NSA Mobile Device Best Practices

I stumbled upon this and thought I’d share it on the forum. I am sending this to family members to encourage better security. It is an uphill battle to get people to change habits but I’ll keep trying. :slight_smile:

I also found this statement relevant to our discussions on the side-loading of apps.

APPLICATIONS: Install a minimal number of applications and only ones from official application stores. Be cautious of the personal data entered into applications. Close applications when not using.


Thanks for posting this.

I remember the NSA had a document for securing OS X Tiger at one time. As I recall some of the suggestions were turn on FileVault, permanently turn off WiFi, Bluetooth, etc. and disable all automatic features.

You could sum it up as “Do not use any Mac Power User software or workflows” :grinning:


Indeed. I remember several trips to an Asian country where I was advised to turn off my phone. It was then wrapped in foil and placed in the refrigerator. Seriously.


Maybe the NSA has a good use case for this list. But in my experience, giving people a deeper understanding of the real threats helps them more than unnerving them with fantastical ones.

  • Don’t use one password for everything. At the very least, don’t use your email password for anything else, because your email is the gateway to resetting everything else. If your email is compromised, everything else you have is as good as compromised. And if something else is compromised but your email is secure, it’s easy enough to reset the compromised service.

  • Don’t take lightly the warning against opening peculiar links or attachments even from your friends, because you think your friend would never send something malicious. The point is it might not be your friend. A robot or malicious actor might get into your friend’s email, and send you something malicious using their name and actual email address. Or phone number.

  • 111111 is not a secure PIN. Yes, I’m specifically talking to YOU reading this, with 111111 as your PIN.

Tales of Bluetooth and aftermarket cable attack vectors almost feel to me like a disservice to humanity’s collective productivity and mental wellbeing. I don’t want my grandma getting hung up on toggling her Bluetooth 5 times a day.


Nearly all typical users would avoid nearly all security issues by:

Keeping their devices fully patched.
Never reusing passwords.
Using a password manager and random, unique, strong passwords for every service they use.
Never reusing passwords.
Never clicking on a link in an email that wasn’t requested by themselves.
Never reusing passwords.

There are lots of other things to do/not do, but if I could get my users to just do just these things, my life would be much less “interesting” :smiley:


Isn’t there a bit of irony in looking to the U.S. NSA for “best practices” on device security? Not that it’s necessarily bad advice, coming from the foxes’ mouth as it were.


Perhaps these NSA publications are a way to put a friendly face on the agency. That wouldn’t be unusual; the CIA has been publishing their World Factbook for nearly 50 years.



In general, an intelligence agency has more to lose when its “home” is compromised than it stands to gain by compromising others. This is especially true when talking about general practices as opposed to specific high-value assets (such as vulnerabilities that can be used in operations). Even with vulnerabilities, the value to an agency decreases dramatically if there is any reason to suspect that it’s known to anyone else.

It’s worth noting that SELinux has its roots within the NSA. It’s also worth noting that various agencies have engaged in activities that significantly weakened information security across the board, but again, usually working under the assumption that they are the only ones who know.