OPSEC Tutorial #1: Device Security Basics — Securing Your Phone and Computer
Series: Operational Security (OPSEC) Fundamentals
Author: Vivaed
Published: March 27, 2026
Category: Education / Security
Introduction
Your phone and computer contain more sensitive information than ever before—messages, photos, financial data, location history, and access to your online accounts. Securing these devices is not just for security experts; it is a fundamental skill for anyone who values their privacy and safety.
This tutorial covers practical, actionable steps to secure your mobile devices and computers. We reference guidance from the Electronic Frontier Foundation (EFF), official platform documentation, and leading security researchers. All recommendations prioritize free, accessible tools.
Legal Disclaimer: This guide is for educational and protective purposes only. Use these techniques responsibly and in compliance with all applicable laws. Security measures should protect your rights, not facilitate harmful activities.
Part 1: Phone Security (iOS and Android)
Lock Screen & Authentication
What to do:
| Action | iOS | Android |
|---|---|---|
| Passcode | Settings → Face ID & Passcode → Turn Passcode On (use 6+ digits or alphanumeric) | Settings → Security → Screen lock → PIN/Password (6+ digits) |
| Biometrics | Enable Face ID or Touch ID as secondary auth | Enable Fingerprint or Face Unlock |
| Auto-lock | Set to 30 seconds or 1 minute | Set to 1 minute or less |
| Lock screen notifications | Disable sensitive content preview | Hide sensitive content on lock screen |
Why it matters: A strong passcode is your first line of defense. The EFF notes that law enforcement can often legally compel a biometric unlock (via court orders), while passcodes have stronger constitutional protection in many jurisdictions.
Checklist:
- 6+ digit PIN or alphanumeric password (avoid 123456, 000000, birth years)
- Biometrics enabled for convenience (but understand legal implications)
- Auto-lock set to 1 minute or less
- Lock screen notifications hide message content
- “Erase data after 10 failed attempts” enabled (iOS)
Encryption
Good news: Modern phones encrypt by default when you set a passcode.
| Platform | Status | Verification |
|---|---|---|
| iOS | Enabled automatically with passcode (iOS 8+) | Settings → Privacy & Security → Data Protection |
| Android | Enabled by default (Android 10+) | Settings → Security → Encryption |
Checklist:
- Passcode is set (this enables encryption)
- Phone is running recent OS version (iOS 15+ or Android 10+)
- Backup encryption enabled (iCloud/Google One with 2FA)
App Permissions
What to review:
- Location Access
  - iOS: Settings → Privacy & Security → Location Services
  - Android: Settings → Privacy → Permission manager → Location
  - Set apps to “While Using” instead of “Always” where possible. Remove location access from apps that do not need it (games, calculators, etc.).
- Camera & Microphone
  - iOS: Settings → Privacy & Security → Camera/Microphone
  - Android: Settings → Privacy → Permission manager
  - Review which apps have access. Disable for apps that do not require it.
- Contacts, Photos, Files
  - Grant access only to apps that genuinely need it
  - Use “Selected Photos” instead of “All Photos” when available (iOS 14+)
- Tracking
  - iOS: Settings → Privacy & Security → Tracking → Disable “Allow Apps to Request to Track”
  - Android: Settings → Privacy → Ads → Delete advertising ID / Opt out of ads personalization
Checklist:
- Location set to “While Using” for most apps
- Camera/mic access reviewed and restricted
- App tracking disabled (iOS) or ad ID reset (Android)
- Unused apps deleted
App Installation Best Practices
- Only install from official stores: App Store (iOS) or Google Play (Android)
- Check app permissions before installing: Does a flashlight app need your contacts?
- Read recent reviews: Look for security or privacy complaints
- Keep apps updated: Enable automatic updates
- Avoid sideloading: Do not install APKs from unknown sources unless absolutely necessary
Part 2: Computer Security (Windows, Mac, Linux)
Full Disk Encryption
Why: If your device is lost or stolen, encryption prevents attackers from accessing your data.
| OS | Tool | How to Enable |
|---|---|---|
| Windows | BitLocker (Pro/Enterprise) or Device Encryption (Home) | Settings → Privacy & Security → Device Encryption → On |
| Mac | FileVault | System Settings → Privacy & Security → FileVault → Turn On |
| Linux | LUKS (during install) or fscrypt | Best enabled during OS installation |
Critical: Save your recovery key in a secure location (password manager, printed copy in safe). If you lose it, your data is unrecoverable.
Checklist:
- Full disk encryption enabled
- Recovery key backed up securely
- Encryption status verified (may take hours to complete initially)
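To check the “Encryption status verified” item on Linux, this added example (not part of the original tutorial) follows `lsblk` parent links from a mount point and reports whether a dm-crypt (`crypt`) layer sits underneath it. The device layout in `SAMPLE_LSBLK` is constructed and the helper name `mount_is_encrypted` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: is a mount point backed by a LUKS/dm-crypt layer?
# Input format: output of `lsblk -Pno KNAME,PKNAME,TYPE,MOUNTPOINT`.

# Constructed sample: / and swap on LVM inside LUKS, /boot left unencrypted.
SAMPLE_LSBLK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"'

# mount_is_encrypted <mountpoint> <lsblk-pairs-text>   (hypothetical helper)
# Prints encrypted | plaintext | unknown; exit status 0 only for "encrypted".
mount_is_encrypted() {
  printf '%s\n' "$2" | awk -v target="$1" '
    # Extract the value of KEY="value" from one lsblk --pairs line.
    function field(line, key,   s) {
      if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr(line, RSTART, RLENGTH)
      sub(/^ /, "", s)
      return substr(s, length(key) + 3, length(s) - length(key) - 3)
    }
    {
      k = field($0, "KNAME")
      parent[k] = field($0, "PKNAME")
      dtype[k] = field($0, "TYPE")
      if (field($0, "MOUNTPOINT") == target) start = k
    }
    END {
      if (start == "") { print "unknown"; exit 2 }
      # Walk towards the physical disk; any crypt layer on the way counts.
      for (dev = start; dev != ""; dev = parent[dev])
        if (dtype[dev] == "crypt") { print "encrypted"; exit 0 }
      print "plaintext"; exit 1
    }'
}

# Demo on the constructed sample. Live use:
#   mount_is_encrypted / "$(lsblk -Pno KNAME,PKNAME,TYPE,MOUNTPOINT)"
for mp in / /boot '[SWAP]'; do
  printf '%s -> %s\n' "$mp" "$(mount_is_encrypted "$mp" "$SAMPLE_LSBLK")"
done
```

In the sample, `/boot` reports `plaintext` even though `/` is encrypted, which is the usual layout for a LUKS install and worth knowing before storing anything there. The Windows and macOS status checks are `manage-bde -status` and `fdesetup status`.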
User Accounts
Best practices:
- Use a standard account for daily use (not administrator)
  - Windows: Settings → Accounts → Family & other users → Add account
  - Mac: System Settings → Users & Groups → Add account (set as “Standard”)
  - Linux: Create non-root user during installation
- Enable a strong administrator password
  - Use 12+ characters with mixed case, numbers, symbols
  - Never use the same password across multiple accounts
- Disable or password-protect guest accounts
Checklist:
- Daily account is “Standard” not “Administrator”
- Admin password is strong and unique
- Guest accounts disabled or secured
- Automatic login disabled
System Updates
Keep your OS and software current:
| OS | How to Enable Automatic Updates |
|---|---|
| Windows | Settings → Windows Update → Advanced → Automatic (recommended) |
| Mac | System Settings → General → Software Update → Automatic Updates |
| Linux | Enable unattended-upgrades (Debian/Ubuntu): sudo apt install unattended-upgrades |
Also update:
- Web browsers (Chrome, Firefox, Safari, Edge)
- Productivity software (Office, LibreOffice)
- Security software
Checklist:
- Automatic OS updates enabled
- Browser set to auto-update
- Critical software updates applied within 7 days of release
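For the Debian/Ubuntu row above, installing the package is not the whole check: the periodic job refreshes package lists and applies upgrades only when the two `APT::Periodic` settings tested here are non-zero. This is an added example, not part of the original tutorial; the sample configuration is constructed and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: will APT's periodic job actually run unattended-upgrades?
# Input: APT configuration text in the format printed by `apt-config dump`.

# Constructed sample: package lists refresh daily, but the upgrade step is off.
SAMPLE_APT_CONF='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

# apt_periodic_value <key> <config-text>   (hypothetical helper)
# Prints the last value set for APT::Periodic::<key>, or "0" if never set.
apt_periodic_value() {
  printf '%s\n' "$2" | awk -v key="APT::Periodic::$1" '
    BEGIN { val = "0" }
    /^[ \t]*\/\// { next }          # skip // comment lines
    $1 == key {
      v = $2
      gsub(/[";]/, "", v)           # strip quotes and the trailing semicolon
      if (v == "") v = "0"          # an empty value counts as disabled
      val = v                       # later settings override earlier ones
    }
    END { print val }'
}

# auto_updates_enabled <config-text>   (hypothetical helper)
# Succeeds only when list refresh and upgrade both have a non-zero interval.
auto_updates_enabled() {
  au_lists=$(apt_periodic_value Update-Package-Lists "$1")
  au_upgrade=$(apt_periodic_value Unattended-Upgrade "$1")
  [ "$au_lists" != "0" ] && [ "$au_upgrade" != "0" ]
}

# Demo on the constructed sample. Live use:
#   auto_updates_enabled "$(apt-config dump)"
if auto_updates_enabled "$SAMPLE_APT_CONF"; then
  echo "automatic updates: enabled"
else
  echo "automatic updates: NOT enabled"
fi
```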
Part 3: Browser Security
Private Browsing
What it does: Prevents local history, cookies, and form data from being saved on your device.
| Browser | Private Mode | Keyboard Shortcut |
|---|---|---|
| Chrome | Incognito | Ctrl+Shift+N (Win/Linux) or Cmd+Shift+N (Mac) |
| Firefox | Private Window | Ctrl+Shift+P (Win/Linux) or Cmd+Shift+P (Mac) |
| Safari | Private Browsing | Cmd+Shift+N (Mac) |
| Edge | InPrivate | Ctrl+Shift+N (Win) |
Limitations: Private browsing does NOT hide your activity from:
- Your internet service provider (ISP)
- Your employer/school network
- Websites you visit
- Law enforcement with appropriate legal process
Checklist:
- Use private browsing for sensitive searches
- Understand limitations (not anonymous from network observers)
Cookie Management
Recommended settings:
Chrome:
Settings → Privacy and Security → Cookies and other site data
- Select “Block third-party cookies”
- Enable “Clear cookies and site data when you close all windows” (optional)
Firefox:
Settings → Privacy & Security → Enhanced Tracking Protection
- Set to “Strict”
- Enable “Delete cookies and site data when Firefox is closed” (optional)
Safari:
Settings → Privacy
- Enable “Prevent cross-site tracking”
- Enable “Block all cookies” (may break some sites)
Checklist:
- Third-party cookies blocked
- Tracking protection enabled
- Consider auto-clear on close for sensitive use
Tracker Blocking
Free tools:
| Tool | Type | Platforms | Notes |
|---|---|---|---|
| uBlock Origin | Browser extension | Chrome, Firefox, Edge, Safari | Most efficient ad/tracker blocker |
| Privacy Badger | Browser extension | Chrome, Firefox, Edge | EFF’s tracker blocker, learns automatically |
| DuckDuckGo Privacy Essentials | Browser extension + search | All major browsers | Includes tracker blocking + private search |
Installation:
- Visit your browser’s extension store
- Search for “uBlock Origin” (by Raymond Hill)
- Click “Add to Browser”
- No configuration needed—works out of the box
Checklist:
- uBlock Origin installed
- Privacy Badger installed (optional, complementary)
- Extensions kept updated
Part 4: Essential Security Apps and Tools (Free)
Password Managers
Why: Reusing passwords is one of the biggest security risks. A password manager generates and stores unique passwords for every account.
| Tool | Platform | Cost | Notes |
|---|---|---|---|
| Bitwarden | All platforms | Free (premium optional) | Open source, highly recommended |
| KeePassXC | Windows, Mac, Linux | Free, open source | Local storage, no cloud sync |
| Built-in (iCloud Keychain / Google Password Manager) | iOS/Android | Free | Convenient but less portable |
Getting started with Bitwarden:
- Visit bitwarden.com and create a free account
- Install browser extension and mobile app
- Create a strong master password (write it down and store securely)
- Enable two-factor authentication (2FA)
- Start changing your most important passwords (email, banking, social media)
Checklist:
- Password manager installed on all devices
- Master password is strong and memorized
- 2FA enabled on password manager
- Critical accounts updated with unique passwords
Antivirus / Anti-Malware
Windows:
- Microsoft Defender (built-in, free) — Now ranks among top paid solutions in independent tests
- Ensure it is enabled: Settings → Privacy & Security → Windows Security → Virus & threat protection
Mac:
- macOS has built-in protections (Gatekeeper, XProtect)
- For additional protection: Malwarebytes for Mac (free version available)
Linux:
- Generally lower risk, but consider ClamAV for scanning files that may be shared with Windows users
Mobile:
- iOS: No antivirus needed (App Store sandboxing is effective)
- Android: Stick to Google Play Store; avoid “antivirus” apps that are often scams
Checklist:
- Windows Defender enabled and updated (Windows)
- Malwarebytes installed (Mac, optional)
- Avoid shady “antivirus” apps on mobile
Two-Factor Authentication (2FA) Apps
Why: 2FA adds a second verification step beyond your password.
| Tool | Platform | Cost | Notes |
|---|---|---|---|
| Authy | All platforms | Free | Cloud backup, multi-device |
| Google Authenticator | iOS, Android | Free | Simple, widely supported |
| Raivo OTP | iOS | Free, open source | Local storage, iCloud backup optional |
| Aegis Authenticator | Android | Free, open source | Local storage, encrypted backups |
Setup priority:
- Email accounts (primary email is the key to resetting everything else)
- Password manager
- Financial accounts
- Social media
- Cloud storage
Checklist:
- 2FA app installed
- 2FA enabled on email account(s)
- 2FA enabled on password manager
- Backup codes saved securely
VPN (Virtual Private Network)
When to use:
- On public Wi-Fi (cafes, airports, hotels)
- When you want to hide browsing from your ISP
- When traveling in restrictive regions
Free options (with caveats):
- Proton VPN — Free tier with unlimited data, no ads, based in Switzerland
- Windscribe — Free tier with 10GB/month limit
Warning: Avoid “free unlimited VPN” services—they often sell your data. Paid services like Mullvad, IVPN, or Proton VPN have transparent privacy policies.
Checklist:
- VPN installed if you use public Wi-Fi regularly
- Understand that VPN ≠ anonymity (you are still visible to websites)
- Avoid free VPNs with unclear business models
Part 5: What NOT to Do (Common Mistakes)
Password Mistakes
- Do not reuse passwords across multiple accounts
- Do not use personal information (birthdays, pet names, addresses)
- Do not store passwords in plain text (Notes app, spreadsheets, sticky notes)
- Do not share passwords via email, SMS, or messaging apps
Update Mistakes
- Do not ignore update notifications for weeks or months
- Do not disable automatic updates unless you have a specific reason
- Do not use unsupported software (Windows 7, macOS versions older than 3 years)
App & Download Mistakes
- Do not sideload apps from unknown sources (especially on Android)
- Do not click “Install” on pop-up ads claiming your device is infected
- Do not grant admin/root access to apps unless you understand why it is needed
- Do not install browser extensions from unknown developers
Network Mistakes
- Do not use public Wi-Fi without a VPN for sensitive activities (banking, email)
- Do not leave Wi-Fi or Bluetooth on when not in use (tracking risk)
- Do not connect to networks with names like “Free Airport Wi-Fi” without verification
Phishing Mistakes
- Do not click links in unexpected emails or texts, even from known contacts
- Do not enter passwords on pages you reached via email links
- Do not trust caller ID (it can be spoofed)
- Do not rush—scammers create urgency to bypass your judgment
Backup Mistakes
- Do not rely on a single backup (device + cloud is ideal)
- Do not skip encryption on backups containing sensitive data
- Do not forget to test restoration periodically
Part 6: Quick Reference Checklists
Phone Security Checklist
☐ Strong passcode (6+ digits, not obvious patterns)
☐ Biometrics enabled (understand legal implications)
☐ Auto-lock set to 1 minute or less
☐ Full disk encryption verified (enabled by default with passcode)
☐ App permissions reviewed (location, camera, mic, contacts)
☐ App tracking disabled (iOS) or ad ID reset (Android)
☐ Only official app stores used
☐ Automatic updates enabled
☐ Password manager installed
☐ 2FA enabled on critical accounts
☐ VPN installed for public Wi-Fi use
☐ Unused apps deleted
Computer Security Checklist
☐ Full disk encryption enabled (BitLocker/FileVault/LUKS)
☐ Recovery key backed up securely
☐ Standard user account for daily use (not admin)
☐ Strong administrator password
☐ Automatic OS updates enabled
☐ Browser set to auto-update
☐ Third-party cookies blocked
☐ Tracker blocker installed (uBlock Origin)
☐ Antivirus enabled (Windows Defender / Malwarebytes)
☐ Password manager installed
☐ 2FA enabled on critical accounts
☐ Regular backups configured
Browser Security Checklist
☐ Private browsing used for sensitive searches
☐ Third-party cookies blocked
☐ Tracking protection enabled (Strict mode in Firefox)
☐ uBlock Origin installed
☐ Privacy Badger installed (optional)
☐ Passwords not saved in browser (use password manager instead)
☐ Extensions reviewed and minimized
☐ Browser updated to latest version
Part 7: Sources and Further Reading
Credible Sources Referenced
- Electronic Frontier Foundation (EFF) — Surveillance Self-Defense Guide: https://ssd.eff.org/
- EFF Mobile Security Resources: Mobile devices | Electronic Frontier Foundation
- EFF on Mobile Encryption: “Closing the Gap in Encryption on Mobile” (February 2025)
- NIST Cybersecurity Guidelines: Cybersecurity Framework | NIST
- CISA Cybersecurity Tips: https://www.cisa.gov/shield
- Apple Security Documentation: Apple Platform Security - Apple Support
- Google Security Center: https://safety.google/
- Microsoft Security Documentation: Windows security documentation | Microsoft Learn
Recommended Ongoing Education
- EFF Deeplinks Blog: Deeplinks Blog | Electronic Frontier Foundation
- Krebs on Security: https://krebsonsecurity.com/
- The Verge Security Section: https://www.theverge.com/tech/security
- Ars Technica Security: Category: Security - Ars Technica
For Advanced Users
- Security in a Box (Tactical Tech): https://securityinabox.org/
- Freedom of the Press Foundation: https://freedom.press/
- Open Whisper Systems (Signal) Blog: Signal >> Blog
Conclusion
Device security is not a one-time task—it is an ongoing practice. Start with the high-impact items (strong passcode, encryption, password manager, 2FA) and work through the checklists over time.
Remember:
- Security is about risk reduction, not perfection
- Small, consistent improvements compound over time
- Share this knowledge with friends and family
The next tutorial in this series will cover Secure Communications—encrypting your messages, calls, and emails.
This tutorial was created by Vivaed as part of an ongoing OPSEC education series. Content is based on publicly available guidance from security organizations and platform documentation as of March 2026.
Legal Notice: This guide is for educational purposes. Always comply with applicable laws and regulations in your jurisdiction. Security tools should be used to protect your rights and privacy, not to facilitate illegal activities.