Here's what I do with my phone before heading to DEF CON (yes, I don't bother with burners anymore):
1) Make sure it has an Apple logo on the back and is up to date. I'm serious on this one. Too many Android phones don't get updated by the carrier and that's why I'm not a fan. Yes, if you have the latest phone from Google, you are fine. From another manufacturer, very questionable. The sheer number of Android phones which have connected to my open research WiFi networks over the years and exposed some secret is just tragic, from user PINs thanks to a carrier installed warranty app to e-mail passwords thanks to broken Samsung KNOX TLS middling implementations.
2) Shut off all background activity from apps when not on and in front of me: settings -> general -> background app refresh. Slide that one to off for everything.
3) Turn off WiFi and Bluetooth.
4) For added paranoia, put it in airplane mode when not being used.
5) Make sure it doesn't have any information or accounts on it which I'd not like to be made public.
6) Back it up.
7) A quick audit of apps I'll be using at the con to ensure they are reasonably secure on the wire by using working TLS exclusively. Yeah, very few people will ever do this but thankfully 1-6 should be sufficient.
There was also this one for which I had involvement: http://www.falseconnect.com/ which while impacting nearly every major technology vendor was particularly bad for Apple. Pretty much anyone who'd been using a proxy service (which includes some VPN providers like TorGuard) for privacy with iOS or macOS opened themselves up to full compromise of the cryptographic channel. The thing is, Apple recognized it was a big problem and got it patched and that patch distributed to all impacted devices in under 45 days from the first report. A similar flaw I reported to Samsung a few years earlier is still not patched on every Android phone impacted because some carriers didn't push the patch.
What good is the magically secure Apple logo on top, when you actually have a Broadcom doing the work down in the metal? I doubt this was the only existing hole: http://thehackernews.com/2017/07/android-ios-broadcom-hackin... (but Apple updated fastest, I do concede that)
Indeed, the same Broadcom chip used in a bunch of Android phones and to my original point, yes Apple was not only the quickest to patch, but there's a good chance a large number of Android phones will never get a patch.
1) Make sure it has an Apple logo on the back and is up to date. I'm serious on this one. Too many Android phones don't get updated by the carrier and that's why I'm not a fan. Yes, if you have the latest phone from Google, you are fine. From another manufacturer, very questionable. The sheer number of Android phones which have connected to my open research WiFi networks over the years and exposed some secret is just tragic, from user PINs thanks to a carrier installed warranty app to e-mail passwords thanks to broken Samsung KNOX TLS middling implementations.
2) Shut off all background activity from apps when not on and in front of me: settings -> general -> background app refresh. Slide that one to off for everything.
3) Turn off WiFi and Bluetooth.
4) For added paranoia, put it in airplane mode when not being used.
5) Make sure it doesn't have any information or accounts on it which I'd not like to be made public.
6) Back it up.
7) A quick audit of apps I'll be using at the con to ensure they are reasonably secure on the wire by using working TLS exclusively. Yeah, very few people will ever do this but thankfully 1-6 should be sufficient.