Five Security Tips for Android Phones and Tablets

Tuesday, July 31, 2012

Nicholas Cifranic

SecureState’s Profiling Manager, Tom Eston, published an article in last month’s newsletter titled, “Top 5 Security Settings for Apple iPhones and iPads.”

In his piece, Eston explains how to implement security practices for iOS devices. For all of you Android fans, we have decided that it would only be fair to take a look at the other end of the smartphone spectrum.

Securing your Android device is just as important as securing your computer, which is why it’s important to address the security precautions below:

#5.  Wild West Application Marketplace - Watch What You Download!

Android app stores such as Google Play have little or no security implementation, so anyone with a developer account may publish applications. Although Google has been attempting to enforce more controls to detect malicious apps, hackers are still publishing malware disguised as popular applications like Angry Birds.

Many malicious applications are published outside of trusted app stores such as Google Play and the Amazon Marketplace, so make sure you’re downloading apps from legitimate sources.

Additionally, always read the permissions an application requests before you install it. Many apps request GPS, contacts, external storage, etc. Be mindful of what your application purports to do, and what it is that it actually does.
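The permission check described above can be done on an APK before installing it. The following is an added example, not part of the original article: it parses the text printed by `aapt dump permissions` (from the Android SDK build tools) and flags sensitive permissions that the app's stated purpose does not explain. The package name, the sample dump and the "expected" set are constructed for illustration.

```python
import re

# Permissions covering the data types the article names (GPS, contacts,
# external storage) plus other commonly abused ones. All are real Android names.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Accepts both `uses-permission: NAME` and `uses-permission: name='NAME'`.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump_text):
    """Return the set of permission names found in the dump text."""
    perms = set()
    for line in dump_text.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def unexpected_sensitive(dump_text, expected):
    """Sensitive permissions requested that the stated purpose does not explain."""
    requested = parse_permissions(dump_text)
    return {p: SENSITIVE[p] for p in sorted(requested)
            if p in SENSITIVE and p not in expected}

# Constructed sample: a hypothetical game asking for more than a game needs.
SAMPLE_DUMP = """\
package: com.example.birdgame
uses-permission: android.permission.INTERNET
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: android.permission.ACCESS_FINE_LOCATION
"""

# What the reviewer decides a simple game plausibly needs (an assumption).
EXPECTED_FOR_GAME = {"android.permission.INTERNET"}

if __name__ == "__main__":
    for perm, what in unexpected_sensitive(SAMPLE_DUMP, EXPECTED_FOR_GAME).items():
        print(f"REVIEW: {perm} ({what})")
```
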

#4.  Keep Up! - Update Operating System and Apps Regularly

Many ask themselves, “Why should I update my device?” The answer is quite simple: by keeping your operating system up to date, you will reduce the risk of security vulnerabilities.

Your Android device will usually prompt you when an update is available. Most Android updates are carried out “over-the-air”; therefore, it’s crucial that you are first connected to either your mobile network or Wi-Fi before initiating the update. To check for updates, go to Settings -> System Updates -> Tap Firmware Update

#3.  Cover Your… Apps! - Backup and Remote Wipe

God forbid your device has been lost or stolen, what should you do? What if the thief attempts to gain access to those embarrassing pictures of you? No need to panic, there’s an easy fix. By adding a remote wipe feature, you can erase those humiliating pictures (and all other data) remotely before the phone thief gets his grubby hands on them.

Unlike Apple devices such as the iPhone or iPad, Android devices do not natively incorporate features such as Remote Wipe and Backup; however, many third party applications such as SeekDroid AntiTheft or Lookout Mobile Security may be used.

SeekDroid AntiTheft is a fantastic application to carry out remote wipes. If lost or stolen, just log into the SeekDroid website and from there you can track down your phone’s location.

Additionally, you can keep track of the calling activities of the person who found your phone. SeekDroid is available on Google Play Store for $2.99. The Lookout Mobile Security application will give your phone remote locking and wiping capabilities, as well as enhanced backup and antivirus capabilities. Currently, there is a free and a premium version.

#2.  Keep a Secret! - Use Encryption

Encryption is known as the translation of data into a secret code. Before data may be accessed, a key or password must be entered. For the sake of your data, it is extremely important to enable disk encryption. Enable data encryption by tapping Settings -> Security -> check Enable Encryption.

By enabling this option, you make it difficult for someone to pull readable data from your phone if the device is lost or stolen. You might believe that enabling a password is sufficient for data protection, but this is not true.

Additionally, specific folders containing sensitive data should be encrypted using apps such as Droid Crypt ($2.89) or AnDisk Encryption ($3.99). These apps allow users to encrypt their files using 128-bit AES encryption. It is also recommended that you consider encrypting your outgoing phone calls and text messages. Quality apps for automatically encrypting calls include RedPhone and TextSecure.

#1.  Lock it Down! - Enable Screen Lock

Setting a password upon use of your device is hands down the most important security setting to enable. For someone who is looking to compromise your device, this is the first barrier they encounter.

Not having a password is like having no door on your house; you allow thieves to walk in and take whatever they desire. It is recommended that you do not use Pattern Lock because people can potentially trace your swiped fingerprints. Instead, enable a passcode that is greater than 4 characters, mixed with alphanumeric and special characters. Do not use passcodes such as your ATM PIN or your birthday.

To enable a passcode, go to Settings -> Security -> Change Screenlock -> Tap Password

Even after enabling a passcode, malicious users can get lucky and guess the proper code. The chances of guessing on the first try are not very high, so the hacker will likely have to make multiple attempts; this technique is known as brute force.

You can prevent someone from brute forcing your password by enabling an option called secure wipe that will erase your device’s contents after X failed password attempts. This feature is native to Android version 3.0 or greater.

Keep unauthorized people out of your phone – enable secure wipe, set a unique password and make sure it is not easy to guess.
