Android Security for the Average Joe

UPDATE: This article is now very dated, and while there was a lot of good information in this article at the time of its publication, the majority of it is no longer relevant.

For a lot of people, when they think of Android, one of the first thoughts that may come to mind is that Android is insecure. This line of thinking could be attributed to misinformation and F.U.D. (fear, uncertainty and doubt), exacerbated by the media or perhaps by word of mouth. Don't get me wrong, Android has had its share of security vulnerabilities. However, no operating system is 100% secure, and Android, after all, is the most dominant mobile platform in terms of market share and devices in the wild. Because it is the most dominant platform, it is going to be the most targeted for malware.

The point of this article is not to debate the merits of the inherent security of any operating system over the other. Rather, the purpose of this article is to provide step by step instructions for the average Joe (or Jane) to secure their Android device. This guide is geared toward the non-technical or semi-technical user, and it is not designed to protect those wearing tin foil hats from the NSA (good luck with that). Even the new super secure Blackphone is not NSA-proof. However, if you have an Android phone and want to protect it, you'll want to follow the steps in this guide.

Contents

Physical Security

First thing's first, don't misplace your phone, or let it get stolen, or let unauthorized people have access to it. Sounds pretty simple, right? However, accidents do happen, and no matter how careful you try to be, you're not immune to a lost or stolen phone. Some may ask, 'Why is this a big deal? Can't I just get a new phone? I have phone insurance." While yes, you can get a new phone, most people who own a smart phone have a LOT of data on that phone, whether they think they do or not. Chances are, you have contact data (people's names, phone numbers, emails, etc.), GPS data, maybe financial data, and you are probably automatically logged into a number of apps, such as your email client, Google Drive, Facebook, Twitter, etc. If someone steals your phone, and let's say, for example, that you are logged into your email account on the phone, the thief now has access to your email. They can do a number of malicious things with that access, such as send unauthorized emails on your behalf, reset passwords to other accounts, etc. Basically, they could use your lost or stolen phone as a stepping stone to steal your identity.

So what can you do to lessen the blow should you be unfortunate enough to misplace your phone or have it stolen?

The first thing you want to do is make sure that you have a password or at the very least, a PIN on your device. This makes it so that you have to put the password or PIN into the device in order to unlock it. This will stop the casual thief from having complete access to your phone, in theory, because the thief would have to guess your passcode, which could be a number of different combinations. A password is better because it is longer (and therefore harder to crack, especially if you follow good password creation principles). Your password should be a healthy combination of letters and numbers, at least 8 characters long. The longer and more complex the better.

Encryption is another layer of defense that mitigates the risk of a lost or stolen phone. Encrypting the contents of your phone will do two things. It will render the contents of your phone unreadable without the password to decrypt the contents of the phone. This means that if you lose your phone and someone finds it and plugs it into their computer, they cannot read the contents of the device without the encryption password. It will also ensure that if the phone is lost or stolen and remotely wiped, the data will be much more difficult to be forensically recovered. Unfortunately, Android device encryption can be bypassed, but device encryption does at least provide another layer of defense. As a note, beginning with Android 3.0 and above, the encryption key "is protected by AES128 using a key derived from the user password, preventing unauthorized access to stored data without the user device password." What this means to the average user is that you want to make very certain that you use a strong password because the encryption is only as strong as the password to decrypt it.

You can enable device encryption on most Android devices. On the LG G2, you can do it by selecting Security under the Settings menu and then Encrypt Phone. It will be similar on most other modern Android devices. Depending on the size of your phone's storage, encryption could take about one hour. You also have to have the battery charged to about 80% before starting the encryption process. Simply select that you want to encrypt your device, provide your PIN or password, and wait for the process to finish. Some versions of Android (such as KitKat) allow you to encrypt everything, or do a quick encryption on certain parts of the phone. I always opt to encrypt everything.

You also want to ensure that you have enabled remote wipe capabilities for your device. This will allow you to log in from another device and issue a command to remotely erase the contents of a lost or stolen phone - a remote factory reset, if you will. There are third party apps on the Google Play store that can accomplish this, but Google has included a tool called Android Device manager that works wonderfully. As a note, I tend to use Google's apps over third party apps since Android is developed by Google and Google's apps are generally good, but that is just me. Android Device Manager is a free service, and can be accessed from the Security menu within Settings on most Android devices. On the LG G2, for example, simply select System Settings --> Security --> Phone Administrators, and make sure Android Device Manager is selected. Next, open Google Settings from your app drawer, select Android Device Manager, and make sure "Remotely Locate This Device" and "Allow Remote Lock and Erase" are both checked.

Malware Protection

Malware is defined as malicious software "used to disrupt computer operation, gather sensitive information, or gain access to private computer systems". In most cases, malware on Android devices typically comes in the form the Trojan horse. A Trojan horse is a piece of malware that gets installed on your system because it is embedded in or disguised as a different piece of software that the user thinks they are actually installing. For example, let's say that you want to download and install Flappy Bird. Since it is no longer available on Google Play, you Google "Flappy Bird for Android", and you then install one that you find from your search results. However, while that game might look like Flappy Bird, it is really a program that sends premium SMS messages, sends your address book to some remote server controlled by a hacker, and steals your banking login information, all in the background without your knowledge. I realize that this sounds very sensationalist, but because of the more open nature of Android, users can download and install software from any source, not just the Google Play store. While this is great for people who want this functionality and know what they are doing, it is not so good for the average, novice Android user.

What can be done to counter this threat? Fortunately, the risk can be mitigated by doing three things in conjunction with one another. First, open Settings --> Security. Next, make sure "Verify Apps" is checked and make sure "Unknown Source" is unchecked. More often than not, these settings come configured this way from the factory, but it is best to make sure. Next, you can use a reputable antivirus app to give you an extra layer of protection. I use Lookout, which can be found in the Google Play store. It has received generally good reviews, and it does not take up too many system resources. As a quick note, Google is also planning to issue an update through Play Services to enable Verify Apps to constantly scan for malware.

Last but not least, in addition to the things previously mentioned, another way to protect against malware is to use general safe computing principles. Just as you would on your desktop PC or laptop, be diligent about the sites that you go to. Also be diligent about the apps that you install. Even though Google has implemented technology (called Bouncer) that scans the Google Play store for malicious apps, it does not work 100% of the time. It is still prudent to look for things that look fishy about an app. Read the app reviews and look at the ratings for the app. If you stay with mainstream apps from known and reputable developers, you should be fine. However, even if an app is highly rated and from a known developer, remember to look at the permissions for the apps you are installing. The great thing about Android is that all apps in the Google Play store are required to specify what permissions they are allowed to have. For example, a flashlight application should have permission to access the flash on your camera to turn the flashlight on and off. It should never need network access or access to your SMS messages.

As a quick and final note, it is pretty easy to root your Android phone. However, unless you really know what you are doing, stay away from that. If you're reading this and thinking, "What does it mean to root my phone?", rooting is not for you (at least until you learn more about it and have a firm understanding of all of the ramifications thereof).

Safe Browsing and Privacy

From a privacy perspective, when you buy and Android phone (or at least a Google-blessed Android phone), you know that it comes with a certain level of privacy already gone. Really, no matter what brand of phone you choose, if you use any cloud based services, you must accept the fact that the provider, be it Google, Microsoft or Apple, has access to your data. It boils down to trust. Personally, while I get what Google does to make money, I trust that they will protect my data in their cloud, as it is in their best interest to do so. A large scale security incident on their part could cause a ripple effect, whereby people would abandon Google's apps in droves. That said, there are things that you can do to further enhance your privacy. Some of these things are phone specific, and some of them are general computing best practices, since after all, your phone really is a handheld computer.

From a phone specific perspective, you want to limit the usage data being reported back to the phone carrier and manufacturer, as well as limit ad tracking. There are two ways to do this, and it will differ depending on the make/model of Android phone/tablet you use. On the LG G2, first go to Settings --> Back up and Reset --> Collect Diagnostics. Make sure that "allow diagnostics" is unchecked. While this feature is supposed to only phone home with anonymous usage data, you can never be certain what is being sent, and as such, it is best to turn it off. Second, you will want to open your app drawer, open the Google Settings app, then touch Ads. Make sure that "Opt out of Interest Based Ads" is checked.

Next is safe browsing. Aside from the obvious advice with regards to being careful about what sites you visit, there are some settings in Chrome that you should enable to make sure you are browsing the web as safely as possible. If you use Chrome, open Chrome and go to Settings. Make sure Auto Fill Forms and Save Passwords are both turned off. While these two features are convenient, I personally don't trust them. Next, touch Privacy. Make sure that 'Never Send' is the selected option under 'Usage and Crash Reports'. Make sure 'Do Not Track' is turned on. Under Content Settings, for the truly paranoid, you can choose to disable cookies. Unfortunately with Chrome, cookies are an all or nothing proposition. You can either accept all or reject all. A lot of security conscious folks also turn off JavaScript. Doing this is definitely the more secure option, but it could also break functionality in a lot of websites. Lastly, under 'Bandwidth Management', under 'Reduce Data Usage', I made sure that this feature is turned off. Basically, it routes all http traffic through Google servers, where they compress it and speed it up. While they say SSL (HTTPS) traffic and pages visited in Incognito mode are never sent to Google, I am still not comfortable with this concept.

On Android, Firefox is a great alternative for the truly security conscious because you can accept cookies from sites you actually visit, while still blocking third party tracking cookies. Google Chrome on the desktop gives you this option, and I am not quite sure why Google would not give you this option on mobile. Firefox for Android is actually a pretty good browser. It renders pages nicely, and it is quick. It also has features such as 'Do not track'.

Lastly, with regards to privacy, some people opt to turn off GPS entirely. However, doing so will cause a lot of apps like Google Now or Maps to not function correctly. Again, there is a trade off between security and convenience. Personally, I would rather have turn by turn navigation and location based reminders. However, even if you opt to use GPS, it is a pretty good idea to make sure that the GPS data from your photos is turned off. This is especially important if you have kids and post often to social networks. This can be done from within the various photo sharing and social apps, as well as in the camera app. In the camera app for the LG G2, for example, touch Settings, and make sure 'Geotagging' is set to 'off'. In the newly released Google camera app, you can also turn off geotagging.

Miscellaneous

Wi-Fi. Wi-Fi signals are everywhere. Chances are you have a Wi-Fi router at home. Chances are, you have also used a public Wi-Fi connection when out and about, such as at a library, coffee shop or airport. Needless to say, Wi-Fi security is very important, both at home and abroad.

Wi-Fi at Home. Securing your Wi-Fi at home is actually pretty easy. Depending upon what type of router you have, this will either be done with an application (if you use an Apple Air Port Exterme, for example), or you can simply physically connect your router with your computer via an ethernet cable and navigate to your router's IP address (usually something like 192.168.1.1). From there you can configure the settings on your Wi-Fi router.

You'll want to make sure you do a few things. First, set up a really good password to access your Wi-Fi router's admin console/page. It should be a hard to guess, alpha-numeric password. Refer to the section above on passcodes. Next, you'll want to set up encryption on your router, so that all the traffic from each device that connects to the router is encrypted to the router and back. There are different types of encryption alghorithms to choose from, such as WPA, WEP, and WPA-2. You'll want to ensure that you use WPA-2 encryption. There are two types of WPA-2 encryption to choose from: WPA-2 AES and WPA-2 PSK (TKIP). WPA-2 AES is the better of the two algorithms to use. Again, your encryption is only as strong as your encryption key, so you'll want to make sure that you select a really long, really good passphrase. Note, I said passphrase, not password.

Next, you'll want to make sure that you ensure that access to the router's admin console/page can only be accessed via a physical connection from your PC to the router, and not via wireless.

Wi-Fi Abroad. Generally, it is best to avoid unsecured public WiFi hotspots. This is a pretty well known fact that with an unprotected WiFi connection, you run a HUGE risk of your traffic being intercepted. As such, I generally make it a rule that I only use my cellular data (LTE) connection when out and about. Even if you connect to a secure hotspot, you still want to be very aware of the risks that your traffic could still possibly be intercepted.

On a final note, the state of information security is constantly changing. New threats and attack vectors are constantly being discovered. What is relevant today, may or may not be relevant tomorrow. That said, if you come across anything in this article that is inaccurate or out-dated, or if you would like to provide feedback or offer anything additional, please feel free to drop me a line.

Table of Contents