Smartphone Security Tips from CERT-FR and CISA – Not Very Practical
The IT security organizations CERT-FR and CISA have compiled tips for securing smartphones. They go a bit too far.
The French CERT and the US CISA have analyzed the security of smartphones and the threat landscape of the past ten years. From this, the institutions derive how the devices should be secured. However, the tips from France, at least, go a bit too far in the end.
CERT-FR provides interested readers with a 40-page PDF, while CISA limits itself to a manageable five pages in its PDF. Both start with the basics: using multi-factor authentication and FIDO security keys, as well as password managers. The IT experts advise against SMS as a 2FA mechanism. Furthermore, users should set a PIN, for example to unlock the SIM card, and install software updates regularly.
The documents go on to recommend using the latest hardware from smartphone manufacturers -- and among them, manufacturers known to care about security and to promise long security update periods should be preferred. CISA also rejects the use of “personal VPN software”, as it merely shifts residual risk from the internet provider to the VPN provider and often increases the attack surface. This refers to consumer VPN providers, which are often used to bypass geo-IP restrictions, rather than to professionally run organizational VPNs. For the iPhone, CISA specifically recommends Lockdown Mode -- which restricts certain apps, websites, and functions and thereby reduces the attack surface, but also usability.
Pitfall: “Everything goes” doesn't always help
The French go further. “Deactivate Wi-Fi when not in use,” they write, and the same goes for Bluetooth and NFC in their recommendations. Users should activate the “Advanced Protection Mode” introduced with Android 16, which works similarly to iOS's Lockdown Mode. There are also familiar tips such as “do not connect your mobile phone to unknown USB ports and devices.” The permissions granted to all apps should also be reviewed and adjusted.
The tips are not fundamentally wrong, of course. But CISA itself already points out that the catalog of measures is aimed primarily at “highly targeted individuals.” A clarification of the restrictions each measure entails, weighed against its expected benefit, would help interested readers get a clearer picture and make an informed decision. Anyone who implemented all the proposed measures would, to exaggerate a little, be holding a retro phone rather than a smartphone, one with which they can (with luck) still make calls. For example, iOS Lockdown Mode wards off many of the known spyware campaigns, but it also blocks functions and actions that many people rely on every day.
In the end, the advice is aimed mainly at high-profile individuals who must assume they are targeted by cybercriminals or state actors. For the broad mass of users, however, many of the configuration tips go too far and make smartphones almost unusable. As an overview of which protective measures are available, the summaries are nevertheless a good starting point -- but they still lack explanations of the wider implications of each measure.
(dmk)