I recent reviewed an article about US Customs requiring a NASA employee to unlock their phone and taking a data dump of the device.
This was of great concern to a law firm client of mine. I drafted the following guidance:
I reviewed the article, that is concerning that they force individuals to unlock the phone, as that’s always been the best defense in the past and is the means in which the device is encrypted.
The only way around this I see is to delete your mail accounts (under settings) from your phone before you travel abroad, then re-add the account once you make it through any big-brother-inspired checkpoints, and do the same procedure again before and after you go through any checkpoints. This assumes there is not a ton of meta-data or left behind data from email accounts that are deleted, but even if there is, deleting the account would likely raise the bar in terms of efforts by big brother to get the email from a potential data dump they may take of the device.
It may also be helpful to adjust the setting in terms of how much email is kept on the device. Two weeks is generally the default setting, I would leave it at two weeks or one month rather than a longer time period. This at least limits the amount of data available for compromise.
As far as other applications, it really varies by individual if they install apps on the phone where they keep important data. I generally don’t have any important data in apps that I can think of. All my important data is in the email accounts on the phone (contacts, calendar, inbox). I would unselect holding contacts/calendar/etc in iCloud on the phone as well.
I’d like to hope a data dump of a phone does not contain cached logon credentials for online banking etc, I would imagine phones would be designed so that information is encrypted in the data dump.
As a general rule, iPhone is better designed and more secure in virtually every scenario than Android is.
On a side note, I think it would be good to enforce a policy firm wide to require 6 digit unlock on phones, this increases the encryption strength exponentially and helps prevent access if phones are stolen or hacked. People can still use the thumbprint unlock so they aren’t necessarily having to type in 6 digits, but the underlying pin is 6 digits long. We can generally enforce this from the server side. I think next steps would be to put some written and server-enforced policies in place to help.
Note: these strategies may increase your security but do not completely protect you in these unprecedented situations.