
Got Android? Then you had better be on top of your security smarts. With Android cornering more than 80 per cent of the mobile operating system market, it's no surprise that Android devices are the number one target for the mobile malware merchants. Kaspersky Lab reckoned that Android malware attacks increased threefold between 2015 and 2016, and it's a trend it expects will continue. Not that malware is your only worry: everyone from pickpockets to coffee shop hackers, jealous spouses to seasoned cybercriminals, wants to get hold of your smartphone and the data it contains. So how do you stop them? That's where our 13 top tips to secure your Android smartphone come in...

1. Update, update, update.

OK, so that's easier said than done if you are one of the many millions (about half of all 1.4 billion Android users) without a smartphone model that supports both a recent version of Android and the monthly security update roll-out. Although Apple is on top of the operating system update game, with all iPhone users getting the chance to upgrade to the latest iOS, Android is a different kettle of fish. The variables as to when or if you get the latest version are many, and even the monthly security updates aren't guaranteed. If you have the very latest Google branded device (a Pixel whatever) then you are pretty much guaranteed to be first in the update queue; for everyone else it's something of a gamble. The latest Samsung flagship (at the time of writing), the S8, ships with Android 7.0 despite 7.1 being out there for ages. It does, however, get the monthly security updates at least. So if you have so little control over updates, why is it on the list? Because you do have control, over updating your apps at least. Although it's more likely that an app has been updated to increase functionality or fix a UI bug, security also plays a part and it's good practice to install those app updates as they become available.

2. Don't download from dodgy app stores

There are no cast-iron guarantees when it comes to the security game. So while it's impossible to say that downloading from the official Google Play Store will protect you from malware or adware infected apps (history has proven this not to be the case), it sure is a lot safer than enabling the 'unknown sources' option in Android security settings and downloading apps from sources other than the official store. Nearly all the cases of Android apps being vessels for malware have been traced back to unofficial stores. Google has its 'bouncer' gateway guardian that serves to keep most bad stuff out of the store, along with a number of other verifications and protections. Third-party stores, especially those offering commercial apps at lower prices, should be avoided.

3. Permission not granted

If you are running a recent version of Android then you will be presented with the permissions an app asks for, before you install it. If a mapping app wants access to your text messages, or a recipe app wants to make phone calls, then think twice before clicking through. In fact, I'd ask the developers why they want this access and even then I doubt I would grant permission. Permission changes will also be shown when an app is updating, before the new version is installed, so check these carefully as well. A trick that some dodgy developers use is to sneak additional permissions in for an update and these can be used for nefarious purposes.
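As an added example (not part of the original article), here is a small Python script that does the kind of check this tip describes: it compares the permissions declared in two versions of an app's AndroidManifest.xml and flags newly requested ones that Android treats as dangerous. The manifests are constructed samples; in practice you would pull them from the APKs with a tool such as aapt.

```python
# Added example: diff the <uses-permission> entries of two manifest versions
# and flag newly added permissions from Android's "dangerous" set.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's runtime-prompted (dangerous) permissions; real names.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")  # namespaced attribute
        if name:
            names.add(name)
    return names


def permission_diff(old_xml: str, new_xml: str) -> dict:
    """Classify what an update adds: dangerous vs. normal new permissions."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    added = new - old
    return {
        "added_dangerous": sorted(p for p in added if p in DANGEROUS),
        "added_normal": sorted(p for p in added if p not in DANGEROUS),
        "removed": sorted(old - new),
    }


# Constructed sample: a recipe app update that quietly asks to make calls
# and read text messages, the kind of sneaked-in permission the tip warns about.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    report = permission_diff(OLD_MANIFEST, NEW_MANIFEST)
    for perm in report["added_dangerous"]:
        print(f"REVIEW: update newly requests dangerous permission {perm}")
    for perm in report["added_normal"]:
        print(f"note: update adds normal permission {perm}")
```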

4. Don't root it

OK, this one is always going to be controversial. Especially given an audience including developers and tech geeks. However, unless you really understand security and so are able to truly protect your device from all that threat actors will throw at it, then rooting is to be avoided. It used to be the case that you could only get the real functionality you wanted by rooting a device, but those days have pretty much disappeared with the latest versions of both the Android OS and the devices they are installed upon.

5. Don't be dumb: ignore the smart lock

It probably sounded like a great idea to the UI design team, but I imagine that the security team were pulling their hair out. Smart Lock allows your Android phone to remain in an unlocked state based upon a number of variables such as location, device or body. So, you can configure it to remain unlocked if you are in your office or at home. Ditto if you are wearing your smartwatch or even using a pair of Bluetooth headphones, and the same applies if the smartphone is on your person. They all pretty much stink from a security perspective, despite the lockdown defaulting back to a PIN after 4 hours without being used. Even a casually nosy co-worker could have a lot of success if you pop to the loo and leave your smartphone on your desk, let alone someone looking for specific data.

6. Use Google Device Manager

If you lose your smartphone, or it is stolen, then you can use Google Device Manager for some peace of mind. For a start you can configure it so that once you confirm the loss it can play a loud alarm (overriding volume controls) and display a lock screen message if the device is switched on. To finish, if you think the phone has been stolen, you can even remotely wipe all the data by performing a factory reset when it is next powered up. OK, so you don't get your phone back, but you don't run the risk of someone accessing your stuff either.

7. Nullify those notifications

Always ensure that your device is configured so that notification content isn't displayed on the lock screen. Always require authentication to actually read the notification. It's not rocket science, it really doesn't add that much time to the process and it prevents anyone with access to your phone from also accessing potentially valuable data without even being able to unlock it.

8. Lock it

Never use an Android smartphone, or any other for that matter, without activating the lock screen option as a bare minimum. PINs are OK, especially if you use something longer than the four digit default. I recommend a PIN of between 8 and 12 digits, depending upon your memory capability. Of course, you could use a password instead but with most flagship devices now incorporating fingerprint readers I would always suggest using them if available. Not only is it a quick way to access your device, but a secure one. If a criminal is going to go to the lengths of making a latex impression of your fingerprint to try and fool the technology, then you probably have more to worry about than basic Android security matters. The same goes with iris or facial detection that can be found on the Samsung S8. They are a quick and secure authorisation technology in the vast majority of use cases, and while they can be bypassed the hacker has to have a real interest in getting into your particular device; and physical access to it in order for these workarounds to be successful. You may have done all you can to secure access to your smartphone, but what if someone gets access to it anyway? This may be through a careless ten minutes when you leave it unlocked and go into another room, or they may have had success in cracking your PIN or password. Whatever, if someone has access to your device it's pretty much game over. Unless you have added yet another layer of access security to your apps themselves. By locking down individual apps, such as any online banking or commerce ones, or those which contain personal data, you throw more time-consuming spanners in the criminal works. My favourite for doing this is AppLock which lets you assign a PIN (or fingerprint) for individual apps. It also has additional configuration options to prevent the locking app itself from being disabled or deleted. 
Anything that adds extra time and effort to the task of getting at your data illegally is always going to be in the 'good thing' column in my spreadsheet.

9. A VPN is your friend

Don't use unsecured public wireless networks. Period. That's my advice when I've got my unflinching security nerd hat on. Of course, there are times when you may want or need access into the cyber-ether and a public hotspot is your only option. This is when you can say hello to my little friend: the Virtual Private Network. A VPN creates an encrypted 'tunnel' for your communications that prevents anyone from sniffing the packets that go across it. This would otherwise give them a captured data log, and there are tools that will enable them to quickly uncover login data from within it. There are plenty of VPN services out there, and the accompanying apps make setting them up really easy. Talking of public Wi-Fi, you should also watch out for rogue hotspots. These are access points set up by hackers to resemble a genuine one, in much the same way as a phishing scam, and simply collect all the login data from people using them. They often have believable names such as 'Hotel Guest Network' or some such, so always check with the hotel, train station, airport as to what the genuine free Wi-Fi network is called before connecting. Oh, and never do things like online banking or shopping on an unsecured public network for obvious reasons!

10. Smartwatch smarts

Although smartwatch sales in the Android world have been a little disappointing, to say the least, there are plenty of people who own one. Which is good news if you happen to forget to pick up your phone when you leave the office, hotel, shop or whatever. Using Android Wear, or Tizen in the case of Samsung phones and watches, you can establish a Bluetooth link between the devices which sets off an alarm if it gets broken. I use a Samsung S8+ with a Samsung Gear 3 Frontier watch to do just this, with a vibration alerting me to the fact. OK, so the connection will be strong enough for a good dozen or more metres, but it's still better than getting no warning at all of your memory faux pas.

11. Encrypt it

Depending upon the version of Android and smartphone you are using this option may not be optional at all, or even available. However, encrypting the device itself doesn't add a huge amount of time to the powering up process (and how often do you reboot your phone in reality?) but it does make getting at your data a much harder job for any criminal who has managed to get hold of your device.

12. Turn it off

Turning off your smartphone may make good security sense, after all it's impossible to remotely hack into something that's not switched on, but it's hardly a sensible option. What is sensible, however, is turning off some of the routes used to hack into your device, such as Bluetooth and Wi-Fi, when you aren't actually using them.

13. Destroy your data before disposal

This should go without saying, but the number of secondhand smartphones and tablets that I have encountered which still have traces of the previous owner proves it needs to be said. Always delete everything before selling, recycling or throwing away your device. If you have followed the 'encrypt it' advice, then a factory reset is enough to ensure nobody will be able to get at your data after you have left the device and moved on.

OK, so those were our 13 tips in no particular order. Obviously that's just the tip of the security iceberg, and there are plenty of other things that can be done. If you have a favourite Android smartphone security tip to pass on, please feel free to add it via the comments section.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


The last I had heard (in the US), you cannot be forced to unlock a phone that has been locked with a password, however, you are required by law to unlock a phone on request if it is locked via biometrics (fingerprint/facial recognition). While a biometric lock might be more convenient (and might seem more secure), you might not want to rely on that alone.


Also, I think we need to separate day-to-day security/privacy issues from 'when law enforcement demands' issues. Keeping your data out of state view is a different kind of security/privacy thing to preventing a family member, hacker or other criminal type from accessing it. Maybe I need to write another primer on hiding your stuff from the man :-)


Your advice is incomplete and biased (Playstore bouncer?).

You said nothing about using an iptables-based firewall or safe repos like F-droid and its app which warns you of proprietary closed (read potentially malicious code) in apps and provides source code for most apps.

Rooting is absolutely necessary to secure your phone by eliminating spy apps and bloat apps that are installed into /system/apps etc by the damn manufacturer or cellular carrier. You can always unroot afterward or lockdown Supersu to not ask for permission to elevate privileges for unknown apps.

Simply changing the stock ROM to an alternative one or compiling it yourself after tweaking can improve security since you isolate yourself from the cloud, for example by only installing apps you really use or eliminate Google completely from your Android phone which is perfectly possible.

I in fact consider all pre-installed Google apps bloatware and all the playservices crap too along with all the google account-related services in system and my phone gets superfast. A more reactive, responsive phone is a more secure phone and easier to spot a malware that's slowing it down. It all depends on your idea of malware.

Even if you stay away from rooting, there are many apps and techniques (mostly Chinese) to infect an android system with crapware and malware.

I install apps from my own trusted collection and repo and happily enable Untrusted Apps.

Take care.


I repeat:

OK, this one is always going to be controversial. Especially given an audience including developers and tech geeks. However, unless you really understand security and so are able to truly protect your device from all that threat actors will throw at it, then rooting is to be avoided.


Hi happy geek, well I guess ignorance is bliss.
I repeat:

Not to be trolling but your advice is incomplete and biased in a way. (Playstore bouncer?). Playstore is littered with junk or duplicate apps.
It's impossible to find the truly good original apps

You also leave out many details about rooting. antivirus will do nothing to fix an already compromised system.

Believe me, I found that out for myself on several china phones like Polaroid, including my girlfriend's to name one. Even if you don't root, there are malware and malicious sites which can "help" you to get malware permanently on your phone.

It's even easier for people to install malware who just point and click on sites without discretion. Once it's in, a reflash is the only way to get rid of some rootkits unless you can find the root process or hidden binary of the malicious service and elevate your user's privileges to a high enough level to kill or erase it. This usually means accessing the system user which has higher read/write privileges than the root user, from what I know. Or simply reflash the stock ROM after backing up your precious data.

You also said nothing about using an iptables-based firewall. It's really almost the first thing I do after rooting and installing legit apps from my trusted collection that need root. The first thing I do is install an alternative recovery and backup my phone, especially if it is a china phone.

You also forgot to mention perfectly safe repos like F-droid and its app which warns you of proprietary closed (read potentially malicious code) before installing apps and provides source code for them. The app has a category filter which helps in narrowing down the search for a specific app. It's impossible to find a malicious app which persists on f-droid repo simply because of the source code element. Also you are free to mod the apps to your needs or contribute to its development. I've seen many malicious apps on Aptoide but it's just its nature being controlled by users and of the lack of app screening. F-droid also lets you install previous versions of apps.

F-droid is a repo with a comprehensive collection of free, opensource apps monitored by a free software community, most coming from the GNU linux world. There's an app for almost anything you could think of and each one has a specific solution and most are too good to be on playstore.
Some apps found here are slightly modified versions of their bloated counterparts on PlayStore with their unnecessary antifeatures removed like hidden telemetry and maintenance services in Firefox. Or removing play services dependence in Telegram is another example.

F-droid delivers clean apps that do what they're supposed to do, nothing more, nothing less, without unnecessary antifeatures and permissions which plague PlayStore apps.

An activated unconfigured AFWall firewall would stop malware in its tracks, especially those that download files from the Internet or upload them secretly.

Actually, rooting is absolutely necessary to secure your phone by eliminating spy apps and bloat apps that are installed into /system/apps etc by the damn manufacturer or cellular carrier. You can always unroot afterward or lockdown Supersu to not ask for permission to elevate privileges for unknown apps. Again like you said, if you know what you're doing.

Simply changing the stock ROM to an alternative one or compiling it yourself after tweaking can improve security since you isolate yourself from the cloud, for example by only installing apps you really use or eliminate Google completely from your Android phone which is perfectly possible.

I in fact consider all pre-installed Google apps bloatware and some actually act like malware (backup service). I use alternatives like k-9 mail and apg to encrypt my data instead of g-mail, firefox, icecat or fennec f-droid instead of chrome, rmaps instead of google maps, skytube instead of youtube, vanilla music instead of playmusic and the list goes on.

I remove all the playservices crap too along with all the google account-related services in system and my phone starts to get superfast. A more reactive, responsive phone is a more secure phone and easier to spot a malware that's slowing it down. It all depends on your idea of malware. It seems that every time I buy a new phone, I need to remove up to 50 or more garbage apps. I did stick with the 1944 strikers and SimCity games on the Galaxy S7 though!

Even if you stay away from rooting, there are many apps and techniques (mostly Chinese) to infect an android system with crapware and malware.

I install apps from my own trusted collection and repo and happily enable Untrusted Apps.

I could go on and on about alternative ways one could use to improve Android, especially its security, but I think I've let you on to a good start.

Take care.

Mark
Android enthusiast, and modder
since birth


Mark, did you not read the bit that said "unless you truly understand security" - which the vast majority of users do not - because that's the key here. That advice was clearly not aimed at you. It was aimed at the 99% of Android users who do not understand enough about the technology nor the threatscape to be able to root their device and keep it secure. I can assure you I am far from ignorant when it comes to cybersec issues...
