MOBSEC Kit Checklist (Android)

Initial set-up and configuration:

  • Apply all software updates from a trusted network (office, etc.)
  • Back-up all data to on offline storage device (spare SD card, USB drive, etc.)
  • Turn on phone encryption (including SD card) and establish access PIN
  • Turn off Bluetooth, NFC, Location services, build habit of turning on as needed
  • Set USB Connectivity to Charge Only
  • Uninstall or Disable and turn off mobile-data on all non-critical apps
  • Don't use personal pictures as background or screen savers
  • Sanitize Owner Info on screen lock
  • Ensure that "install applications from unknown sources" is disabled
  • Disable voice search and voice typing ("OK Google" et al).
  • Uninstall Facebook applications and others (use website via browser)
  • Turn off spell checker, voice typing, fast-fill, alt keyboards
  • Disable auto-complete, pre-load, and suggested search in browser
  • Disable print services
  • Install, configure the following applications:
  • OpenKeychain: Easy PGP
    • Establish a PGP key for your phone in OpenKeyChain, upload public key.
    • Install PGP software on your home/office laptop/desktop. Create, upload key.
    • Download public key for home/office to OpenKeyChain.
    • Test encrypting a file on phone and decrypting on home/office machine.
  • Maps.ME
    • If have SD card, configure to use SD storage
    • Download commonly used countries and regions for offline use (if have SD card, do whole world aprox 32GB)
  • Google Translate
    • If have SD card, configure to use SD storage
    • Download commonly used languages for offline use (if SD card, download all available)
  • Microsoft Translator
    • If have SD card, configure to use SD storage
    • Download commonly used languages for offline use (if SD card, download all available)
  • Google Authenticator
    • Install on a secondary device that is left in secure storage
    • Enable MFT (two-factor auth) on all critical accounts where able. Record key on both devices.
  • Simple File Manager
  • Termux Linux CLI
    • Initialize storage by starting it and typing "termux-setup-storage" at command line
    • Update system by typing "apt update && apt upgrade" at command line
  • NetGuard Firewall
    • Purchase in-app NetGuard Pro feature "View blocked traffic log"
    • Configure NetGuard to "Show user apps" and "Show system apps"
    • Individually block both wifi and mobile data for ALL apps.
    • Then deselect the critical constant use apps.
    • Build habit of enabling other apps data access as needed.

Your phone should now be configured to block network traffic for most apps and system utilities, on both wifi and 3G/4G, by default. This will minimize data leakage and many attack vectors. It is also readily used offline for basic navigation and communications in foreign countries, reducing your need to connect to untrusted networks. Reboot your phone and double-check your settings and functionality. The NetGuard firewall should be running after reboot.


Before travel departure:

  • Apply all software updates from a trusted network (office, etc.).
  • Back-up all data to on offline storage device (spare SD card, USB drive, etc.)
  • Change all passwords on accounts from alternate terminal (laptop, desktop, etc.)
  • Purge any unneeded applications, data, or accounts from device
  • Evaluate risk vs. needs of trip (environment, duration, operational needs, etc.)
  • If needs allow, set-up secondary device for travel use with cut-out accounts
  • Download maps, languages, and pre-brief materials for destination
  • Lock down additional configuration options
    • disable wifi, mobile data, auto-time, google back-ups, purge SIM, etc.

Operational use:

  • Ideally use a burner, or alternate phone with local SIM for daily needs.
    • ! Use primary device offline as lookup/reference device.
  • Keep wifi disabled.
    • ! If wifi is needed, lockdown all traffic in NetGuard except single app.
  • If need to move data from trusted device to other devices, use HW write protect USB drive.
    • ! Enable HW write protect switch before inserting into untrusted systems.
  • When need to go dark or when devices are powered off, store in RF shield sack.
  • Never plug trusted device into external USB sources, for power or data transfer.
    • ! Use charging data blocker, vendor charger, provided battery pack, or USB drive.