Android Security & Privacy tips.
As per the global stats counter website, the market share of Android Operating System currently stands a 72.72%.
From November 2007, the first android version was released and from there rest is history. We have seen android evolve and to this day, android is coming up with more user friendly features and flexibility to the masses. Almost all sorts of smart gadgets that we are surrounded, like phones, tablets, TVs, watches & cars that are powered by android operating system.
With that timeline from the launch of android operating system, there have also been incidents of android malwares surfacing and impacting users in various ways - compromising Confidentiality, Integrity & Availability of user’s data in simple to complex ways. Hackers have always been on the lookout for targeting android operating by exploiting various OS bugs. On the other hand, android developers have been constantly working and providing updates and related fixes for the discovered vulnerabilities.
We all have witnessed the various android upgrades from version 1.0 till now android 11 we have been witnessing various features as well as security upgrades on our devices.
Even with the upgrades, we still can see on a daily basis about attacks on android devices in some way or another. Here, in this small write-up we will discuss some important points that you can use in your daily lives to improve your android security and keep your device secure against a majority of existing threats.
While most of the security tips discussed in this article can be very straightforward and might seem boring, they still are relevant and effective in securing your device. We must understand that security in itself is not something that you can ‘fit and forget’, it is actually something that you need to continuously review at regular intervals to stay secure.
Let us get started with the points where we look and understand how we can go on securing our android operating system.
Keep your Android device updated
While this is the most common piece of advice that we all are familiar with and have been regularly listening to or reading in articles by experts there are still people who do not consider upgrading their device to the most recent patches released by google.
The catch here is that, when google releases a patch or security update for a specific android version, it takes some time to merge the released patches to main stream for mobile vendors as they need to re-apply the customisation and release the patch to their respective vendor upgrade streams. So, when a patch is released by google on say ‘x’ day, and the release and the mobile vendor will take an additional of ‘y’ days to fix & merge the patch into its main upgrade stream then the end user will get the update on (x + y) days which will have a security impact depending on the type of the discovered vulnerability. In simple words, the more delay in getting patches, the more will be the risk on the device. If you are interested in getting more information on this cycle, then i will recommend this article for indepth study.
Hence, keeping your android smartphone to the latest security patch level is crucial here also adding whenever you buy an android device, consider the update speeds provided by the mobile vendors. You can refer this android security bulletin to know more. Let us admit the fact that nothing is perfect, so our best bet for this will be to regularly update our android device as a first line of defense.
Demo on Android Update
Updating Installed Apps
After updating the Base OS of your device, the next important part comes are the apps that are installed on your device. That actually is much easier as your playstore takes care of it.
However, it does so happen that many installed apps that get updates will be specific to the base OS version. Say for instance, if you are running a version android 10 on your device & the app installed has a newer version say 3.5 which will be only upgradable on devices running android 11 then there is a possibility that the upgrade for the app wont be available to you and you might run an older or perhaps vulnerable version of the app on your device.
Hence, upgrading your base OS plays an important role in keeping apps on your android device updated and secure.
Install Apps from trusted sources
Google play store is the official repository for downloading apps for your android device. However, there are other unofficial stores from which you can download apps with ‘tweaked’ / ‘premium’ features which is risky from a security perspective, as we have seen from our independent research on android apps from these sources that the apps with so-called ‘tweaked’ features contain lots of backdoors and privacy issues.
With time, google play store has evolved with checking and verifying the apps for security and privacy concerns but still it is not perfect as we can still come across reports from independent research that shows huge privacy issues and sensitive data theft done by apps that are found on play store.
Invest in a reputable Anti-virus solution
To make things simpler, for you a quick way to get yourself covered is to install a ‘reputable’ antivirus solution. This recommendation comes because the antivirus products do simplify the security and privacy settings for an end user and helps them set the required controls quickly. As still today, many security and privacy controls are deep inside the android settings menu and can be sometimes cumbersome for a casual user to control their privacy and security as they desire.
In case you are curious about comparing and deciding on what mobile antivirus solutions you should go for, then this resource will help you zero in on the best antivirus product for you.
Here, we are deliberately using the word ‘invest’ because this will certainly go a long way in protecting your security and privacy by investing in a small amount of money in your antivirus product.
Now the above tips are some of the most important and basic tips that you MUST follow and draw a baseline into securing your android device.
Now lets see how we can make some changes into the default settings of your device and make more custom changes as per your requirements into securing your android device. We will also explain along the way about the settings and the rationale behind it.
Considering the fact that these days our mobile devices do contain a lot of sensitive information in all forms about ourselves and protecting the information is now of vital importance. We must consider the fact that the more we work towards securing & controlling our privacy, the better it will be.
Phone locking & Physical security
Modern devices these days provide a lot of security features for locking & unlocking your device using either PIN / password / pattern / fingerprint / facial recognition / proximity sensors, etc. It is highly recommended to implement these security features available with your android device.
Additionally, there is another mode called the ‘lockdown’ mode where the device will get locked and will require a PIN ONLY to unlock as it can be the case when someone might try to use biometrics to bypass the device’s security.
Lockdown your Android Device - Press the Power button
Avoid Clicking random links
This advice has been given since a long time by all the experts. Infact, the majority of reported incidents start by clicking a malicious link to start a chain reaction of unwanted events. Most of the SMShing attacks where the fraudsters lure the victim into clicking malicious links to download malicious content or collect sensitive information via phishing. SMShing is not just limited to text messages, the malicious links do get forwarded on all sorts of communication channels / platforms.
Regularly check for harmful apps
Another useful feature offered by android OS is in-built scanning for malicious apps (if they are installed in your device). When you install any app, google play protect will scan the application and check for any unwanted or malicious signature in the app and then download and install on the device if the app passes the check.
If you want to check if this feature is enabled, you can do this by viewing this small clip.
Play Protect - Scan your apps
Clear app data cache
While this is not directly connected to security of your android device, this goes a good way to improve performance of your device and helps keep your device running smoothly. Have a look at the small clip on how you can clear up temporary / cached data from your apps.
You should be mindful if you are to choose the option ‘Clear Storage’ as this will clear out all your signin data and other information that you might have saved.
Clear App cache
Review Privacy & app permissions
With newer versions of android operating systems, you can review the privacy settings and permissions that an app uses based on the permission category granted to the app. Based on the app and its utility in use, you should be able to make a judgement on what permissions will be allowed to the app. Let us take for instance that if you have a calculator application which performs calculations for you then there should not be any use of granting permissions for reading SMS or accessing your microphone or camera.
We have seen such applications during our course of android application testing that some shady applications do ask for too much permissions. Hence, it will be very important for you to frequently review app permissions as most applications require runtime permissions and these permissions stay that way if the user does not revoke permissions after its designated use. Let's have a look at how we can go about setting permissions for the apps and revoking permissions when done.
Check & review app permissions
Setup 2 Factor Authentication
While this feature has been there with almost all the services we use, many of us still do not use this feature. Setup 2 Factor Authentication for your google as well as other accounts that you use. This will ensure and add another layer of security for your account as well as for the android device.
You can use SMS based authentication, App authentication codes from Google Authenticator app or ‘Tapping a prompt’ for your account security. A detailed description on setting up 2 Factor authentication can be found here on this google page.
Setup Find My Device
From your android settings menu, enable the ‘Find my device feature’. This will enable you to locate your device, remote wipe the device.
Now the catch here will be that the device will be linked to your google account and you will be required to sign in to locate your device. Now considering an instance where you have lost your device and all the 2nd Factor authentication will be pushed to your device, then you will not be able to login without 2nd Factor authentication. And ultimately, you will not be able to use the feature.
As an extra and very much needed layer of recovery you can add is to setup the ‘Google Authenticator App’ to another device along with the app ‘Find my device’ to another device / tablet with your phone’s google account in that device. This will make sure that even though your device is lost, you can sign in to the ‘Find My Device’ service by entering the 2nd Factor i.e the 6 digit code from your Authenticator app and sign to locate and control your device.
Find My Device - Setup & configure correctly.
Connection to untrusted networks
As a general recommendation, we must avoid connecting to public networks such as coffee shops, railway stations, airports, malls etc. that provide you with FREE wifi. As these networks are not safe and your data passing back and forth through these networks is potentially vulnerable to Man-in-the-middle attacks. It would be better if you use your Mobile network for accessing the internet as it is relatively better than untrusted public networks. For an added layer of security, you can always use a VPN for robust security for data in transit.
These were some of the most important & basic security measures that you can take to secure your android device. However, it should be noted that the settings must be reviewed on a timely basis and tweaked accordingly.