Who this is for
This checklist is for people who may be targeted by high-end actors: executives in sensitive sectors, activists, journalists, investigators, security staff, or anyone who has credible reasons to expect targeted phishing, social engineering, or spyware attempts.
If your threat is mainly “random criminals”, the GrapheneOS baseline plus good account hygiene is usually enough. This guide adds extra friction because high-risk users often face more persistent attackers.
Fast wins in 60 minutes
Do these first
- Update OS and all apps. Reboot after updates.
- Reduce apps: uninstall anything you don’t need.
- Review permissions: remove “Always” location, disable mic/cam for non-essential apps.
- Enable strong account MFA (prefer hardware keys or authenticator apps).
- Confirm device storage encryption is enabled (it is on by default on modern phones) and use a strong unlock PIN or passphrase.
Safer daily workflow
High-risk defense is mostly workflow. Attackers love predictable routines: “tap this link”, “open this PDF”, “install this helper app”. A safer workflow reduces those traps.
Workflow patterns that reduce compromise
- Treat unexpected links/attachments as hostile until verified through a second channel.
- Separate identities: use different profiles for risky apps vs sensitive comms.
- Keep browser surface small: one primary browser, no random extensions.
- Prefer app installs from official stores. Avoid “APK from a message”.
- Make updates boring: do a weekly check even if auto-updates are on.
Comms: encryption plus endpoint safety
End-to-end encryption is necessary but not sufficient. If the device is compromised, the attacker can read messages before encryption or after decryption. Your job is to keep the endpoint clean and minimize what apps can access.
Comms hygiene
- Use a trusted messenger, keep it updated, and verify safety numbers where applicable.
- Restrict notification previews on the lock screen for sensitive chats.
- Disable “cloud backups” for messengers unless you understand the encryption model.
- Be careful with “device linking” features and periodically review linked devices.
Travel and high-risk events
Travel often increases exposure: unfamiliar networks, rushed decisions, and higher physical risk. The simplest defense is to reduce what you carry and keep access controlled.
Travel baseline
- Minimize sensitive data on the device before travel. Keep critical data in encrypted storage you control.
- Use separate profiles or a secondary device for high-exposure scenarios when practical.
- Avoid unknown charging ports (use your own charger or a data-blocking adapter).
- Prefer known networks. If you must use public Wi-Fi, keep OS and browser fully patched.
Signals of targeting
High-end attacks may look “normal” to the victim. Still, some patterns matter:
- Highly tailored messages that match your real context (projects, colleagues, travel).
- Repeated pressure to open a file/link quickly, or install a “security update” from a message.
- Account alerts: new logins, MFA fatigue prompts, or device-linking events you did not approve.
Important
Battery drain or crashes alone are not proof of spyware. Use them as “increase caution” signals, not as conclusions.
If you think you are compromised
Response is about minimizing harm and preserving facts. Don’t improvise. Don’t panic.
Response checklist
- Stop sensitive comms on that device. Use a known-clean channel/device for urgent messages.
- Write down a timeline: symptoms, suspicious messages, account alerts, travel, risky actions.
- Change passwords and rotate tokens from a clean device, starting with email and password manager.
- Update the device and review high-risk permissions (Accessibility, admin apps, unknown profiles).
- If stakes are high, engage a trusted incident response team or forensics lab for guidance.
How to measure success
- Fewer apps installed and fewer “always on” permissions.
- Updates applied quickly and consistently.
- Separation: sensitive comms are not mixed with high-risk apps in the same profile.
- A tested backup and account recovery plan.
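One way to make the “fewer always-on permissions” metric above, and the permission review in the response checklist, repeatable: an added example script (not part of this guide) that parses text you save from `adb shell dumpsys package` and the value of `adb shell settings get secure enabled_accessibility_services` on a device with USB debugging temporarily enabled. The sample capture inside is constructed, and the line layout it expects (the `runtime permissions:` blocks of Android 10+ and the colon-separated accessibility service list) is assumed from current Android output, so confirm it against your own device first.

```python
"""Flag high-risk grants in a saved `adb shell dumpsys package` capture.
Added example, not from the guide. Sample text is constructed and the line
layout is assumed from Android 10+ output; confirm it on your own device.
"""
import re

# Permissions the checklist asks you to keep to a minimum.
HIGH_RISK = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "always-on location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}
_PKG = re.compile(r"Package \[([\w.]+)\]")
_GRANT = re.compile(r"(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_high_risk(dumpsys_text):
    """Return {package: [high-risk permissions currently granted]}."""
    findings = {}
    pkg = None
    for line in dumpsys_text.splitlines():
        line = line.strip()
        if m := _PKG.match(line):
            pkg = m.group(1)  # a new per-package section begins
        elif pkg and (m := _GRANT.match(line)):
            if m.group(2) == "true" and m.group(1) in HIGH_RISK:
                findings.setdefault(pkg, []).append(HIGH_RISK[m.group(1)])
    return findings


def accessibility_services(setting_value):
    """Split `settings get secure enabled_accessibility_services` output."""
    value = setting_value.strip()
    return [] if value in ("", "null") else [s for s in value.split(":") if s]


# Constructed sample: weather app with background location, messenger with mic.
SAMPLE_DUMPSYS = """\
  Package [com.example.weather] (1a2b3c):
    runtime permissions:
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
  Package [org.example.messenger] (4d5e6f):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""
SAMPLE_A11Y = "com.example.helper/com.example.helper.OverlayService:"

if __name__ == "__main__":
    print(granted_high_risk(SAMPLE_DUMPSYS), accessibility_services(SAMPLE_A11Y))
```

Every package and service it lists is a review item, not a verdict: a messenger legitimately holds the microphone, while an accessibility service you do not recognise deserves attention. Turn USB debugging back off once the capture is saved.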
Scope note
This guide focuses on defensive hardening and incident readiness. Guidance about hiding wrongdoing, destroying evidence, or evading lawful investigation is intentionally not provided.