatly improve your anonymity on the Internet. Use websites via the Tor browser and redirect apps through the Tor network with the Orbot app.
Google, Apple and other manufacturers pass on data to investigating authorities without hesitation. Therefore, use alternative search engines such as duckduckgo.com or stract.com.
Many cloud providers cooperate fully with investigating authorities and will not hesitate to hand over your data. Only store encrypted data there.
In general, you should consider whether you need the relevant cloud services at all. For example, you can use apps such as "OpenKeychain" to encrypt files before uploading them to a cloud. If you use an Apple device with your iCloud, activate extended data protection there.
Remember that you have to trust VPN providers. You pay them, so they know your identity. Many VPN services cooperate fully with investigative authorities. If you can, use the Tor network instead.
Your smartphone invisibly attaches metadata such as coordinates, camera type, resolution, smartphone model or operating system to your pictures. With some camera apps, this can be partially or completely deactivated.
If your phone is stolen, this data can provide information about your origin. Use apps such as "Imagepipe" to clean up your pictures before you upload them to the internet. You can install Imagepipe on your Android smartphone via F-Droid. F-Droid is an installable catalog for free and open source software.
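An added example (not from the checklist and not Imagepipe's code) of what such cleaning does at the file level: JPEG metadata lives in separate header segments (Exif, including GPS coordinates and camera model, in APP1; IPTC in APP13), so a cleaner can drop those segments and copy the image data untouched. The sample JPEG is a constructed stub with an Exif and an XMP segment, not a real photo.

```python
import struct
import sys

SOS = 0xDA  # start of scan: after it comes entropy-coded image data, no more headers
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}  # RSTn and TEM markers have no length field
# Segments that carry metadata: Exif/XMP in APP1, IPTC/Photoshop records in APP13.
# APP0 (JFIF) and APP2 (ICC colour profile) are kept, as they are needed for display.
METADATA_MARKERS = {0xE1, 0xED}


def iter_header_segments(data: bytes):
    """Yield (marker, start, end) for every segment from SOI up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"corrupt segment length at offset {pos}")
        yield marker, pos, end
        pos = end
        if marker == SOS:
            return


def describe(marker: int, payload: bytes) -> str:
    if marker == 0xE1:
        if payload.startswith(b"Exif\x00"):
            return "APP1 Exif"
        if payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            return "APP1 XMP"
        return "APP1 other"
    return "APP13 IPTC/Photoshop"


def list_metadata(data: bytes) -> list:
    """Name the metadata segments present, so you can see what would be published."""
    found = []
    for marker, start, end in iter_header_segments(data):
        if marker in METADATA_MARKERS:
            found.append(describe(marker, data[start + 4:end]))
    return found


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG without APP1/APP13 segments; pixel data is copied byte for byte."""
    out = bytearray(b"\xff\xd8")
    last_end = 2
    for marker, start, end in iter_header_segments(data):
        last_end = end
        if marker in METADATA_MARKERS:
            continue
        out += data[start:end]
    out += data[last_end:]  # scan data up to EOI stays untouched
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed stand-in for a camera JPEG: JFIF header, Exif stub, XMP stub, a
# quantisation-table stub, a SOS header and a few bytes of "scan data".
EXIF_STUB = _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
XMP_STUB = _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + EXIF_STUB
    + XMP_STUB
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"  # entropy-coded bytes, including a stuffed 0xFF00
    + b"\xff\xd9"
)

if __name__ == "__main__":
    # Usage: python strip_exif.py photo.jpg  -> writes photo.jpg.clean.jpg
    with open(sys.argv[1], "rb") as fh:
        original = fh.read()
    print("metadata segments:", list_metadata(original) or "none")
    with open(sys.argv[1] + ".clean.jpg", "wb") as fh:
        fh.write(strip_metadata(original))
```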
Do you take the time to read the privacy policies of new apps and services you register with? Do you care who your data is shared with and what happens to it?
Do you use email? Then you should definitely think about encryption such as GPG/OpenPGP.
Did you know that in Germany, for example, many email providers are considered telecommunications services? This means that authorities can request your inventory data and emails. But even without official surveillance, emails are exposed to many dangers. An email passes through many nodes on its way to a mailbox and can be read at numerous points.
It is important to delete accounts that you no longer need. Take the time to do this once a year. Regardless of whether you needed them for a website or an app. If you haven't used them for a while, you should close them. This minimizes the risk of data leaks.
Personal data is leaked from websites, portals and online stores every day. Those affected are rarely informed. The data is sold, traded or is often freely accessible.
On the website haveibeenpwned.com you can quickly and easily find out whether your email address appears in data leaks. You can also create an account there and be notified automatically when new findings are made.