The no-freakout guide to Android security

I believe any rational discussion of Android security should have two goals. The first is to not freak out the reader. I see no need to instill panic in you, to drum up ominous clouds of doom, or to paint a picture of imminent peril associated with even glancing sideways at an Android device.

The second goal, which works well with the first, is to assure you that I have nothing to sell. The ideal malware panic message touted by the major media is invariably followed by cautious words of advice from some lab coat-wearing nerd who just happens to work for such-and-such major anti-malware software developer. Oh, and by the way, they have a solution ready for their happy, safe subscribers.

I don’t mean to downplay security as an issue. It’s important. It’s vital. Your phone or tablet contains sensitive information. That includes email, data for apps, media, your schedule, and other private data. In a triumph of usability over security, the device’s web browser might automatically retrieve website passwords. The Bad Guys would dearly love some free stuff courtesy of poor security or user laziness. Yet it’s possible to accept these things without having one hand clutching your chest while the other is pulling out your wallet.

[Image: landscape locked] A password-protected device is a safer device.

Basic security

Android comes amply supplied with all the basic security measures you need. You don’t need to buy extra apps to employ some simple, safe practices such as applying a secure screen lock, beefing up browser security, and keeping your user accounts separate.

Your first line of defense on an Android device is to use a secure screen lock. Yes, the pattern lock is really cool, but it’s not secure. When you want security, lock your phone or tablet by using a Password screen lock. Apply all the same password rules as you would for anything: longer is better, and mix numbers, symbols, and upper- and lowercase letters.

Next to the password, a PIN screen lock is best. It’s just numbers, short and sweet. That’s not as beefy as a full-blown password, but it works. Eschew any other type of screen lock.

[Image: lock settings] Always set a password or PIN on your lock screen.

Screen locks are set by opening the Settings app and choosing either the Security or Screen Lock item.

If I were a bad guy who had just gotten hold of an Android phone, my first stop after unlocking the screen would probably be the web browser. Web apps such as Chrome retain user passwords – but only when you let them.

Set the web browser app’s security by summoning its Settings screen. In Chrome, touch the Action Overflow icon and choose the Settings command. Change the setting for Autofill Forms to Off; set the Master Control on the Autofill Forms screen to OFF. Likewise, disable the Save Passwords feature.

Finally on the basic security front, and specifically for Android 4.3 or later, I recommend configuring separate accounts when more than one person uses the device. Lock each account with a Password or PIN screen lock, and keep your email, social networking, and other accounts separate.

The Malware Issue

Unlike PCs, an Android device can’t be compromised by opening email attachments. The only way you can install evil software on an Android device is to do so deliberately. Either you pick up a bad program from the Google Play store or you disable app security to allow software to be installed from other sources.

Odds are low that you’ll find a compromised app at the Play Store. Always check the user recommendations and reviews. Generally speaking, the more downloads you see for an app, the better the odds that it’s legitimate. Also, scrutinize the App Permissions screen before you touch the Accept button. Ensure that the phone or tablet features accessed by the app serve a legitimate purpose. For example, why would an app that displays a silly animation need to use the phone’s text messaging service? When in doubt, don’t install the app.

The cases of actual malware arriving via the Play Store are extremely rare. When it has happened, Google has been successful at remotely disabling the app.

If you find yourself overly paranoid regarding malware, you probably won’t bother allowing app installation from unknown sources. Most of the sources, such as the Amazon App Store or Samsung apps, are legitimate, but I wouldn’t bother looking anywhere else. Specifically, don’t allow installation from unknown sources when someone sends you an app or app link via email or SMS. That action can lead to the deliberate installation of malware I mentioned earlier.

Given the remote possibility of an Android infection, the question still looms on whether you can benefit from installing an anti-virus or anti-malware app. My first thought is “No,” mostly because the need for an anti-virus program seems to stem from the necessity of a PC requiring that software. Tablets and phones are different creatures. Even so, if it makes you feel better, go ahead and get one.

Do remember that malware is most successful via social engineering. Even with an anti-virus app installed, if you opt to deliberately install a rogue app or heed an onscreen direction to disable the device’s anti-virus software, you’re still screwed.

Anti-virus apps also may not protect against dialing a reverse-charge number or various SMS scams. For example, no app can prevent you from signing up for an SMS service that charges your credit card to send you jokes or a horoscope.

Lost and Missing Devices

The worst thing imaginable is that your beloved Android device is either lost or stolen. The first thing you want to do is to find your missing phone or tablet. If that’s not possible, then the next best thing would be to remotely erase the device or somehow render it completely useless to anyone who has it.

The first step toward rendering the device useless is to apply a password. Not a PIN, but a full-on password like you’d apply to any secure computer or account. After all, how can you be serious about protecting your technology when you don’t even bother to lock the front door?

The next step, which doesn’t require extra software or a service, is to encrypt your mobile device. An Android phone or tablet can be completely encrypted, but it first requires that you have a secure screen lock. To perform the encryption, open the Settings app and choose Security. Select the Encrypt Device command.

The encryption process takes a while. The screen says an hour, but I would initiate the procedure before going to bed: Plug in the phone or tablet to ensure it has an ample charge. Then encrypt its data, which includes your account information, settings, apps, media, and all the files.

If you’re hesitant to encrypt your Android device, don’t be: You can decrypt it as well. Just choose the Decrypt Device command from the Security screen in the Settings app. If you don’t encrypt, however, the next best step in mobile device security is to rely upon a third-party app to assist with locating a lost or stolen device and, potentially, erasing that device remotely.
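As an added example that is not part of the article, the Python script below turns three of its recommendations, a PIN or password screen lock, Unknown Sources left off, and storage encryption, into a check over the output of `adb shell getprop` and `adb shell settings get`. It assumes adb is on the PATH and that the `lockscreen.password_type` secure setting is still exposed on the device (older Android releases); the sample getprop text is constructed, not captured from a real phone.

```python
import re
import subprocess

# DevicePolicyManager PASSWORD_QUALITY_* values, as stored in the
# "lockscreen.password_type" secure setting on older Android releases.
QUALITY_NAMES = {
    0: "none", 0x10000: "pattern", 0x20000: "PIN", 0x30000: "PIN",
    0x40000: "password", 0x50000: "password", 0x60000: "password",
}
ACCEPTABLE_LOCKS = {"PIN", "password"}  # the article's advice: PIN or password only
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """[ro.build.version.release]: [4.4.2]
[ro.crypto.state]: [unencrypted]
"""

def parse_getprop(text):
    """Parse `adb shell getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def assess(props, settings):
    """Return findings; an empty list means all three recommendations are met."""
    findings = []
    raw = settings.get("lockscreen.password_type", "0")
    lock = QUALITY_NAMES.get(int(raw) if raw.isdigit() else 0, "unknown")
    if lock not in ACCEPTABLE_LOCKS:
        findings.append("screen lock is '%s'; use a PIN or password" % lock)
    # "1" = Unknown Sources enabled; "null" = toggle absent on this build
    if settings.get("install_non_market_apps") == "1":
        findings.append("installation from unknown sources is enabled")
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("device storage is not encrypted")
    return findings

def live_inputs():
    """Collect the same inputs from an attached device (assumes adb in PATH)."""
    props = parse_getprop(subprocess.check_output(["adb", "shell", "getprop"], text=True))
    keys = (("secure", "lockscreen.password_type"), ("global", "install_non_market_apps"))
    settings = {k: subprocess.check_output(["adb", "shell", "settings", "get", ns, k],
                                           text=True).strip() for ns, k in keys}
    return props, settings
```

Run `assess(*live_inputs())` against a connected device; a value of `null` for either setting means that release no longer exposes the key, so treat the result for it as unknown rather than as a pass.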

Perhaps the most popular Android security app is Lookout from Lookout Mobile Security. It has a free version you can try, which does include a tool to locate a missing device. As with most of these services, you need to sign up for an account. The good news is that Lookout only mildly bothers you to upgrade to the full, paid version of the app. It does offer more detailed features, including safe browsing and more thorough monitoring of apps that can access sensitive data. These features are right in line with what a security-minded phone or tablet owner would need.

If you have a newer Samsung phone or tablet, then you can use the Find My Mobile feature. It also helps locate a lost or missing device. As with other such apps, you need a separate account to fully use Find My Mobile. In this case, you need to have a Samsung account. You can also use the Android Device Manager to remotely lock or wipe your device.

Some corporate account information can be removed from a lost or stolen Android device. If all hope is lost, contact your organization’s IT Department. Have them use the Exchange Service to remotely wipe your Outlook information from the phone or tablet. This trick doesn’t remove other account information, and in fact it might be a required policy at your organization anyway. Check with the IT guys to confirm.

Threat level: Low

Overall, I would consider the malware threat rather low for an Android phone or tablet, and I would also consider that security software is amply available for those who need it. This is all good news.

What would be the best news, of course, would be to get the cellular providers on board with a bricking system that wouldn’t require extra effort on behalf of the user. It could work simply: You lose your phone or tablet, call the cellular provider and they kill it, instantly turning the device into a brick. That would not only make users feel better about their mobile devices, it would be a great deterrent to theft. Until that day comes, consider employing some of the suggestions in this article to keep your Android device safe.

To comment on this article and other Greenbot content, visit our Facebook page or our Twitter feed.