Securing your phone

We take our phones everywhere and trust them with a lot of sensitive information, but have we put enough thought into how to secure them? Liz and Geoffrey discuss different aspects of securing the smartphone you have, including passcodes, location services, notifications, and digital voice assistants. Plus, a question from a caller and a major Supreme Court decision!


Timeline

  • 1:01 - Question from a caller: "What happens if the password manager company shuts down?"
  • 2:09 - Security news: Supreme Court rules police need a warrant for your cell phone's location data
  • 3:02 - Security news: cell phone location "data brokers"
  • 3:59 - Securing your phone
  • 4:54 - Locking & passcodes
  • 8:56 - Data wiping
  • 9:53 - Encryption
  • 10:40 - Jailbreaking
  • 11:41 - Charging your phone
  • 12:25 - Notifications
  • 13:03 - Texting and calling
  • 14:51 - "Ok, Google" & "Hey Siri"
  • 16:10 - Location Services
  • 17:47 - Network connectivity concerns, including wireless networks and Bluetooth

Show notes & further reading

Passcodes, fingerprints, and self-incrimination

This is a complex subject; in addition to the Lawfare analysis from November 2017, other good articles include an EFF post from April 2017 about whether border patrol can ask you for your passcode, and a 9to5Mac news post and a TechDirt news post both about multiple cases in Florida that have come to different conclusions about whether courts can require you to reveal your passcode. As TechDirt says, "The only thing that's been made clear in multiple cases is fingerprints are worse than passwords when it comes to locking law enforcement out of phone contents."

Still, as we mentioned, remember that a physical attacker can probably just force you to unlock the phone with Touch ID and Face ID. A "physical attacker" doesn't have to be from the government, and probably doesn't even have to be violent: there are multiple stories of children unlocking their sleeping parents' phones, including one where the victim was a cryptography professor! If you're worried about any sort of "physical attacker," a passcode is safer.

Emergency SOS

The iPhone's "Emergency SOS" feature lets you call emergency services (e.g., 911) quickly, whether or not your phone is locked. You can also set emergency contacts who are notified that emergency services have been called.

There's also one very useful side effect of Emergency SOS: bringing up the Emergency SOS screen locks your phone and disables Touch ID and Face ID until it's unlocked with a passcode again. This is a good option if you want to usually avoid the passcode but are worried about attacks on Touch ID / Face ID. Just make sure you have "Auto Call" disabled.

On Android, there isn't a corresponding option yet, but the upcoming Android P release will have a "Lockdown" option that you can enable in settings. Enabling lockdown will disable all authentication mechanisms other than your passcode or pattern.

The exact way Emergency SOS works is a little different on different phones:

  • On iPhone 7 and lower, press the power button five times quickly to bring up the Emergency SOS screen, with a slider for power off, medical ID (if enabled), and an emergency call. Auto Call is disabled by default; if you enable it, it will immediately call emergency services.
  • On iPhone 8 and up, press and hold one of the volume buttons and the power button (aka the "side button" on iPhone X) to bring up the Emergency SOS screen with sliders. (This is the same sequence you use to power off the iPhone X normally.) If you keep holding them, it will start a countdown to call emergency services and play a loud "countdown sound". You can disable either the Auto Call feature or the countdown sound in settings.

You can also enable the side-button-five-times option on iPhone 8 and up, but on those devices, it will immediately call emergency services, whether or not Auto Call is enabled.

See Apple's official documentation, as well as 9to5Mac's article about Emergency SOS on iPhone 8 and X and a how-to from iMore.

There is no way to have Emergency SOS only notify your emergency contacts and not also call emergency services.

Secure messaging

Signal is the standard for secure everyday messaging. There are other "secure messaging" apps of varying quality; many have weaker models (e.g., they don't encrypt group chats, or they don't support "forward secrecy", which means that your old messages can be decrypted if your device is ever compromised) or don't have a security protocol as well-reviewed as Signal's.

Outside of secure messengers, WhatsApp would be our preferred option, as they've integrated Signal's cryptography into the app, including the option to manually verify security codes. Security researcher Martin Shelton has written a guide to installing and securing WhatsApp. (He's also written a guide to getting started with Signal.)

Signal has a desktop app, but the security model of most desktop OSes is much weaker than even that of a poorly-configured mobile phone - in particular, any app can generally read and write private data from any other app. And Signal Desktop is based on Electron, which is a difficult platform to use securely; there were two serious vulnerabilities discovered in May. So for these reasons we recommend avoiding Signal Desktop and using your phone for secure messaging.

In the news

The Supreme Court ruled in Carpenter v. U.S. that searching cell-site location information requires a warrant supported by probable cause. Oyez has a summary.

The Associated Press reported last week that Verizon, and later AT&T, Sprint, and T-Mobile, would stop selling location data to intermediaries, but continue selling directly to users of the data. This comes after a CMU researcher found that one of the intermediaries had a publicly-available free demo that would let you find the location of a user of any of those four carriers - an oversight that was quickly fixed, but raised concerns about the practices of these data brokers.

Transcript

Liz Denys (LD): Geoffrey, do you remember that time in college when I lost my iPhone for a few days?

Geoffrey Thomas (GT): Oh yeah! You were pretty freaked out.

LD: I was so relieved to have found it among extra toilet paper in the bathroom I figured out I must have left it in, but I was also really worried that someone might have stolen it and wiped it, or worse, gotten into one of my accounts.

GT: Good thing you know a whole lot more about securing your phone now, Liz.

LD: I'm definitely glad about that, and to help prevent our listeners from panicking like I did, today's episode is all about phone security.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

GT: Oh, we had a question from a caller! I was on the phone with my dad on Father's Day -

LD: Um, does that really count as a question from a caller?

GT: - and he said, "I listened to your episode about password managers, and it sounds better than what I'm doing now, but what happens if the password manager company shuts down?"

LD: That's a really good thing to be worried about! If your password manager is entirely online, then that's a risk. But most password managers have an app that you can download, either a desktop or mobile app, which will synchronize all your passwords. And then they're stored on the device and available offline.

GT: You can usually also download an export of your passwords, but using an app is safer because the passwords remain encrypted. You can check by putting your phone in airplane mode and making sure you can still see all your passwords. If that works, it will work even if the company shuts down.

LD: This is also another good reason to pick a well-known, reliable company for your password manager. There are a couple new password managers that look promising that we didn't put in the show notes for our first episode - we think that it's great that there's new options in the market, but for most people it's probably less headache to stick with one of the more established options.

Interlude music plays.

LD: Big cell phone privacy news this week: the Supreme Court ruled that police need a warrant to get your cell phone's location data.

GT: Wait, before they didn't need a warrant?

LD: So, your cell phone sends location data to the carrier while it's working, just to keep you connected, and the argument was that the "third-party doctrine" means you don't have an expectation of privacy in anything you send to a third party.

GT: But everyone carries a cell phone basically everywhere! And you can get extremely detailed location information - if you don't have privacy over where you are, do you have any privacy at all?

LD: Right. The court ruled five to four that the privacy invasion of tracking someone's location by cell phone is so large that the third-party doctrine doesn't justify it.

GT: Only five to four?

LD: There was a lot of arguing about what the third-party doctrine means, but one of the bigger dissenting arguments is that this is data the cell phone company uses and also resells for marketing purposes, so it's not really that private anyway.

GT: Right, there was something a month ago where someone discovered you could find anyone's location on the web for free.

LD: Oh, that brings us to the other piece of news. After the existence of these "data brokers" was revealed, there was a lot of public outcry, and now Verizon, AT&T, T-Mobile and Sprint have said they won't sell location information to those data brokers.

GT: So you used to just be able to buy any cell phone user's location? And you still can, for some other carriers?

LD: There are a few legitimate uses, like bank fraud prevention. If your cell phone is nowhere near where your card is being used, that's probably a bad sign. The carriers are going to keep selling location data, just not to these intermediaries that resell it.

GT: Well. I guess there's a lot more I could be hoping for, but the news this past week has been pretty good for securing location data.

LD: There is a lot you can do to secure your cell phone itself, though. Let's get into it!

Interlude music plays.

LD: Today, we're focusing on securing the smartphone you have. If you're in the market for a new phone, get excited, because our next episode is all about comparing Android and iOS's security models in more depth.

GT: So, there's a kind of nihilistic view about how to secure your phone where the main goal is to just have as little sensitive information on it as possible. We're not going to focus on this idea because it's highly impractical to not have sensitive information on your phone.

LD: And honestly, unless you have an extraordinary memory, your phone is probably actually a really good place to keep some sensitive information - if you've got solid encryption on it, it's a lot safer than keeping things in a notebook or a card in your wallet.

GT: Yeah, and modern cell phones are actually very well designed in terms of security, and probably more secure than the computer you have. And I want easy access to applications like my email and Twitter and probably some contacts and messaging.

LD: Yeah, and that's why the philosophy we're focusing on is all about how to keep what's on there as safe and secure as possible.

LD: The first thing you should do to lock down your device is literally to have it lock immediately when idle and open up with a passcode.

GT: Ideally, you'd use a passcode, and not something like Android's "unlock pattern" feature, because swiping across your screen leaves a physical trace that can be used to narrow down how many possible patterns are used.

LD: Android actually supports so many ridiculous options for unlocking your phone. One of them was face matching called "Trusted Face", which isn't as technologically advanced as Apple's Face ID and could probably be unlocked by someone who had a photo of you. Android also has this "on-body detection" thing that would use your accelerometer to figure out when it was in your hand or pocket while you were walking and lock it otherwise, which isn't particularly secure either. They also have another option to unlock when it's near a trusted device or at a specific place that you think is trusted, I guess, like your house? Which, of course, an attacker could go to, or, you know, steal the other trusted device. It can also unlock with your voice, but an attacker could record that, just like in that classic scene in Sneakers. Just please, please, please don't use any of these.

GT: Apple's Touch ID and Face ID are really convenient, but if you're at a particularly high security risk or otherwise really paranoid, you might not want to use them because there is an inherent risk of a physical attack to unlock your phone. Some people say you can claim a Fifth Amendment right to not reveal your passcode, but that doesn't apply to being required to use your fingerprint or your face to unlock something. Uh, the courts haven't quite settled that yet.

LD: Also, there are a lot of other ways you might be forced to use Touch ID or Face ID - someone can just push your finger against your phone, or hold it up to you. If that's an attack you're worried about, then maybe it's better to only use a passcode.

GT: On my iPhone, I have Touch ID enabled for some things, like making purchases, but I have it disabled for unlocking, so I have to enter my passcode in order to get anything done.

LD: I don't think that I'm at a particularly high security risk right now, but I generally think of myself as pretty paranoid. I have an iPhone, and I use Touch ID to unlock my phone most of the time because I have a relatively long passcode that I find frustrating to type sometimes. But there are also some times when I turn Touch ID off, like if I'm traveling. If you find yourself in a situation where you have these biometric unlock options on and want to quickly change your unlocking method to require a passcode, you can do this quickly via iOS's Emergency Mode or in the upcoming Android P, you can turn on "Show lockdown option" in settings. Check our show notes for links with more information on these security features.

GT: You should be using at least a 6-digit passcode, preferably longer. Both iPhones and Androids are supposed to stall after a few guesses to prevent "brute-force" attacks, where someone tries every possible passcode. But there's been news recently about devices that somehow bypass this on iPhones, even though they try to do this protection in separate hardware.

LD: Apple does say they've tuned the encryption to take 80 milliseconds per guess, which is harder to bypass if that's part of how the encryption algorithm is designed. A 6-digit passcode's one million combinations could be cracked through brute force in just under a day, though. A 4-digit passcode could be brute-forced in just 13 minutes and 20 seconds. But brute-forcing an 8-digit passcode would take no less than 90 days, which is a bunch more secure. I'm pretty paranoid, so my current passcode is 12 digits, which should take over 2500 years to guess!

GT: Because of this I think it's fine to use an all numeric passcode, as long as it's long. It's certainly much easier to type on a phone than a passphrase: both Android and iOS will pop up a numeric pad instead of a keyboard if your passcode is all numbers. And even knowing that it's all numbers doesn't help people guess the code any faster.

LD: But if you want to use a longer passphrase that's also fine, especially if you're on Android and you don't know how strong your device's encryption is against brute-force guesses. If you chose to use an alphanumeric code, you'd probably want something fairly human-memorable because your password manager will be behind this passcode. If you used that dice rolling word list from the EFF and grabbed two words, each word takes 5 dice rolls, so there's over 60 million combinations, which would take 55 days to brute force. I say two words because if you're unlocking your phone frequently, that's about the length for it before I'd start getting annoyed about how much I'd have to type it regularly on my phone.

GT: Another thing you could do is enable the option to wipe your phone after several bad login attempts. This is pretty dangerous, though - anyone who gets access to your phone, even a young child, could cause your phone to get wiped, either on purpose or not. And at least some versions of Android have this as a hard-coded feature after 30 attempts, although there's an increasingly long timeout after the first few tries. iPhone has this as an option after 10 attempts. It's probably not a good idea to turn this on unless you're very confident about your backups, and you're unusually worried about someone trying to guess your passcode.

LD: A better option, which you probably should enable, is remote wipe. Both Apple's Find My iPhone and Android's device manager support wiping a phone in your account remotely, so if you lose your phone, you can send it a signal to wipe itself. You'll want to do this as quickly as possible after you lose your phone, in part because it needs cellular or wifi data connections to receive your wipe signal and someone who steals your phone probably knows this. You'll also need to have the feature enabled in your phone before you lose it. It's also important to make sure the data on your device is encrypted. On iOS, if you have a passcode, your data's encrypted, and you should definitely set a passcode, as we, you know, just discussed.

GT: On Android, there's an option in settings to do full-disk encryption, which should be available on every Android, although it might not be enabled by default on some of them. Some newer Android phones also have file-based encryption, which you should turn on for additional protection. It makes sure that your files aren't accessible by someone who doesn't have your passcode.

LD: You also want to be encrypting your backups. Ideally, your phone backups are done locally on your computer because that gives you additional security through requiring physical access to that computer and also some additional legal protections that remote servers don't have.

GT: You probably also want to encrypt the laptop where you keep your backups, if you can, but that's a topic for a future episode on securing your personal computer.

LD: Oh! Your mentioning laptops reminded me that when you have more access to your device in general, you also have more security concerns. So if you root your phone, you probably need to know that you're opening up a can of worms.

GT: There's a lot of cool things you can do when you jailbreak your iPhone or your Android, but fundamentally, the process of jailbreaking it involves weakening the platform's security guarantees - especially on iOS, where part of the security guarantee is that Apple keeps tight controls over what code can run on the iPhone.

LD: Also, it becomes much harder to update your phone and keep the jailbreak working. Fundamentally, rooting your phone involves using a security vulnerability, and the mobile OS authors will try to patch it quickly, because if you can root your own phone, there's a danger that some app or some website can do the same thing without you being aware, too.

GT: Some Android phones come with unlocked bootloaders, and you can install a third-party distribution of Android. If you have to use a very old Android phone, this actually can be a really good choice, because it's probably your only way of getting software updates. But in general, this is probably not as secure of an option as sticking with the built-in OS.

LD: You also need to be careful about how you charge your phone. I know that sounds a little bit extreme, but you don't want to plug it into an unknown USB port, especially when it's unlocked. There's no way to tell if it's just a USB charging port that's just giving you power, or if it's trying to do something malicious, like get files or photos off your device. The best thing you can do is to charge it off something you know you trust - whether that's a wall plug, a portable battery, or your own laptop.

GT: There are also devices called "data blockers." It's a little adapter or a short cable that allows you to plug into an unknown USB port and passes power but not the data pins. If you buy one of these, we recommend you quickly test that it does what it claims to do, by plugging your phone into it through your laptop, and making sure that your laptop and phone don't see each other.

LD: Notifications can be a big source of leaking sensitive information, too, like when you get an important email and the subject, sender, and start of the message itself shows up on the locked home screen by default.

GT: Yeah, the most secure thing would be to turn off all notifications from showing up on your lock screen, but it can be really annoying to track down which app caused the notification when your phone buzzes.

LD: Yeah, instead of totally taking them off my lock screen, I turn off notification previews, which means I just see that there's a new email or a social media alert, but not the content of that alert. [Here's how to do this on Android and iOS.] It still leaks a little bit of information - you know, that I got a new email or a new social media alert - but it's a lot less than showing who sent it and what's in it.

GT: So unfortunately, text messages and phone calls are both inherently insecure. While they go over encrypted connections these days, the encryption isn't super strong, and they're both relatively easy to intercept - especially since, as we've talked about in a previous episode, there are attacks where someone can pretend to be you and go to the cell phone store and just pick up a new SIM card for your account.

LD: You should try to move as much of your communication as possible to secure messaging and calls, and the best app for that right now is Signal.

GT: We're not usually in the business of recommending specific products or applications, but currently Signal is the best secure messaging app. It's fully end-to-end encrypted, so no one but your device and the device of whoever you're talking to can read what you're messaging about.

LD: Also, Signal is an open source project run by a not-for-profit organization called Open Whisper Systems. Signal is its own system, so you'll need to get your friends to sign up for it, but it's very easy to do that and it's very secure. Open Whisper Systems is also working with Facebook Secret Messaging and WhatsApp to use the same technology, but it's a little less secure - WhatsApp shares users' phone numbers as well as some analytics data with its parent company, Facebook, and Facebook Messenger only uses secret conversations when you enable them, and the security of that is tied to each person's Facebook account, not to their device. That said, WhatsApp is still a better option than just about all of the other non-Signal chat apps out there. There's a good guide to making it more secure that we'll link to in the show notes.

GT: Yeah, I like that Signal's independent of the big tech giants, and I love even more that it's open source because that means anyone can go look at the source code and verify it's doing what it should be.

LD: Most people aren't security experts though, so that might not mean a lot on its own, but Signal is well-respected in the cryptography community: a 2016 audit as well as a 2014 audit of the system that eventually became Signal both found that it was very well-designed.

GT: Voice activated assistants - you know, "OK, Google" or "Hey Siri" - are also a potential source of security risk. While they're supposed to be trained to respond only to your voice, it's safer to just disable them when your phone is locked so no one else can access sensitive information through your phone's voice assistant. There have been regular bugs that allow access to too much information via these voice assistants - there was one discovered this March where you could ask Siri to read your notifications, and it would do so even if you said notifications should be hidden when the phone is locked. So the best thing is to make sure they're completely off when your phone is locked - on Android, you should turn off "Unlock with Voice Match," and on iOS, in your lock screen settings, you can disable access to Siri.

LD: But it's not just an issue of what leaks when someone has access to your phone and tricks your phone into thinking you unlocked some information with your voice - digital voice assistants send their queries to their parent companies, and usually, they're sending a lot of other potentially sensitive data, like your location, along with your question itself. Apple stores Siri requests with device IDs, which can be linked to you, for six months, and an ID-less version of the audio for a total of two years, and we're not actually sure what Google does with "OK, Google" requests. That sort of information, especially accumulated over time, could give hackers a lot of insight into where you live, work, eat out, and so on. Speaking of location information, you want to limit app access to location as much as possible.

GT: Yeah, you don't want apps to be recording where you're going constantly, and if you let an app have access to location all the time, it might try to get your location every time the app does a background app refresh. Apps use location data in wildly varying ways, but it's always in your best interest to limit your location data to "only while you're using the app," if it's essential the app has your location, or to "never" - just in case an app company's servers get breached or subpoenaed.

LD: Background data refreshes are also something you can limit for apps that you don't need to get regular updates from. It's not clear that this improves security, but it saves a lot of battery life!

GT: Phones also let you set a medical ID [Android, iOS], which is handy if you have medical information you'd want paramedics to get to in an emergency. It's worth knowing that the information in your medical ID is available even when your phone is locked.

LD: Yeah, and that also means that any contacts you set in there are essentially public. If you want to be paranoid, you might not want to put the full names on those contacts or something, but we think you're the best judge of how to handle your health and thus, what information is best to put in your medical ID.

GT: Also, note that your phone might automatically call these people if it's in some sort of emergency mode. If you don't want that, make sure you turn that off in settings.

LD: The last major topic for securing your phone is network concerns, and there's a bunch of different subtopics. We'll get back to this after a short break.

Interlude music plays.

LD: Alright, let's dive into network concerns around securing your phone. You should be really careful with which connections you allow access to on a device you have sensitive information on.

GT: Apple's AirDrop is a networking feature that can be easily abused. Not only might you accidentally press the wrong buttons and send something sensitive to someone else, but the default option of receiving AirDrops from anyone opens you up to potentially getting nasty, unsolicited photos.

LD: Ugh, yeah, I can only imagine what strangers on the subway might send my way every day if I had that on. If you never use AirDrop to share files with friends, family, or coworkers, just turn it off. If you do use it, you should limit it to only receiving from your contacts, and ideally, when you're not using it, you should turn it off.

GT: As with all physical devices, you should be careful when connecting to insecure, public wifi networks, like at coffee shops or hotels.

LD: Generally, a smartphone is a pretty secure device. Most popular apps only ever transfer over secure protocols like HTTPS, and the app structure keeps a lot of your data siloed off. However, when you're on an unsecured network, you should always be careful when browsing sites with insecure HTTP elements or using a game that connects to Facebook or something - it's possible someone could be listening in on those connections.

GT: It's really a shame that HTTPS Everywhere only works on desktop and laptop computers.

LD: Actually, it does work for Mozilla Firefox on Android! Unfortunately, Chrome is generally still more secure in other ways. Oh, there's also another interesting Android feature for unsecured wireless networks, which is in recent versions of Android and supports Pixel and Nexus phones, as well as a couple other Android phone models. It's called "Wi-Fi Assistant" and causes your phone to automatically connect to open wifi networks that Google trusts and then sets up a Google VPN connection so that the insecure, public wifi network can't see what you're doing, only Google's VPN can. This is a pretty neat security feature that helps you conserve how much cellular data you use.

GT: Unfortunately, it doesn't look like there's a way to get that Google VPN encryption without using Wi-Fi Assistant to connect to all such networks. If you manually connect to a wireless network, it won't set up a VPN connection to Google.

LD: Bluetooth is another one of those useful features that's also a potential avenue of attack. Bluetooth security used to be so bad it was practically nonexistent, and it's still very hard to tell just how secure a particular Bluetooth connection is, because a lot of Bluetooth devices want to be backwards-compatible, even though those older protocols are less secure.

GT: I've wanted to get a Bluetooth keyboard for my phone for a while, but I still haven't figured out how to be confident that it's secure. I'll connect my phone to Bluetooth audio sometimes, but even that's risky; a car audio system will try to ask for your contacts or sometimes even try to connect to the internet through your phone. So I make a point of turning off Bluetooth when I'm not using it.

LD: Recent iOS versions have tried to be helpful by automatically re-enabling wifi and Bluetooth some time after you turn them off. If you disable Bluetooth or wifi from the control center, that's just temporary - you have to go into settings to actually turn it off.

GT: Remember that Bluetooth can be turned on from the lock screen, so again, if you have some reason to be paranoid, go through your paired Bluetooth devices and unpair them all. You might have a bunch of old devices you've forgotten about, and you don't know what level of security they've all used for pairing.

LD: Let's talk about one final concern you might have if you happen to find yourself at a protest or other civil disturbance - or even several blocks from one.

GT: In the past few years there's been a lot of news about portable devices that act like fake cell phone towers. The technical term is "IMSI catcher," after the way your phone connects to the cell network, but the first model that was widely known publicly was the "Stingray," so people now use that to refer to any such device.

LD: Much like Bluetooth, the cell network protocol has gotten more secure over the years - from 2G, to 3G, to 4G, to LTE - but cell phones are still compatible with the older standards. And even LTE has modes without security, and phones don't usually tell you what mode the cell network is in. So a fake cell phone tower can just overpower the real one, and force your device to connect to it, unencrypted. Or it can force your phone to use an older standard - which is sometimes a good thing if you're actually roaming, but not if you're in a well-covered city and being tricked into connecting to a Stingray device.

GT: A lot of government agencies have them - even people you wouldn't normally think of as law enforcement, like the IRS - because it makes it very easy to track people. If the data's in your hands, you have it immediately and you don't need to subpoena it from a cell phone company. But just like the iPhone unlockers, we don't know who all have access to them - and unlike the iPhone unlockers, it's pretty well documented how to build a cell tower yourself. There were a bunch of them around the infamous hacker conference DEF CON in 2016.

LD: There isn't currently a lot you can do to keep yourself safe from Stingrays. Since they pretend to be a cell phone tower, they can intercept your calls, read and spoof text messages, mess with your network connection, and so forth. It's like connecting to an untrusted wifi network, except your text messages and phone calls are now untrusted, too, and they've got location data for you. So if you suspect you're somewhere near where a Stingray might be used, use some common sense about your data: check for HTTPS, use Signal for text messages and even voice calls that you don't want other people listening in on, don't trust unexpected texts, and so forth. And as for location data, if you don't want to be swept up as someone who attended a protest, maybe just put your cell phone in airplane mode for a bit.

GT: It sounds like maybe you should put your phone in a tinfoil bag!

LD: I mean, honestly, that would block against this attack pretty well. It does take a little more time to switch on and off airplane mode than to stick something into a tinfoil bag - and you'd have to remember to turn airplane mode on and off each time, whereas it's probably easier to just put it back in the bag!

GT: Okay, if we're turning into the tinfoil-bag podcast, I wanted to know how you trust that your phone charger is secure. What if it's got a miniature unlocker in there?

LD: Or a data blocker that usually blocks data, but lets it through if it sees a specific target device?

GT: Oh, that would be nasty. I don't even know how you'd figure out this is happening.

LD: You'd probably need to X-ray your devices to see what's happening, and even then, you might not really know what's going on until you had an idea of what type of attack you should be looking for.

GT: I'm a sort of paranoid person so I'll usually buy devices off the shelf at a store, just because if someone's after me, maybe they'll mess with packages I order online that are shipped to my home, but it's less likely that they'll have put fake devices on the shelves of whatever store I happen to buy from.

LD: But this is definitely going down a pretty paranoid rabbit hole. For most of us, there are some pretty simple steps to keeping your phone secure - set a good passcode, enable encryption, don't jailbreak it.

GT: And make sure to use a secure app for messaging, like Signal, and disable any features you're not using like Bluetooth or voice assistants.

LD: That wraps up how to secure the phone you have! Check back with us in two weeks for an in-depth comparison of Android and iOS's security models.

GT: If you're in the market for a new phone, you won't want to miss it!

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.