Most people don't think of their cell phones when they are trying to be secure or "anonymous" on the internet. This is a huge mistake, so I'm going to make this first post about them.
First things first, your lock-screen
Vital when talking about physical access. This is probably the downfall of many users, since most people think a four-digit passcode is actually useful. It’s not. It might stop your little brother from “hacking” your Facebook, but that’s about it.
You need to realize that your cell phone's password needs to stand up to a desktop password. Think about it. They are just as easy to hack and bruteforce, and they contain a huge portion of your personal life. Pictures, GPS data, timestamps to go with your GPS location, emails, contacts, messages, etc. And what's more, your phone can be used to get whatever else someone might want. Let's use Twitter. Let's say you don't have Twitter on your phone, you're not signed in, and you haven't reused that password. Well, once someone has access to your phone, they just have Twitter send a security code to your number and they can reset your password. And notice I said your number, not your phone. Even if your phone is encrypted to hell, an attacker could pop out your SIM and stick it in a new phone. If they have the right amount of knowledge and money to manipulate SS7, they don't even need access to your phone to do this. Suddenly all your texts and calls are going to their phone instead of yours. Also don't forget, a lot of apps such as Telegram, WhatsApp, Signal, and Authy use your phone number as your login by default.
So how do we go about securing them?
As I mentioned before, it's vital that you have a strong password. For Android devices, use the highest number of characters your device will allow. I think it's only 16 for some devices, but some go to 40+. Having a very long password is better than having a short one with symbols and numbers and such. If you're on iOS you're in luck. My iPhone password is currently 40+ characters, and I have no idea what the max is. You may want to check out this website to test the strength of your passwords. Everything is done offline so you don't have to worry about your password being sent anywhere.
Now we need to make sure this password actually does something. For Android devices, this means encrypting your device. If your device is encrypted, bypassing the lock screen or dumping your data to a computer won't get an attacker anywhere, since they would still have to bruteforce your password. If your device is not encrypted, an attacker could still access all of the data on your phone without needing your password. It's even easier for them if you have ADB enabled. So at this point we have our device encrypted, and we have a hella strong password. Invincible, right? No.
There are still a few more things to worry about.
I'm just guessing here, but I'd bet that most iOS users are likely to have iTunes installed on their computer. It's what you use to copy songs over and restore your device if it's broken. It's also used to make backups of your devices. If you have a 64000-character password, it will do you no good if all your data is sitting on your PC ready to be copied. Yes, you can encrypt your backups if you choose to, but again this can be bruteforced. If your device is being backed up to iCloud or Google Drive, then it's at the mercy of whoever has access to your account. And as I mentioned before, your online accounts can be taken extremely quickly if someone has access to your phone number or email.
Alright, no insecure backups, got it.
Well, now we need to look at a few more things. Is your device rooted or jailbroken? Are you using developer mode/ADB? This can be bad. Now keep in mind that in Android's case, if you know what you're doing, root can be a good thing. But it can also be bad. For iOS devices, I would never recommend jailbreaking if you're worried about security at all. Jailbroken devices and root provide full access to everything. Invisible backdoors could be installed. Your files can be copied. Antivirus can be disabled, etc.
You should also learn about Cellebrite. Cellebrite is a tool used to break into devices, and it has a bunch of different ways to get into your devices. I've never owned or used one, so I'm simply going off of what I've learned from reading the manuals. The first mode uses your device's built-in functions to basically ask for all of the information it needs. This is why it's important to disable backups and developer tools, as well as keeping your device unrooted and un-jailbroken. The second mode just copies the files from your device, just like if you plugged a flash drive into your computer and copied the contents to a folder. The third mode is a full forensic bit-by-bit extraction (meaning it can probably see your deleted files too). The third mode will not be stopped by anything we've done above; you have to rely on the strength of your password versus the computational power of your attacker. There's a bunch of other specific functions this thing can do, but for now I'll just stop here. The other functions include a password grabber, SIM cloner, and various developer tools. The most important thing about this tool is that it can bruteforce your password even if you have a self-destruct set. For example, on Android and iOS there is an option to wipe the device if an incorrect password is entered ten times. This tool can bypass that. Also remember, if your device is jailbreak-able, Cellebrite can jailbreak it and bypass the password.
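To put numbers on the "long beats short-but-complex" advice and on the "strength of your password versus the computational power of your attacker" point, here is an added example (not part of the original post) that compares the brute-force keyspace of a four-digit PIN, a short mixed-symbol password, and a long lowercase one. The sample passwords and the guess rate are constructed assumptions, and the figures are upper bounds that only hold for randomly chosen characters.

```python
import math
import string

# Assumption: unthrottled guesses per second once the attempt limit is bypassed.
ASSUMED_GUESSES_PER_SECOND = 10_000

def charset_size(password):
    """Size of the smallest common alphabet covering every character used."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),  # 32 ASCII symbols plus space
    )
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    if size == 0:
        raise ValueError("empty password or no recognised ASCII characters")
    return size

def keyspace_bits(password):
    """Upper bound in bits: log2(alphabet ** length). Real words score far lower."""
    return len(password) * math.log2(charset_size(password))

def seconds_to_exhaust_half(password, guesses_per_second):
    """Average blind brute-force time: half the keyspace at the given rate."""
    return 2 ** (keyspace_bits(password) - 1) / guesses_per_second

def human(seconds):
    """Render a duration in the largest sensible unit."""
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, span in units:
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    samples = {
        "4-digit PIN": "1234",
        "8 chars, all classes": "xK9#mQ2!",
        "20 chars, lowercase only": "qzvhrkpwmxtbnydlgcsj",
    }
    for label, pw in samples.items():
        bits = keyspace_bits(pw)
        eta = human(seconds_to_exhaust_half(pw, ASSUMED_GUESSES_PER_SECOND))
        print(f"{label:26} {bits:6.1f} bits  ~{eta}")
```

The 20-character lowercase string ends up with roughly 94 bits against about 53 for the 8-character mixed one, which is why length matters more than symbol variety; the four-digit PIN falls in under a second at the assumed rate.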