Got Android? Then you had better be on top of your security smarts. With Android cornering more than 80 per cent of the mobile operating system market, it's no surprise that Android devices are the number one target for the mobile malware merchants. Kaspersky Lab reckoned that Android malware attacks increased threefold between 2015 and 2016, and it's a trend it expects will continue. Not that malware is your only worry: everyone from pickpockets to coffee shop hackers, jealous spouses to seasoned cybercriminals, wants to get hold of your smartphone and the data it contains. So how do you stop them? That's where our 13 top tips to secure your Android smartphone come in...

1. Update, update, update.

OK, so that's easier said than done if you are one of the many millions (about half of all 1.4 billion Android users) without a smartphone model that supports both a recent version of Android and the monthly security update roll-out. Although Apple is on top of the operating system update game, with all iPhone users getting the chance to upgrade to the latest iOS, Android is a different kettle of fish. The variables as to when, or if, you get the latest version are many, and even the monthly security updates aren't guaranteed. If you have the very latest Google-branded device (a Pixel whatever) then you are pretty much guaranteed to be first in the update queue; for everyone else it's something of a gamble. The latest Samsung flagship (at the time of writing), the S8, ships with Android 7.0 despite 7.1 having been out there for ages. It does, however, get the monthly security updates at least. So if you have so little control over updates, why is it on the list? Because you do have control over updating your apps, at least. Although it's more likely that an app has been updated to increase functionality or fix a UI bug, security also plays a part, and it's good practice to install those app updates as they become available.

2. Don't download from dodgy app stores

There are no cast-iron guarantees when it comes to the security game. So while it's impossible to say that downloading from the official Google Play Store will protect you from malware- or adware-infected apps (history has proven this not to be the case), it sure is a lot safer than enabling the 'unknown sources' option in the Android security settings and downloading apps from sources other than the official store. Nearly all the cases of Android apps being vessels for malware have been traced back to unofficial stores. Google has its 'Bouncer' gateway guardian that serves to keep most bad stuff out of the store, along with a number of other verifications and protections. Third-party stores, especially those offering commercial apps at lower prices, should be avoided.

3. Permission not granted

If you are running a recent version of Android then you will be presented with the permissions an app asks for, before you install it. If a mapping app wants access to your text messages, or a recipe app wants to make phone calls, then think twice before clicking through. In fact, I'd ask the developers why they want this access and even then I doubt I would grant permission. Permission changes will also be shown when an app is updating, before the new version is installed, so check these carefully as well. A trick that some dodgy developers use is to sneak additional permissions in for an update and these can be used for nefarious purposes.

4. Don't root it

OK, this one is always going to be controversial, especially given an audience including developers and tech geeks. However, unless you really understand security and so are able to truly protect your device from all that threat actors will throw at it, then rooting is to be avoided. It used to be the case that you could only get the real functionality you wanted by rooting a device, but those days have pretty much disappeared with the latest versions of both the Android OS and the devices it is installed upon.

5. Don't be dumb: ignore the smart lock

It probably sounded like a great idea to the UI design team, but I imagine that the security team were pulling their hair out. Smart Lock allows your Android phone to remain in an unlocked state based upon a number of variables such as location, device or body. So, you can configure it to remain unlocked if you are in your office or at home. Ditto if you are wearing your smartwatch or even using a pair of Bluetooth headphones. And the same applies if the smartphone is on your person. They all pretty much stink from a security perspective, despite the lockdown defaulting back to a PIN after 4 hours without being used. Even a casually nosy co-worker could have a lot of success if you pop to the loo and leave your smartphone on your desk, let alone someone looking for specific data.

6. Use Google Device Manager

If you lose your smartphone, or it is stolen, then you can use Google Device Manager for some peace of mind. For a start you can configure it so that once you confirm the loss it can play a loud alarm (overriding volume controls) and display a lock screen message if the device is switched on. To finish, if you think the phone has been stolen, you can even remotely wipe all the data by performing a factory reset when it is next powered up. OK, so you don't get your phone back, but you don't run the risk of someone accessing your stuff either.

7. Nullify those notifications

Always ensure that your device is configured so that notification content isn't displayed on the lock screen. Always require authentication to actually read the notification. It's not rocket science, it really doesn't add that much time to the process and it prevents anyone with access to your phone from also accessing potentially valuable data without even being able to unlock it.

8. Lock it

Never use an Android smartphone, or any other for that matter, without activating the lock screen option as a bare minimum. PINs are OK, especially if you use something longer than the four-digit default. I recommend a PIN of between 8 and 12 digits, depending upon your memory capability. Of course, you could use a password instead, but with most flagship devices now incorporating fingerprint readers I would always suggest using them if available. Not only is it a quick way to access your device, but a secure one. If a criminal is going to go to the lengths of making a latex impression of your fingerprint to try and fool the technology, then you probably have more to worry about than basic Android security matters. The same goes for the iris or facial detection that can be found on the Samsung S8. They are a quick and secure authorisation technology in the vast majority of use cases, and while they can be bypassed, the hacker has to have a real interest in getting into your particular device, and physical access to it, in order for these workarounds to be successful.

You may have done all you can to secure access to your smartphone, but what if someone gets access to it anyway? This may be through a careless ten minutes when you leave it unlocked and go into another room, or they may have had success in cracking your PIN or password. Whatever the route, if someone has access to your device it's pretty much game over, unless you have added yet another layer of access security to your apps themselves. By locking down individual apps, such as any online banking or commerce ones, or those which contain personal data, you throw more time-consuming spanners in the criminal works. My favourite for doing this is AppLock, which lets you assign a PIN (or fingerprint) for individual apps. It also has additional configuration options to prevent the locking app itself from being disabled or deleted.
Anything that adds extra time and effort to the task of getting at your data illegally is always going to be in the 'good thing' column in my spreadsheet.

9. A VPN is your friend

Don't use unsecured public wireless networks. Period. That's my advice when I've got my unflinching security nerd hat on. Of course, there are times when you may want or need access into the cyber-ether and a public hotspot is your only option. This is when you can say hello to my little friend: the Virtual Private Network. A VPN creates an encrypted 'tunnel' for your communications that prevents anyone from sniffing the packets that go across it. Without it they would have a captured data log, and there are tools that will enable them to quickly uncover login data from within it. There are plenty of VPN services out there, and the accompanying apps make setting them up really easy. Talking of public Wi-Fi, you should also watch out for rogue hotspots. These are access points set up by hackers to resemble a genuine one, in much the same way as a phishing scam, and simply collect all the login data from people using them. They often have believable names such as 'Hotel Guest Network' or some such, so always check with the hotel, train station or airport as to what the genuine free Wi-Fi network is called before connecting. Oh, and never do things like online banking or shopping on an unsecured public network, for obvious reasons!

10. Smartwatch smarts

Although smartwatch sales in the Android world have been a little disappointing, to say the least, there are plenty of people who own one. Which is good news if you happen to forget to pick up your phone when you leave the office, hotel, shop or whatever. Using Android Wear, or Tizen in the case of Samsung phones and watches, you can establish a Bluetooth link between the devices which sets off an alarm if it gets broken. I use a Samsung S8+ with a Samsung Gear 3 Frontier watch to do just this, with a vibration alerting me to the fact. OK, so the connection will be strong enough for a good dozen or more metres, but it's still better than getting no warning at all of your memory faux pas.

11. Encrypt it

Depending upon the version of Android and smartphone you are using this option may not be optional at all, or even available. However, encrypting the device itself doesn't add a huge amount of time to the powering up process (and how often do you reboot your phone in reality?) but it does make getting at your data a much harder job for any criminal who has managed to get hold of your device.

12. Turn it off

Turning off your smartphone may make good security sense (after all, it's impossible to remotely hack into something that's not switched on), but it's hardly a sensible option. Turning off some of the routes used to hack into your device, such as Bluetooth and Wi-Fi, when you aren't actually using them is, however.

13. Destroy your data before disposal

This should go without saying, but the number of secondhand smartphones and tablets that I have encountered which still have traces of the previous owner proves it needs to be said. Always delete everything before selling, recycling or throwing away your device. If you have followed the 'encrypt it' advice, then a factory reset is enough to ensure nobody will be able to get at your data after you have left the device and moved on.

OK, so those were our 13 tips, in no particular order. Obviously that's just the tip of the security iceberg, and there are plenty of other things that can be done. If you have a favourite Android smartphone security tip to pass on, please feel free to add it via the comments section.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
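Tips 1, 2 and 11 above each boil down to a setting you can actually read off the device. The following is an added example, not part of the original post: it parses captured `adb shell getprop` output (the sample below is constructed) and the value of `settings get secure install_non_market_apps` (the global 'unknown sources' toggle, which applies to Android 7 and earlier; Oreo moved this to a per-app setting) and reports which of the three tips the handset fails. The 90-day patch-age threshold is an assumption.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output for an Android 7.0 handset.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-05-01]
[ro.crypto.state]: [encrypted]
[ro.product.model]: [SM-G950F]
"""
# Constructed: output of `adb shell settings get secure install_non_market_apps`.
SAMPLE_UNKNOWN_SOURCES = "1"

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop's '[key]: [value]' lines into a dict; ignore anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def posture_findings(props: dict, unknown_sources: str, today: date,
                     max_patch_age_days: int = 90) -> list:
    """Check the device against tips 1 (patch level), 2 (sideloading) and 11 (encryption)."""
    findings = []
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        findings.append("tip 1: security patch level not reported")
    else:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"tip 1: security patch {patch} is {age} days old")
    if unknown_sources.strip() == "1":
        findings.append("tip 2: 'unknown sources' is enabled, sideloading allowed")
    # ro.crypto.state is 'encrypted', 'unencrypted' or 'unsupported'.
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("tip 11: device storage is not encrypted")
    return findings


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    for finding in posture_findings(props, SAMPLE_UNKNOWN_SOURCES, date(2017, 9, 1)):
        print("FINDING:", finding)
```

On a real handset, feed it the output of `adb shell getprop` and the `settings get` line instead of the constructed samples.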
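Tip 3 warns that an update can quietly add permissions the original install never asked for. As an added example (not from the original post), this compares the `<uses-permission>` entries of an installed version's manifest with the update's and flags the additions; both manifests are constructed samples of the recipe-app case the tip describes, and the `SENSITIVE` set is an assumed shortlist of permissions worth questioning.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a reviewer would question in a recipe or mapping app (assumption).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def permission_diff(old_xml: str, new_xml: str) -> dict:
    """Compare the installed version with the update and flag new sensitive asks."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "sensitive_added": sorted(added & SENSITIVE),
    }


# Constructed sample: a recipe app whose update quietly adds SMS and phone access.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
NEW_MANIFEST = OLD_MANIFEST.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.READ_SMS"/>\n'
    '  <uses-permission android:name="android.permission.CALL_PHONE"/>\n'
    "</manifest>",
)

if __name__ == "__main__":
    for key, value in permission_diff(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {value}")
```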


The last I had heard (in the US), you cannot be forced to unlock a phone that has been locked with a password, however, you are required by law to unlock a phone on request if it is locked via biometrics (fingerprint/facial recognition). While a biometric lock might be more convenient (and might seem more secure), you might not want to rely on that alone.


Also, I think we need to separate day-to-day security/privacy issues from 'when law enforcement demands' issues. Keeping your data out of state view is a different kind of security/privacy thing to preventing a family member, hacker or other criminal type from accessing it. Maybe I need to write another primer on hiding your stuff from the man :-)
