The phone sitting on your desk right now is, in all likelihood, sharing your location with a fitness app you opened twice in February, sending microphone access to a game you forgot you downloaded, and quietly refreshing a shopping application in the background while your screen is dark. None of that requires a hacker. You gave permission for all of it.
The Cybersecurity and Infrastructure Security Agency — the federal body responsible for protecting America’s digital infrastructure — has updated its mobile communications guidance twice in the past seven months, each revision sharpened by an escalating string of breaches. The most recent, issued in response to the Salt Typhoon intrusion campaign that penetrated at least eight U.S. telecommunications companies and gave foreign operatives access to call records and live communications, was blunt about one thing: default phone settings are not designed with your privacy in mind. They are designed for convenience, and convenience, in most cases, means more data flowing to more places.
“Highly targeted individuals should assume that all communications between mobile devices — including government and personal devices — and internet services are at risk of interception or manipulation,” CISA said in its guidance. The agency adds that while those recommendations were initially aimed at high-risk targets — government officials, journalists, executives — they apply to every user. The underlying vulnerabilities are not selective.
The settings that matter most are not buried. They are, in most cases, two or three taps from the home screen. The problem is that most people have never looked.
Location access is the most abused permission on both platforms. On both iOS and Android, applications frequently request “Always” location access — meaning continuous background tracking even when the app is closed. Weather applications, food delivery services, and retail apps with loyalty programs are among the most aggressive requesters. A weather app needs a city, not a GPS coordinate updated every fifteen minutes. On an iPhone, navigate to Settings, then Privacy and Security, then Location Services. On Android, go to Settings, then Location, then App Permissions. For any application where the access level reads “Always,” change it to “While Using the App” unless continuous background access is genuinely necessary — navigation and emergency services are the clearest exceptions. For apps you cannot remember installing in the last year, revoke location access entirely.
Microphone and camera permissions deserve the same audit. Both Android and iOS now include privacy dashboards that log when an application accessed the microphone or camera, and for how long. On iOS, that dashboard lives under Settings, then Privacy and Security, then App Privacy Report. On Android 12 and later, open Settings, then Privacy, then Privacy Dashboard. A dictionary application that accessed your microphone six times last week has no legitimate reason for that access. Remove it. CISA’s guidance is specific on this point: every permission granted to an application is a potential attack surface if that application is later compromised, sold to a third party, or updated with new data-collection terms buried in a policy nobody reads.
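The same audit of “Always” location, microphone and camera grants can be run from a laptop against a connected Android phone with the adb tool. The script below is an added example, not from the article or from CISA: it parses the output of `adb shell dumpsys package`, where the “Always” setting shows up as the granted runtime permission ACCESS_BACKGROUND_LOCATION, and prints a `pm revoke` command for each finding. The package names and the dump text are constructed.

```python
"""Audit which Android packages hold 'Always' location, microphone and camera
permissions by parsing `adb shell dumpsys package` output.
Added example, not from the article; package names below are constructed."""
import re

# ACCESS_BACKGROUND_LOCATION is what the "Always" location setting grants;
# RECORD_AUDIO and CAMERA are what the privacy dashboards log.
SENSITIVE = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location: Always",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def audit(dumpsys_text):
    """Return {package: [sensitive permissions currently granted]}."""
    findings, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        if current and m and m.group(2) == "true" and m.group(1) in SENSITIVE:
            findings.setdefault(current, []).append(m.group(1))
    return findings

def revoke_commands(findings):
    """One `pm revoke` per finding: runtime permissions can be revoked from
    adb without walking the Settings menus for each app."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(findings.items()) for perm in perms]

# Constructed sample in the real dumpsys layout: a weather app holding
# background location and a dictionary app holding the microphone.
SAMPLE = """\
  Package [com.example.weather] (1a2b3c):
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.dictionary] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""
print("\n".join(revoke_commands(audit(SAMPLE))))
```

To run it against a real phone, save `adb shell dumpsys package > dump.txt` and pass the file's contents to `audit()`; review each suggested revoke before running it, since navigation apps legitimately need background location.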
The risks are not theoretical. According to research cited by Security Magazine, apps can legally harvest far more data than their core function requires, package it into behavioral profiles, and sell those profiles to data brokers — companies that aggregate and resell personal information with minimal regulatory friction. A fitness app that knows your location, your daily movement patterns, and your sleep schedule is not just a fitness app. It is a data product. Revoking permissions does not delete what has already been collected, but it stops the accumulation.
Background App Refresh is a permission most users have never considered. When enabled, it allows applications to connect to corporate servers, update data, and track usage patterns while the phone is locked and the screen is off. Disabling it for low-priority applications does not prevent them from functioning — it only stops them from running when you are not looking. On an iPhone, that toggle is under Settings, then General, then Background App Refresh. On Android, the equivalent is Battery, then Background Usage Limits, or App Info for individual applications. Security researchers at BGR note that the setting is particularly significant for apps that do not need real-time updates — social media, shopping, games — but leave it enabled because users never turned it off during setup.
Ad tracking and personalization settings are a separate category entirely. Apple introduced App Tracking Transparency in iOS 14.5, requiring applications to ask permission before tracking activity across third-party apps and websites. Many users tapped “Allow” during app setup without reading the prompt. To review those choices, go to Settings, then Privacy and Security, then Tracking, and disable “Allow Apps to Request to Track.” Google’s equivalent on Android lives under Settings, then Privacy, then Ads, where users can opt out of ad personalization and request an ad ID reset. Neither setting eliminates advertising. Both significantly reduce the volume of behavioral data available to ad networks that operate across dozens or hundreds of apps simultaneously.
Two-factor authentication and SMS vulnerabilities are the most underappreciated exposure. Most people treat SMS-based two-factor authentication — the six-digit code texted to your phone — as a meaningful security layer. CISA disagrees. SIM-swap attacks, in which a fraudster convinces a mobile carrier to transfer your number to a device they control, allow an attacker to receive every SMS code sent to your number, bypassing two-factor authentication on banking, email, and social accounts simultaneously. CISA explicitly recommends moving away from SMS-based authentication toward authenticator apps like Google Authenticator or hardware security keys for any account where the consequences of compromise are significant. The agency also urges users to audit the “linked devices” section in messaging applications — a feature that allows accounts to run on multiple devices and which attackers have been documented exploiting after gaining initial access to an account.
Eastern Herald previously reported on the FBI’s ability to recover deleted Signal messages from iPhones, a disclosure that underscored how little separation exists between the physical device in a user’s hand and the data assumed to be gone from it. That case turned on device access, not network interception — a reminder that encryption in transit offers no protection against an unlocked phone, or one whose backup settings push messages to an unencrypted cloud account.
Android users face an additional exposure point specific to their platform. Modern cellular networks occasionally downgrade connections to obsolete 2G standards, which use weak encryption that can be intercepted using commercially available hardware sometimes called Stingray devices. Android phones manufactured after 2021 include a toggle to disable 2G connectivity entirely. It is found under Settings, then Network and Internet, then SIMs, then Allow 2G — and the protection is off by default on most carrier-distributed phones, meaning 2G stays allowed until the user turns the toggle off. Turning it off prevents the downgrade attack. CISA flagged this vulnerability in its updated guidance as a risk that is both real and simple to close.
The deeper difficulty is that privacy settings are not static. Application updates frequently reset permissions to their most expansive defaults. New apps added to an existing phone arrive with whatever permissions the user grants during installation, often in a sequence designed to make approval the path of least resistance. The review process is not a one-time task. It is a practice — something closer to checking a door lock than installing one. CISA’s own language reflects this: the agency frames mobile security less as a configuration problem and more as a behavior problem, one that defaults and convenience have, over years, systematically made worse.
Whether the phone belongs to a federal official or to someone who has simply never thought about what their flashlight app is doing at 3 a.m., the distance between the current configuration and a materially safer one is, in most cases, less than ten minutes. What is not clear is how many people will take those ten minutes before the next breach makes the question more urgent than theoretical.