**General Security Practices (Apply to All Users):**
* **Use End-to-End Encryption:** Adopt a secure messaging app like Signal (compatible with iOS & Android).
* **Secure Messaging App Hygiene:**
* Be wary of social engineering attempts (account compromise scams).
* Verify group invitations through separate channels.
* Be suspicious of unexpected security alerts *within* the app.
* Enable message expiration features (check organizational policies first).
* Regularly review and remove unintended linked devices.
* **Enable FIDO Authentication:** Use phishing-resistant MFA (hardware keys like Yubico/Google Titan preferred, passkeys acceptable) for valuable accounts (email, social media, etc.). Disable less secure MFA methods after enabling FIDO.
* **Migrate Away from SMS MFA:** Do *not* use SMS for two-factor authentication. Use authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) as a better alternative, but FIDO is strongest. Disable SMS after enabling an authenticator app.
* **Use a Password Manager:** Store all passwords in a password manager (Apple Passwords, LastPass, 1Password, etc.). Use a strong passphrase to protect the vault. Regularly update passwords with the manager.
* **Set a Telco PIN:** Add a PIN/passcode to your mobile account with your provider to prevent SIM-swapping. Also, change your mobile account password.
* **Regularly Update Software:** Update operating systems and apps weekly; enable auto-updates.
* **Upgrade Hardware:** Use the latest hardware version from your phone manufacturer for optimal security features.
* **Avoid Personal VPNs:** They can increase the attack surface. Use organization-provided VPNs if required.
**iPhone-Specific:**
* **Enable Lockdown Mode:** Reduces the attack surface.
* **Disable "Send as Text Message":** Ensures iMessage (end-to-end encrypted) is used when available.
* **Protect DNS Queries:** Use Apple iCloud Private Relay or encrypted DNS services (Cloudflare, Google, Quad9).
* **Enroll in iCloud Private Relay:** Enhances privacy and security for Safari browsing.
* **Review App Permissions:** Restrict access to sensitive data (location, camera, microphone).
**Android-Specific:**
* **Prioritize Secure Manufacturers:** Choose Android phones from manufacturers with strong security track records and long-term update commitments (check Android Enterprise Recommended).
* **Use RCS with Encryption:** Only use RCS (Rich Communication Services) if end-to-end encryption is enabled (Google Messages).
* **Configure Android Private DNS:** Use a trusted DNS resolver (Cloudflare, Google, Quad9).
* **Enable Secure Connections in Chrome:** Ensure all website connections default to HTTPS.
* **Enable Enhanced Protection in Chrome:** Provides an extra layer of protection against malicious websites.
* **Enable Google Play Protect:** Regularly review app scans for threats. Be cautious with third-party app stores.
* **Review App Permissions:** Restrict access to sensitive data.
* **Use End-to-End Encryption:** Adopt a secure messaging app like Signal (compatible with iOS & Android).
* **Secure Messaging App Hygiene:**
* Be wary of social engineering attempts (account compromise scams).
* Verify group invitations through separate channels.
* Be suspicious of unexpected security alerts *within* the app.
* Enable message expiration features (check organizational policies first).
* Regularly review and remove unintended linked devices.
* **Enable FIDO Authentication:** Use phishing-resistant MFA (hardware keys like Yubico/Google Titan preferred, passkeys acceptable) for valuable accounts (email, social media, etc.). Disable less secure MFA methods after enabling FIDO.
* **Migrate Away from SMS MFA:** Do *not* use SMS for two-factor authentication. Use authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) as a better alternative, but FIDO is strongest. Disable SMS after enabling an authenticator app.
* **Use a Password Manager:** Store all passwords in a password manager (Apple Passwords, LastPass, 1Password, etc.). Use a strong passphrase to protect the vault. Regularly update passwords with the manager.
* **Set a Telco PIN:** Add a PIN/passcode to your mobile account with your provider to prevent SIM-swapping. Also, change your mobile account password.
* **Regularly Update Software:** Update operating systems and apps weekly; enable auto-updates.
* **Upgrade Hardware:** Use the latest hardware version from your phone manufacturer for optimal security features.
* **Avoid Personal VPNs:** They can increase the attack surface. Use organization-provided VPNs if required.
**iPhone-Specific:**
* **Enable Lockdown Mode:** Reduces the attack surface.
* **Disable "Send as Text Message":** Ensures iMessage (end-to-end encrypted) is used when available.
* **Protect DNS Queries:** Use Apple iCloud Private Relay or encrypted DNS services (Cloudflare, Google, Quad9).
* **Enroll in iCloud Private Relay:** Enhances privacy and security for Safari browsing.
* **Review App Permissions:** Restrict access to sensitive data (location, camera, microphone).
**Android-Specific:**
* **Prioritize Secure Manufacturers:** Choose Android phones from manufacturers with strong security track records and long-term update commitments (check Android Enterprise Recommended).
* **Use RCS with Encryption:** Only use RCS (Rich Communication Services) if end-to-end encryption is enabled (Google Messages).
* **Configure Android Private DNS:** Use a trusted DNS resolver (Cloudflare, Google, Quad9).
* **Enable Secure Connections in Chrome:** Ensure all website connections default to HTTPS.
* **Enable Enhanced Protection in Chrome:** Provides an extra layer of protection against malicious websites.
* **Enable Google Play Protect:** Regularly review app scans for threats. Be cautious with third-party app stores.
* **Review App Permissions:** Restrict access to sensitive data.
Two top CISA officials, Bob Lord and Lauren Zabierek, have resigned citing their work on the Secure by Design program, coinciding with White House cuts and a potential shift in the program’s direction. The agency faces significant budget cuts and staff reductions.
The US government initially ended funding for the Common Vulnerabilities and Exposures (CVE) database. However, funding has been restored through the CVE Foundation and CISA. This article covers CVE from the perspective of effects on Android alone.
In the wake of the Salt Typhoon hacks, the US government agencies have reversed course on encryption, urging the use of end-to-end encryption after decades of advocating against it. This is a major turnaround from their previous demands for law enforcement backdoors.
