Ryan Fahey at InfoSec Institute sent me an article about security tips for Android phones. After I read it, I realized the title of the article implies a scope much narrower than the article offers.
- The tips in this article go beyond just Android – they apply to phones running any operating system.
- And they go beyond phones – tablets need just as much protection since they can carry just as much valuable information as phones.
InfoSec’s Matt Mossman understandably focussed on Android in his article:
As recent reports of rampant malware and Trojans began to surface via media outlets, the average Android user might not know where to turn to address their security concerns. And with market share on the rise, Android is swiftly becoming more attractive to data miners and thieves alike.
Thankfully for us, the Android operating system is open source, which means there are no constraints on security. You can make your device as accessible or as airtight as you see fit.
If malicious hackers follow the same path in mobile that they have in computers, they’ll focus overwhelmingly on the mobile platform with the greatest market share. In computers, that’s Windows. In mobile, that’s Android. So Android device users have a greater need to take security precautions than people who use other platforms.
That said, anybody who owns a mobile device can benefit from the list of tips the InfoSec article offers (paraphrased except where italicized), plus one of my own to lead off the list. Did we miss any tips? Please add them to the comments.
- Know where your device is at all times. Don’t let it slip out of a pocket when riding in a cab. Don’t leave it out of your sight in a public place. In other words, treat your device as you would your wallet.
- Enable your device’s lock screen. The lock screen obliges you to enter a password before you use your device. And if your phone sits unused for a certain amount of time (e.g. ten minutes) the phone should lock itself.
- Don’t store passwords on your device. If you do, you risk handing over the “keys” to your online accounts and identity should your device go missing.
- Synchronize your important information (e.g. calendar, contacts, tasks) with an online service. Should you have to switch to a new device, you can simply download this information to the new device instead of recreating it from memory.
Android syncs with a Google account and Apple’s iOS syncs with iCloud. You can also choose other synchronization services if you like.
- Read the fine print. In Matt’s words:
Before you go installing any app you run across be sure to read the application’s access request for permissions agreement. This often overlooked agreement contains valuable information regarding specific permissions on how the app is to access your device. These permission requests, such as access to GPS, contacts, external storage, etc., are all coded directly into the Android manifest file. Be mindful of what your application purports to do and what it is that it actually does. Chances are a calculator application does not need access to the Internet or your personal information, so read those permission agreements.
- Don’t do any sensitive surfing on a public WiFi network. For instance, feel free to read news websites while in a coffee shop that offers free WiFi, but wait until you get home to do your banking.
- Turn off geo-location for apps that shouldn’t require it. You’ll need to determine this on an app-by-app basis.
- Keep your operating system and applications up to date. Run all updates when they come to you, since they often contain bug fixes, security enhancements and other improvements.
- Use a device location service such as Where’s my Droid or Find my iPhone. These services help you do things like locate a lost or stolen device or remotely delete everything on that device.
- Back up your device’s data. You may need to install third-party applications to do this, or, in the case of Apple’s iOS, you can simply rely on iTunes to handle backups.
- If circumstances don’t pass the “smell test,” protect your device and its data. For instance, while near-field communications is an exciting new field for business, it’s also ripe with potential for abuse. Don’t install just any app on your device. Get apps from a reputable source. And, of course, don’t reuse passwords for different services. Better safe than sorry.
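The "read the fine print" tip can be checked mechanically. The sketch below is an added example, not code from the InfoSec article: it reads the permission requests out of a manifest and flags the ones that don't fit what the app claims to be. It assumes the manifest has already been decoded to text XML; the `EXPECTED` table and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions covering the kinds of access the tip names.
SENSITIVE = {
    "android.permission.INTERNET": "network",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
}

# Assumption: access each kind of app plausibly needs (illustrative only).
EXPECTED = {
    "calculator": set(),
    "maps": {"network", "location"},
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)

def unexpected_access(manifest_xml, app_kind):
    """Return (permission, kind of access) pairs that don't fit the app's purpose."""
    allowed = EXPECTED[app_kind]
    findings = []
    for permission in requested_permissions(manifest_xml):
        kind = SENSITIVE.get(permission)
        if kind is not None and kind not in allowed:
            findings.append((permission, kind))
    return findings

# Constructed sample: a "calculator" that asks for more than it should.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Calc"/>
</manifest>"""

if __name__ == "__main__":
    for permission, kind in unexpected_access(SAMPLE, "calculator"):
        print(f"calculator app requests {permission} ({kind})")
```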
There’s plenty more to learn about mobile device security, but the above tips should keep the average person out of trouble. If these tips aren’t enough for you, check out InfoSec’s mobile phone forensics class.
A hat tip to InfoSec’s Ryan Fahey for sharing this article with me.