National Security Agency | Mobile Device Best Practices

Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the
users can take to better protect personal devices and information.

Airplane mode Bluetooth® Cellular service signal Location Near-field communication (NFC) Recent applications soft key Wi-Fi

PASSWORDS ! Avoid Disable Do Do Not

Use strong lock-screen
pins/passwords: a 6-digit
BLUETOOTH ®1
PIN is sufficient if the
device wipes itself after
Disable Bluetooth ® when 10 incorrect password
you are not using it. Airplane attempts. Set the device
mode does not always to lock automatically
disable Bluetooth ®. after 5 minutes. LOCATION
9:31
! WI-FI Disable location services when
! TEXT MESSAGES not needed. DO NOT bring the
DO NOT connect to public ! APPLICATIONS John Doe device with you to sensitive
DO NOT have sensitive conversations Agree, but we should consider the
locations.
Wi-Fi networks. Disable foreign policy implications...…
31 Install a minimal number of on personal devices, even if you think
Wi-Fi when unneeded. Delete
applications and only ones the content is generic.
unused Wi-Fi networks. Hey, John! Check out the
POWER
from official application foreign policy implications...
https://foreignp0licy.net/
! CONTROL stores. Be cautious of the whitepapers/tradistan- Power the device off and on weekly.
! personal data entered ATTACHMENTS/LINKS energy-forecast.pdf

Maintain physical control of into applications. Close

applications when not using. DO NOT open unknown email
the device. Avoid connecting to attachments and links. Even
unknown removable media. MODIFY
legitimate senders can pass on
SOFTWARE UPDATES malicious content accidently DO NOT jailbreak or root the device.
CASE or as a result of being
Consider using a protective Update the device software compromised or impersonated INSTALL NEW APP?

case that drowns the and applications as soon as by a malicious actor. YES X NO
! POP-UPS
microphone to block room possible.
audio (hot-miking attack). Unexpected pop-ups like this are
Cover the camera when usually malicious. If one appears,
not using. ! TRUSTED ACCESSORIES forcibly close all applications
BIOMETRICS (i.e., iPhone ®2: double tap the
Only use original charging cords or Home button* or Android ®3:
CONVERSATIONS charging accessories purchased click “recent apps” soft key).
Consider using Biometrics
(e.g., fingerprint, face) from a trusted manufacturer. DO NOT
DO NOT have sensitive use public USB charging stations.
authentication for
conversations in the Never connect personal devices to
convenience to protect data
vicinity of mobile devices government computers, whether via
of minimal sensitivity.
not configured to handle physical connection, Wi-Fi,
secure voice. or Bluetooth®.
*For iPhone X ®2 or later, see: support.apple.com/en-us/HT201330 The information contained in this document was developed in the course of NSA’s Cybersecurity mission, including its
responsibilities to assist Executive departments and agencies with operations security programs.
1
Bluetooth is a registered trademark of Bluetooth SIG, Inc.
®

2
iPhone ® and iPhone ® applications are a registered trademark of Apple, Inc. U/OO/155488-20 | PP-20-0622| Oct 2020 rev 1.1
3
Android ® is a registered trademark of Google LLC.
 National Security Agency | Mobile Device Best Practices

WHAT CAN I DO TO PRE VENT/MITIGATE ?

Use Avoid Carrying
Only Install Turn Off Do Not Turn Use Lock Maintain
Update Encrypted Do Not Click Device/No Use Turn Off
Apps from Cellular, Connect Device Mic-Drowning Device Physical
Software Voice/ Links or Open Sensitive Trusted Location
Official WiFi, to Public Off & On Case, Cover with Control of
& Apps Text/Data Attachments Conversations Accessories Services
Stores Bluetooth Networks Weekly Camera PIN Device
Apps Around Device

Spearphishing
(To install
Malware)

Malicious Apps

Zero-Click
Exploits
THRE AT/ VULNER ABILIT Y

Malicious Wi-Fi
Network/Close
Access Network
Attack

Foreign Lawful
Intercept/
Untrusted
Cellular
Network

Room Audio/
Video
Collection

Call/Text/Data
Collection Over
Network

Geolocation of
Device

Close Access
Physical
Attacks

Supply Chain
Attacks

Does not prevent Sometimes prevents Almost always prevents

(no icon)

Disclaimer of Endorsement NSA Cybersecurity

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference Client Requirements/General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410.854.4200, Cybersecurity_Requests@nsa.gov.
herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not Media Inquires: Press Desk: 443.634.0721, MediaRelations@nsa.gov.
constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be
used for advertising or product endorsement purposes.