Hello my fellow forum users! I was reading and doing research on general android security. It seems android has some security issues, so I am writing this to help educate my fellow members on how to stay as secure and clean as possible!
To give you a little bit of background information, I have been a white hat "Hacker" for about 4 years, mostly working on Apple/Linux open source projects. I love open source, and the GNU team, and helping them is helping myself.
This will be split into two sections, One will be "Physical security" focusing on how to lock down your phone to keep it secure in the real world. This will focus on how to secure your phone if the "attacker"(Thief) has physical access to your phone, and what you can set up to help stop him. The other section will focus on "Software security", and as you probably guessed; This focuses on securing your phone's system.
Without further delay, lets move on!
Physical Security
As we all know, we lose things, it just life. But now that we are in the digital age, losing a device is compared to leaving a wallet, your leaving everything an attacker needs to steal enough info to steal your identity! Follow these steps to help secure/track/recover the device.
CHECK TO MAKE SURE YOUR PHONE IS WITH YOU BEFORE YOU LEAVE SOMEWHERE! This is probably the biggest and simplest mistake someone can make. If you check to make sure you have your phone before you leave somewhere, chances are you will never need to worry.
LOCK THE PHONE SCREEN WITH A PASSWORD OR PATTERN! Doing this will trump any petty thief's attempt to get access to your phone. This will help keep your data safe and secure about 75% of the time. Most of them just want to sell the device, which is better then selling your identity! They will probably flash the device anyway, so this will really help you out. But there is some who know exactly what they are doing.
WHEN YOU GO OUT, ENABLE GPS! I cannot stress this enough, even if your a tinfoil hat; DO IT! If you lose it VM can track it and you will have an idea where it is, or at least the last location the phone was at before it was turned off. This will give VM and the Police a better chance to find the thief.
TREAT YOUR PHONE LIKE YOUR WALLET FILLED WITH GOLD! Your phone has enough data to actually be worth this, treat it as such and you won't forget it!
ENCRYPT SENSITIVE FILES! If you have an sensitive documents on your phone, ENCRYPT, ENCRYPT, ENCRYPT, ENCRYPT, ENCRYPT!!! Everyone has something they want to keep private, keep it private permanently by using encryption. You can get apps on the market that will lock/encrypt Files/Folders. This will always keep your phone secure, as encryption is almost impossible to break.
DON'T SHARE YOUR SD CARD! It can take seconds for someone to steal the Data off of the SD card.
THINK BEFORE YOU PLUG! Only plug your phone into a computer you trust, if the computer is infected it could harm your phone.
Software Security
We all know about malware, and malware that runs on android, but what about android hacks? Anything can be use to exploit your phone for it to leak it contents or even hand root over! Be smart and think before you run any type of software or visit a questionable website. Follow these steps to help keep your phone as "Hack Free" as possible!
STAY INFORMED! Always keep an eye out for android news, not just to see the coolest apps, but security! When you see a new hack or bad app out, read about it and make sure you have an idea how to identify the hack/app. Common sense is the best security tool!
INSTALL FROM THE MARKET AS MUCH AS POSSIBLE! No this is not an ad, its to help you! Even though the Market can have hacks, its best to see if someone has noticed anything, read the reviews and check the rating. Look to see if anyone has anything to say about something suspicious or questionable. Like above Common sense is the best security tool!
DO NOT GO ON QUESTIONABLE SITES! We all know this, but this applies the most to android, most android hacks come from the stock browser. If you hate using 3rd party browsers and prefer the stock, only go on sites you can completely trust. Do not surf the web on it, one bad link could hand your phone over!
ADS KILL! Free apps can sometimes display ads that can hold hack, to be safe make sure you only install popular free apps. This usually reduces the chance for a hack, as Google and the Dev will really keep their eyes out for that app's security.
ENCRYPT ALL THE THINGS! If you have something you dnt want copied, ENCRYPT IT! If your phone ever does get rooted(RootKit), your sensitive data will still be seen as encrypted.
REBOOT! Rebooting clears the RAM from the phone, this not only helps performance, but it clears passwords. This will help reduce the chance of encryption keys, or general passwords from being stolen.
DNT INSTALL QUESTIONABLE APPS! If you see your app on a google search result, make sure you see it in about 3 - 4 places. If you don't, there is a good chance that site is trying to fool you, google is ALWAYS your best friend!
DONT JUST HAND OVER ROOT! ALWAYS, ALWAYS, ALWAYS, ALWAYS, ALWAYS, ALWAYS, make sure you know what you are doing when you let an app run as root. If you let an app that is actually malware, it can do ANYTHING to your phone. Make sure you know what the app will do before you run it as root!!!
COMMON SENSE! STAY INFORMED! DONT FALL FOR TRICKS! <--- That
This is my advice to the people on this forum to keep yourself secure and "hack free" as possible. Always do as much as you can to keep yourself secure, there is always chance you can be hacked, but make it a challenge!
Last edited by RoujinKarma; April 12th, 2012 at 12:25 PM.
The Following 9 Users Say Thank You to RoujinKarma For This Useful Post:
Nice write up. A lot of it should be common sense, which is sadly uncommon. Thanks for taking the time on this, I'm certain it will come in handy for newer users who may not be familiar with smart phones yet.
Nice write up. A lot of it should be common sense, which is sadly uncommon. Thanks for taking the time on this, I'm certain it will come in handy for newer users who may not be familiar with smart phones yet.
Newbie here. Yes, thank you.
You said always enable GPS when we go somewhere because VM can find it.
What's VM? I have Lookout. Not Premium.
What should I have?
And, I surf with the factory browser all the time.
But I shouldn't?
You mean I should use...what? Dolphin or something?
Please straighten me out here, okay?
I'll do whatever you tell me to.
(Except encrypt anything. One, I have nothing that anybody would want. And two, I don't have a clue how. Well, I do have a bank account - Greendot. What encrytion app do you reccommend? I'm sure I could figure it out if I used a simple one).
Thank you
I appreciate it.
__________________
Sent from my SGH T-989 via Tapatalk
Device(s): LG Optimus V (Previously), Motorola Triumph (Currently)
Carrier: Not Provided
Thanks: 38
Thanked 28 Times in 18 Posts
Quote:
Originally Posted by sleedeane
Newbie here. Yes, thank you.
You said always enable GPS when we go somewhere because VM can find it.
What's VM? I have Lookout. Not Premium.
What should I have?
And, I surf with the factory browser all the time.
But I shouldn't?
You mean I should use...what? Dolphin or something?
Please straighten me out here, okay?
I'll do whatever you tell me to.
(Except encrypt anything. One, I have nothing that anybody would want. And two, I don't have a clue how. Well, I do have a bank account - Greendot. What encrytion app do you reccommend? I'm sure I could figure it out if I used a simple one).
Thank you
I appreciate it.
VM is Virgin Mobile, lookout is fine, no, you shouldn't surf with mobile really at all except for the select sites you know are safe. But if you feel lucky, surf to your hearts content, and a 3rd party is any browser you installed yourself, not stock. Have fun.
Sent from my LG-VM670 using Tapatalk 2
The Following User Says Thank You to TheDirectorFur For This Useful Post:
Newbie here. Yes, thank you.
You said always enable GPS when we go somewhere because VM can find it.
What's VM? I have Lookout. Not Premium.
What should I have?
And, I surf with the factory browser all the time.
But I shouldn't?
You mean I should use...what? Dolphin or something?
Please straighten me out here, okay?
I'll do whatever you tell me to.
(Except encrypt anything. One, I have nothing that anybody would want. And two, I don't have a clue how. Well, I do have a bank account - Greendot. What encrytion app do you reccommend? I'm sure I could figure it out if I used a simple one).
Thank you
I appreciate it.
VM = Virgin Mobile
Stock browser is known for being targeted for attacks. If you like to randomly browse and surf the net, you can put yourself at risk for using the stock browser. You can prevent this by using 3rd part browsers, Opera Mobile is the best(imo), it is the full opera desktop browser, but for Android .
And if your just checking your bank account on your phone using the browser you are fine, the bank's servers encrypt your connection .
The Following User Says Thank You to RoujinKarma For This Useful Post:
Hey guys, me again.
I can't really tell what the difference is between Opera Mobile and Opera Mini.
I do most of my web browsing sitting in front of my wifi, so I guess I don't care about how "compressed" anything is as far as racking up any data.
And I don't have a computer to "link" up to or anything like that.
Which one should I use?
Hey guys, me again.
I can't really tell what the difference is between Opera Mobile and Opera Mini.
I do most of my web browsing sitting in front of my wifi, so I guess I don't care about how "compressed" anything is as far as racking up any data.
And I don't have a computer to "link" up to or anything like that.
Which one should I use?
Thank you
I prefer opera mobile, just because its the full opera browser.
The Following User Says Thank You to RoujinKarma For This Useful Post:
Device(s): Samsung Galaxy Victory 4G LTE, Kyocera Rise [Retired], LG Optimus V [Retired]
Carrier: Virgin Mobile USA
Thanks: 28
Thanked 6 Times in 6 Posts
Quote:
Originally Posted by sleedeane
Hey guys, me again.
I can't really tell what the difference is between Opera Mobile and Opera Mini.
I do most of my web browsing sitting in front of my wifi, so I guess I don't care about how "compressed" anything is as far as racking up any data.
And I don't have a computer to "link" up to or anything like that.
Which one should I use?
Thank you
I prefer ninesky browser myself.
Sent from my LG Optimus V running OM_MLS v2.2.2-EXT using Tapatalk 2 Beta-6
I use the stock browser just because thus far every browser I've tried sucks as much as it. So I figured I'd go with the one that takes up the least space. I have been meaning to try something else again, if for no other reason than to make backing up book marks easier.
Device(s): LG Optimus V, Samsung Galaxy Tab 10.1 (neither is rooted)
Carrier: Not Provided
Thanks: 41
Thanked 90 Times in 67 Posts
Quote:
Originally Posted by RoujinKarma
How to "Harden" Your Android phone (2.2 - 2.3)
Very nice summary. (Really! )
My only suggestion (esp. if this thread does get “stickied”) would be to tweak the title (quoted above). It seems to me that this very useful advice is not so much about hardening (as traditionally understood), but more about best practices to keep a phone and its information secure. In addition, the advice is not specific to certain Android versions (or even Android in general, the same applies to iOS and Windows Phone).
My only suggestion (esp. if this thread does get “stickied”) would be to tweak the title (quoted above). It seems to me that this very useful advice is not so much about hardening (as traditionally understood), but more about best practices to keep a phone and its information secure. In addition, the advice is not specific to certain Android versions (or even Android in general, the same applies to iOS and Windows Phone).
Just food for thought, I hope …
I was thinking the same actually, but ICS offers newer and better security features compared to 2.2-2.3. So I just thought it would be a bit more relevant
ENCRYPT SENSITIVE FILES! If you have an sensitive documents on your phone, ENCRYPT, ENCRYPT, ENCRYPT, ENCRYPT, ENCRYPT!!!
I've got a better solution - don't put any sensitive documents on your phone.
On my home computer I've got documents with my passwords, bank information, credit cards, etc. But not on any portable computers or my Android. It just isn't worth the risk, even if it is encrypted. I consider it an axiom that anything portable could "grow legs" and get lost or stolen.
There's a couple of other common sense things you should do -
Any financial transactions should be done at home using a hardwire connection, or at minimum WPA2 encryption if you're using a WiFi network. While I could transfer money from savings to checking using my Android I don't - even if the bank says the transaction's secure. Why take the extra risks?
Use separate passwords for your phone, especially ones which may need to be used on a strange computer. For example, Lookout is one of the best free apps for helping you find a lost phone. One time I realized that I had misplaced my phone and was able to borrow a computer. I logged on to the Lookout website with my phone number and password and it gave me the GPS coordinates for my phone (not surprisingly the most recent stop that day). I was glad that I used a separate password for Lookout. While it's not likely that the computer I borrowed was logging my keystrokes the fact that the password was different from my other passwords gave me some added assurance. If i was really paranoid in tin-hat mode I would have changed the Lookout password afterwards.
I've got a better solution - don't put any sensitive documents on your phone.
On my home computer I've got documents with my passwords, bank information, credit cards, etc. But not on any portable computers or my Android. It just isn't worth the risk, even if it is encrypted. I consider it an axiom that anything portable could "grow legs" and get lost or stolen.
There's a couple of other common sense things you should do -
Any financial transactions should be done at home using a hardwire connection, or at minimum WPA2 encryption if you're using a WiFi network. While I could transfer money from savings to checking using my Android I don't - even if the bank says the transaction's secure. Why take the extra risks?
Use separate passwords for your phone, especially ones which may need to be used on a strange computer. For example, Lookout is one of the best free apps for helping you find a lost phone. One time I realized that I had misplaced my phone and was able to borrow a computer. I logged on to the Lookout website with my phone number and password and it gave me the GPS coordinates for my phone (not surprisingly the most recent stop that day). I was glad that I used a separate password for Lookout. While it's not likely that the computer I borrowed was logging my keystrokes the fact that the password was different from my other passwords gave me some added assurance. If i was really paranoid in tin-hat mode I would have changed the Lookout password afterwards.
Well some people live on their phone more then their computer, so they need to use their phone as that device, not trying to hate on you, just stating.
Also when you visit and encrypted webpage any transmission that is contacting that server will be in an encrypted TCP packet, so you can do it on 3g without worry of packet sniffers. Would love to see someone try to crack a 256 AES
The Following User Says Thank You to RoujinKarma For This Useful Post:
ADS KILL! Free apps can sometimes display ads that can hold hack, to be safe make sure you only install popular free apps. This usually reduces the chance for a hack, as Google and the Dev will really keep their eyes out for that app's security.
You can help kill two birds with one stone by rooting and running DroidWall. Really helps with apps that shouldn't need Internet access and only have it to load ads. Also, who doesn't love a good firewall?
The Following User Says Thank You to aldamon For This Useful Post:
Another app that is really good is LBE Privacy guard. It will allow you to set the permissions that an app can have. It does not matter what the developer has given it. You can allow or disallow any and all privileges. You would be shocked to see all the privileges a developer sometimes gives an app, like the ability to gain access to your call logs and system and to change them or make calls, etc.
This is way better than a firewall. I deleted my firewall because it was no longer needed and was just taking up space.
It will not work on non-rooted phones.
The best way to achieve the most security on an android phone is to gain root access. You can then fix most all the security holes using custom ROM's and rooted apps designed to solve most all the security problems that Froyo ROM's have. The biggest security risk would then be the apps that you download from sources other than the market.
Without root access your stuck in a security Swiss cheesed ROM (Froyo)
Last edited by AndyOpie150; April 19th, 2012 at 04:40 AM.
The Following 2 Users Say Thank You to AndyOpie150 For This Useful Post:
Another app that is really good is LBE Privacy guard. It will allow you to set the permissions that an app can have. It does not matter what the developer has given it. You can allow or disallow any and all privileges.
Keep in mind that the app will not work on non-rooted phones. All it will be able to do is tell you what permission you have inadvertently given each app.
Keep in mind that the app will not work on non-rooted phones. All it will be able to do is tell you what permission you have inadvertently given each app.
It didn't work well on a roots phone either. It pretty much broke everything. I couldn't send or receive SMS or mms or browse the net or view my contacts.
Works great on my phone. I have it set to prompt me to allow everything but access to phone ID, I have to choose to allow or disallow that in the settings for each individual app. Everything still works for me. I make sure I allow those apps that really need to use the Phone ID. And disallow those that don't.
If set in this manner it will work great. Not only that, but you will know when an app is doing something you would not normally have known about. It's surprising just how much some apps try to access location, and call logs.
At any rate: It may not work for some, but it works great for me (this is why I mentioned it).
The Following User Says Thank You to AndyOpie150 For This Useful Post:
If you live in a town whose crime rate is really going up, fast, like my town, where people will are getting dangerously bolder than ever before, don't drive around with navigator or Ulyses speedometer lit up on your dash, just screaming, "grab me".
I didn't realize the potential danger I could have been putting me and my phone in until my buddy brought it to my attention that I was being pretty stupid "advertising" my nice phone on my dash everywhere I went.
I guess were back to the common sense thing, my own of which I question.
Keep in mind that the app will not work on non-rooted phones. All it will be able to do is tell you what permission you have inadvertently given each app.
My phone has been rooted since day one but thanks. It works great. I appreciate the app suggestion.
Last edited by aldamon; April 20th, 2012 at 08:47 AM.
The Following User Says Thank You to aldamon For This Useful Post:
Hey guys, me again.
I can't really tell what the difference is between Opera Mobile and Opera Mini.
I do most of my web browsing sitting in front of my wifi, so I guess I don't care about how "compressed" anything is as far as racking up any data.
And I don't have a computer to "link" up to or anything like that.
Which one should I use?
Thank you
I just read somwhere about OperaMini. It uses about 10% of the bandwidth vs. the full Opera browser. It uses "flash" entirely to accomplish this, and I would assume the same holds true for Dolphin's mini version as well. This means with mini you won't get full functionality but pages will load faster, & bandwidth consumption lowered by a factor of 10. I haven't used a mini version, I think Dolphin is good enough for me, it sure is way more useful than the stock browser, safer to use too, according to what I've read here in AndroidForums. Hope that helps.
Edit 12/16/2012 : The recent version of Opera performs very well, faster page loading than Dolphin, but Dolphin's bookmark system gives more flexibility. Both are on both of my devices, my OptimusV and my $99 Arnova 7G3 tablet.
Last edited by iwantbruce; December 16th, 2012 at 10:53 PM.
The Following User Says Thank You to iwantbruce For This Useful Post:
LBE Privacy Guard may be Malware and a data miner. Please be careful. Read this AndroidForums thread, this guy couldn't install any other apps after uninstalling LBE Privacy Guard. LBE Privacy Guard: Possible Malware
How to "Harden" Your Android phone (2.2 - 2.3)
.
