User Guidance

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

ID: M1011
Version: 1.0
Created: 18 October 2019
Last Modified: 18 October 2019

Techniques Addressed by Mitigation

Domain ID Name Use
Mobile T1427 Attack PC via USB Connection

Advise users to only connect mobile devices to PCs when a justified need exists (e.g., mobile app development and debugging).

Mobile T1616 Call Control

Users should be encouraged to be very careful about which applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.

Mobile T1447 Delete Device Data

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Mobile T1475 Deliver Malicious App via Authorized App Store

Encourage developers to protect their account credentials and enable multi-factor authentication if available. Encourage developers to protect their signing keys.

Mobile T1476 Deliver Malicious App via Other Means

iOS 9 and above require explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store. Users should be encouraged not to agree to installation of applications signed with enterprise distribution keys unless absolutely certain of the source of the application. On Android, the "Unknown Sources" setting must be enabled for users to install apps from sources other than an authorized app store (such as the Google Play Store), so users should be encouraged not to enable that setting.

Mobile T1401 Device Administrator Permissions

Users should be told that it is very rare for an app to request device administrator permissions, and that any requests for the permissions should be scrutinized.

Mobile T1458 Exploit via Charging Station or PC

Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.

Mobile T1541 Foreground Persistence

If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.

Mobile T1581 Geofencing

Users should be advised to closely scrutinize applications that request location permissions, and to deny any permission requests from applications they do not recognize.

Mobile T1417 Input Capture

Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration and accessibility permission requests.

Mobile T1516 Input Injection

Users should be warned against granting access to accessibility features, and advised to carefully scrutinize applications that request this dangerous permission.

Mobile T1478 Install Insecure or Malicious Configuration

Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).

Mobile T1444 Masquerade as Legitimate Application

Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.

Mobile T1470 Obtain Device Cloud Backups

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Mobile T1468 Remotely Track Device Without Authorization

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Mobile T1469 Remotely Wipe Data Without Authorization

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Mobile T1513 Screen Capture

Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required.

Mobile T1451 SIM Card Swap

Users should be instructed to use forms of multifactor authentication not subject to being intercepted by a SIM card swap, where possible. More secure methods include application-based one-time passcodes (such as Google Authenticator), hardware tokens, and biometrics.

Mobile T1582 SMS Control

Users should be encouraged to be very careful about which applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1]

Mobile T1576 Uninstall Malicious Application

Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.

References