CISA Releases Best Practice Guidance for Mobile Communications
CISA has published its best practice guidance for securing mobile communications, with practical steps for hardening Android and iOS devices. Whether you are protecting a single phone or securing devices at scale, the steps below are worth working through.
General Best Practices:
- Use end-to-end encrypted communications only.
- Enable phishing-resistant authentication (FIDO hardware security keys or passkeys) on every account that supports it.
- Migrate away from SMS-based MFA.
- Use a password manager to store all passwords.
- Set a PIN or passcode on your mobile carrier (telco) account to protect it against SIM swapping and port-out fraud.
- Regularly update software.
- Opt for the latest hardware version from your phone manufacturer.
- Do not use a personal VPN. It only shifts residual risk from your ISP to the VPN provider, often with a larger attack surface and a questionable privacy policy. If your organization requires its own VPN client to reach its data, use that one.
Android Specific Guidance:
- Prioritize models from manufacturers with long-term security updates.
- Use Rich Communication Services (RCS) only with end-to-end encryption enabled. RCS is end-to-end encrypted only between Google Messages users who both have it turned on; messages to other clients are not.
- Configure Android Private DNS (Settings → Network & internet → Private DNS) to use an encrypted resolver such as Cloudflare (1.1.1.1), Google (8.8.8.8) or Quad9.
- Confirm Always Use Secure Connections is enabled in Chrome.
- Enable Enhanced Protection for Safe Browsing in Chrome.
- Ensure Google Play Protect is turned on.
- Review and restrict app permissions in Settings → Apps → Permissions Manager.
iOS Specific Guidance:
- Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) if you are a high-risk target; it sharply reduces attack surface at the cost of some functionality.
- Disable "Send as Text Message" in Settings → Messages so conversations do not silently fall back to unencrypted SMS when iMessage is unavailable.
- Note that iMessage is end-to-end encrypted only between Apple users; conversations with non-Apple numbers travel as SMS or RCS and are not end-to-end encrypted.
- Protect Domain Name System (DNS) queries by using an encrypted DNS resolver, such as Cloudflare's 1.1.1.1 app, Google's 8.8.8.8 or Quad9.
- Enable Apple iCloud Private Relay (requires an iCloud+ subscription) to hide your IP address and DNS queries from the sites you visit in Safari.
- Review and restrict app permissions in Settings → Privacy & Security.
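As an added example (not from the CISA guidance or from this page): the "Protect DNS queries" item above, done at scale rather than by hand on each phone. The Python script below builds a managed encrypted DNS payload (`com.apple.dnsSettings.managed`, supported on iOS 14 and later) for distribution through an MDM, and lints an existing .mobileconfig for the mistakes that quietly leave DNS unencrypted or let the user switch it off. The resolver `dns.example.org`, the `192.0.2.53` address and the payload identifiers are placeholders; substitute your organization's resolver. The Android counterpart is the Private DNS hostname setting, which an EMM sets through the device policy API rather than with a profile.

```python
"""Build and lint an Apple configuration profile that enforces encrypted DNS.

Added example, not part of the CISA guidance or this page. Assumes an MDM that
can install the com.apple.dnsSettings.managed payload (iOS 14+). The resolver
name, address and identifiers are placeholders (assumed, not from the page).
"""
import plistlib
import uuid

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def dns_payload(protocol, server, addresses=(), prohibit_disablement=True):
    """Return one managed DNS payload.

    protocol: "HTTPS" (DNS over HTTPS, server is the ServerURL) or
              "TLS"   (DNS over TLS, server is the ServerName used for the
              certificate check). Anything else is plain DNS and is rejected.
    """
    if protocol not in ("HTTPS", "TLS"):
        raise ValueError("only HTTPS (DoH) and TLS (DoT) are encrypted")
    settings = {"DNSProtocol": protocol}
    if protocol == "HTTPS":
        settings["ServerURL"] = server
    else:
        settings["ServerName"] = server
    if addresses:
        # Optional: resolver IPs, so the device need not resolve the name first.
        settings["ServerAddresses"] = list(addresses)
    return {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.dns.encrypted",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Encrypted DNS",
        "DNSSettings": settings,
        # Honoured on supervised devices only: the user cannot disable the resolver.
        "ProhibitDisablement": prohibit_disablement,
    }


def build_profile(payloads):
    """Wrap payloads in a top-level profile and serialise it as a .mobileconfig."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.mobile-baseline",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile baseline: encrypted DNS",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def lint_profile(data):
    """Return a list of findings for a .mobileconfig; an empty list means it passes."""
    profile = plistlib.loads(data)
    findings = []
    dns = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == DNS_PAYLOAD_TYPE]
    if not dns:
        findings.append("no managed DNS payload: queries fall back to the network's resolver")
    for payload in dns:
        settings = payload.get("DNSSettings", {})
        proto = settings.get("DNSProtocol")
        if proto == "HTTPS":
            url = settings.get("ServerURL", "")
            if not url.startswith("https://"):
                findings.append(f"DoH ServerURL must be an https:// URL, got {url!r}")
        elif proto == "TLS":
            if not settings.get("ServerName"):
                findings.append("DoT payload is missing ServerName (required for the certificate check)")
        else:
            findings.append(f"unsupported DNSProtocol {proto!r}: traffic would not be encrypted")
        if not payload.get("ProhibitDisablement"):
            findings.append("ProhibitDisablement is false: the user can turn encrypted DNS off")
    return findings


if __name__ == "__main__":
    profile = build_profile([
        dns_payload("HTTPS", "https://dns.example.org/dns-query", ["192.0.2.53"]),
    ])
    with open("encrypted-dns.mobileconfig", "wb") as fh:
        fh.write(profile)
    print("findings:", lint_profile(profile) or "none")
```

Sign the resulting .mobileconfig before distribution and push it through your MDM; run `lint_profile` over profiles already in the MDM to catch the two common regressions, a DoH URL that is not https:// and a payload the user is free to disable.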
For the full CISA guidance:
CISA Best Practices for Mobile Communications