
How to set up your iPhone and Android for maximum security, according to CISA

A surge in spyware and social engineering attacks has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to update its guidance for iPhone and Android users on protecting against sophisticated, targeted threats.

[Image: Android spyware. Image by Cybernews]

Ernestas Naprys, Senior Journalist
Nov 25, 2025, updated 8 December 2025
Key takeaways:

New recommendations address social engineering attempts


How to set up your iPhone?

  1. Enable Lockdown Mode: This optional mode, which Apple built for people who may be personally targeted by mercenary spyware, strictly limits certain apps, websites, and features, making some of them unavailable. Fewer reachable features means a smaller attack surface for threat actors to exploit.
  2. Disable SMS fallback for iMessage: Go to Settings, select Apps, tap Messages, and turn off “Send as Text Message.” Without this, a message that iMessage cannot deliver is silently resent as an unencrypted SMS; with it off, messages between Apple users stay end-to-end encrypted or are not sent at all. Messages to non-Apple recipients still travel over SMS or RCS, neither of which is end-to-end encrypted on iPhone.
  3. Enroll in Apple iCloud Private Relay: This is included with a paid iCloud+ subscription. It masks the device’s IP address, encrypts DNS queries, and routes Safari traffic through two separate relays so that no single party, including a man-in-the-middle attacker on the local network, can link browsing activity to the user’s identity.
  4. Alternatively, protect DNS queries with free resolvers: CISA recommends Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, and Quad9’s 9.9.9.9, all of which offer encrypted DNS (DNS over HTTPS or DNS over TLS). Note that simply typing one of these IP addresses into the Wi-Fi DNS field still sends queries in plaintext over UDP port 53; on iOS, encrypted DNS is enabled system-wide by installing the resolver’s app or a configuration profile, not through a Settings toggle.
  5. Restrict app permissions: Go to Settings, select Privacy & Security, and review which apps can access sensitive data and sensors (location, microphone, camera, contacts, photos). Revoke any permission an app does not need to do its job.

How to protect an Android device?

  1. Prioritize models “with strong security track records and long-term security update commitments.” CISA points to Android’s “Enterprise Recommended” list of knowledge worker and dedicated devices, which meet defined security and update standards. It further recommends models with hardware-level security features, such as a secure enclave or a hardware security module (HSM), and a vendor commitment to security updates at least monthly for the next five years.
  2. Ensure Google Messages is configured with end-to-end encryption: Only use Rich Communication Services (RCS) when the conversation is encrypted. Google Messages encrypts RCS chats only when both parties use Google Messages with RCS enabled; an encrypted conversation shows a lock icon on the send button and next to the timestamps.
  3. Protect DNS queries with a high-privacy resolver: Such as Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, or Quad9’s 9.9.9.9. Android’s Private DNS setting (under Settings > Network & internet on stock Android; the path varies by manufacturer) uses DNS over TLS and expects the resolver’s hostname rather than its IP address, for example one.one.one.one, dns.google, or dns.quad9.net. Leave it on “Automatic” and queries are encrypted only when the network’s own resolver happens to support it.
  4. When browsing, confirm that Chrome’s “Always use secure connections” setting is enabled: All website connections should then default to encrypted HTTPS, with a warning before any plain HTTP page loads.
  5. Enable Enhanced Protection for Safe Browsing in the Chrome browser: This provides an extra layer of protection against malicious websites, phishing attempts, and harmful downloads.
  6. Confirm that Google Play Protect is enabled: It scans installed apps for harmful behavior, and attackers often try to trick users into disabling it. Regularly review its scan results for potential threats and exercise caution when “sideloading” apps from sources other than the Play Store.
  7. Restrict app permissions: Go to Settings, select Apps, and tap Permission manager to revoke any permission an app does not need.
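The Android items above can be verified from a workstation rather than by tapping through menus. The script below is an added example, not part of CISA’s guidance or the article: it reads the device’s Private DNS settings and each third-party app’s granted permissions over adb (USB debugging on, adb on PATH) and is read-only. It assumes the DNS-over-TLS hostnames of the three resolvers CISA names are one.one.one.one, dns.google, and dns.quad9.net, and that `dumpsys package` prints granted runtime permissions as `android.permission.CAMERA: granted=true, ...`, as current Android versions do.

```shell
#!/bin/sh
# Added example (not CISA's or Cybernews' code): read-only audit of an Android device's
# Private DNS setting and of sensitive runtime permissions held by third-party apps.
# Run as:  sh android_audit.sh audit      (device connected, USB debugging enabled)

# Assumption: DoT hostnames for the resolvers CISA recommends.
RECOMMENDED_RESOLVERS="one.one.one.one dns.google dns.quad9.net"

# Runtime permissions that gate the sensors and data CISA tells users to review.
SENSITIVE_PERMS="android.permission.CAMERA android.permission.RECORD_AUDIO \
android.permission.ACCESS_FINE_LOCATION android.permission.READ_CONTACTS \
android.permission.READ_SMS android.permission.READ_CALL_LOG"

# private_dns_verdict MODE SPECIFIER
# MODE and SPECIFIER are the global settings private_dns_mode and private_dns_specifier
# (`settings get` prints "null" for a key that was never set, which is the default).
# Prints one word and returns 0 only for the recommended state: a fixed hostname that
# is one of the recommended resolvers.
private_dns_verdict() {
  mode=$1; spec=$2
  case "$mode" in
    hostname)
      for r in $RECOMMENDED_RESOLVERS; do
        if [ "$spec" = "$r" ]; then echo ok; return 0; fi
      done
      echo other-hostname; return 1 ;;
    opportunistic|null|"")
      # Android's "Automatic": encrypted only if the network's resolver offers DoT.
      echo opportunistic; return 1 ;;
    off) echo off; return 1 ;;
    *) echo unknown; return 1 ;;
  esac
}

# granted_sensitive_perms < dumpsys-package-output
# Reads `dumpsys package <pkg>` text on stdin and prints every sensitive permission
# that is currently granted, one per line, in input order.
granted_sensitive_perms() {
  while IFS= read -r line; do
    case "$line" in
      *granted=true*)
        set -- $line              # word-split: $1 is "android.permission.X:"
        perm=${1%:}               # drop the trailing colon
        for p in $SENSITIVE_PERMS; do
          if [ "$perm" = "$p" ]; then echo "$perm"; fi
        done ;;
    esac
  done
  return 0
}

# audit_device: run both checks against the connected device and print a report.
audit_device() {
  mode=$(adb shell settings get global private_dns_mode | tr -d '\r')
  spec=$(adb shell settings get global private_dns_specifier | tr -d '\r')
  printf 'Private DNS: mode=%s specifier=%s -> %s\n' "$mode" "$spec" \
    "$(private_dns_verdict "$mode" "$spec")"
  # Third-party packages only (-3); system apps are updated by the OEM, not the user.
  for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
    perms=$(adb shell dumpsys package "$pkg" | tr -d '\r' | granted_sensitive_perms \
            | sort -u | tr '\n' ' ')
    if [ -n "$perms" ]; then printf '%s: %s\n' "$pkg" "$perms"; fi
  done
}

case "${1:-}" in audit) audit_device ;; esac
```

A verdict of `opportunistic` is the out-of-the-box state and is the one most people will see; it means the device will happily fall back to plaintext DNS on any network whose resolver does not speak DNS over TLS. The permission listing is a starting point for step 7, not a judgement: a camera app holding CAMERA is expected, a flashlight app holding READ_SMS is not.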

General recommendations for all devices and accounts

  1. Use only end-to-end encrypted communications: Such as Signal or similar apps, which are available on all major mobile and desktop platforms.
  2. Use phishing-resistant authentication: FIDO (Fast Identity Online) hardware security keys, such as a YubiKey or a Google Titan key, offer the strongest form of multi-factor authentication; passkeys are an acceptable alternative. CISA recommends reviewing all accounts and enrolling them in FIDO-based authentication. Additionally, Gmail users should enroll in Google’s Advanced Protection Program (APP).
  3. Transition from SMS-based multi-factor authentication to safer methods: For less sensitive accounts, authenticator app codes are acceptable; SMS codes can be intercepted through SIM swapping or SS7 attacks.
  4. Use a password manager: CISA lists Apple’s Passwords app, LastPass, 1Password, Google Password Manager, Dashlane, Keeper, and Proton Pass as options that automatically alert on weak, reused, or leaked passwords. Choose a strong (long, unique, and random) primary passphrase, and review existing passwords.
  5. Set a PIN on your mobile carrier account (a telco or port-out PIN): This reduces the risk of SIM swapping, where an attacker persuades the carrier to move your number to a SIM they control.
  6. Regularly update software: Enable automatic updates on mobile devices.
  7. Choose the latest hardware from a smartphone manufacturer: One that incorporates the latest critical security features.
  8. Avoid using personal VPNs: Especially free ones, as they shift risk from the internet service provider to the VPN provider and add another party that can see your traffic. (CISA’s guidance is aimed at individuals and organizations that require the highest level of operational security, such as government personnel or those working in highly sensitive environments, who have tightly restricted access to mainstream websites and services. For regular consumers, reputable VPN providers can be a valuable tool for maintaining privacy, shielding IP addresses, preventing ISP-level or other man-in-the-middle tracking, and adding an extra layer of protection on public networks. Leading VPN vendors undergo independent security audits, maintain strict no-logs policies, and prioritize user privacy to a greater extent than many commercial internet service providers in many countries.)
