SANS Penetration Testing

Mobile Device Security Checklist

By Lee Neely & Joshua Wright

We often get asked for things we can do to help users keep their mobile devices secure. Here's a quick list of some simple things you can do to ensure that your mobile devices are running with at least some security. All of these steps are free, and each one raises the bar against unauthorized use of your device and against tampering with the applications you run on it. Our goal here is not to make your device impenetrable to attack, but simply to make it a harder target.


Security Tips For Android Devices

  • Turn on disk encryption (not explicitly tied to PIN/screen lock).
  • Use biometrics for everyday unlocking, backed by a longer passcode (instead of a simpler 4-digit PIN).
  • Disable developer access (off by default).
  • Disable third-party app store access (off by default, but very commonly enabled).
  • Evaluate and uninstall apps with excessive permissions using Android Permission Apps or other tools.
  • Install Android platform updates when they become available.
  • Compare your Android version to recent releases. Is your phone getting updates? If not, it's time for a new phone. (This is hard, because most users will find that Android phones are poorly supported and require more frequent replacements, which end up being more costly than iOS devices over time).
  • Do your research before you buy a new phone. Nexus has the best record for security update delivery and support, followed by Samsung, and then by LG. Everyone else is the pits for security updates.
  • Turn on "Android Device Manager" for remote location services for lost devices or a third-party "Find my Android" tool if your Android device doesn't support this feature.
  • Periodically erase your network settings to forget about old, insecure WiFi networks you don't use anymore.
  • When plugging in USB, don't say yes to "Trust this PC" when prompted, unless it is a personally owned system.
  • Set a strong Google password, better still, enable two-factor authentication.
  • Complain to your cell phone carrier about unwanted applications on device and loss of control. There's no challenge currently, so the carriers do what they want.
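Two of the items above (checking whether your phone is still receiving updates, and finding apps that hold more permissions than they need) can be checked from a computer with `adb`. The script below is an added example, not part of the original post or of any SANS tool: it parses text in the shape of `adb shell getprop` and `adb shell dumpsys package` output, flags a stale security patch level, and lists apps granted dangerous runtime permissions. The sample text, package names and the 90-day threshold are constructed for illustration; the `dumpsys` layout varies somewhat between Android releases, so treat the regular expressions as a starting point.

```python
"""Audit Android device output for two checklist items: a stale security
patch level and apps holding dangerous runtime permissions.

In real use, capture the text with:
    adb shell getprop            > props.txt
    adb shell dumpsys package    > packages.txt
and pass the file contents to report(). Everything below is constructed
sample data, not captured from a real device.
"""
import re
from datetime import date

# Constructed sample: a subset of `adb shell getprop` output.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-03-05]
"""

# Constructed sample in the shape of `adb shell dumpsys package` output
# (the "runtime permissions:" block exists on Android 6.0 and later).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.maps] (4d5e6f):
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

# A short, explicit subset of Android's "dangerous" protection-level
# permissions. Extend it to taste; `adb shell pm list permissions -g -d`
# prints the full list for your device.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Assumed threshold (not from the post): older than this is "stale".
MAX_PATCH_AGE_DAYS = 90

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$", re.M)
PKG_RE = re.compile(r"^\s*Package \[(?P<pkg>[^\]]+)\]")
PERM_RE = re.compile(r"^\s*(?P<perm>[\w.]+): granted=(?P<granted>true|false)")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict."""
    return {m["key"]: m["val"] for m in PROP_RE.finditer(text)}


def patch_age_days(props, today_iso):
    """Days between the reported security patch level and today_iso
    (an ISO date string); None if the property is missing."""
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return None
    return (date.fromisoformat(today_iso) - date.fromisoformat(patch)).days


def granted_dangerous(dumpsys_text):
    """Map package name -> sorted list of granted dangerous permissions.
    Packages with none are omitted."""
    found, pkg = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m["pkg"]
            found.setdefault(pkg, [])
            continue
        m = PERM_RE.match(line)
        if pkg and m and m["granted"] == "true" and m["perm"] in DANGEROUS:
            found[pkg].append(m["perm"])
    return {p: sorted(v) for p, v in found.items() if v}


def report(getprop_text, dumpsys_text, today_iso):
    """Return a list of human-readable findings."""
    findings = []
    props = parse_getprop(getprop_text)
    age = patch_age_days(props, today_iso)
    if age is None:
        findings.append("security patch level not reported")
    elif age > MAX_PATCH_AGE_DAYS:
        findings.append(
            f"security patch level is {age} days old "
            f"(Android {props.get('ro.build.version.release', '?')})")
    for pkg, perms in granted_dangerous(dumpsys_text).items():
        findings.append(f"{pkg} holds: {', '.join(perms)}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_GETPROP, SAMPLE_DUMPSYS, date.today().isoformat()):
        print("-", line)
```

The patch-age check is the quick answer to "is my phone still getting updates?"; the permission listing is the raw material for deciding which apps to trim or uninstall. Whether a given grant is excessive is still a judgement call (a maps app legitimately needs location; a flashlight does not need your contacts).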


Security Tips for iOS Devices

  • Make sure you update iOS when new updates come out.
  • Periodically erase your network settings to forget about old, insecure WiFi networks you don't use anymore.
  • Make sure "Find my iPhone" is turned on for locating or wiping lost devices.
  • Use TouchID with a longer passcode in lieu of a 4-digit PIN.
  • When plugging in USB, don't say yes to "Trust this Computer" when prompted, unless it is a personally owned system.
  • Turn off iCloud backup unless you are comfortable with your pictures being stored in the cloud.
  • Use iTunes to make a backup with a password to both encrypt and to capture all your settings.
  • Set a strong Apple iTunes password.
  • Review the Settings | Privacy settings, revoking permissions from apps that are unnecessarily greedy with permissions.

Security Tips for Both iOS and Android Devices

  • Disable wireless and leave it off unless you're actively using it.
  • Install a VPN (proXPN, Private Internet Access, etc.) for when you need to use Wi-Fi, and always use the VPN when connecting to Wi-Fi.
  • Only use known Wi-Fi connections; beware of free public Wi-Fi.
  • Don't leave your device unattended; treat it like your wallet.
  • Use caution lending your device to others; they can quickly make unauthorized changes.
  • Disable premium rate messages via your cell carrier! If you manage cell phones for the organization, turn it off for all.
  • Uninstall unused apps.
  • Factory reset phones before returning for service.

Want to learn more about this topic? You really should check out SEC575: Mobile Device Security and Ethical Hacking. It's an amazing course covering mobile device security attacks and much more!

-Lee Neely

Upcoming SANS Special Event - 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying-style video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions for free 24/7/365:

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen


Posted June 28, 2016 at 10:34 AM | Permalink | Reply


Nice article

Posted July 24, 2018 at 6:10 AM | Permalink | Reply

Ident Solutions

This is such a great and very recommendable article, as a large percentage of today's mobile phone users are unaware of their phone's security, leaving their personal information vulnerable in the eyes of the hackers. Thank you for this post.
