Improving security for mobile devices: CISA issues guides

The Cybersecurity and Infrastructure Security Agency (CISA) has released two actionable Capacity Enhancement Guides (CEGs) to help users and organizations improve mobile device cybersecurity.


One of the guides is intended for consumers. There are an estimated 294 million smartphone users in the US, which makes them an attractive target market for cybercriminals, especially considering that most of us use these devices every day.

The advice listed for consumers is basic and our regular readers have probably seen most of it before. But it never hurts to repeat good advice and it may certainly help newer visitors.

  • Stay up to date. Make sure that your operating system (OS) and the apps you use are up to date, and enable automatic updating where possible.
  • Use strong authentication. Make sure to use strong passwords or pins to access your devices, and biometrics if possible and when needed. For apps, websites and services use multi-factor authentication (MFA) where possible.
  • App security:
    • Use curated app stores and stay away from apps that are offered through other channels. If they are not good enough for the curated app stores, they are probably not good for you either.
    • Delete unneeded apps. Remove apps that you no longer use, not only to free up resources, but also to diminish the attack surface.
    • Limit the amount of Personally Identifiable Information (PII) that is stored in apps.
    • Grant least privilege access to all apps. Don’t allow the apps more permissions than they absolutely need in order to do what you need them to do, and minimize their access to PII.
    • Review location settings. Only allow an app to access your location when the app is in use.
  • Network communications. Disable the network protocols that you are not using, like Bluetooth, NFC, WiFi, and GPS. And avoid public WiFi unless you can take the necessary security measures. Cybercriminals can use public WiFi networks, which are often unsecured, for attacks.
  • Protection:
    • Install security software on your devices.
    • Use only trusted chargers and cables to avoid juice jacking. A malicious charger or PC can load malware onto smartphones that may circumvent protections and take control of them. A phone infected with malware can also pose a threat to external systems such as personal computers.
    • Enable lost device functions or a similar app. Use auto-wipe settings or apps to remove data after a certain number of failed logins, and enable the option to remotely wipe the device.
  • Phishing protection. Stay alert, don’t click on links or open attachments before verifying their origin and legitimacy.


The guide for organizations does duplicate some of the advice given to consumers, but it has a few extra points that we would like to highlight.

  • Security focused device management. Select devices that meet enterprise requirements with a careful eye on supply chain risks.
  • Use Enterprise Mobility Management solutions (EMM) to manage your corporate-liable, employee-owned, and dedicated devices.
  • Deny access to untrusted devices. Devices are to be considered untrusted if they have not been updated to the latest platform patch level; they are not configured and constantly monitored by EMM to enterprise standards; or they are jailbroken or rooted.
  • App security. Isolate enterprise apps. Use security container technology to isolate enterprise data. Your organization’s EMM should be configured to prevent data exfiltration between enterprise apps and personal apps.
  • Ensure an app vetting strategy is in place for enterprise-developed applications.
  • Restrict OS/app synchronization. Prevent data leakage of sensitive enterprise information by restricting the backing up of enterprise data by OS/app-synchronization.
  • Disable user certificates. User certificates should be considered untrusted because malicious actors can use malware hidden in them to facilitate attacks on devices, such as intercepting communications.
  • Use secure communication apps and protocols. Many network-based attacks allow the attacker to intercept and/or modify data in transit. Configure the EMM to use VPNs between the device and the enterprise network.
  • Protect enterprise systems. Do not allow mobile devices to connect to critical systems. Infected mobile devices can introduce malware to business-critical ancillary systems such as enterprise PCs, servers, or operational technology systems. Instruct users to never connect mobile devices to critical systems via USB or wireless. Also, configure the EMM to disable these capabilities.
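The "deny access to untrusted devices" rule above is the kind of check an EMM evaluates on every access request. The following Python is an added illustration written for this post, not code from CISA or any EMM product; the device record fields, the latest patch levels and the 24-hour check-in window are constructed assumptions.

```python
"""Device posture check modelled on CISA's three 'untrusted device' criteria:
not on the latest patch level, not configured and monitored by EMM, or
jailbroken/rooted. Any one of them is enough to deny access."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the latest platform patch level per OS, as an EMM
# would publish it after each vendor release.
LATEST_PATCH_LEVEL = {"android": "2021-11-01", "ios": "15.1"}


@dataclass
class Device:
    device_id: str
    os_name: str
    patch_level: str            # e.g. "15.1" or "2021-11-01"
    emm_managed: bool           # enrolled and configured by the EMM
    emm_last_checkin_hours: float  # hours since the EMM last polled the device
    jailbroken_or_rooted: bool  # as reported by the EMM agent's integrity check


def _version_tuple(v: str) -> tuple:
    """Compare piecewise as integers so that 15.10 > 15.1 and dates sort correctly."""
    return tuple(int(p) for p in v.replace("-", ".").split("."))


def evaluate(device: Device, max_checkin_hours: float = 24.0) -> Tuple[bool, List[str]]:
    """Return (trusted, reasons). An empty reason list means access may be granted."""
    reasons: List[str] = []
    latest = LATEST_PATCH_LEVEL.get(device.os_name)
    # An OS the fleet policy does not know about is treated as unpatched (fail closed).
    if latest is None or _version_tuple(device.patch_level) < _version_tuple(latest):
        reasons.append("not on latest platform patch level")
    if not device.emm_managed:
        reasons.append("not managed by EMM")
    elif device.emm_last_checkin_hours > max_checkin_hours:
        # Enrolled but silent: 'constantly monitored' no longer holds.
        reasons.append("EMM monitoring stale")
    if device.jailbroken_or_rooted:
        reasons.append("jailbroken or rooted")
    return (not reasons, reasons)


def denied_devices(fleet: List[Device]) -> Dict[str, List[str]]:
    """Map each device that fails the posture check to the reasons it failed."""
    result: Dict[str, List[str]] = {}
    for d in fleet:
        trusted, reasons = evaluate(d)
        if not trusted:
            result[d.device_id] = reasons
    return result
```

The check fails closed: a device running an OS the policy table does not list, or one whose EMM agent has gone quiet, is denied rather than waved through.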

While you may not feel the need to apply all the advice listed above, it is good to at least know about it and consider whether it fits into the security posture that matches your infrastructure and threat model.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.