This post is from the Apperian blog and has not been updated since the original publish date.
How to Secure an Android Device
Despite what seems to be popular belief these days, the Android operating system is actually very secure. The system is equipped with many layers of security that keep your devices and data safe from malicious software. With that said, as with any mobile device, there are vulnerabilities that you should be aware of, and I’ll explain how to protect your device from those risks.
- Data Sandbox – isolates your app data and code execution from other apps
- App Verification – checks app against Google’s database of malicious software and warns user if it finds something
- Permissions – apps are required to get permission from the user to access system data and resources
- Installation Confirmation – apps require user interaction before installation
- Screen Lock Protection – prevents unauthorized users from accessing the device’s main features and data
- Storage Encryption – protects the confidentiality of data stored on the device
- Device Management – enables the user to locate a lost device or erase the data if stolen
Understanding the Vulnerabilities
When it comes to mobile devices, there are three primary areas of concern.
1. Malicious Software - Any software that disrupts the system and/or gains access to sensitive information without the user’s knowledge is malicious software. As mentioned before, the OS has itself covered for these types of apps with the exception of one major weakness: it can’t control the user. Yes, the malicious software needs to request permission to access your SMS, but what is stopping you from granting it, especially if you decided to circumvent the app verification process? Android gives users the choice to get around most of the protective layers.
2. Physical Intrusion/Theft - Like all mobile devices, Android devices are portable and therefore exposed to the open world. It is one thing if your device is stolen, but what if the thief is able to recover your finance records and personal email? Now, you have to start changing passwords and monitoring your accounts for fraudulent changes in case your data was compromised.
3. Network Sniffing - This is one area most people tend to ignore. With mobile service providers continuing to increase the cost of data plans, consumers are increasingly relying on public Wi-Fi spots to lessen the burden. The issue with public Wi-Fi networks is that they are often not encrypted. As a result, it is not difficult for hackers to “sniff” out network packets emanating from mobile devices. This can all happen without you ever knowing about it.
How to Protect
Now that we understand what to avoid, let’s go over ways to protect your device. Note: These instructions vary by device, but there shouldn’t be too many differences.
Always use a secure screen lock on your device. This one may sound obvious, but you would be amazed at how many people I notice without any type of screen lock on their device. Most people feel like it’s an inconvenience having to enter a code or pattern every time they turn on the screen. It’s important to understand that this is the main line of defense preventing others from accessing your data or messing around with configurations. Furthermore, you could become a target if a thief notices that you don’t have a screen lock preventing them from having access to your device.
More likely, however, you’ll prevent co-workers from sending emails on your behalf or your kids from setting your ringtone to their favorite sing-along song. Here are some suggestions to lower the inconvenience factor without sacrificing security. There are some nice options in Settings > Lock Screen to lower the frequency of unlocking your screen:
1. Set the Lock Automatically to a higher time period. If you are frequently checking your emails every 5 minutes, try setting the time period to 10 minutes.
2. If you are in the habit of pushing your power button when you are done using your phone, uncheck Lock instantly with power key to maintain the benefits from option 1.
3. If you don’t like using a password or PIN, try the Pattern screen lock for a fast way to unlock. Make sure to uncheck the Make pattern visible option to help prevent others from seeing the pattern drawn out on the screen.
Besides using a screen lock, I also suggest looking at the settings for your apps with sensitive data, e.g. finance apps or text messengers. Most of the time, you will find that these apps have an option to add a PIN or password prompt when starting the app. This is an important option when you sometimes let others use your device but only want them to have limited access.
Encryption
It is considered good practice for Android developers to encrypt the data they are working with in case someone is able to gain full access to the device and its data. Sadly, there are a lot of cases where developers don’t encrypt their app’s data, and sensitive information is exposed. Luckily, most recent Android devices have the option to encrypt the entire device. Before you begin, make sure the device is fully charged, a screen lock is set up, and that you don’t need your device for an hour or so.
1. Go to Settings > Security
2. Under Encryption, touch the Encrypt Device option
3. Read the information about encryption carefully!
4. Touch Encrypt Device - Warning: If you interrupt the encryption process before it's completed, you will lose some or all of your data.
5. Enter your lock screen PIN, pattern, or password and touch Continue.
6. Touch Encrypt Device
Avoid Malicious Software
The first step to avoiding malware is to not download “pirated” apps or apps from shady websites.
If you are using a reputable app store other than Google Play, you probably already checked the Unknown Sources option under Settings > Security. It’s important to also make sure that the Verify Apps option is checked. This feature checks the app against Google’s database of malicious software and warns the user if it finds something. Also, with recent updates, this feature will continue to monitor your apps for suspicious activities and warn the user to uninstall if it finds something.
Network/VPN
When it comes to wireless data transmissions on a mobile device, you should always avoid public or unprotected Wi-Fi networks. If you have no choice but to use a public Wi-Fi network, it is highly recommended that you use a VPN to prevent network sniffers from reading your unencrypted transmissions. VPNs encrypt data transmissions and tunnel through a private network before reaching the internet. Most companies offer VPNs for employees so they can access files and other resources on the office network without compromising security, but higher quality home routers also offer the ability to set up your own VPN. OpenVPN is another VPN solution that is free and multi-platform, with extensively documented setup and configuration.
Device Locator
Another feature of later versions of Android is the device location services. While some people are skeptical of this feature, it is extremely handy if you lose your device or it is stolen.
The Android Device Manager feature can be enabled under Settings > Security > Device Administrators. You also need to turn on Location Reporting in the Google Settings app to get a mapping of the device location.
If your device is ever lost, use another internet-capable device and head over to: https://www.google.com/android/devicemanager. There you can locate, lock, or erase your device, or make it ring.
Apperian just announced support for Android 5.0 Lollipop. You can read the release here: http://bit.ly/Android5LApperian
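The Encryption, Unknown Sources and Verify Apps settings described above can also be read from a computer over adb instead of tapping through Settings. The script below is an added example, not part of the original post: it assumes an Android 4.x/5.0-era device with USB debugging enabled, and the names `PROBES`, `collect` and `audit` are made up for this illustration. Without `--adb` it runs on constructed sample output.

```python
import subprocess

# Probe commands run through `adb shell` on a USB-debugging-enabled device.
# Assumption: an Android 4.x/5.0-era build; on other versions a key may be
# absent, in which case `settings get` prints "null".
PROBES = {
    "encryption": "getprop ro.crypto.state",
    "verify_apps": "settings get global package_verifier_enable",
    "unknown_sources": "settings get secure install_non_market_apps",
}

def collect(serial=None):
    """Run each probe over adb and return {name: raw output}."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    return {name: subprocess.run(base + cmd.split(), capture_output=True,
                                 text=True, timeout=15).stdout
            for name, cmd in PROBES.items()}

def audit(snapshot):
    """Map raw probe output to (name, status, advice); status is OK/WARN/UNKNOWN."""
    rules = {
        "encryption": ({"encrypted"}, {"unencrypted"}, "Settings > Security > Encrypt Device"),
        "verify_apps": ({"1"}, {"0"}, "check Verify Apps under Settings > Security"),
        "unknown_sources": ({"0"}, {"1"}, "Unknown Sources is on; keep Verify Apps checked"),
    }
    findings = []
    for name, (good, bad, advice) in rules.items():
        value = snapshot.get(name, "").strip()   # adb output may end in \r\n
        if value in good:
            findings.append((name, "OK", ""))
        elif value in bad:
            findings.append((name, "WARN", advice))
        else:                                    # "", "null", or unexpected
            findings.append((name, "UNKNOWN", "key not exposed; check in Settings"))
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE = {"encryption": "unencrypted\r\n", "verify_apps": "1\n", "unknown_sources": "null\n"}

if __name__ == "__main__":
    import sys
    data = collect() if "--adb" in sys.argv else SAMPLE
    for name, status, advice in audit(data):
        print(f"{status:8}{name:16}{advice}")
```

An UNKNOWN result means the build does not expose that key to `settings get`, so the value still has to be confirmed on the device itself.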