
NSA Mobile Device Best Practices

145 points by asix66 almost 4 years ago

15 comments

sandworm101 almost 4 years ago
Defense links for anyone on government systems that might not have easy access to documentcloud.

https://media.defense.gov/2020/Jul/28/2002465830/-1/-1/0/MOBILE_DEVICE_BEST_PRACTICES_FINAL_V3%20-%20COPY.PDF

Corresponding NSA document for OCONUS (travel outside continental US)

https://home.army.mil/stewart/index.php/download_file/view/12526/2822

nimbius almost 4 years ago
> Use strong lock-screen pins/passwords: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect password attempts.

I'm calling BS. NSO and others have demonstrated repeatedly they can (and do) brute-force these PIN-based logins quickly and efficiently without triggering the wipe using side-channel attacks on running services and software over the air and through USB. Use a PASSPHRASE.

> Consider using Biometrics (e.g., fingerprint, face) authentication for convenience to protect data of minimal sensitivity

Remember: the Fifth Amendment does not cover biometrics. If a DUI case can forcibly extract your blood, then you can and will be required to present your face to unlock a laptop. Use passphrases.

> DO NOT jailbreak or root the device.

This often allows people to remove pre-installed spyware just as easily as it can be installed.

ajdecon almost 4 years ago
I’ve seen most of these recommendations before, but the “mic-drowning case” to muffle room audio is new to me. Certainly makes sense, but are there any common commercial phone cases that advertise this feature?

barcoder almost 4 years ago
Having recently switched to iPhone I have been very surprised at finding my Wi-Fi and Bluetooth automatically turning on. There could be a better way, but I had to create a shortcut to disable connectivity until I manually turn it back on.

bamboo2 almost 4 years ago
Problem with this: "keep your phone with you always" conflicts with "don’t have secure conversations within mic range of your phone." You can’t do both of these.

But otherwise this is great and I would probably add “reset and replace devices often.”

bottled_poe almost 4 years ago
Kinda surprised biometrics are recommended. I’ve always thought passcodes were more secure - particularly as the data is not easily accessible by interrogators, for example.

ARandomerDude almost 4 years ago
> Power the device off and on weekly.

Thoughts, HN? I can see how this might be good for performance, but how is it good for security?

duxup almost 4 years ago
I worked for a company where we sent folks onsite to very secure sites.

Nothing electronic EVER arrived at the facility or left with you when you left the facility that wasn't accounted for. Nothing that ever entered that wasn't needed, NO phones allowed ever. You and your vehicle were searched on arrival and exit. We went through a lot of laptops...

With the complexity of hardware / software involved, I suspect that's the only way.

baybal2 almost 4 years ago
One problem with both Android and iOS: impossible to disable automatic previews.

Send yourself a link by SMS, or some popular messenger like WhatsApp.

Your phone will automatically make you a browser page preview, and in the process run every browser exploit available.

Google added an extremely well hidden option to disable it in Messages a few versions ago. Since there is no way to be sure Google does not remove it, and add some kind of another autoplay-like feature in the future, I just replaced the SMS app altogether with one which does not peek into my conversations: https://play.google.com/store/apps/details?id=com.simplemobiletools.smsmessenger (Google straight tells they can get a copy of your SMSes as per their disclaimer if you use Google Messages for "improving service")

maerF0x0 almost 4 years ago
I'm curious if anyone has any leads/stories on compromised 3rd party devices? Would love to learn more about detecting these things. Like say a USB charging brick that also attempts malware or a keyboard etc?

aasasd almost 4 years ago
Sorta have to wonder if it's safe to open that PDF locally—the site doesn't quite work on the phone.

johnchristopher almost 4 years ago
Well, considering all those restrictions and how it's still not secure enough anyway, how long before the recommendation will be "Don't use your smartphone. Use the landline phone in your office"?

mikewarot almost 4 years ago
Why do people need smart phones, really? The only time they come in handy is for driving directions.

It turns out my Samsung candy bar phone with no camera, GPS and internet leads the way in security.

motohagiography almost 4 years ago
Annoyingly, putting your device in a shielded evidence bag without turning it off can cause its various radios to frantically seek connections and even amplify their signals until they completely empty your battery.

Useful to have if you are curious about protests or concerts and other gatherings of people with a significant criminal element who could get your IMEI stingray-ed and then palantir-ed.

jeffbee almost 4 years ago
Surprised they go with "DO NOT" connect to Wi-Fi, but just "avoid" attaching untrusted hardware devices. That seems backwards.