Want to make sure your Android device is safe from attack? Davey Winder delivers ten ways to beef up your smartphone and tablet security.
We love Android – but with dozens of versions of the OS out there, running on thousands of devices contracted to different networks, managing risk for the platform is no easy task.
In the future, Google hopes that machine learning will identify security holes and protect Android from malicious apps. For now, it relies partly upon a pair of in-house tools. For apps, there’s Bouncer – an automated system that analyses apps submitted to the Play Store for malicious or buggy code. To test the OS itself, Google uses a system called Clusterfuzz, which throws random inputs at Android with the aim of exposing bugs in the code. As a fallback, it also operates the Android Security Rewards programme, which pays up to $50,000 for third-party reports that lead to a vulnerability fix.
Unfortunately, whatever good work Google does is undermined by the fragmentation issue. Smartphone manufacturers are quick to drop support for older handsets, with the result that the majority of Android smartphones and tablets in use – which adds up to more than 4,000 different devices – simply aren’t receiving critical security updates.
Even if you’re lucky enough to be using a device that is kept up to date, you need to play your part by being security-minded. Here, then, are ten ways that you can maximise the safety of your Android devices.
1. Don’t sideload apps
“Sideloading” means leaving the safety of the Google Play Store to install apps from other sources, such as untrusted websites. Such sites serve up Android applications in the form of Application Package (APK) downloads, and installing one carries many of the same risks as running an unfamiliar EXE file in Windows. Bypassing the Play Store “Bouncer”, which checks for poor coding or malicious content, isn’t normally a good idea – although it can be safe if you’re sure of the source. Amazon, for example, requires you to sideload apps if you wish to use its Underground store.
Even then, trustworthy sources are known to have become infected, and without automated tools such as Bouncer to inspect the code, it’s possible for such infections to escape notice. Sideloading is only possible if you have permitted Android to install apps from unknown sources in your device’s security settings – the default configuration prevents the installation of apps from sources other than the Play Store. Check this is enabled to save you from accidental sideload syndrome.
2. Encrypt, encrypt, encrypt
Unless you have a seriously underpowered handset, or a seriously old one, there really isn’t any excuse for not enabling encryption. If you have a modern device such as the Nexus 5X or 6P then full-disk encryption (FDE) will be enabled by default – and you can’t disable it.
Why would you want to? Encryption can impair the performance of older devices, making them slower to boot and save files, for example. If you think that your device booting 30 seconds or so quicker is more important than your files being safe from prying eyes should it get stolen or lost, then that’s the risk you take. If you’d rather not have strangers ploughing through your photos, text messages, address books and the like then go to Settings | Security | Encrypt phone. You could rely upon the Remote Wipe function to destroy all your data in case of loss, but would you really want to leave that window of eavesdropping opportunity open when you could keep it securely locked with FDE?
3. Go granular over permissions
Despite the popular perception, Android apps are really quite secure in terms of what data or device functionality they can access by default. All apps are housed in a virtual application sandbox to isolate their data and code execution from other apps. Without explicit additional permission, the only data an app can access is the data that comes with it. Unfortunately, apps will ask for a whole bunch of access permissions to be granted when you download them, and many users grant these without even thinking why a camera app should access your call log, for example.
Android 6 (Marshmallow) brings granular permissions control through Settings | Apps|
4. Use a VPN
Sniffing data across a mobile 4G network is certainly possible, but it requires more sophisticated kit than is required to intercept public Wi-Fi traffic. The general rule of thumb is that if you can’t fully trust a Wi-Fi network, use mobile data instead. Even then, it doesn’t hurt to connect to a VPN before launching something such as a banking app. Android comes with built-in support for both Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) VPNs, and there is a plethora of apps that tie in with third-party VPN services. If you’re more interested in security than anonymity, your choice of such apps is pretty good, ranging from free (which can be very slow) to subscription pricing models. We’d recommend Freedome from F-Secure: it’s fast, secure and anonymous, and offers subscriptions on anything from a daily to annual basis.
5. Install a security app
There are those who insist that security apps are a waste of time and battery life, while others swear by them for keeping handsets free of malicious software. The truth lies somewhere in-between. So while these apps can be heavy on the upselling (VPN, sir? How about a data clean-up app, madam?) and probably won’t save the socially engineered victim from themselves, they do have their uses. Some will notice when there is text in the system clipboard after exiting one app that could potentially be used by another, and offer to delete it. Others will check for Wi-Fi router security problems, offer individual app-locking functionality, or score apps based upon permissions granted. There’s nothing to beat user awareness and best practice, but such apps can provide a helping hand.
Our pick of the Android security apps is Avast Mobile Security: it’s free but fully featured. Basic scanning is quick, but it will check Wi-Fi router security, lock apps, and even warn if you have content in your clipboard that could be leaked.
6. Don’t rely on the default four-digit PIN
Even if you have a fingerprint reader on your phone, you’ll still need a PIN or password when rebooting the device, so make it a big one. Go to Settings | Security | Screen Lock, and choose either PIN or password. The password option is the more secure if you apply the usual complex creation rules and use special characters alongside alphanumerics. You can only stretch up to 16 characters long, but bearing in mind you’ll have to type this in on your phone’s keyboard, that’s probably enough.
A PIN code somewhere between 5 and the maximum 16 allowable digits is still pretty secure. An attacker has no clue how long the PIN is, making it harder to guess the code. Aim for the higher end of the digit limit and you’ll have a pretty secure lockscreen. What you shouldn’t do is use the gimmicky “smart lock” function. This allows ease of use to override sensible security measures by keeping your phone unlocked if it’s in a certain pre-defined Google Maps location, near another pre-defined Bluetooth or NFC device, or even if you show it your face. The latter is the only option that comes near to fulfilling any real security criteria.
7. Make use of screen pinning
Screen pinning is a neat feature that debuted with Android 5 (Lollipop) but one that’s been overlooked by, well, almost everyone. That’s a shame, since it’s actually a very valuable security tool. Simply put, it enables you to hand your phone to someone else to use, safe in the knowledge they can’t start opening other apps and go poking around in your data. You can access it by going to Settings | Security | Screen Pinning. Then, just open whatever screen you want to pin, touch the bottom-right square “overview” button, and swipe up to hit the pin icon. Now, the person you give the phone to will be able to use that app, but no other. If you choose the “PIN required to unpin” option, this will prevent the other person from turning it off themselves.
8. Welcome guests
If you want to let someone securely access more than just a single app on your Android device – to let the kids play games, for example, without getting into your email – then use the guest account function. Use the two-finger swipe down to open the notifications screen and tap on your user account icon top right. This will then give you the option of choosing either your account or a guest account.
Once you’ve selected Guest, the device will switch over to a basic user account that has access to a limited set of apps (as you’d get straight from the factory) but none of your data. To leave Guest mode, follow the same route and tap on your own account again; you’ll need to scan your fingerprint or enter your PIN to access the phone. Note that Guest accounts are available only on selected devices.
9. Back it up
There’s more to data security than preventing the wrong people from getting their hands on your precious files. How about making sure you always have a copy of everything, just in case of unexpected failure or loss? You probably have your network backups sorted; laptop and desktop too. But what about your phone? There are various apps that will automatically copy your personal data into the cloud: Google Photos, for example, will back up all your photos and videos to your Google Drive space. The Android Backup Service (Settings | Backup & Reset) will do likewise with items such as your Google Calendar and Gmail settings, Display Preferences, and third-party app settings.
One way to be sure you have a local copy of what’s important to you is to use a Meem – a charging cable with an integrated backup module that automatically makes incremental backups every time you plug it in to charge, so you simply can’t forget. Contacts, calendars and SMS messages are encrypted with 256-bit AES, while music, photos and video are backed up in plain sight.
10. Wipe your data before disposing of your phone
Some people are handset hoarders, with a drawer full of every device they’ve ever owned. Most of us, however, will trade in or sell our old phone – after all, even an old device can be worth a few bob. It’s easy to forget that your data has a value as well. Before disposing of a handset – and that includes sending it for recycling – securely dispose of the data. First use the full-disk encryption option to encrypt everything on your phone. Then go back to Settings | Backup & Reset | Factory Data Reset – and, having read the warnings about erasing all data and account information, hit the big “Reset Phone” button. All your data, which has already been scrambled, will now be deleted. Just be sure to remove and retain any SIM and SD cards, after which your device is good to go.