
What is the correct mindset for using Android phones with data security as the top priority?

I still use an old phone without any extra applications.

I use it for making calls, sending SMS, and writing short personal memos and storing important passwords. That's about it really.

I now want to upgrade to a modern Android phone, and feel the mobile world has changed a lot in the last years. The main thing being the importance and attraction of apps. In the "good old days" all the "apps" you needed were on the phone straight from the manufacturer and you did not need to install anything more.

But today I get the impression that more and more functionality is outsourced to 3rd party apps. Which leads me to my question. Before I just had to trust the phone manufacturer (e.g. Nokia or Siemens), but now it seems I have to trust all kinds of 3rd party backyard software programmers - which I certainly don't.

When I write my HIGHLY personal memos and passwords in a note taking application on my phone it is EXTREMELY important for me that they stay on the phone and do not leak out to anyone else.

So, to my question:
Given that I have the privacy of my own personal data (notes, passwords, photos, etc) as the single most important priority, should I consider buying an Android phone or not?

I really would like an Android too, but I am unsure if the paradigm underlying the very fabric of Android is contrary to my requirements.

Must I start thinking about my phone as I think about Facebook. That everything I put on it could one day become public without my control, even though the settings today are set to "private"?

If I were to go for an Android phone, what would be the rules of thumb I would need to adopt to ensure my personal data stay personal and private? I am especially thinking about installing apps from the Android Market. Must I rule out all apps that require network access (which seems to be the vast majority)?

What other rules of thumb would ensure the privacy of my data?

Are there specific manufacturers or phone models that are more geared towards this kind of security than others?

PS. And for curiosity - how do you people think about the data on your phone? Do you accept that it may end up somewhere else? Or are you confident it will not and if so why are you so confident about that?
 
I still use an old phone without any extra applications.

I use it for making calls, sending SMS, and writing short personal memos and storing important passwords. That's about it really.

Storing passwords in plaintext on any mobile device is not smart or secure.

I now want to upgrade to a modern Android phone, and feel the mobile world has changed a lot in the last years. The main thing being the importance and attraction of apps. In the "good old days" all the "apps" you needed were on the phone straight from the manufacturer and you did not need to install anything more.

But today I get the impression that more and more functionality is outsourced to 3rd party apps. Which leads me to my question. Before I just had to trust the phone manufacturer (e.g. Nokia or Siemens), but now it seems I have to trust all kinds of 3rd party backyard software programmers - which I certainly don't.

Why not? There are developers that are highly trusted. This concept you have of a backyard developer is just wrong. Some of the notes applications are from large companies that have a lot to lose if they leak your info.

Also, Android's permission system means that if an app does not tell you that it is accessing the internet, it is not. So get a note app that does not request internet access.

When I write my HIGHLY personal memos and passwords in a note taking application on my phone it is EXTREMELY important for me that they stay on the phone and do not leak out to anyone else.

See the permissions above. Also, it seems counterintuitive to me that you would store such personal info in plaintext anywhere. You seem to have a false sense of security on your dumbphone.


So, to my question:
Given that I have the privacy of my own personal data (notes, passwords, photos, etc) as the single most important priority, should I consider buying an Android phone or not?

Yes. Just do not be stupid about which apps you use (i.e. check permissions, established devs, and no shady Chinese third party markets)

I really would like an Android too, but I am unsure if the paradigm underlying the very fabric of Android is contrary to my requirements.

It is not.

Must I start thinking about my phone as I think about Facebook. That everything I put on it could one day become public without my control, even though the settings today are set to "private"?

No? Why would you have to do that? If you are really scared, use encryption.

If I were to go for an Android phone, what would be the rules of thumb I would need to adopt to ensure my personal data stay personal and private? I am especially thinking about installing apps from the Android Market. Must I rule out all apps that require network access (which seems to be the vast majority)?

No. Just rule out apps that are NOT from trusted devs and require internet access.

What other rules of thumb would ensure the privacy of my data?

TRUSTED DEVS! Also, encryption. It seems to me that if you just used AES256 encryption on the files that were private, you would not have a problem.

Are there specific manufacturers or phone models that are more geared towards this kind of security than others?

Not in any major way. IIRC Moto Droid Pro has full device encryption, but that may be overkill and I am not sure of it.

PS. And for curiosity - how do you people think about the data on your phone? Do you accept that it may end up somewhere else? Or are you confident it will not and if so why are you so confident about that?

I treat it as I would any digital data. If it is private, it is encrypted to the highest level that is reasonable. I will say it again-- I think your sense of security on the dumbphone and possibly your home computer is false. Anything that is mobile or attached to a network is not infallible.

Responses in Red.

Thanks,
Nkk
 
When I write my HIGHLY personal memos and passwords in a note taking application on my phone it is EXTREMELY important for me that they stay on the phone and do not leak out to anyone else.

This combined with your username makes me go :eek:

That aside, just choose a note app that does not require network permissions. Similarly, look for one that supports strong encryption in the case your phone gets stolen.

[edit] a timely read on wireless security from android apps: http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
 
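An added illustration of the permission check recommended in the replies above (not part of any post in this thread): a small Python script that reads the text printed by `aapt dump permissions` and applies the rule "reject an app that can send data off the device unless its developer is on your trusted list". The two dumps and package names are constructed samples, and treating SEND_SMS and BLUETOOTH as off-device channels alongside INTERNET is an assumption that goes beyond what the thread names.

```python
import re

# Constructed sample dumps for two hypothetical note apps (not real APKs).
# Both line styles printed by different aapt versions are included.
SAMPLE_OFFLINE = """\
package: com.example.offlinenotes
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: android.permission.VIBRATE
"""
SAMPLE_ONLINE = """\
package: com.example.syncnotes
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.INTERNET'
"""

# Permissions that let an app move data off the device by itself.
# INTERNET is the one the thread discusses; the other two are assumptions.
OFF_DEVICE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.BLUETOOTH",
}

_PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?")
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?")


def parse_manifest_dump(aapt_output):
    """Return (package_name, set_of_declared_permissions)."""
    package, perms = None, set()
    for raw in aapt_output.splitlines():
        line = raw.strip()
        pkg = _PKG_RE.match(line)
        if pkg:
            package = pkg.group(1)
            continue
        perm = _PERM_RE.match(line)
        if perm:
            perms.add(perm.group(1))
    return package, perms


def review_app(aapt_output, trusted_packages=frozenset()):
    """Apply the rule: off-device permissions are acceptable only from trusted devs."""
    package, perms = parse_manifest_dump(aapt_output)
    off_device = sorted(perms & OFF_DEVICE_PERMISSIONS)
    if not off_device:
        decision = "accept"
    elif package in trusted_packages:
        decision = "accept-trusted"
    else:
        decision = "reject"
    return {"package": package, "off_device": off_device, "decision": decision}
```

For a real app, the input string would be the output of `aapt dump permissions app.apk`; the check covers declared permissions only.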
Thanks for commenting Nkk and thedosbox

I unfortunately can not share the same trust in 3rd party developers as you Nkk. But maybe I just do not have enough knowledge of their track record and background to evaluate.

This combined with your username makes me go :eek:
Ha ha!
I see what you mean!
I am sorry, I just borrowed the account to pose this question not bothering to register my own account yet as I am not sure Android is for me.
The account name is unfortunate.
The information is more like personal diary notes, not daring bedtime photos of my wife ;-)

That aside, just choose a note app that does not require network permissions. Similarly, look for one that supports strong encryption in the case your phone gets stolen.

[edit] a timely read on wireless security from android apps: Catching authTokens in the wild - Universität Ulm

Thanks.

I am still not sure about this matter.

I have now read some more about the appalling security update practices of most Android phone manufacturers and must say I am if not shocked at least highly disillusioned. History seems to reveal that it is only the Google Nexus models that receive even the most critical security updates.
Editorial: Android's most wanted -- New phones with a current OS | Android Central

So, my "trusted list" just got a whole lot shorter, ruling out HTC, Samsung and the lot, seemingly leaving me with just the Nexus models to consider.

Maybe I should not be looking at phones at all but at PDAs without network capability. But I would really hate dragging with me two devices. Might as well take with me a laptop. :mad:

Oh well...
 
I unfortunately can not share the same trust in 3rd party developers as you Nkk.
You'll be stuck with stock functionality on any smartphone if that's the case. If you're that paranoid, however, you really should seriously question the core Android devs as well as the coders adapting the source to OEM devices. Don't assume you can trust them.

Must I start thinking about my phone as I think about Facebook. That everything I put on it could one day become public without my control, even though the settings today are set to "private"?
Android and Facebook is an apples and oranges comparison.

I am sorry, I just borrowed the account to pose this question not bothering to register my own account yet as I am not sure Android is for me.
You don't have to decide that Android is for you before creating an account here.

Maybe I should not be looking at phones at all but at PDAs without network capability. But I would really hate dragging with me two devices. Might as well take with me a laptop. :mad:
Cutting off all outside access and good physical security is the only way to guarantee security. Of course, that's not practical for most. You have to decide where you want to draw the line. Laptops are easily lost/stolen.
 