How to set up your iPhone and Android for maximum security, according to CISA


Raging spyware and social engineering attacks have prompted the Cybersecurity and Infrastructure Security Agency (CISA) to update its definitive guidance for iPhone and Android users to protect against sophisticated threats.

Key takeaways:

A year ago, the FBI and CISA urged Americans to use encrypted messaging apps, such as Signal or WhatsApp, instead of text messages. Now CISA is warning about hackers targeting these same apps with spyware. Did the recommendation backfire?


No. The recommendation to use Signal or a similar encrypted messenger still stands, albeit with some adjustments.

CISA has updated its guidance with four additional protection practices for messaging application users, particularly those in highly targeted government, military, or political positions.

New recommendations address social engineering attempts

First, be aware that hackers often rely on social engineering, so hardening devices’ security settings alone will not guard against crooks who bypass most security measures by manipulating users psychologically.

Hackers often falsely claim that an account is compromised to trick victims into taking actions that allow cybercriminals to take control of the account.

CISA urges users to avoid scanning group invitation links or QR codes from unknown sources and to verify the authenticity of group invitations. This can be done by contacting the group creator or administrator through a separate communication channel.

“Remain suspicious of unexpected security alert messages, even within the application itself, and especially if the message requests authentication (e.g., PINs or one-time codes),” the second recommendation reads.


CISA also now recommends enabling message expiration features – these automatically delete sensitive messages after a set expiration period.

“For employer-issued devices, verify that applicable records retention policies allow for this setting to be enabled and that doing so is consistent with the law.”

The last recommendation is to verify all the devices in the “linked devices” section of the messaging apps. Hackers actively abuse this feature, which enables the app to be used on multiple devices concurrently, according to Google’s report.

“Limit the linked devices to only those necessary. Immediately remove any unintended devices,” CISA urges.


How to set up your iPhone?

For highly-targeted iPhone users, CISA recommends enhancing these protections:

  1. Enable Lockdown Mode: This feature strictly limits access to certain apps, websites, and features, making some of them unavailable. This reduces the attack surface that could potentially be exploited by threat actors.
  2. Disable SMS fallback for iMessages: Go to Settings, select Apps, then tap Messages and disable “Send as Text Message.” This will ensure end-to-end encryption for messages between Apple users.
  3. Enroll in Apple iCloud Private Relay: This is included in the iCloud subscription. It masks the IP address, uses secure DNS, and reduces any chances that a man-in-the-middle attacker can link browsing behaviour to the user’s identity.
  4. Alternatively, protect DNS queries with a free encrypted resolver: CISA recommends Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, or Quad9’s 9.9.9.9 for encrypted DNS.
  5. Restrict app permissions: Go to Settings, select Privacy & Security to review which apps access sensitive data and sensors. Revoke excessive functionality.

Additionally, implement General recommendations, applicable to all devices and accounts (below).


How to protect an Android device?

CISA recommends that highly targeted Android users do the following:

  1. Prioritize models “with strong security track records and long-term security update commitments”: These can be found in Android’s “Enterprise Recommended knowledge worker and dedicated devices” list of devices that meet security and update standards. CISA further recommends prioritizing models with hardware-level security features, such as a secure enclave or a hardware security module (HSM), that receive security updates at least monthly and for the next five years.
  2. Ensure Google Messages is configured with end-to-end encryption: Only use Rich Communication Services (RCS) when encrypted.
  3. Protect DNS queries with a high-privacy resolver: Such as Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, or Quad9’s 9.9.9.9.
  4. When browsing, confirm Secure Connection is enabled: All website connections should default to encrypted HTTPS.
  5. Enable Enhanced Protection for Safe Browsing in the Chrome browser: This provides an extra layer of protection against malicious websites, phishing attempts, and harmful downloads.
  6. Confirm if Google Play Protect is enabled: This checks apps for harmful behavior, and attackers often try to trick users into disabling it. Regularly review app scans for potential threats and exercise caution if “sideloading” apps from other sources.
  7. Restrict app permissions: Go to Settings, select Apps, tap Permissions Manager to revoke any unnecessary functionality.

Additionally, implement General recommendations, applicable to all devices and accounts (below).
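The encrypted-DNS item appears in both the iPhone and Android lists above. As an added example (not from CISA’s guidance or this article), the following script audits an Android device’s Private DNS configuration against the three resolvers the guidance names. It assumes the two values were dumped with `adb shell settings get global private_dns_mode` and `adb shell settings get global private_dns_specifier` (real Android settings keys); the sample output embedded below is constructed.

```python
# Added example: audit Android "Private DNS" against the resolvers CISA names.
# Input is assumed to come from:
#   adb shell settings get global private_dns_mode      -> off | opportunistic | hostname
#   adb shell settings get global private_dns_specifier -> DoT hostname, or "null" if unset
from dataclasses import dataclass

# DNS-over-TLS hostnames of the three resolvers named in the guidance.
RECOMMENDED_RESOLVERS = {
    "one.one.one.one": "Cloudflare 1.1.1.1",
    "dns.google": "Google 8.8.8.8",
    "dns.quad9.net": "Quad9 9.9.9.9",
}

@dataclass
class DnsFinding:
    compliant: bool
    detail: str

def audit_private_dns(mode: str, specifier: str) -> DnsFinding:
    """Classify one Private DNS configuration.

    Only "hostname" mode pointing at a known resolver is treated as meeting
    the guidance: "opportunistic" (shown as "Automatic" in the UI) silently
    falls back to plaintext DNS when the network resolver offers no TLS.
    """
    mode = mode.strip().lower()
    specifier = specifier.strip().lower()
    if mode == "off":
        return DnsFinding(False, "Private DNS is disabled; queries are plaintext")
    if mode == "opportunistic":
        return DnsFinding(False, "Automatic mode may fall back to plaintext DNS")
    if mode == "hostname":
        if specifier in RECOMMENDED_RESOLVERS:
            return DnsFinding(True, f"DNS-over-TLS via {RECOMMENDED_RESOLVERS[specifier]}")
        if specifier in ("", "null"):
            return DnsFinding(False, "Hostname mode selected but no resolver configured")
        return DnsFinding(False, f"DNS-over-TLS via unlisted resolver {specifier!r}")
    return DnsFinding(False, f"Unknown private_dns_mode value {mode!r}")

# Constructed sample of what the two adb commands print (trailing newline included).
SAMPLE_ADB_OUTPUT = {
    "private_dns_mode": "hostname\n",
    "private_dns_specifier": "dns.quad9.net\n",
}

def audit_from_adb_output(out: dict) -> DnsFinding:
    # "null" mirrors what `settings get` prints for an unset key.
    return audit_private_dns(out.get("private_dns_mode", "null"),
                             out.get("private_dns_specifier", "null"))

if __name__ == "__main__":
    finding = audit_from_adb_output(SAMPLE_ADB_OUTPUT)
    print("PASS" if finding.compliant else "FAIL", "-", finding.detail)
```

On iPhone the same resolver list applies, but the setting is delivered through iCloud Private Relay or an encrypted-DNS configuration profile rather than an adb-readable key.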

General recommendations for all devices and accounts

CISA strongly urges reviewing and implementing these best practices.

“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against nation-state-affiliated and other malicious cyber actors,” CISA said.

  1. Use only end-to-end encrypted communications: Such as Signal or similar apps, which are compatible and interoperable on most systems.
  2. Use phishing-resistant authentication: FIDO (Fast Identity Online) keys, such as Yubico, or Google Titan, offer the strongest form of multi-factor authentication, but passkeys are an acceptable alternative. CISA recommends reviewing all accounts and enrolling them in FIDO-based authentication. Additionally, Gmail users should enroll in Google’s Advanced Protection Program (APP).
  3. Transition from SMS-based multi-factor authentication to safer methods: For less sensitive accounts, you can use authenticator app codes.
  4. Use a password manager: CISA lists Apple Passwords app, LastPass, 1Password, Google Password Manager, Dashlane, Keeper, and Proton Pass as alternatives that automatically alert on weak, reused, or leaked passwords. Choose a strong (long, unique, and random) primary passphrase. Review existing passwords.
  5. Set PIN for mobile phone account (Telco PIN): This reduces SIM-swapping risk.
  6. Regularly update software: Enable auto-update on mobile devices.
  7. Choose the latest hardware from a smartphone manufacturer: One that incorporates the latest critical security features.
  8. Avoid using personal VPNs: Especially free ones, as they shift risks from internet service providers to the VPN provider, increasing the attack surface. (CISA’s guidance is aimed at individuals and organizations that require the highest level of operational security, such as government personnel or those working in highly sensitive environments, who have tightly restricted access to mainstream websites and services. For regular consumers, reputable VPN providers can be a valuable tool for maintaining privacy, shielding IP addresses, preventing ISP-level or other man-in-the-middle tracking, and adding an extra layer of protection on public networks. Leading VPN vendors undergo independent security audits, maintain strict no-logs policies, and prioritize user privacy to a greater extent than many commercial internet service providers in many countries.)

While these recommendations are tailored for highly targeted individuals, CISA says they’re applicable to all audiences.
