Salt Typhoon Exposes Critical Gaps in Mobile Security: CISA Reacts
The Cybersecurity and Infrastructure Security Agency (CISA) recently published detailed mobile security recommendations to protect “highly targeted individuals,” including senior government and political officials, after widespread attacks on U.S. telecommunications networks by Chinese state-sponsored attackers were uncovered.
These attacks, connected to the “Salt Typhoon” hacking group, were subsequently verified by CISA and the FBI and show an espionage effort by the People’s Republic of China (PRC). The intrusions likely allowed information, including customer call records and data relating to requests from U.S. police, to be stolen. In response, CISA’s new guidelines seek to strengthen mobile communication security from both a user and a platform perspective, to help prevent users from being exploited in the future by the same bad actors.
The takeaways
More generally, CISA suggests using phishing-resistant authentication tools, ditching SMS-based MFA, using password managers regularly, and keeping software updated. Another recommended step is using end-to-end encryption (E2EE) for personal messages. CISA points to messaging platforms such as Signal, which deliver cross-platform E2EE (that is, messages cannot be read if they are intercepted).
On iPhone specifically, CISA recommends “Lockdown Mode,” “Turning Off SMS,” “Using Apple iCloud Private Relay,” and “Limiting App Permissions.” Android users should only use phones made by manufacturers with a strong security reputation, set up private DNS configurations, and use Rich Communication Services if enabled for E2EE.
During a media briefing, CISA Executive Assistant Director for Cybersecurity, Jeff Greene, singled out encryption. “Encryption is your ally,” Greene said, pointing to how encryption protects information from the adversary. He stressed that E2EE must be implemented as soon as possible to secure against future attacks.
The Salt Typhoon breach once again illustrates the global nature of cybersecurity challenges. Chinese state hackers have long been blamed for intruding into U.S. critical infrastructure, but the latest telecom breach reflects an ever-advancing aim. CISA’s advice is not just a response to these attacks; it is also guidance against future attacks that could involve the same tactics. Greene spoke of working with allied nations and the private sector to improve international defenses and to prevent attacks from undermining democracy or critical services.
The FBI’s position on encryption has a history of dispute. In the past, the bureau had decried E2EE as allowing crimes to go unnoticed and instead called for “responsible encryption” that lets police in if necessary. Responding to this split, Greene said he couldn’t speak on behalf of the FBI but that CISA still wants to secure communications via E2EE.
This advice comes as more general worries rise about PRC attacks against U.S. critical infrastructure. CISA’s recommendations bring home that not just personal information but also national security more widely is at stake.
Mobile devices have come to be used in campaigns, government projects, and global negotiations, and so are ripe targets for criminals. As pointed out at the briefing, hackers can end up interfering with government processes or strategic decisions. This is why it is so important for high-value users to treat mobile security not as a personal concern but as part of protecting far larger interests.
The bigger campaign picture
Greene saw the Salt Typhoon campaign as part of a trend of espionage rather than a singular episode. A second strand of CISA’s suggestions is to acknowledge that current telecommunications infrastructure is inadequate. While the Salt Typhoon attacks revealed a gap in carrier networks, Greene insisted that end-users also need to be actively engaged.
Federal officials recognize that, until there are systemic changes that improve telecom security, users need to build ingrained security habits. This shift toward individual responsibility for securing communications reflects the increasingly obvious reality that cybersecurity is a shared effort between infrastructure providers and end-users. Long-term strategic planning for such threats is a must, Greene insisted.
Although the recent recommendations address very specific user actions, CISA’s guidelines should be a wake-up call for organizations and all users. Cyberattacks involving mobile devices and carriers will become increasingly complex and even more international in nature, so everyone should take added precautions. Most of these strategies—encryption, for example, and phishing-proof authentication—work against everything from identity theft to corporate espionage, according to cybersecurity experts.
Mobile Security Is the Sum of Its Parts: Devices, networks, and apps
CISA’s recommendations provide invaluable guidance for high-value targets to reduce the risk of cyberattacks, setting a global standard for mobile security. However, these measures primarily focus on devices and user habits, leaving a crucial part of the mobile ecosystem—apps—underprotected.
Mobile apps are at the core of modern communication and productivity, yet they can become prime targets for attackers if developers fail to secure them. Without robust safeguards, apps risk exposing sensitive data or even enabling broader breaches of critical systems.
Verimatrix XTD bridges this critical gap by delivering multi-layered protections that defend apps against advanced threats. By stopping attacks like reverse engineering, repackaging, dynamic modification, and device manipulation, Verimatrix XTD complements and extends CISA’s recommendations, ensuring that mobile security is as comprehensive as the challenges it faces.
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing