A couple months ago I went for an afternoon stroll with my girlfriend and her old man, when we happened across a very expensive phone with a book-style cover containing driver’s license, debit cards, membership cards, etc. With just the information provided by the phone’s lock screen, we were able to quickly track down the owner and return the phone before our walk was over. However, anyone with malicious intent could’ve used that same data to gain access to this person’s entire online presence, and potentially even their bank account.
Based on my own experiences viewing how people around me use their phones, as well as the many used phones I’ve had to process at work, I noticed many of us tend to make the same security oversights this person did. So here’s a guide with a few things you can do to prepare your phone in case of loss.
Being an Android user myself, this guide will explicitly use Android/Google terminology in some cases, though it can certainly be applied to the iPhone as well.
This probably goes without saying, but yeah, lock your phone. Not all locks are created equal, but any lock is better than none at all. The most secure method is to create a password with a minimum length of 10 characters, consisting of uppercase letters, lowercase letters, numbers, and special characters. Of course, most of us don’t want to type in such a long and complex password just to reply to a text, so it’s best used as a backup to biometric authentication. Just go with whatever method you’re most comfortable with and works best in your situation. If you’re the type of person who falls asleep in public places with your phone in your hand, then fingerprint scanning probably isn’t for you.
While fingerprint authentication has its faults, like the scenario described above, it’s still far more secure than Google’s “Smart Lock” offerings. Face recognition is getting better but can still be fooled with a picture. Consider using iris scanning instead if you like this method. GPS-based smart lock is notoriously buggy and has far too large a range to provide any real protection. Keeping your phone unlocked while paired with a Bluetooth device isn’t very secure when on the go, but it’s at least a safer alternative to GPS when at home. All in all though, avoid these if you can.
As a result of the many ways to lock one’s phone, the traditional SIM PIN is often neglected. Case in point, when my girlfriend got a new phone, she popped in her SIM, typed in the default 4-digit code, and never bothered with it again.
Since that PIN code is widely known to be the default for her provider, anyone who finds her phone could use that SIM, receive her texts, and likely access the majority of her accounts just like that, accounts which were all displayed right there on the lock screen. In fact, as she didn’t hide her texts, all her two-factor authentication and password reset codes would be displayed on the lock screen as well, without the need to remove the SIM card.
In its default state, your Android phone is likely to publish all of your notifications’ content right to your lock screen, no passcode required. Texts, emails, your email address, WhatsApp messages, it’s all there for everyone to see.
Notification privacy can be set up on a per-app basis, but I personally suggest using it across all apps. You’ll still get all your notifications, but you won’t be able to see their contents without unlocking the phone. It’s a minor inconvenience that makes a world of difference.
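As an added check, not part of the original post: a small Python audit that reads the output of `adb shell settings list secure` (the sample dump below is constructed, not from a real device) and reports whether notification content would be visible on the lock screen, using the two Settings.Secure keys Android stores those toggles under. A missing key is treated as the stock default, which shows content.

```python
"""Audit an Android 'settings list secure' dump for lock screen notification leakage."""

# Settings.Secure keys behind the "show notifications" / "show sensitive content" toggles
SHOW_KEY = "lock_screen_show_notifications"
PRIVATE_KEY = "lock_screen_allow_private_notifications"

# Constructed sample of `adb shell settings list secure` output (not a real device dump)
SAMPLE_DUMP = """\
android_id=0123456789abcdef
lock_screen_show_notifications=1
lock_screen_allow_private_notifications=1
lock_screen_allow_remote_input=1
"""


def parse_settings(dump: str) -> dict:
    """Turn key=value lines into a dict; values may themselves contain '='."""
    settings = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def notification_exposure(settings: dict) -> str:
    """Classify what a person holding the locked phone can read.

    'none'     - no notifications appear on the lock screen at all
    'redacted' - notifications appear, but their content is hidden until unlock
    'exposed'  - full notification content is readable without unlocking
    Missing keys fall back to '1', the stock default that exposes content.
    """
    if settings.get(SHOW_KEY, "1") == "0":
        return "none"
    if settings.get(PRIVATE_KEY, "1") == "0":
        return "redacted"
    return "exposed"


def audit(dump: str) -> str:
    """One-line finding for the dump; 'redacted' is the setting the post recommends."""
    state = notification_exposure(parse_settings(dump))
    advice = {
        "exposed": "hide sensitive content on the lock screen",
        "redacted": "ok: content hidden until unlock",
        "none": "ok: nothing shown on the lock screen",
    }
    return f"{state}: {advice[state]}"


if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))  # the constructed sample shows full content -> "exposed"
```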
For a while I’d been using my phone’s default notification bar shortcuts, until one day I realized they were all usable without unlocking the phone. That includes turning off GPS and data, thus cutting off my ability to find and wipe the phone remotely using Find My Device. Of course, this can also be accomplished by simply turning off the phone and/or removing the SIM card, but if a person has malicious intent, that might not be in their best interest as it could render the lock screen inaccessible, and also activate the SIM PIN.
You’ll want people to have as little access to your phone’s functions as possible. Even the camera, which is typically usable without unlocking the phone, has been a liability in the past and caused lock screens to crash. One way to keep others from accessing the camera from the lock screen is to simply install a secondary camera app. You will then be prompted to choose your preferred app, which also activates the screen lock.
Phones with SD card support will typically offer two different modes: internal and external storage. When an SD card is formatted as internal storage, it’s encrypted and made readable only by that specific phone. If you format the SD card as external storage, all your photos, and whatever other sensitive data might reside on there, can be read by any other device that can read SD cards.
Most phones come pre-encrypted these days, so this isn’t something you’ll likely have to worry about. If yours isn’t, consider encrypting it, but keep in mind the process could take an hour.
With your phone encrypted, you will now also have the option to use Secure Startup, which requires a passcode to boot up Android. The concept is the same as the above: without unlocking the phone, you can be certain no one else will be able to read your data.
If somehow you neglected to activate it during the initial setup of your phone, be sure to do so now. Find My Device will allow you to view your phone’s GPS location, ring it, leave a message, and even put up a call-back button. If all else fails, you can wipe your phone remotely when it becomes clear that the new owner has no intention of returning it and you’re not able to track it down yourself.
This is perhaps the easiest and fastest way to get your phone back. Simply leave a permanent message on the lock screen with your contact information. I’ve seen this method used quite often on the phones we get in at work, but people always make the mistake of using their real name and email address. Any information a person has on you can potentially help them gain access to your phone and accounts, or pose as you when attempting social engineering. It’s better to set up a secondary email specifically for this purpose.
While your phone might fall into the hands of a good Samaritan, it’s better to assume it’ll get data-mined and/or sold. So at some point you’re going to have to accept the phone is lost and, if possible, wipe it and render it unusable.
To prepare for this, be sure to back up your user settings to Google, and use a cloud hosting service to back up all your photos and other documents you don’t want to lose. Of course, using cloud storage for sensitive data opens up a whole other can of worms, but that’s a little bit beyond the scope of this guide.
I hope this post was useful to someone. If you require step-by-step instructions on how to perform some of these actions, please leave a comment and I’ll add them in. This guide is a bit of a work in progress and will certainly be updated should anything change in the future.
Just some random guy on the internet occasionally writing about tech, gaming, and whatever else is on his mind.