Last Updated on February 11, 2025 by Dave Farquhar
The political climate in the United States means everyone, but especially marginalized groups, needs to be thinking about phone security. It’s not just something security professionals and people who handle sensitive information for a living need to worry about anymore. In light of that, I present five phone security tips I wish everyone knew and followed.
Keeping your phone up to date is security tip number one

Let’s start with the basics. Your phone wants to apply security updates periodically. Apple phones get updates on an irregular basis. Android phones get them every month. Regardless of which one you have, you need to be applying updates.
Apple marketing claims they have the best security and privacy in the industry. Apple fans will drag me for this, but someone needs to say it. If you are paying a premium for Apple and not applying updates, you aren’t getting what you pay for. If your device isn’t up to date, it’s not secure. And that’s all there is to it. An up-to-date Android is more secure than an out-of-date iPhone.
We all have that one retired IT guy we’re connected to on social media who says not to update your devices because you might break something. Don’t listen to him. People like that are also the reason that five companies I do business with got breached in the last 12 months.
I remember the last time a security update broke something for me like it was yesterday. But it happened in 2006. Updates do sometimes break things, but it’s rare.
In the event a system update does break something, more often than not, a later system update or an update to the app will fix it. Especially if it is a popular app. As much of your life as you keep on your phone, it’s not worth the security risk just because of the low possibility next month’s update might break Flappy Bird.
Don’t keep your driver’s license and proof of insurance on your phone
Two Missouri cops were recently charged with stealing photos from women’s phones after routine traffic stops. The women had their proof of insurance on their phones and handed their phones to the cops when asked for proof of insurance. The cops then took the phones back to the patrol car, where they copied whatever photos they wanted.
I’ll get dragged for bringing this up too. But when a cop pulls you over, you have no way of knowing if it’s a good cop or a bad cop. Don’t give a cop your phone. Ever.
If the cop takes your phone back to their car, you don’t know what they are doing with it. They may be looking at all of your photos or your e-mail, or doing any number of things that they shouldn’t be doing.
Get a paper copy of your proof of insurance. What if you don’t have a printer and your insurance provider won’t mail one to you? Several stores can print one for you. Office Max, Office Depot, FedEx Office, and the UPS Store all have that ability. If you don’t want to keep proof of insurance in the glove box because the cop may think you have a gun in the glove box, keep it in your sun visor.
Using a PIN vs face recognition vs fingerprint for phone security
There is a compelling argument that facial recognition or a fingerprint provides better security than using a PIN to unlock your phone. Unlock mechanisms should have lots of entropy, and PINs have significantly less entropy than your face or fingerprint.
But there is a legal difference that overrides the security advantages. In the United States, at least, you cannot be compelled to provide a PIN or a password to unlock your device. However, you can be compelled to offer a face scan or a fingerprint to unlock it. Or an unscrupulous person can disable you temporarily and use your face or your fingerprint to unlock your device without your knowledge or consent.
I recommend using a PIN instead of your thumbprint or face scan. Then, to make it harder to infer your PIN from the smudges on your screen, use a stylus to enter your PIN whenever possible, and clean your screen on a regular basis. The fingerprints on your screen give a very good idea of which numbers you are using in your PIN.
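To put numbers on the smudge problem, here is an added example (not part of the original post) that counts how many PINs remain possible once the smudges reveal which keys are used. It assumes the observer knows the PIN length and learns only the set of digits, not their order; the function names are hypothetical.

```python
from math import comb, log2


def pins_using_exactly(length: int, distinct_digits: int) -> int:
    """Count PINs of `length` that press each of `distinct_digits`
    smudged keys at least once and no other key.

    Inclusion-exclusion over the smudged keys: start from every string
    over k keys, then remove strings that miss one or more of them.
    """
    k = distinct_digits
    if not 1 <= k <= 10:
        raise ValueError("a keypad has between 1 and 10 distinct digits")
    if length < k:
        return 0  # cannot press k different keys in fewer than k presses
    return sum((-1) ** j * comb(k, j) * (k - j) ** length
               for j in range(k + 1))


def smudge_report(length: int, distinct_digits: int) -> dict:
    """Compare the search space with a clean screen and a smudged one."""
    total = 10 ** length
    remaining = pins_using_exactly(length, distinct_digits)
    return {
        "clean_candidates": total,
        "smudged_candidates": remaining,
        "clean_bits": round(log2(total), 2),
        "smudged_bits": round(log2(remaining), 2) if remaining else 0.0,
    }


if __name__ == "__main__":
    # Constructed cases: (PIN length, number of smudged keys)
    for length, keys in [(4, 4), (4, 3), (6, 6), (6, 4)]:
        r = smudge_report(length, keys)
        print(f"{length}-digit PIN, {keys} smudged keys: "
              f"{r['clean_candidates']} -> {r['smudged_candidates']} candidates "
              f"({r['clean_bits']} -> {r['smudged_bits']} bits)")
```

Under these assumptions a four-digit PIN drops from 10,000 candidates to 24 when four keys are smudged, which is why cleaning the screen matters as much as the PIN itself.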
Mixing business with personal use on your phone
Here’s another potential problem. Your workplace will probably want you to load some apps on your phone, and potentially connect your phone to their e-mail system. Be very careful about doing this. In the event of a security incident, your agreement with your employer may give them the rights to your phone, even if the incident doesn’t directly involve you.
There are a multitude of completely valid reasons you don’t want your employer to have unfettered access to the data on your phone.
Carrying two phones around really stinks, but it’s better than risking your employer getting access to your phone because of something that didn’t involve you, and finding something on your phone that they don’t like.
Be careful what apps you load on your phone
Many businesses will offer discounts or other incentives to get you to load their app on your phone. I never agree to that. There’s no reason to make it any easier for retail stores to track my purchases and make inferences about me based on those purchases. For example, it’s possible for a store to conclude you’re pregnant when you’re not, or you are and don’t realize it. All because you buy a lot of the same stuff pregnant women buy.
I also don’t want them tracking my location. I’m not saying all of those apps track your location, but they have incentive to do so. Knowing how much time you spent looking at light bulbs is just as valuable as knowing that you bought light bulbs.
I don’t know who they are sharing that information with. The attorneys general of a few states would definitely want to know who Wal-Mart thinks is pregnant. And there’s not enough standing in the way of that particular transfer of information.
And in the event the company goes out of business, its customers have no control over who they share that information with and what the new purchaser does with it. One major point of concern when Radio Shack went out of business was who would get their extensive mailing list and what they would do with it. Former Radio Shack customers like me had no say in the matter.

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.

Re: not installing security updates. I spent several long days helping clean up after CrowdStrike (Bitlocker was also involved). Painful, and a good lesson on companies testing updates before installation. But saying “no more updates, ever” is the wrong lesson to learn.