This checklist is designed to help you review your smartphone security. The list contains specific suggestions for improving your security. This is the print version of the list. You can tick off the individual tasks with a pen.
Your safety is obviously important to you. Otherwise you wouldn't continue reading here. The first step towards greater security has been taken.
Not all the tasks in this list are relevant to you. Think about your current threat situation and prioritize the tasks using the icons on the tasks! You can find a legend at the top. This will give you a better overview and prevent you from being overwhelmed.
If we manage to increase the safety of all people, surveillance measures will be less worthwhile. This will also benefit your safety. Share this list in your channels or print out the flyer.
Just as technology and this list are constantly changing, your life, your habits and your devices will change in the future. So take time once a year to review this list.
Cryptoparties are events where you learn how to protect your devices and your communication.
If you are interested in cryptoparties and would like to meet like-minded people, you can find out about upcoming events at cryptoparty.in, for example. Or you can follow the linked guide and organize a cryptoparty yourself.
You know the most important numbers and names of your friends, family and acquaintances by heart. You can also log into your most important accounts, such as email, by heart. If you lose your phone or all your devices, you have the option of restoring your contacts.
Remove the battery from your device or store it away to protect confidential meetings.
Remember that other people cannot know how well you know your own phone. It is therefore always a sign of mutual trust to keep phones out of sensitive conversations. The general rule should be: Trust people rather than their devices.
The NO STALK app from the Weisser Ring can help you to document unwanted events such as calls, text messages and chat messages in a form that will stand up in court.
You can find all further information on the NO STALK APP website.
Apple devices such as iPads or iPhones can become a problem for some people if they do not want to be found. Protect other people by deactivating the location services on your devices or not using them at all.
Especially in contexts such as women's shelters or stalking, tiny AirTags are sometimes used to locate people, devices or vehicles in Apple's network. Apple devices register nearby AirTags and automatically share their location with the Apple network. It is therefore particularly important not to provide Apple's network with any further information. Turning off the location services on Apple devices can help, but unintentional activation or visitors with such devices can put people in danger again. Avoiding such devices and raising the awareness of those around you therefore play a key role here.
Non-smart push-button devices are often carelessly classified as "secure". However, these often cannot be encrypted and do not offer secure communication.
In the event of confiscation or theft, contacts, text messages and call lists can be read. In addition, dumbphones are just as susceptible to attacks on the mobile network without further protective measures. Dumbphones cannot be encrypted, you cannot install apps such as password managers on them, you cannot strip the metadata from your pictures and you cannot use secure messengers. So on the one hand, these phones have disadvantages. On the other hand, it should also be noted that non-smart devices completely rule out some dangers. For example, the risk of malware infections is much lower here. However, encryption and secure communication are so important in the face of increasingly frequent confiscation and surveillance that a smart device is definitely preferable.
There is an inconspicuous number on the back of your SIM card. Scratch it off so that neither you nor your provider can be identified from it in the event of confiscation.
Please be careful and take care not to destroy the chip. So don't scratch too deeply! Of course, this only applies to physical SIM cards. eSIMs do not have such a number.
The display on your device switches off automatically after a while. To unlock it again, use complex patterns or alphanumeric passwords.
Your password should be at least 20 characters long.
In your smartphone settings, you can specify what is displayed on the screen when your device is locked. Disable lock screen notifications completely so that no chat messages or other sensitive information are displayed.
Encrypt your smartphones with a strong alphanumeric password that is at least 20 characters long. This very effectively prevents your data from being read.
Strong encryption is important. A screen lock is not enough and is not the same as encryption. Activate encryption in your settings! Professional mobile forensic software like Cellebrite can easily bypass most screen locks via the USB interface by exploiting security holes or trying to guess your PIN. All police departments in Germany have this software. All your data, contacts, call logs, location data, login data and much more could then be automatically collected, processed and visualized via USB. Your encryption password should therefore be particularly strong. Use a very complex pattern or an alphanumeric password for encryption! But what is the difference between encryption and a PIN or password? Put simply, password or PIN protection is like a locked room. Attackers can still break through the window or wall to access your data. With encryption, on the other hand, the entire room is chopped into small pieces and scattered evenly across the floor. It is not possible to read this data chaos without the right key that sorts everything again.
Encryption is only effective when the phone is switched off. Therefore, practise how to switch off your phone quickly in stressful situations.
Even if your phone is encrypted, professional mobile forensic software such as Cellebrite can access it via USB. As long as your phone is switched on, the encryption is ineffective because the data is decrypted. Encryption is only really effective when the phone is switched off. Be sure to switch off your phone before you hand it to someone else! If you want to be on the safe side, you can also attach a killswitch to your phone. This allows you to quickly remove the battery in dangerous situations. You can find more details on this idea in the further information.
You can apply a special film to your display that prevents bystanders or cameras from being able to read it. These films are available for many models. They use optical effects that mean your display is only visible from a certain angle.
You should never deactivate the PIN protection on your SIM card. If the PIN is deactivated, authorities or other persons can use the card themselves to gain access to messengers, for example.
Note for anonymous SIM cards: If you use anonymous SIM cards, you often cannot activate the PIN lock, as you often do not know the PIN/PUK associated with the card. You often receive these cards with the PIN deactivated. In this case, you should make sure that all your messengers are secured with a second factor (e.g. a PIN) and that you do not use the card itself for two-factor authentication.
Memory cards cannot be reliably encrypted on all devices. It is also possible to restore data that was saved on them when they were previously used with other devices. Therefore, only use memory cards if you know what is stored on them and if you have overwritten them beforehand.
Some older Android devices also leave a signature of the apps you use on your memory card, because each app creates its own folder there. This allows conclusions to be drawn about the apps you are using. Caution! Overwriting flash memory is often not 100% possible. Data can still be left behind.
You should never use your fingerprint or face to unlock your phone. Authorities with access to fingerprints or images can otherwise unlock the device. Therefore, use complex patterns or alphanumeric passwords.
Fingerprints and facial recognition are not secure methods for unlocking your device. They are like passwords that you can never change. Data leaks or malware could cause this sensitive information to be lost and put you at a disadvantage. The police can also use your fingerprints to unlock your device. There have already been court rulings on this in Germany and the USA. If you have an iPhone, you can temporarily lock Face ID and your fingerprint by pressing a special key combination. For Android, lockdown mode is available on some devices, allowing you to quickly disable these functions in an emergency.
Be sure to deactivate USB debugging if you are familiar with it. Normally, this function is deactivated by default on all devices and must be consciously activated by you.
Only use power adapters and cables for charging that you trust. Mark the cable and power adapter to prevent them from being replaced.
If possible, use a USB cable without data function for charging. Tampered cables or USB sockets in hotels, buses or trains could read data or install unwanted software. If you are not sure, you can simply switch off your phone for the charging process. This way, nothing can be installed or read out and it will still charge.
Verified Boot prevents tampering with your operating system. You should make sure that your device is secured with it. If you have installed your own system, you should activate Verified Boot.
You can find out whether your device supports Verified Boot from the manufacturer. If you have installed your own operating system on your device, you should make sure that Verified Boot is supported for your device.
Sealing can help you to determine whether hardware has been tampered with after returning your device. For example, put a drop of special sealing wax or nail polish on the seams of your device. This way you can determine whether it has been opened.
In your phone's settings, you will find unique, unchangeable hardware numbers such as the serial number, Wi-Fi MAC address, Bluetooth MAC address and IMEI. Make a note of these numbers. This way, you can always be sure that your device has not been secretly replaced.
Make sure that you store these numbers in a secret place. It is best to store them in encrypted form. This way, you don't have to worry that these numbers will be used in the future to assign a specific phone to you.
Make regular backups of your most important data. Your backup doesn't have to be perfect. A bad backup is better than no backup!
You should also think about important apps such as 2-factor apps or password managers when making your backup. The settings can usually be easily exported from these. If possible, use open source backup software such as "oandbackup" or "Neo Backup". However, these require root rights. A simple regular copy of your most important data on a USB stick is also a good start! Remember that "No Backup, No Mercy" is an arrogant attitude. Not everyone has the knowledge and technical capabilities for backups. Help each other!
If you have the option, you should definitely encrypt your backups to protect them from unauthorized access.
The Android app Neo Backup supports encryption out of the box. However, you can also create encrypted zip archives manually or encrypt entire USB sticks. Under Linux, macOS and some versions of Windows, this can be done very easily via a graphical interface. You can also use encryption software for your sticks, such as VeraCrypt, which works on most operating systems. If you want to delve deeper into the matter and are not afraid of the command line, you can take a look at professional software such as Restic (Linux) or duplicity (Linux). You will then need to connect your device to a computer.
You should definitely store your backups decentrally and outside your home so that you can access them quickly in the event of theft or confiscation.
Get an overview of the importance of your data and store it accordingly. For example, store less important copies of your music or picture collection further away with friends. Critical backups of access data or important documents should be stored redundantly and close to you. In general, you should also keep a copy of your backups outside your home.
Restoring your data is the most important part of a backup. Practice this situation! This way you can see if your backup is intact. Make sure that you can restore your backup without access to other backups, password managers and two-factor apps.
Wondering how to do this if everything is encrypted? Here's an idea: create a separate password database. Put all the important main passwords for your computer, phone, other password databases and also for your backup archives in this database. Now create a list of 10-20 personal questions that only you can answer. The answers to the questions together form your master password for emergencies. Copy this critical database to a USB stick and store the questions next to it. If you want, you can also work through the questions together with your partner, friends or family members. This way, you can recover your data even if something should happen to you.
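The emergency database idea above depends on turning the answers to your personal questions into one reproducible master password. The following added example (not part of the original checklist) shows one way to do that in Python with only the standard library: the answers are normalised so that spelling variations in case and whitespace do not change the result, and then run through PBKDF2 to produce a 32-character password. The questions, answers and the PBKDF2 iteration count are constructed assumptions for illustration.

```python
import base64
import hashlib
import unicodedata

# Constructed stand-ins for the 10-20 personal questions you would write down
# and keep next to the USB stick. Real questions must be ones only you can answer.
SAMPLE_QUESTIONS = [
    "Name of the first pet I had",
    "Street I lived on at age ten",
    "Title of the first record I bought",
    "Nickname my grandmother used for me",
    "Teacher I liked least in school",
    "Dish I cooked on my first date",
    "Colour of my first bicycle",
    "Name of the cafe where I met my best friend",
    "Town I got lost in on my first holiday alone",
    "Word I always mistype",
]
# Constructed answers; in practice these live only in your head.
SAMPLE_ANSWERS = [
    "Bello", "Lindenstrasse", "Blue Lines", "Moppel", "Herr Krause",
    "Risotto", "Red", "Cafe Sperl", "Bruges", "recieve",
]


def normalize(answer):
    """Make an answer reproducible: Unicode NFKC form, case-insensitive, with
    leading/trailing and repeated whitespace removed ('Bello ' == 'bello')."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def emergency_master_password(questions, answers, iterations=600_000, min_questions=10):
    """Derive one master password from all answers with PBKDF2-HMAC-SHA256.
    The questions are stored in the clear beside the stick, so they double as
    the (non-secret) salt; the answers are the only secret input."""
    if len(questions) < min_questions:
        raise ValueError(f"use at least {min_questions} questions")
    if len(questions) != len(answers):
        raise ValueError("one answer per question is required")
    salt = hashlib.sha256(
        "\n".join(normalize(q) for q in questions).encode("utf-8")
    ).digest()
    material = "\n".join(normalize(a) for a in answers).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=20)
    # 20 bytes encode to exactly 32 base32 characters without padding:
    # typeable on a phone keyboard and longer than the 20-character minimum.
    return base64.b32encode(key).decode("ascii")


if __name__ == "__main__":
    print(emergency_master_password(SAMPLE_QUESTIONS, SAMPLE_ANSWERS))
```

The key derivation does not add any secrecy beyond what the answers contain; its purpose is to turn a long list of answers into a single fixed-length password and to make guessing attempts slow. Answers that are publicly known (a birthplace, a school) weaken the result, so choose questions accordingly.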
In the event of a house search, burglary, flooding or other emergencies, all devices are often stolen or destroyed. Prepare for this by storing unused devices with your friends. That way you'll have a quick replacement.
The police often ask for PINs and passwords when seizing a smartphone, whether on a court order or otherwise. Do not say anything. Do not unlock anything. Contact a lawyer.
You should also not react if you receive a letter from the police asking you to hand over your PIN. The police may also try to put you under verbal pressure. They may tell you that giving them your password will mitigate your punishment. Or they may tell you that you will get your phone back more quickly. Or they claim that it can be expensive for you to have your smartphone cracked professionally. Stand firm and refuse to hand it over! If in doubt, contact a lawyer. Please bear in mind that your phone may be searched when you enter other countries such as the USA or China. You may be forced to hand over your password. In this case, you can take a freshly reset phone with you that can be safely searched. Reinstall all apps after crossing the border.
Did you buy the phone second-hand? Then you should overwrite the entire memory once to avoid unwanted data being found on your device.
Used phones may contain illegal data that could be recovered and analyzed. To avoid this becoming your downfall, you should completely overwrite the phone once. If you have the possibility, generate large random files and copy them to your phone until it is full. Otherwise, you can also download large test files from the Internet and overwrite your phone's memory with them. Caution! Overwriting flash memory is often not 100% possible. Data can still be left behind. With more modern Android devices and iPhones, this is usually not necessary due to the encrypted file system. In this case, however, make sure that the phone has been properly reset to factory settings. If you are not sure, you can still overwrite it.
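For the "generate large random files and copy them until the phone is full" step, here is an added Python example (not from the checklist) that fills a directory, such as a memory card or phone storage mounted on a computer, with fresh random data until the volume reports it is full, then deletes the fill files again. The directory path, the 1 GiB per-file limit and the optional size cap used by the demo are assumptions; the caveat from the text still applies, since a flash controller may keep copies of old data that no overwrite from the file system can reach.

```python
import errno
import os
import secrets
import tempfile

CHUNK = 1024 * 1024          # 1 MiB of fresh random data per write
FILE_LIMIT = 1024 * CHUNK    # 1 GiB per file, so FAT32 cards (4 GiB file cap) work too
_FULL_ERRNOS = {errno.ENOSPC, getattr(errno, "EDQUOT", errno.ENOSPC)}


def fill_free_space(directory, max_bytes=None):
    """Write random data into numbered files under `directory` until the volume
    is full or `max_bytes` have been written. Returns (bytes_written, paths)."""
    written = 0
    paths = []
    try:
        while max_bytes is None or written < max_bytes:
            path = os.path.join(directory, f"fill-{len(paths):05d}.bin")
            paths.append(path)
            with open(path, "wb") as fh:
                in_file = 0
                while in_file < FILE_LIMIT and (max_bytes is None or written < max_bytes):
                    size = CHUNK if max_bytes is None else min(CHUNK, max_bytes - written)
                    fh.write(secrets.token_bytes(size))   # CSPRNG bytes, not zeros
                    written += size
                    in_file += size
                fh.flush()
                os.fsync(fh.fileno())   # push the data to the medium, not just the cache
    except OSError as exc:
        if exc.errno not in _FULL_ERRNOS:
            raise                       # anything other than "disk full" is a real error
    return written, paths


def remove_fill_files(paths):
    """Delete the fill files so the space is usable again; the random data stays
    in the now-unallocated blocks until the medium reuses them."""
    for path in paths:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def overwrite_free_space(directory, max_bytes=None):
    """Fill, then clean up. Returns the number of random bytes written."""
    written, paths = fill_free_space(directory, max_bytes)
    remove_fill_files(paths)
    return written


def demo(max_bytes=3 * CHUNK):
    """Run the procedure in a throwaway temporary directory with a size cap so
    the mechanics can be checked without filling a real disk.
    Returns (bytes_written, number_of_files_left_behind)."""
    with tempfile.TemporaryDirectory() as tmp:
        written = overwrite_free_space(tmp, max_bytes)
        leftovers = os.listdir(tmp)
    return written, len(leftovers)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real run: python overwrite.py /path/to/mounted/phone/or/card
        print(overwrite_free_space(sys.argv[1]), "bytes written")
    else:
        print(demo())
```

Run it once per volume (internal storage and memory card are separate file systems) and expect it to take a while, since every byte is generated and written. On modern encrypted phones the text above already notes that a proper factory reset is the better tool; this script is for the cases where overwriting is the only option.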
You should only activate positioning, Wi-Fi, Bluetooth or NFC if you really need it.
In certain cases, you can be recognized via Wi-Fi. In the most extreme cases, even your home address can be determined. Some devices reveal the unique hardware number of your Wi-Fi interface as well as the list of your known Wi-Fi networks. You can easily search for the physical locations of Wi-Fi networks on websites such as wigle.net. Google and Apple use their market power to store the locations of neighboring Wi-Fi networks through their devices in their own databases. Do you operate your own Wi-Fi? Google, Apple and all the secret services know its coordinates. But Bluetooth and other interfaces also harbor dangers. Bluetooth, for example, is susceptible to bluesnarfing (opening ports that are actually closed by commands from outside), bluejacking (sending unwanted messages), bluebugging (exploiting a backdoor), bluesmacking (denial of service) or car whispering (eavesdropping on the hands-free system).
If you want to be sure that you are not being monitored via Bluetooth, you should use a wired connection for your headphones.
Bluetooth devices such as earbuds can potentially be eavesdropped on while they exchange their secret keys. Attackers within range could listen in unnoticed.
You should simply cover unused cameras with stickers. For example, if you don't use the selfie camera or only use it rarely.
If you live in Germany, you can order special removable stickers for your smartphone cameras free of charge from the Federal Ministry for Family Affairs, Senior Citizens, Women and Youth (BMFSFJ). But normal stickers will also do the job. Make sure that you don't stick over the inconspicuous brightness sensor! This causes some smartphones to switch off the display because they think they are in a trouser pocket. If you have problems with stalking or are being followed by ex-partners, you should completely cover your cameras to be on the safe side.
A flat rate generally generates less data than a tariff with minute-based billing or itemized bills, because those call details have to be recorded and stored. Prepaid tariffs generally do not even generate billing data and are therefore very data-efficient.
Many network operators sell your movement data to various advertising companies. You can object to this transfer.
Ask the providers how long the data is stored in the various tariffs and with whom it is shared. There are also extra data protection-friendly providers such as "Wetell" in Germany. Nevertheless, these do not protect against the numerous monitoring possibilities in the mobile network! Anonymous SIM cards are therefore always preferable.
Deactivate mobile data if you don't need it. An activated mobile internet connection leaves a continuous record of the cellular data you use in your provider's traffic data.
If you are not making calls, sending or receiving text messages or using mobile data, your phone is in an idle state. Your provider will then have no history of your cell position. Only the last so-called location area is known to the wireless network. This is a network of a large number of radio towers that does not provide any reliable information about your exact location. If an authority or an attacker wants to find you, they often rely on silent pings. Only then will your phone be reconnected to a specific cell.
Either do not take your phone with you to the demonstration at all, or switch it to flight mode some time beforehand, or switch it off completely and leave it like this for some time after the demonstration.
The reason is that many phones are simply seized or confiscated by the police. But so-called IMSI catchers are also a problem, and this applies even if you use anonymous SIM cards. Targeted tracking of individual persons with IMSI catchers (for example on the way home) allows a telephone number to be assigned to a person, regardless of whether the SIM card is anonymous or not. IMSI catchers can be found in backpacks or even on drones. An IMSI catcher creates a fake cell to which your phone connects because the signal of the IMSI catcher is stronger than that of the surrounding real cells. If you are tracked long enough, the attackers only have to check which phone has been logged in the longest. Your IMSI is then known to the attackers. This can then be used as the basis for radio cell evaluations, telecommunications surveillance or other measures. As a rule, you have no easy way of determining whether your phone is connected to a fake cell.
Apps that can potentially detect IMSI catchers or silent text messages will not help you in the vast majority of cases. You should avoid these apps and instead learn why they don't do much and what the alternative is.
First of all, there is nothing wrong with apps like "SnoopSnitch" in general. We can be glad that there are people who deal with this matter and build such apps. Nevertheless, you have to understand that such apps are completely ineffective in the vast majority of cases. SnoopSnitch, for example, only works on 2G and 3G networks if your phone is rooted and if a very special chip is installed on the mainboard of your device. You need to understand that communication with the mobile network is a completely opaque black box for your operating system. Your operating system and your apps are not able to control or monitor communication with a radio tower (base station) in detail. This means that the wireless network can communicate with the chip on your device without it being aware of it. This is due to proprietary, commercial hardware that is not open source. This is also why you can be roughly located by silent SMS (stealth ping). The radio chip in your phone registers this, but does not report it to your operating system. Only a few chips have interfaces that allow the operating system to monitor them. SnoopSnitch only exists for this purpose. The only sensible defense is an anonymous SIM card.
Anonymous SIM cards make it much more difficult for state actors and other attackers to choose their targets. Whether silent text messages, IMSI catchers, inventory data requests, traffic data requests, radio cell evaluations, source monitoring, state trojans or location monitoring: an anonymous SIM card is often the only sensible defense against such surveillance.
The subject of mobile phone surveillance is complex and cannot be dealt with in full within this framework. However, it is important to understand that security apps cannot do anything about such surveillance because, for example, it affects data that is already stored by your provider and not on your phone. Or because the apps themselves do not have access to your phone's proprietary radio chip and therefore cannot see silent text messages, for example. Or because the attack takes place in the wireless network between network providers. Or because your mobile provider simply sells your data on. So relying on apps or changes in behavior won't help. The only defense is anonymous SIM cards. Also bear in mind that in Germany, over 100 government agencies can access people's phone numbers and vice versa without a court order.
Only use your anonymous SIM card in a specific phone. Never use the same phone for another SIM card. This is because the unique number of the SIM and the unique number of your phone are always stored together in the provider's traffic data.
To further increase security, you can often change your anonymous SIM cards. Each time you switch, you should also change the phone used for this purpose.
Since the IMSI always appears together with the IMEI in the traffic data of your network provider, you should also change your phone when you change your SIM card. As you can imagine, it is time-consuming and expensive to change your phone from time to time. You would have to constantly set up your apps again and spend a lot of money on a new phone. To keep costs down, you can work with proxy phones. And this is how it works: You have a more expensive device for your regular use on which all your apps are installed. There is no SIM card in this phone. It is therefore invisible to the mobile network. You get Internet access via an inexpensive second device with a SIM card inserted. This phone does not need much power. However, it can provide you with a Wi-Fi hotspot and therefore Internet. You can also use it to make normal phone calls if you want. This phone can be replaced quickly with the SIM card inserted. The only disadvantage is that you always have two smartphones with you.
If you are traveling with friends, acquaintances, family or comrades, you should not use your anonymous SIM card.
You should not use it to make calls, send text messages or use your mobile internet connection. Remove it from your phone to be on the safe side. If you move through identical cells with other people over a longer period of time, it is theoretically possible to narrow down who you could be or who your family or friends are. The same applies to a possible second SIM card registered in your name. For example, if you have a second non-anonymous phone with you. If this SIM card moves through an area together with the anonymous SIM card, it is known who the anonymous card belongs to based on the same cell changes. The cell changes may be logged in your provider's traffic data. Have friends provide you with a Wi-Fi hotspot when you are traveling and use it with a VPN or Tor. If you are traveling with a larger group, only one person should create a hotspot. Everyone else should remove their SIM cards for this time.
Anyone who knows your phone number can easily attack you. Keep your number secret if possible. If you still want to be reachable, you can use messengers with a call function that do not require a number or where the number can be hidden.
On sites such as cell-track.com or phone-location.info, for example, it is easy to find out whether a device is abroad or not, or whether a device is currently switched on. All you need is the phone number. There's nothing you can do about it except keep your number secret. State actors also have other options, such as infecting the device with a zero-click exploit (state trojan). Only an anonymous SIM card and keeping your number secret will effectively protect you from government attacks.
Do not use your anonymous SIM card/phone for regular phone calls or text messages. You can see who the target contacts are in the traffic data if they do not also have an anonymous card. This may make it possible to narrow down who you are. If possible, only use the card with other anonymous cards or switch to Internet messengers for messages and phone calls.
You should never order SIM cards and phones directly to your address or pay from your accounts. To leave no trace, you can ask friends to order or collect them for you. Pay in cash.
You should also obtain the credit for your SIM card anonymously or via intermediaries. Therefore, use SIM cards for which you can buy credit in cash at checkouts, or ask friends to send you the credit code.
You can suppress your phone number when you make calls. This means that the person you are calling cannot see your own number. You can set this for certain people or for all calls.
You should suppress your number, especially if you are being stalked. This is because your number can be used in a variety of ways to attack you. Also be aware that suppressing your number will only mean that it will not be displayed on the other party's phone. Your number will still be saved in the call logs (traffic data) of the providers involved. The authorities can therefore trace your call even if your number is suppressed. Use anonymous SIM cards if you need real anonymity.
Sensitive information about you or your relationships could be left as a voice message on your voicemail at any time and without your knowledge. Therefore, deactivate your voicemail for security reasons.
Information that other people speak to your voicemail could reveal relationships and sensitive information such as names. In Germany, voicemail monitoring is part of telecommunications surveillance (TKÜ), which can be carried out by the police.
Advanced Mobile Location (AML) has been used in Germany and many other countries since 2019 and is gradually being expanded to locate people in emergency situations. If you don't want this, you should prepare yourself for it.
Before AML, rescue coordination centers only had extremely inaccurate radio cell data at their disposal (if at all) to locate people in emergency situations. AML, on the other hand, is firmly integrated into modern telephones and their operating systems: When an emergency number is dialed, the phone automatically activates GPS and Wi-Fi to determine its own position. This is then automatically transmitted to the control center via the Internet or SMS. This extremely precise location is only activated by dialing the emergency numbers and cannot be used from outside without your active involvement. In most cases, there is nothing you can do to prevent you from being automatically located when you dial these numbers. Unfortunately, this also makes it more difficult to make anonymous reports. You should therefore always consider whether dialing emergency numbers from your own phone is really necessary. You can find a list of all countries with AML on Wikipedia. AML is part of the Play services on Android and can be deactivated via the emergency settings.
With a third-party block, you can prevent apps, websites or scammers from charging costs for subscriptions or other purchases to your phone bill.
If you would like to set up such a block, you can contact your provider online or by telephone.
You should not use your name to accept a call. Use generic phrases like 'hello' instead.
Free Android-based operating systems such as GrapheneOS, CalyxOS or DivestOS can help you protect your privacy and are not tied to Google, Apple or Microsoft.
If you are unsure which system you should install, the clear recommendation is currently to install GrapheneOS on one of the compatible phones. You can find more information in the links.
GrapheneOS is an Android operating system with a particularly high level of protection and numerous security features and is therefore listed here as a separate task.
A free operating system is always the right choice if you want to be independent of large corporations such as Google or Apple. However, an operating system called GrapheneOS stands out with its numerous security features and is therefore highly recommended for activist purposes. For example, Graphene supports an LTE-only mode that can prevent various attacks on the mobile network. You can also deactivate all of the smartphone's sensors. GrapheneOS only supports a few devices. You can find out what these are and what else it can do on the GrapheneOS website.
Smartphone manufacturers receive millions to billions from Google or Apple for placing their software on your phone. You should definitely remove these apps.
Of course, this is only worthwhile if it has a benefit: The pre-installed software collects data and analyzes your habits. You should therefore remove bloatware (sometimes this is not possible without root permissions) or install a custom operating system such as GrapheneOS.
You should definitely delete your "mobile advertising ID" (MAID), change it frequently (Android) or prohibit your apps from tracking (iOS) if you do not want the data from different apps to be merged and sold again by so-called data brokers.
If you use iOS or Android, your operating system transmits an advertising ID to your apps in the background. This ID can be attached to the data records of individual apps. If the provider of your apps then sells this data, brokers can merge it with other data sets of yours. This creates veritable stockpiles of your personal data and interests that are traded online.
Keep apps and your operating system up to date. Malware and state trojans often exploit vulnerabilities in software. Up-to-date apps and an up-to-date operating system are therefore important.
Your security is increased enormously if you use a different complex password for every service on the Internet. You should save these in a password manager such as KeePassXC or Bitwarden.
Remember that your password manager needs a particularly strong password. Also remember to make a regular backup copy of your password database. If you have trouble coming up with strong passwords, you can use the Diceware method. Below you will find a link with instructions. All you need is a die.
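The Diceware method mentioned above (and the 20-character minimum from the encryption task) can be worked through in code. This is an added Python example, not part of the checklist: it parses a wordlist in the usual "dice roll, tab, word" layout, converts five physical die rolls into a lookup key, builds a passphrase either from your rolls or from the operating system's CSPRNG standing in for the die, and computes how many words a given entropy target needs. The six-line wordlist excerpt is constructed; a real Diceware or EFF list has exactly 7776 entries.

```python
import math
import secrets

# Constructed excerpt in the usual "dice-roll<TAB>word" wordlist layout.
# A real list has 7776 (= 6**5) lines; these six words are made up.
SAMPLE_WORDLIST = """\
11111\tacorn
11112\tbadge
11113\tcanal
11114\tdrift
11115\tember
11116\tfable
"""
FULL_LIST_SIZE = 6 ** 5


def parse_wordlist(text):
    """Map five-digit dice keys ('11111' .. '66666') to words."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"invalid dice key {key!r}")
        words[key] = word.strip()
    return words


def key_from_rolls(rolls):
    """Turn five physical die rolls, e.g. [3, 1, 4, 2, 5], into the key '31425'."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def roll_key():
    """Substitute for a physical die: five uniform rolls from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def entropy_bits(list_size, n_words):
    """Entropy of a passphrase whose words are chosen uniformly from the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words that reaches the entropy target."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words, n_words, rolls=None, separator=" "):
    """Build a passphrase from a complete list. `rolls` may hold your own dice
    results (one five-roll list per word); otherwise the CSPRNG stands in."""
    if len(words) != FULL_LIST_SIZE:
        raise ValueError("wordlist is incomplete; every key 11111..66666 must be present")
    if rolls is not None:
        if len(rolls) != n_words:
            raise ValueError("one five-roll list per word is required")
        keys = [key_from_rolls(r) for r in rolls]
    else:
        keys = [roll_key() for _ in range(n_words)]
    return separator.join(words[k] for k in keys)


def meets_length(phrase, minimum=20):
    """The checklist's 20-character rule for encryption passwords."""
    return len(phrase) >= minimum


if __name__ == "__main__":
    print("6 words from a 7776-word list give", round(entropy_bits(7776, 6), 1), "bits")
    print("words for 90 bits:", words_needed(7776, 90))
```

With a full list, six words give roughly 77.5 bits and easily clear the 20-character minimum; if a generated phrase is shorter (several short words in a row), add a word rather than reusing it, since entropy comes from the number of independent rolls, not from the character count.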
Only use official app stores or F-Droid to obtain your apps. If you know your way around, you can also download apps directly from the manufacturers' websites. Always consider whether you need an app at all.
Infected apps have many ways of attacking you. For example, they can steal passwords.
Your flashlight app wants to access the memory? Not a good idea! Always ask yourself why an app needs permissions and only grant them gradually or when necessary.
You can obtain most apps via F-Droid or Aurora Store without logging into Google or without Google services.
Google Play services and Apple services provide central infrastructures for some apps. For example, push messages are sent via these services. Government agencies use this fact to monitor iPhone and Android devices.
You can protect yourself from this by using apps that do not require Google or Apple services. Also avoid alternatives such as microG if you have installed your own operating system. For example, install apps from F-Droid that do not require these services. Messengers such as Telegram, Signal and Matrix offer their own alternatives to centralized push messages.
Many popular apps track your habits and preferences. Find out about privacy-friendly alternatives and check the trackers beforehand!
On privascore.org you will find alternative apps and services for numerous topics. For example, use browsers such as the DuckDuckGo browser, which do not collect any data about you. The εxodus project also provides you with information about the trackers and permissions used by many apps. For example, map apps such as Organic Maps or Magic Earth do not use trackers at all and are therefore a good alternative to Google Maps.
Root rights allow you to use many unique apps. However, these rights may also apply to malicious apps, which is why you should generally avoid root.
If you don't know what root is, you probably don't have it. Root has to be activated on most devices. Unfortunately, some apps that can potentially increase your security often require root rights. Examples include backup applications such as "Neo Backup", but also apps such as "SnoopSnitch", which try to detect IMSI catchers or silent text messages. You should always carefully consider whether you really need superuser rights on your device. In the vast majority of cases, there is no good reason for this. Apps such as "SnoopSnitch" only work in very few software and hardware constellations anyway. Setting up root for this reason is out of all proportion.
You should definitely use open-source, encrypted messengers such as Briar, Signal, Threema, Element or SimpleX. Avoid insecure commercial messengers such as WhatsApp and co.
If you are unsure which messengers are good or if you need arguments to convince family and friends, you should definitely take a look at Kuketz's messenger matrix. There you can easily compare the individual messengers according to functions and security aspects.
The two-step confirmation (two-factor authentication) prevents your SIM card or copies of it from being used to access your messages.
In some messengers, this works via email. In others, you can assign an additional PIN. If you lose your phone number or other people or authorities get hold of your SIM card or a copy of it (SIM swapping), they can log in with the phone number and read your messages or write in your name.
Some messengers such as Signal or Threema offer you the option to automatically delete old messages. Use this function to prevent messages from being read in the future, e.g. through confiscation.
You should not use iMessage and keep your Apple ID secret. iMessage has repeatedly been the target of so-called zero-click attacks in recent years.
In the past, specially prepared messages for iMessage have repeatedly been used to install government Trojans on iPhones. You should therefore avoid this software.
Lockdown mode (blocking mode) can be used on the iPhone to prevent malware infections. Some features are severely restricted in order to protect the system.
A similar feature is not available for Android.
You should restart your phone more often. For example, every morning or before critical conversations. Some state trojans do not survive restarts as they are often not persistent. Although new infections are possible later, this strategy can give you a private window of opportunity.
You should reset your phone to factory settings if you no longer trust it. This method is effective against common spy apps from the app store that may be hiding on your device.
This method usually removes unwanted spying or stalking apps from your phone. These apps may have been installed by people close to you when they had direct access to your device. Please be aware that these apps are not comparable to professional state trojans, which can potentially be reinstalled remotely even after resetting your phone. Nevertheless, this option is a good start to get out of toxic relationships or to prevent stalking. Please back up your most important data before resetting.
Some smart TVs take screenshots and audio recordings and upload them automatically and unintentionally to the internet. Protect yourself by not pairing your smartphone with a smart TV.
When scanning QR codes, pay attention to the authenticity of the target page and check exactly where the code takes you. Be skeptical if you are asked to enter personal data or bank information after scanning.
QR codes are repeatedly pasted over at charging stations or vending machines, for example. However, they are sometimes also sent with letters. This is how people are tricked into entering personal information on fake websites or installing malicious apps. So check the target carefully. Be skeptical of stick-on codes. QR codes should be designed in such a way that they are forgery-proof. For example, they should be placed behind a pane of glass to prevent them from being replaced.
You should not carry or store your bank card right next to your smartphone. Malware could read and send the data via NFC. Alternatively, use RFID protective covers for your cards and deactivate NFC.
Malware can use your smartphone's NFC interface to read data from bank cards. You can protect yourself by not keeping your cards right next to your smartphone. You can also order special RFID protective covers online that can protect you.
You should think carefully about what personal information you share online. For example, are you easy to find via search engines? If so, you should try to remove this data.
Specialized agencies and data brokers collect public information and information from data leaks about you and sell it on to intelligence agencies, for example. Companies such as PimEyes, which specialize in facial recognition, use your personal images to train their AIs. This captures the biometric features of your face and you can be identified in other images in a fraction of a second. Try to find yourself on the internet, identify the services and try to remove your personal data from them. For example, use Google Alerts to be automatically informed via email as soon as your name or other personal data appears on the internet. You can also sometimes use DMCA takedown requests to have your data removed from US websites.
Alternative frontends for web services such as YouTube, Twitter, TikTok and other websites can help you protect your data.
Instead of YouTube, you can use one of the many Invidious instances such as yewtu.be in your browser or the FreeTubeAndroid app. This way you can avoid advertising and protect your privacy at the same time. You can also install LibRedirect for Firefox. This plugin automatically redirects you to an alternative frontend when surfing the internet. Large companies such as YouTube go to great lengths to make alternative frontends unusable or block them again and again. Don't give up if it doesn't work on the first try!
Passkeys can replace passwords in some applications and apps and make them completely superfluous. Unlike passwords, they cannot be stolen through phishing or data leaks. Use them when they are offered!
You should not bind passkeys to a biometric unlock. Also remember to back up your passkeys in case you lose your device.
Many services and platforms on the internet offer to secure logins with a second factor. Use this option whenever possible.
Please also bear in mind that it must be possible to create a backup of your second factor. A cell phone number is not really a good second factor. Firstly, you can potentially lose your number. But it is also possible that other people or authorities can gain access to your number. If you lose your SIM card, you won't be able to access your accounts for the time being. If you use a hardware token as a second factor, please make sure that there is a second one for emergencies! If you use software solutions such as time-based one-time passwords (TOTP), please create backups in your OTP apps! The Android app Aegis, for example, offers automatic backups.
Your two-factor app is installed on a separate device. This means that your second factor cannot be used to log into your accounts if your device is compromised.
Targeted advertising campaigns (microtargeting) are used by intelligence services, among others, to infect individual devices with malware. Protect yourself with ad blockers!
But it's not just intelligence agencies that use advertising to track people. So-called data brokers also sell aggregated data about you from various apps and websites. There are various ad blockers that you can try out at different levels. Network-wide solutions such as eBlocker and Pi-hole protect all devices in your home network. AdAway protects your smartphone and uBlock Origin is a plugin for the Firefox browser.
You can improve your security by using a different name and different email addresses or mobile numbers for registration on all platforms. This way, your accounts cannot be merged through data leaks.
Work with a time delay if you want to share the same message in different channels or groups with different pseudonyms. Otherwise it will be obvious that one person is behind the various pseudonyms.
Your internet access providers (Telekom, Vodafone, Telefonica, 1&1, etc.) can see which websites you visit. Tor (The Onion Router) can help you greatly improve your anonymity on the Internet. Use websites via the Tor browser and redirect apps with the Orbot app via the Tor network.
Google, Apple and other manufacturers pass on data to investigating authorities without hesitation. Therefore, use alternative search engines such as duckduckgo.com or stract.com.
Many cloud providers cooperate fully with investigating authorities and will not hesitate to hand over your data. Only store encrypted data there.
In general, you should consider whether you need the relevant cloud services at all. For example, you can use apps such as "OpenKeychain" to encrypt files before uploading them to a cloud. If you use an Apple device with your iCloud, activate extended data protection there.
Remember that you have to trust VPN providers. You pay them, so they know your identity. Many VPN services cooperate fully with investigative authorities.
If you can, use the Tor network or free VPNs instead, such as RiseupVPN, which do not collect any data about you.
Your smartphone invisibly attaches metadata such as coordinates, camera type, resolution, smartphone model or operating system to your pictures. With some camera apps, this can be partially or completely deactivated.
If your phone is stolen, this data can provide information about your origin. Use apps like "Imagepipe" to clean up your pictures before you upload them to the Internet. You can install Imagepipe on your Android smartphone via F-Droid.
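What "cleaning up" a picture means at the byte level, as an added example in pure Python (not Imagepipe's code): a JPEG is a sequence of marker segments before the scan, and Exif/XMP (APP1), IPTC (APP13) and comment (COM) segments can simply be dropped while the image data is copied unchanged. The tiny JPEG below is constructed for the demo; PNG and HEIC store metadata differently and are not handled.

```python
import struct

SOS = 0xDA                                  # start of scan: image data follows, no more metadata
METADATA_MARKERS = {0xE1, 0xED, 0xFE}       # APP1 (Exif/XMP), APP13 (IPTC/Photoshop), COM


def iter_segments(data: bytes):
    """Yield (marker, start, end) for every marker segment up to and including the scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)    # entropy-coded data runs to EOI at the end
            return
        if 0xD0 <= marker <= 0xD9:          # RSTn/SOI/EOI carry no length field
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("no SOS segment found")


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy without Exif/XMP/IPTC/comment segments; pixels and JFIF/DQT/SOF stay intact."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def jpeg_markers(data: bytes) -> list:
    """Marker list up to the scan, handy for a before/after comparison."""
    return [marker for marker, _, _ in iter_segments(data)]


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: JFIF header, an Exif APP1 block with a fake GPS tag, a DQT, then the scan.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS 52.52N 13.40E")
               + _segment(0xDB, bytes(65))
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")
```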
Do you take the time to read the privacy policies of new apps and services you register with? Do you care who your data is shared with and what happens to it?
Do you use email? Then you should definitely think about encryption such as GPG/OpenPGP.
Did you know that in Germany, for example, many email providers are considered telecommunications services? This means that authorities can request your inventory (subscriber) data and emails. But even without official surveillance, emails are exposed to many dangers. An email passes through many nodes on its way to a mailbox and can be read at numerous points. In addition, numerous freemail services such as GMX.de or WEB.de probably use the content of your emails to show you targeted advertising.
It is important to delete accounts that you no longer need. Take the time to do this once a year, regardless of whether you needed them for a website or an app. If you haven't used them for a while, you should close them. This minimizes the risk of data leaks.
Personal data is leaked from websites, portals and online stores every day. Those affected are rarely informed. The data is sold, traded or is often freely accessible.
On the website haveibeenpwned.com you can quickly and easily find out whether your email address appears in data leaks. You can also create an account there and be notified automatically when new findings are made.
You should check the authenticity of emails, chat messages and text messages, especially if they ask or request you to take an action. For example, if you are asked to enter your personal details or password.
You should also thoroughly check the request to transfer money. You can do this by contacting the person or company in a separate way. For example, simply give them a call. This way you can make sure that the message is genuine. Be skeptical if you are told that a call is not possible. The type of scam described here is also known as phishing. Real-looking messages are sent to certain people in the form of emails, text messages or chat messages in order to steal login details or bank details, for example. Perpetrators sometimes try to enrich their messages with real information about the target person to make them appear more genuine. This data can come from data leaks from various platforms. It also happens that supposedly trustworthy accounts of friends or family are misused to persuade you to take action. In important matters, always contact the people or companies again via a different channel!