I’ll show you here that mobile security and privacy are possible. Much like a driver’s license, you’ll learn the rules to keep your phone and apps under your control. It doesn’t matter if you use an iPhone, Android or Linux phone.

You can apply everything you learn here to your mobile phone. At the end of the article, you will find a collection of links to essential articles on the subject. I welcome any comments, questions or feedback.

Why is a private and secure mobile phone important?

Almost everything in daily life can be done with a mobile phone or tablet. Cell phones are therefore more important to us today and easier to use than a PC. Since we usually carry our mobile phones with us 24 hours a day, we are always online.

During this time, our devices generate a wealth of information about our activities. This activity metadata is collected, analyzed, and shared or even sold to third parties by the manufacturers of our phones, our carriers, and the makers of the apps we use.

For example, do you use an iPhone with Deutsche Telekom as your carrier and regularly use apps such as WhatsApp, Google Maps and Search, LinkedIn, Paypal, Instagram, Amazon, and Twitter? You are allowing these companies to

  • Identify your social network and create behavioral profiles of you
  • Know your political views, sexual orientation, and interests
  • Analyze your financial situation
  • Reconstruct encrypted and private conversation content with metadata

These companies sell this data to advertisers and data brokers. It is also very likely to end up in the investigative systems of police and intelligence agencies such as the NSA. Because protecting this data is secondary and expensive, cybercriminals can steal it. Your data has often been stolen from Facebook or LinkedIn.

If you are thinking: “Never mind, I have nothing to hide anyway,” I suggest you read the following article.

Basic Behaviors

Everywhere in offline life there are rules or behaviors we follow. Some are required, and others we intuitively follow because it is simply better or safer for us. For example, signaling when changing lanes on the highway, using the emergency brake when parking, or not leaving valuables in the car.

Similar recommended behaviors exist in digital life, when using a cell phone. But there is still no “driving school”, no training and no safety instructions. Before you continue, take a quick look at the 10 essential rules for your online life.

So, what should you be aware of?

Automatic Operating System Updates – In addition to fixing general bugs and improvements, operating system updates always fix security problems. Many updates are only necessary because security vulnerabilities have been discovered. It is therefore very important that you update your phone, preferably automatically.

Lock With Passcode – The passcode unlocks and decrypts your phone. If you lose your phone, or if someone wants to search your phone at a border, for example, it is very difficult to do so without a passcode. This is why it is important to choose an individual and unique passcode and keep it secret.

Security experts and cryptanalysts would tell you that your passcode needs to be as secure and long as possible, preferably a long, alphanumeric passphrase. But do you manage to enter this passcode into your phone all the time in your daily life?

I’d say start with a really random 6-digit number. If that works well, take the next step and create a longer, alphanumeric passcode.

Read the article on strong passwords and password phrases from BaseCamp.

Write down your passcode on a blank index card. Put it somewhere where it won’t be noticed. If you already have a program that manages all your passwords (password manager), enter the passcode there.

Unlock with your fingerprint or Face ID? – Many phones offer fingerprint or facial recognition unlock. Your passcode is then linked to your face or fingerprint. This is a very convenient and practical way to enter a long, secure passcode quickly and easily.

However, if you use this option, it is not impossible that someone could hold your iPhone up to your face or force you to enter a fingerprint. Mobile phone searches, especially at borders, are now common in many countries.

You now have two options to deal with this problem:

a) Don’t use facial recognition and fingerprint to unlock the device, just to access online banking, password manager, or wallet more easily when it’s already unlocked. This is my advice.

b) Or you can also use facial recognition and fingerprint to unlock the device, but you must remember to disable facial recognition/fingerprint unlock before traveling abroad, for example.

A Different Password For Each Account – Assign a unique, strong password or passphrase for each account, access, and provider.

Password Manager – Install a trusted password manager to keep track of all your passwords. That way, you only need to remember one strong password: the password manager’s password.

Since the password manager allows you to enter your passwords on your phone and in your browser at the same time, your online life will be much easier.

Take only pictures and videos without location information – As a general rule, you should not give your camera access to your location in your phone’s privacy settings. This will prevent your location from being stored in pictures and videos.

Avoid the clouds… from Apple, Google, Microsoft and others – Cloud services are actually a great thing. Think of them as invisible servers on the Internet. All your devices can access them. You can use them to back up your pictures and keep your contacts and email synchronized across all your devices. And of course you can store all your other documents there as well. So much for the theory…

Whether this information remains confidential depends on who owns the server/cloud service on the network.

Ideally, a cloud provider will only receive your data in encrypted form, and will therefore have no knowledge of your data. Only you, for example when viewing the data on your mobile phone, can decrypt and read it. This is called “zero knowledge”.

I recommend avoiding the clouds of Apple, Google, Microsoft and co. completely. Take a look at the CloudPirate toolbox and check out trustworthy alternatives.

Bring Your Apps Under Your Control

Apps extend the functionality of your phone. And there’s nothing like trying out a new app. A fun game, a better weather forecast, a link to your fitness tracker, or a great route planner for biking or hiking.

What do you need to know?

Most apps do a little bit of work on the side in addition to their main task (e.g., displaying the weather forecast). They collect a lot of private information about you. They transmit this data to their developer/manufacturer. Much of this data is marketed, aggregated into a personal profile, and misused for online advertising or sold to data vendors.

App developers often argue that they need this data to provide you with better or more accurate results. You have to look closely. Obviously, a navigation app like Google Maps needs your location. A weather app, where you can easily change the location for your weather, never needs your exact location.

What private information can apps collect?

In addition to your actual user data (who are you?), your app usage (what are you doing?, what are you typing?), app makers are especially interested in your real-time location, your contacts, and data from your phone’s sensors. These include

  • GPS sensor – your exact location every day and every hour
  • Camera – pictures, movies
  • Microphone – conversation, background noise, mood, voice recognition
  • Motion – vibration, location, walk, up and down motion, your fitness level
  • Proximity – proximity of objects, via electromagnetism or infrared
  • Bluetooth & Ultra Wide Band – Who is nearby? Short range data transmission

What can you do?

For many things, you don’t even need an app – just use your phone’s browser instead of installing a new app every time! For example, you don’t need the BBC app on your phone to read the BBC news. You can go to the BBC website using your mobile browser and read the news there.

A new app can be more of a threat to your privacy and security, whereas a secure and trusted browser will protect you.

For example, as an alternative to the app, I bookmark the links to my news sites (e.g. the BBC) in my browser. Some browsers (e.g. Safari) also allow you to save website links directly to your phone’s screen. Then it looks like an app, but it’s just a link.

Keep the number of apps to a minimum – Take it one step at a time, deleting a few each day. Replace them with on-screen bookmarks or links. In particular, delete social media apps like Twitter, Instagram, WhatsApp, Telegram, Facebook Messenger, TikTok and SnapChat. Dating apps also belong off your phone.

Limit app access to sensors – Make sure only a few, hand-picked apps have access to your sensors. And only while you are using the app! You should also check this from time to time, and then cut back hard.

You shouldn’t even confirm silly requests from an app to access your location at any time. Instead, consider whether you would rather delete the app.

If possible, use only privacy-friendly apps – in my BaseCamp Privacy Toolbox I have presented privacy-friendly and open source apps for the most important application areas. They have been reviewed by experts, tested by me and kept up to date. Most of them have been an integral part of my online life since 2016.

Check the privacy rating – If you hear about another cool app, check its privacy rating before installing it. Both the Apple App Store and Google PlayStore now offer a privacy rating. If you are not sure, don’t install it or look for open source solutions.

PS: In the Android world, there is an app store called F-Droid. There you will only find free and open source apps that protect your privacy per se.

Don’t let them sell you new accounts – Often, after installing a new app, it turns out that you can’t use it without an additional app account. Of course, you have to decide how important the feature is to you. When I come across something like this, I usually delete the app right away.

In general, such providers cannot protect your data. They will get hacked eventually. Save yourself the trouble.

Must it Always Be an iPhone?

Now that I’ve given you a quick guide to using cell phones, I’d like to suggest two phones that you can use to implement these behaviors. But first, a brief excursion into cell phone safety in general.

Cell Phone Safety

In the development of cell phones such as the iPhone or Android phones, user safety has been a fundamental component from the beginning. They include concepts such as

Sandboxing – Each application is “locked” in its own sandbox and not allowed to play with the “other kids”. Simply put, this is designed to limit the spread of malware.

Verified operating system startup – Only an operating system that has not been modified by “strangers” can be started. This is also known as Advanced Verified Boot (AVB).

Modern Exploit Defense Mechanisms – A kind of caries prophylaxis for as yet undiscovered security holes, actual programming errors or insufficiently tested functions by the manufacturer.

As a result, our cell phones are already much better protected by default than our PCs, for example (see Security and Privacy Advice | Madaidan’s Insecurities).

Option 1 – A Google Pixel with GrapheneOS

A Google Pixel phone with GrapheneOS as the operating system is a secure and trustworthy combination.

But no matter how good and secure the technology is, your behavior and discipline affect your security and privacy by 100%.

Why choose a Pixel from Google?

Pixel phones have stronger hardware security than any other Android device on the market today. They also offer Advanced Verified Boot for third-party operating systems (e.g. GrapheneOS) and have Google’s Titan security chips on board. Google guarantees 5 years of security updates starting with the Pixel 6.

GrapheneOS is an Android operating system with no Google components. The developers of GrapheneOS have included many features to protect your privacy right from the start.

Want to know more? Then just read the article Throw Your Smartphone Overboard – And Install a Privacy Phone with GrapheneOS.

Option 2 – A current iPhone running the latest iOS operating

A current iPhone is technically a secure phone. However, you may be entrusting your privacy and some of your private data to Apple. In this article I explain which settings and applications you can use to improve your iPhone’s privacy and security.

Other Options?

Why not use a “regular” Android phone? – You should not use a standard Google Android phone, such as a Samsung or Huawei. In my opinion, it is difficult to impossible to protect your privacy (and data) from Google.

Why not another “de-Googled” Android? – GrapheneOS combined with the Google Pixel is a safe and private thing. Almost anyone can install it. It is a good combination precisely because GrapheneOS focuses only on this one technically good phone.

Nevertheless, I would like to introduce the following two “de-googled Android” operating systems:

LineageOS – offers hardware support for many smartphone manufacturers. Unfortunately, it is difficult for a layman to install, and it does not work at all on some phones and series. Security and privacy are not as strong as with GrapheneOS out of the box. For me this was a dead end.

CalyxOS – a promising project for a secure and private Android.
If you want to compare CalyxOS with GrapheneOS, you can do so here and here.

Why not a “professional” security phone? – I consider a GrapheneOS phone in particular, but also a carefully configured and up-to-date iPhone – always in combination with apps that support security and privacy – to be a better alternative for everyone, suitable for everyday use. You can buy “professional” security phones from Sirin Labs, Silent Circle or Purism.

Sources, Tips and Links for Further Reading