You might as well know how to do this, since presumably criminals and terrorists also know just as well. The FBI may one day want to poke their noses into the secrets locked inside your smartphones. How do you keep them out? I’m sure the on-going Apple vs FBI battle may be a cause of concern for some folks.
Perhaps start by not using an iPhone? Oh wait, most Android smartphones are probably worse off in terms of physical security. You see, it is only on new Android smartphones that come with Android 6.0 Marshmallow, and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, that full disk encryption is mandatory.
The latest Nexus smartphones, the 5X and 6P, for example, come with full disk encryption turned on by default. This means that if these smartphones fall into the hands of the wrong people, even with physical access, they would have to deal with storage contents that are encrypted.
The encryption, of course, is only useful if you actually setup a suitably secure unlock method for the lock screen. Swipe, for example, doesn’t count. Pattern unlock is too easy to crack. If you choose PIN, then your PIN much be long enough. Make it 16 digit long. It’s the maximum that Android allows, but it’s also the minimum that I think you should use. Passwords would be best, but again you’ve got to choose a good, proper, strong password for it to be useful.
With a suitably secure unlock method setup, your modern Android smartphone that has full disk encryption and hardware-backed credential storage should be able to protect your data. Of course, I’m also assuming the device is not rooted. Rooted devices by themselves are not bad, but you must understand that apps which are granted superuser access have unlimited access to everything inside your device.
On the iPhone, you must understand that the default 4-digit PIN just doesn’t cut it. It suffices now because iOS builds in timed delays and mandatory data reset after 10 successive passcode failures. I’d suggest you go with far longer PINs or passwords, regardless of how the current Apple vs FBI battle pans out.
I’m assuming, of course, in all cases that the operating system itself doesn’t build in some other backdoor that can defeat the sound security that had been originally designed. Massive software vulnerabilities and other zero-day exploits aside, we trust that the makers did not design secret holes, inadvertently or not, into their operating systems.
Moreover, Android really needs to uncouple the FDE unlock code from the device unlock code once it’s booted. Sure, the more security-minded of us can say that a 16-digit passcode should be used, but it’s highly inconvenient to remember a securely generated random passcode and most users will just fall back to something they can easily remember like a phone number, a combination of familiar birthdates, or something equally convenient. This information can be exploited by various forms of social engineering. There already exist root apps that can change the FDE unlock code to be something different from the regular device unlock code, but this kind of functionality should really be baked into Android properly. That way, a potential attacker would need to overcome a complex passphrase on a cold boot, but an authenticated owner would only have to deal with a relatively simple code plus a fingerprint scan on a regular basis. That’s the kind of asymmetric dynamic we want in our device security.