Foreword
This is an UNCLASSIFIED publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). For more information, please email or phone our Contact Centre:
Email: contact@cyber.gc.ca | Phone: 613-949-7048 or 1-833-CYBER-88
In today’s digital landscape, mobile devices play a pivotal role in our daily lives, aiding in productivity, enabling seamless communication, and facilitating transactions. Their significance extends beyond personal use, impacting the efficiency and success of businesses as well. Despite the numerous benefits of mobile devices, the surge in their usage has also heightened the risk of security threats and highlights the need to protect them.
At a personal level, individuals rely heavily on mobile devices like smartphones, tablets, and laptops to store important information such as contacts, passwords, emails, and personal data. Consequently, it is imperative to protect these devices against unauthorized access. Similarly, within organizations, mobile devices are essential tools for communicating, collaborating, and accessing corporate data. However, the inherent vulnerability of these devices makes them attractive targets for threat actors. A security breach not only puts clients’ and employees' personal data at risk but also has significant consequences for the organization. Unauthorized access could compromise confidential business information, client and employee data, and other proprietary information, amplifying the severity of a breach.
This publication outlines the fundamental best practices for securing mobile devices, with the objective of preserving the integrity of sensitive information and protecting users and organizations from potential breaches.
1 Introduction
With the increasing reliance on mobile devices for both personal and professional use, it is crucial for organizations to ensure the security of mobile devices. Mobile device security involves implementing measures and practices to defend against a variety of threats, including privacy breaches and unauthorized access to sensitive data. Mobile device security also includes a range of strategies and technologies aimed at ensuring the confidentiality, integrity and availability of information stored on mobile devices.
1.1 Importance of mobile device security
Mobile device security is critical for organizations because these devices are widely used by employees to access work-related data and correspondence. They are exposed to security threats such as malware, data breaches and unauthorized access, and many organizations have specific compliance and legal requirements for protecting client and employee information.
Failure to secure mobile devices can result in legal consequences and reputational damage. Implementing proper mobile security measures is an important step in preventing data breaches, safeguarding sensitive corporate information, and protecting client and employee data. A security breach on a mobile device could result in substantial financial implications associated with data recovery and legal implications. Mobile security measures are also crucial for compliance and for maintaining trust, credibility and the overall integrity of your organization.
The following publications from the Cyber Centre encompass a range of strategies, guidelines and best practices for enhancing mobile security measures within organizational frameworks:
- Device security for travel and telework abroad (ITSAP.00.188)
- Mobile device guidance for high profile travellers (ITSAP.00.088)
- Mobile devices and business travellers (ITSAP.00.087)
- Security considerations for mobile device deployments (ITSAP.70.002)
- Securing the enterprise for mobility (ITSM.80.001)
1.2 Types of mobile security threats
Understanding the various types of threats is essential for protecting both your devices and the valuable data they store.
The threat landscape for mobile devices is multifaceted and encompasses:
- malicious applications (apps)
- network-level vulnerabilities
- exploits that target weaknesses within both the device and the mobile operating system (OS)
The following section provides an overview of common threat vectors.
1.2.1 Malicious applications and malware
When downloading and using applications, you may inadvertently download malware and infect your mobile device and, possibly, the environment to which it connects. Even apps downloaded from official app stores can pose a threat by disguising themselves as legitimate. They can perform malicious functions, such as gaining remote access, intercepting text messages, compromising sensitive data or taking control of the device. Trojans are among the most common threats. This type of malware disguises itself as legitimate code or software and is frequently involved in ad and click fraud.
Threat actors use malware loaders to inject malicious code into seemingly benign applications, slipping through initial security checks before the malicious payload is detected and removed. Once a mobile device is compromised, these applications can execute various invasive actions, such as activating keyloggers, accessing the camera and microphone, and obtaining extensive permissions on your device.
Besides trojans, threat actors may target mobile devices using diverse malware threats, including:
- mobile ransomware that encrypts data for a ransom
- mobile phishing or smishing using deceptive links
- voice phishing (vishing) through phone calls
- spyware that secretly monitors user activities
- adware that displays intrusive ads
These threats exploit vulnerabilities, use social engineering and compromise user privacy.
1.2.2 Browser-based malware
Browser-based malware is malicious software that exploits vulnerabilities in web browsers, using web technologies to compromise the mobile device. Unlike apps downloaded from official app stores, which undergo malware scans and inspections, browser scripts execute code sent by remote servers without prior vetting or inspection. This makes browser attacks highly effective. Even though modern browsers implement security measures such as sandboxing to mitigate the impact of browser exploits, unpatched vulnerabilities may still allow the malware to evade these measures and compromise the mobile device. A subset of this threat involves "web apps" distributed through application stores. These apps contain minimal code on the device: that code opens an instance of the system browser and displays a remotely hosted web page behind a custom user interface. Because the content is provided remotely, such an app may pass vetting while the content is benign and later switch to delivering malicious content.
1.2.3 Network attacks
Network attacks targeting mobile devices present an array of cyber threats that exploit vulnerabilities in communication channels. These attacks can take various forms, such as adversary-in-the-middle (AitM) attacks and Wi-Fi eavesdropping, each of which poses distinct risks.
1.2.4 Adversary-in-the-middle attacks
In AitM attacks, threat actors intercept the information exchange between 2 parties without their knowledge. This can occur in various ways, including online transactions, email communication or data transfers over networks. Threat actors engage in these attacks to manipulate information, steal data or introduce malicious software.
AitM attacks are a particular concern on mobile devices because not all mobile traffic is encrypted. Web traffic commonly uses HTTPS, which encrypts the connection to the site; the lock symbol in the browser's address bar indicates that this connection is encrypted and lets you inspect the site's certificate, but it does not by itself mean the site is trustworthy. Conversely, text messages (SMS) and many mobile apps used for voice and text communication lack end-to-end encryption, making them susceptible to interception.
1.2.5 Wi‑Fi eavesdropping and spoofing
Wi-Fi eavesdropping occurs when threat actors intercept Wi-Fi traffic, especially on a public unsecured Wi-Fi network. This can potentially result in data theft, unauthorized access or the installation of malicious software. Mobile devices connecting to open Wi-Fi networks are particularly susceptible to these intrusions.
Wi-Fi Protected Access 3 (WPA3) is the current standard for Wi-Fi security and addresses some shortcomings of the previous version, Wi-Fi Protected Access 2 (WPA2). While WPA2 remains generally suitable for most use cases, it does not protect against de-authentication attacks unless Protected Management Frames (PMF) are enabled, which WPA3 makes mandatory. In a de-authentication attack, threat actors send forged management frames that force devices on a Wi-Fi network to disconnect. The device then reconnects, allowing the threat actor to capture the initial connection (the 4-way handshake). On a WPA2 network with a pre-shared key, anyone who knows the network password and captures this handshake can derive that device's session key and decrypt all of its traffic, and the same capture allows offline guessing of a weak password. This exposure may enable threat actors to gain unauthorized access to the device or exploit opportunities for malicious activities. The Simultaneous Authentication of Equals (SAE) handshake used by WPA3-Personal provides forward secrecy, so knowing the password is not enough to decrypt captured traffic.
Both WPA2 and WPA3 are vulnerable to spoofing attacks, in which someone who knows the network password sets up a rogue access point impersonating the real one and gains access to the traffic that devices send through it. You can mitigate this risk by configuring WPA3 to use SAE with Public Key (SAE-PK). In this configuration, the password is bound to the access point's public key, so even a threat actor who has the network password still needs the corresponding private key to impersonate the access point. Unfortunately, this capability has not yet been widely adopted, and many access points still operate with weaker defaults.
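The following added example, which is not part of the Cyber Centre publication, shows in Python why the handshake capture described above works against a WPA2 pre-shared-key network. The pairwise master key (PMK) is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1, and the pairwise transient key (PTK) from the PMK plus the two MAC addresses and two nonces that travel in the clear in handshake messages 1 and 2. A passive observer who knows the passphrase therefore derives the same session key as the client and can confirm it against the message 2 integrity check; with the wrong passphrase the check fails, which is also what makes offline password guessing possible. The MAC addresses, nonces, SSID and the simplified EAPOL frame body are constructed for the example; the derivations (PBKDF2 with 4096 iterations, the 802.11 PRF-512 and the truncated HMAC-SHA1 key MIC used with the PSK key-management suite) follow IEEE 802.11.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) for counter 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK and the four values an eavesdropper sees in the clear: both MACs and both nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for the PSK key-management suite: HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase, ssid, ap_mac, sta_mac, anonce=None, snonce=None):
    """Messages 1 and 2 of the 4-way handshake. Returns what a passive observer captures and the client's PTK."""
    anonce = anonce or os.urandom(32)   # message 1: AP -> client, ANonce sent in the clear
    snonce = snonce or os.urandom(32)   # message 2: client -> AP, SNonce in the clear plus a MIC
    pmk = wpa2_pmk(passphrase, ssid)
    ptk = wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    kck = ptk[:16]                      # first 128 bits of the PTK confirm the handshake
    msg2 = b"EAPOL-Key:msg2:" + snonce  # constructed, simplified stand-in for the real frame bytes
    captured = {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce,
                "msg2": msg2, "mic": eapol_mic(kck, msg2)}
    return captured, ptk


def observer_recovers_ptk(captured, candidate_passphrase, ssid):
    """What an eavesdropper does offline with the capture: derive a PTK from a candidate passphrase
    and check it against the message 2 MIC. Returns the PTK on success, None otherwise."""
    pmk = wpa2_pmk(candidate_passphrase, ssid)
    ptk = wpa2_ptk(pmk, captured["ap_mac"], captured["sta_mac"], captured["anonce"], captured["snonce"])
    if hmac.compare_digest(eapol_mic(ptk[:16], captured["msg2"]), captured["mic"]):
        return ptk
    return None


if __name__ == "__main__":
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MAC addresses
    captured, client_ptk = four_way_handshake("correct horse battery", "CorpGuest", ap, sta)
    assert observer_recovers_ptk(captured, "correct horse battery", "CorpGuest") == client_ptk
    assert observer_recovers_ptk(captured, "wrong guess", "CorpGuest") is None
    print("observer with the PSK derived the client's PTK:", client_ptk.hex()[:32], "...")
```

This is why a shared password on a public WPA2 network only keeps outsiders off the network: every other user who knows the password, and anyone who captures the handshake and guesses it, can decrypt your session. With WPA3-SAE the PMK comes from an authenticated key exchange rather than from the password alone, so the same capture does not yield the session key.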
1.2.6 Advanced jailbreaking and rooting techniques
Users who want more privileges for greater control over their devices may use jailbreaking and rooting techniques. This involves removing software restrictions imposed by the operating system to gain higher privileges, essentially allowing users to access and modify parts of the device's file system that would otherwise be restricted. This process allows users to remove unwanted default applications or install applications from unofficial stores.
In essence, while jailbreaking and rooting may offer users increased customization and control, they expose devices to heightened security risks: the same elevated privileges become available to any malicious app or exploit, and platform protections such as application sandboxing and code-signing enforcement are weakened. If users do not implement strong alternate security controls, threat actors may exploit these weaknesses to access more data and inflict greater damage than they could on a device with the default operating system permissions.
1.2.7 Multi‑factor authentication bypass attacks
Multi-factor authentication (MFA) typically involves the use of multiple verification methods to enhance the protection of sensitive data and systems. These can include one-time passwords, digital tokens or biometric authentication.
MFA bypass attacks encompass a range of tactics employed by threat actors to evade the additional layers of security implemented by MFA systems. This includes voice phishing, or "vishing", a form of social engineering where threat actors use phone calls to trick you into divulging MFA codes or sensitive details like personal information or financial data. In contrast with traditional phishing through emails, vishing relies on manipulating individuals through voice communication. Criminals often use caller ID spoofing and voice-changing programs to create convincing pre-recorded messages.
Additionally, MFA bypass attacks may:
- exploit flaws in the implementation of one-time passwords
- intercept or manipulate communication channels
- compromise biometric authentication systems
- leverage social engineering techniques to trick users into revealing their authentication credentials
Another MFA security threat to be aware of is the MFA fatigue attack, also known as MFA bombing or MFA spamming. In this social engineering cyber attack, threat actors overwhelm the target with numerous MFA requests until that person approves the login attempt. The goal is to pressure the victim into confirming their identity through the notifications, providing an opportunity for attackers to gain unauthorized access to the victim's account or device.
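MFA fatigue leaves a recognizable trace in authentication logs: a burst of denied or unanswered push prompts for one account, often from a single source, followed by an approval. The following added example (not from the Cyber Centre publication) is a small Python detector over constructed log lines in a simplified "timestamp user event source_ip" format; the format, user names, addresses and the threshold of five failed prompts in ten minutes are assumptions for the example, not any product's real log format or a recommended tuning.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp user event source_ip" (a simplified format made up for this example).
SAMPLE_LOG = """\
2024-03-04T08:00:05Z alice push_denied 203.0.113.9
2024-03-04T08:00:40Z alice push_denied 203.0.113.9
2024-03-04T08:01:20Z alice push_timeout 203.0.113.9
2024-03-04T08:02:00Z alice push_denied 203.0.113.9
2024-03-04T08:02:45Z alice push_denied 203.0.113.9
2024-03-04T08:03:30Z alice push_denied 203.0.113.9
2024-03-04T08:04:10Z alice push_approved 203.0.113.9
2024-03-04T09:10:00Z bob push_denied 198.51.100.20
2024-03-04T09:10:30Z bob push_approved 198.51.100.20
2024-03-04T10:00:00Z carol push_timeout 192.0.2.77
2024-03-04T10:30:00Z carol push_timeout 192.0.2.77
2024-03-04T11:00:00Z carol push_timeout 192.0.2.77
2024-03-04T11:30:00Z carol push_timeout 192.0.2.77
2024-03-04T12:00:00Z carol push_timeout 192.0.2.77
"""

FAILURE_EVENTS = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse lines into (timestamp, user, event, source_ip) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def mfa_fatigue_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each user with at least `threshold` denied or timed-out pushes inside any `window`.
    Record whether an approval followed within one window of the burst (the signature of a
    successful bypass) and the source addresses that drove the prompts."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e[2] in FAILURE_EVENTS]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f[0] - first[0] <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1][0]
            approved = any(e[2] == "push_approved" and first[0] < e[0] <= burst_end + window for e in evs)
            alerts.append({
                "user": user,
                "count": len(burst),
                "start": first[0],
                "approved_after": approved,
                "source_ips": sorted({f[3] for f in burst}),
            })
            break   # one alert per user per run; the burst start is enough to pivot on
    return alerts


if __name__ == "__main__":
    for alert in mfa_fatigue_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, only alice trips the rule: six failed prompts in under four minutes and then an approval, which is the case to treat as a compromised session rather than a user error. bob's single mis-tap and carol's five timeouts spread across two hours stay below the rule. On the prevention side, the corresponding control is number matching (the user must type a code shown on the login screen into the prompt), which removes the one-tap approval the attack depends on.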
2 Mobile device security best practices
Securing data on mobile devices is crucial to protecting your personal information and your organization’s sensitive data. Mobile devices are attractive targets for threat actors due to the amount of personal and potentially sensitive information they contain. A compromised mobile device has the potential to allow unauthorized access to your organization’s network, placing not only your own information at risk, but also that of your organization.
The following section provides guidance on mobile device security configurations and best practices users and organizations can implement to enhance their security posture.
2.1 Mobile device security configuration recommendations
This section describes the various configuration features available on mobile devices and provides insights into how users can selectively activate or deactivate them to maximize the security of their devices.
2.1.1 Enable multi‑factor authentication
One of the most effective ways of securing your mobile device involves implementing strong passwords and multi-factor authentication, preferably phishing-resistant MFA, in the login process. While enabling MFA on your mobile device may include receiving an SMS with a code on your phone, it's important to note that SMS text codes are not considered a strong second authentication method because they can be intercepted or redirected in transit and read by malicious software on the device. Opting for more secure MFA alternatives is a better approach: authenticator apps are stronger than SMS codes, and passkeys and hardware security keys (including NFC-enabled keys) are phishing-resistant because the credential is bound to the legitimate site and cannot be relayed to a look-alike one. Biometrics such as fingerprint, face or iris recognition typically protect access to the device or to the stored credential rather than replacing the second factor.
Introducing this additional step in the login process enhances security by providing an extra layer of protection. It makes it more challenging for threat actors to access your account, even if they are aware of your password.
It's crucial to avoid using identical passwords across multiple accounts. Choosing unique ones and regularly updating them will enhance security. To mitigate potential risks, particularly in the event of device loss, refrain from storing passwords in browsers or writing them down and storing the paper in your device case.
For more on passwords, passphrases and MFA refer to:
- Best practices for passphrases and passwords (ITSAP.30.032)
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)
2.1.2 Use the built‑in virtual private network
In instances where using public Wi-Fi is unavoidable, consider extra security measures, such as using your mobile device’s built-in VPN client to connect to a VPN operated by your organization, which encrypts your Internet traffic between the device and the VPN endpoint. This provides an additional layer of protection for data in transit and helps shield against eavesdropping and spoofing on public networks. Understand, however, that a VPN protects only the path to its endpoint and does not offer foolproof cyber security when accessing the public Internet. Avoid third-party VPN services: they may introduce vulnerabilities that compromise user privacy and overall network security, and they can see all the traffic you route through them, so you are trusting an external provider with your data rather than removing the risk.
2.1.3 Use encryption
Enable the built-in encryption feature on your mobile device to protect stored data from unauthorized access. Current iOS and Android releases encrypt storage by default, and the encryption keys are protected by your screen lock credential, so a weak or missing PIN weakens the encryption as well. Using the built-in encryption together with a strong screen lock protects your device against potential compromise and unauthorized access, especially in situations like theft.
2.1.4 Update devices and applications regularly
To prevent threat actors from accessing your devices and exploiting vulnerabilities in software and apps, you should turn on automatic updates and periodically check for manual updates to ensure both the OS and installed applications are current. OS and app updates typically include security patches and fixes that address known vulnerabilities. Implementing these updates not only improves functionality and performance but also minimizes the risk of data loss due to crashes or errors. If you fail to enforce software updates or neglect application patches, you can create opportunities for threat actors, who closely monitor software vulnerabilities, to breach your network.
Consult How updates secure your device (ITSAP.10.096) for more information on the advantages of keeping your OS and applications up to date.
2.1.5 Turn on screen lock
Given the susceptibility of laptops and smartphones to loss or theft, especially in public spaces, it is important to ensure that the device has a screen lock. Screen lock serves as a layer of defence, requiring authentication such as a PIN, password or biometric to access the device and its contents. This not only safeguards personal and sensitive data, but also helps prevent unauthorized use of the device, reinforcing overall device security.
2.1.6 Exercise caution when granting permission
Exercise caution when granting permissions to mobile applications and evaluate whether the permissions align with the app’s intended functionality. Regularly review and manage app permissions to restrict unnecessary access to sensitive data. Only allow the minimum necessary access for the app to perform its designated functions. Avoid granting permissions that seem unrelated to the app’s actual purpose, especially to things such as location, camera and microphone. Unnecessary access to sensitive information may pose privacy and security risks.
Thoroughly evaluate terms, conditions and privacy statements, as data collection under these terms is considered legitimate across all mobile platforms. Users and enterprises should not rely on anonymization mechanisms as foolproof ways of preventing data leaks or safeguarding user identity. Any information that an application gains permission to access should be considered beyond enterprise control and already disclosed.
2.1.7 Deactivate and turn off automatic connections
To reduce the risk of potential security threats, you should deactivate Bluetooth and Wi-Fi when you are not actively using them. By doing so, you can minimize your exposure and reduce the attack vectors and access points that threat actors may exploit.
When using Bluetooth, enable the "ask before connecting" option to prevent automatic connections. Bluetooth-enabled devices, while convenient, are susceptible to various mobile security threats, including loss of privacy and unauthorized access to contact lists, personal information, credentials, email and message content. The following are some of the risks you may incur when you enable Bluetooth on a mobile device:
- unauthorized device control
- disruptions in functionality
- eavesdropping on audio connections
- compromise of smart locks and security devices used to protect facilities and vehicles
- spoofing attacks leading to nuisance and denial of service
- injection of malicious commands and data
Deactivating automatic connection to public Wi-Fi enhances overall security by preventing unauthorized access, minimizing the risk of cyber attacks and preserving user privacy. It allows users to make conscious and informed choices when connecting to networks, reducing vulnerability to potential security threats associated with public Wi-Fi environments.
Deactivating Bluetooth and Wi-Fi requires intentional effort, emphasizing the importance of ongoing awareness and active management of these features.
2.1.8 Turn off location tracking
Location tracking on a mobile device is a feature used to monitor and record your geographic location. You can control and manage location settings through your device's system preferences or settings menu. While enabling location tracking can enhance the functionality of services, such as mapping, navigation and location-based applications, it's important to note that when this feature is active, the device constantly collects and stores location data. This may pose a risk if accessed by unauthorized individuals. To safeguard your privacy, you should deactivate location tracking settings when they are not needed.
It's worth noting that in the latest OS releases, many devices offer the option to choose between precise or approximate location tracking. While approximate location tracking may offer a degree of privacy, not all applications may function correctly with this option selected. Even when approximate location tracking does work, it should not be solely relied upon, particularly when the location data of an individual is considered sensitive.
2.1.9 Turn off autofill
The password autofill feature is found in most browsers and password managers and is used to automatically populate login credentials on websites and in applications. A compromised or look-alike website can present login fields that autofill populates without you noticing, giving threat actors access to saved passwords and personal information and leaving you vulnerable to identity theft and other forms of cyber attack. You can prevent this by disabling this feature on your device.
2.1.10 Keep wireless connection on hidden mode
When your wireless network is in hidden mode (that is, the access point does not broadcast its name), others won't see your network listed when scanning for available Wi-Fi networks, which adds a layer of privacy. Be aware that hiding the network name does not hide the network from an attacker with a wireless sniffer, and devices configured to join a hidden network broadcast its name in probe requests wherever they go. Treat hidden mode as a privacy measure rather than a substitute for WPA3 and a strong passphrase. In general, keep your wireless network hidden unless you specifically need it to be visible to others.
2.1.11 Turn off USB debugging
To prevent unauthorized access to your device over USB connections, turn off USB debugging when not needed. USB debugging (the Android Debug Bridge, or ADB, on Android devices) is a feature that allows a computer to issue commands to your device, install applications and read data over a USB connection. Keeping USB debugging activated when it is not actively in use can create an entry point for threat actors with physical access to exploit vulnerabilities and gain unauthorized control of your device.
2.1.12 Configure browser settings
You can enhance your browsing security by configuring browser settings to block pop-ups, activate the do not track feature and manage cookies. Cookies, which can store login information, may be compromised if accessed by threat actors. You should regularly update your browser to the latest version to address potential vulnerabilities and always exercise caution when navigating the web.
2.2 Additional best practices
The following are additional tips you should consider when using your mobile devices. These are not mobile configuration suggestions but rather overall best practices that can help improve the security of your mobile devices and safeguard your privacy.
2.2.1 Use password managers
Managing numerous passwords can be tedious, frustrating, and often leads to difficulty in remembering them. As previously mentioned, we recommend turning off the password autofill feature on your device. Additionally, it is important to avoid storing credentials in unprotected apps. Instead, adopt the use of a password manager – a secure repository for all your passwords, protected by an exclusive "primary" password accessible only to you. This not only simplifies password management, but it also helps generate strong passwords, mitigating the risk associated with creating predictable ones. To further enhance your mobile password security, consider integrating a password manager with an MFA application.
Consult Password managers: Security tips (ITSAP.30.025) for guidance on using a password manager.
2.2.2 Back up your data
If your mobile device is compromised or if it falls into the wrong hands, you risk losing all data, including contacts and photos. Having a cloud-based solution that automatically performs backups not only ensures data recovery but also enhances overall information security and facilitates retrieval in the event of a compromise. Automating backups makes it convenient, allowing backups during periods of low phone usage. While an automated cloud backup is generally suitable for personal data, you should verify this feature’s compatibility with enterprise cloud data service policies (for example, on retention, data residency or encryption) before enabling it for enterprise data.
It's important to know that remote backups are vulnerable to potential threats. To help mitigate these risks, you should incorporate encryption practices into the backup process. This can be achieved by choosing secure backup solutions with built-in encryption features, ensuring end-to-end encryption for data security during transmission and storage. Prioritizing client-side encryption adds an extra layer of protection by encrypting data on the user's device before transmitting it to the remote backup server. This approach ensures that even in the event of server compromise, the encrypted data stored in the cloud remains indecipherable without the corresponding decryption key.
2.2.3 Use preventative security tools
When you download compromised apps or files on your mobile device, you risk downloading malware. Once malware is activated, threat actors can exploit it to compromise your data, thereby putting your security and privacy at risk. To mitigate this risk, make sure your device is equipped with up-to-date and reputable preventative security tools. These tools include antivirus software, firewalls, and intrusion detection and prevention systems. Certain antivirus applications offer additional features, such as:
- wiping data in case of a lost device
- tracking and blocking suspicious callers
- identifying unsafe applications
- clearing browsing history
- deleting cookies
Firewalls should be activated whenever possible to enhance the protection of your device. Incorporating intrusion detection and prevention systems into mobile security practices can help you detect, respond to, and mitigate advanced threats that may bypass firewalls. This can strengthen the overall security posture of your mobile ecosystems.
2.2.4 Beware of untrustworthy applications
It is important to exercise caution when installing or using apps and to avoid those deemed untrustworthy. Be vigilant and selective about the apps you choose to install or to which you grant permissions. This can help minimize potential risks to your device and personal data. You should download mobile applications exclusively from official application marketplaces or app stores. However, you should not solely rely on application store vetting or approval, as many applications may collect significant data and pose a threat due to the scope and breadth of data collected.
Be aware that some applications could disguise themselves as web applications where the content is remotely delivered as a web page. As previously mentioned, the remote content delivered at the time of vetting could be totally benign but can later change to malicious web content containing a browser-based exploit.
We recommend that, before you include any application in an enterprise app store, you should use third-party vetting services and app reputation services and conduct an internal app inspection.
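The permission review recommended under "Exercise caution when granting permission" and the internal app inspection recommended here can start from the same artefact: the permissions an Android app declares in its manifest. The following added example (not from the Cyber Centre publication) is a Python audit that compares the declared permissions against a per-app allowlist of what the app's stated purpose justifies and flags sensitive permissions that are not on it. The manifest, the app name, the purpose label and the allowlist are constructed for the example; the permission strings are real Android permission names, but the set called sensitive here is an assumed subset chosen for illustration, not Android's complete list of runtime permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed subset of Android runtime permissions that expose sensors or personal data (not the full list).
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}

# Hypothetical enterprise policy: what each app's stated purpose justifies.
PURPOSE_ALLOWLIST = {
    "expense-scanner": {"android.permission.CAMERA"},   # photographs receipts; needs nothing else sensitive
}

# Constructed manifest for a made-up receipt-scanning app that asks for more than its purpose needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.expensescanner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission android:name="..."/> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def audit_permissions(manifest_xml, purpose):
    """Split declared permissions into those the purpose justifies, sensitive ones it does not, and the rest.
    An unknown purpose justifies nothing, so every sensitive permission is flagged for review."""
    declared = declared_permissions(manifest_xml)
    allowed = PURPOSE_ALLOWLIST.get(purpose, set())
    return {
        "justified": sorted(declared & allowed),
        "unjustified_sensitive": sorted((declared & SENSITIVE) - allowed),
        "other": sorted(declared - SENSITIVE - allowed),
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, "expense-scanner")
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

For the sample app the audit accepts CAMERA, leaves INTERNET in the "other" bucket, and flags contacts, precise location and microphone access as unrelated to scanning receipts, which is exactly the question to put to the vendor before the app goes into an enterprise store. A manifest is only the declared upper bound; the inspection should also confirm what the app actually does with the permissions it holds.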
2.2.5 Log out
Regularly check your device's accounts and log out from unused accounts. Make it a habit to log out from mobile applications every time you have finished using them. In addition to logging out of your applications, you should restart your mobile device at least weekly: a restart clears malware that runs only in memory and has not established persistence, which is an additional mitigation against some cyber attacks, such as spear phishing and zero-click exploits.
2.2.6 Do not leave devices unattended
Leaving mobile devices unattended increases the risk of unauthorized access and theft, potentially compromising sensitive data. It's important to always keep mobile devices with you or store them securely when not in use to mitigate these risks effectively.
2.2.7 Avoid public charging stations
If possible, you should avoid charging your mobile devices in public charging ports or stations. They can be a possible vector for threat actors to gain access to your device. If you have to charge your device using a public port, consider using a USB data blocker to block and prevent data being transferred from your device when you plug it into a charging port.
2.2.8 Avoid bypassing security features
Manufacturers incorporate security restrictions and features on their devices to protect users' devices and data. As mentioned earlier, bypassing security features (known as jailbreaking or rooting) removes these features. If you do not intend to implement strong alternate security controls, avoid bypassing these manufacturer security features, as doing so may expose the device to increased vulnerability to malware and other security threats.
2.2.9 Erase your device before disposing of it
Erasing your device before disposal is a critical step to protect sensitive data from unauthorized access. This involves securely wiping or deleting all data to prevent privacy and security risks such as identity theft or financial fraud. Proper data erasure methods include performing a factory reset, using specialized software or physically destroying the device.
2.2.10 Ignore unsolicited emails
Threat actors often send fraudulent emails, aiming to replicate legitimate sources and trick individuals into revealing personal information. This tactic is widely known as phishing. Avoid clicking on any links embedded in emails, as threat actors can create fake links that may compromise your security.
Similarly, threat actors use SMS in a tactic called smishing to lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications. To avoid falling victim to smishing, refrain from clicking on any links in unsolicited messages. Instead, if you're uncertain about the legitimacy of a message, verify the information directly through official sources like company websites, portals, listed phone numbers or official apps.
For additional guidance, refer to:
- Spotting malicious email messages (ITSAP.00.100)
- Don't take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)
2.2.11 Use secure network connections
When possible, use secured public networks, which require a password or other authentication, rather than open ones. Open networks can be joined without a password or authentication and therefore provide no encryption keys to protect your traffic, exposing you to risks such as malware attacks, denial-of-service attacks and AitM attacks.
As previously mentioned, connecting your mobile device to public Wi-Fi exposes you to potential eavesdropping by malicious actors, jeopardizing sensitive information like credit card numbers, bank account details, passwords and other private data. To mitigate these risks, prefer networks that use WPA3 (ideally with SAE-PK), and configure your own access points that way when possible. Additionally, using your mobile device's built-in VPN client adds an extra layer of protection by encrypting Internet activity.
2.3 Additional resources on mobile security
For more information on mobile security best practices, refer to the Cyber Centre’s publication Using your mobile device securely (ITSAP.00.001). Additionally, the Cybersecurity and Infrastructure Security Agency’s Mobile device adoption best practices (PDF) offers best practices for mobile device users to implement alongside the policies already established within their organizations.
3 Summary
Maintaining good security practices for mobile devices is imperative to mitigate the growing risks of data breaches and unauthorized access. The importance of protecting sensitive data on smartphones, tablets and other mobile devices is highlighted by the evolving threats posed by threat actors seeking to gain unauthorized access and compromise privacy.
The best practices outlined in this publication aim to strengthen the security posture of mobile devices. Combining technical measures with user habits creates a comprehensive approach to mobile security and can help maintain the confidentiality, integrity and availability of information. By adhering to these guidelines, you can significantly minimize the threats to your mobile devices and better safeguard your personal information and that of your organization.
Effective date
This publication takes effect on May 4, 2026.
Revision history
- First release: May 6, 2026