What Am I Missing About Data Security On Android?

[DrSmith]

I hope I am missing something, because I would love to use my Android phone for my banking and personal business. But I cannot see how it could possibly be secure unless you locked down the phone, did not install ANY public apps, and maybe worked with the phone manufacturer to produce a secure device. I don’t see any way the average user could possibly set up an Android device that is secure enough to ensure it was safe to create, store or transmit any personal data through it.

First of all, you are installing apps from third parties whose intentions you know absolutely nothing about. Even if they have a “privacy statement” about their app, you are supposed to just trust some kid operating out of his parent’s basement in Uganda and take his word for what he is or isn’t doing on your phone and with your data? I think you’d have to be nuts. And that doesn’t even address the fact that Google has its hooks so far into every single thing you type or say into that phone that, and knows so much more about you than your own mother does, that it’s just plain scary! And who knows how secure the information they have on you is? Do you even know where it resides or who has access to it?

Then you take that app from an unknown a person and grant it all kinds of “permissions” to access every detail on your phone and the ability to transmit it anywhere in the world, possibly without even your knowledge? Virtually any app that is useful enough to do important work also needs permissions that can potentially be used to steal your data and commit a crime against you.

Then there is this. Suppose you have an app to scan your documents and you use it on your phone for scanning documents with critical private information on it like your social security number or account numbers? If you’ve ever looked into this, the phone will store that document in like 5 different places on the phone, without your knowledge, making it difficult to even find and delete it completely from the phone. And it might easily store it in a way you can’t find it at all and don’t even know it’s there. In a flash it could transmit that document to someone anywhere in the world possibly even without your knowledge. And even if you are aware of it, by the time you notice it it is too late.

It’s like making a hundred copies of a private document, running out in the road on a windy day and throwing it up in the air.

Sounds to me that if you are using your Android device/phone to do anything you want to keep private, you are like an elephant hanging over a cliff with its tail tied to a daisy. (I’m sure it’s probably true of ios too although I don’t really know much about that os).

Yet, millions of people are using their phones and devices to handle secure data. Maybe that’s why the incidence of things cyber related crimes are careening out of control?

While still not perfect, especially for the average person who doesn’t understand computer security, at least with a computer you have a better shot at controlling your data. But Android devices are designed to be invasive. That’s how they work their magic. Without it, you have a dumb phone, not a smart one. That invasion of your privacy is a serious double sided sword. I don’t see any way I can trust it with my private business.

What am I missing?

 

[Deleted User]

I agree. Personally there is no way I would install a third party 'banking' app on my phone, and I certainly don't feed any personal information to any app which may compromise the security of my bank account. I use the bank's website to do my online banking, which I feel safer with, but these days even websites aren't completely secure, so I mix up my passwords and don't use the same one across multiple sites.

But yes, you have no idea what an app is doing with your data. Most apps need Internet permission for ads anyway, so who knows where your sensitive information could be flying off to. Bottom line is, I wouldn't trust any third party app with my bank details. Only way to be sure is to write it yourself.

 

[DrSmith]

I agree. Personally there is no way I would install a third party 'banking' app on my phone, and I certainly don't feed any personal information to any app which may compromise the security of my bank account. I use the bank's website to do my online banking, which I feel safer with, but these days even websites aren't completely secure, so I mix up my passwords and don't use the same one across multiple sites.

But yes, you have no idea what an app is doing with your data. Most apps need Internet permission for ads anyway, so who knows where your sensitive information could be flying off to. Bottom line is, I wouldn't trust any third party app with my bank details. Only way to be sure is to write it yourself.

I go further than that. I won't use my phone or Android device for *anything* that needs to be private... no banking, no personal or work related private information, nothing. I never take pictures of anything, store any documents, record anything, type anything into it that I wouldn't want that 12 year old kid in Uganda to have access to. (nothing against Uganda OR 12 year old kids... just making the point).

It's a darn shame because the apps for Android, and Android itself are INCREDIBLE for productivity... plus the fact that it is so portable. But if you can't trust it for security, it's useless for that. I think that for the average person it's actually a trap. These apps give them a false sense of security and even if they aren't designed to do something bad, they are not secure and can allow someone else to do it.

To me it seems like a dirty little secret that millions of people aren't aware of.

 

[mikedt]

I go further than that. I won't use my phone or Android device for *anything* that needs to be private... no banking, no personal or work related private information, nothing. I never take pictures of anything, store any documents, record anything, type anything into it that I wouldn't want that 12 year old kid in Uganda to have access to. (nothing against Uganda OR 12 year old kids... just making the point).

I go even further again, and just don't use anything electronic for banking, personal, work etc. NO smart-phones, NO computers, nada. I just deal in hard cash, and write cheques occasionally.

 

[DrSmith]

I go even further again, and just don't use anything electronic for banking, personal, work etc. NO smart-phones, NO computers, nada. I just deal in hard cash, and write cheques occasionally.

I think you can make a distinction between using a browser to do your banking on a Windows computer versus using it to do banking on an Android phone or device. I think the Windows computer is much more likely to be less vulnerable to crime.

The main difference is that almost all Android apps are specifically *designed* to do intrusive and potentially dangerous things like read and send out your keystrokes, your voice and text messages, your notifications (which sometimes include private information) etc. They are INTENTIONALLY designed as spyware. You are just supposed to suspend disbelief somehow when using Android and assume that all the people to whom this information is being scattershot out to are angels who only want to do nice things for you like conveniently turning your voice into text or keeping track of your passwords in case you are in church and can't think of it when you need to access your bank account to make a donation when they pass the plate around.

It is the fact that Android apps can do things like that that MAKES them useful. But it's also what makes them dangerous!

With Windows, for example, very few apps are designed to do things like that... especially without your awareness. Yes, you can get malware on Windows that will do the same kinds of things, but at least you didn't intentionally open the door for it and welcome it in with a glass of milk and chocolate chip cookies like you do on Android. Of course it isn't perfect, but much less likely to be a problem I think.

Now... if security is the issue, and I have a choice between banking on my Windows laptop or in person at the bank, I choose the laptop. Why? Because with a secure encrypted connection between me and the bank's computer, I think I have less chance of fraud than I do with a human teller seeing my SS# and account # etc. Yes, the bank computer can be compromised and someone can get it that way. But that is true even if you bank in person. So the way I see it, banking online eliminates one layer of human intervention in the process and one opportunity for a bad guy to take advantage.

 

[DrSmith]

And by the way to be clear. I LOVE Android! It is an amazing incredible OS. In terms other than data security it is outstanding. But my complaint is that for anything other than games and entertainment, it seems useless to me if it isn't secure, and I don't think it is anything like secure. It seems to break all the basic rules of data security from the get-go. I also think that people don't seem to understand this and, on a mass scale, with millions of users, that isn't only their problem... to me it may amount to a national security problem because it is so widespread. Computer fraud and crime seems to be growing out of control. I wonder how much this is contributing to it. It's kind of scary in my view.

 

[Dannydet]

The general public are basically like lemmings to the ocean allowing their privacy to be compromised...
What a concept, to be used against them at an unknown later date....
Sit back and watch what happens....

 

[DrSmith]

The general public are basically like lemmings to the ocean allowing their privacy to be compromised...
What a concept, to be used against them at an unknown later date....
Sit back and watch what happens....

This all came up because I recently got a new phone and started installing apps. I already knew about these issues, but this reminded me of just how crazy it has gotten. The database that Google can build on you, where you live, everyplace you go, where you bank, eat, shop, visit, who your relatives are, what kind of car you drive, what your religion is, what Web sites you visit and what kinds of interests you have, what you read, what you write, what you eat, when you go to sleep and wake up for crying out loud!, what kinds of pets you have, what your political opinions are, etc. etc. etc. It's TERRIFYING!

And that's just GOOGLE which (seems at least) to be relatively benign (at least at the moment) compared to what some of the developers might be doing with that information.

I think the age of privacy is over. You no longer have it. If you leave your house, you are on camera everywhere you go. If you use your phone, your computer, or your car, you are being tracked and spied on. It's a fact of modern life. But that doesn't make it any less scary. This is America. Privacy is one of the legs of the chair of our most cherished value which is LIBERTY and FREEDOM. Where will that freedom go if that privacy doesn't exist anymore?

Maybe I am blowing it out of proportion, but to me at least this is very worrisome.

 

[mikedt]

This all came up because I recently got a new phone and started installing apps. I already knew about these issues, but this reminded me of just how crazy it has gotten. The database that Google can build on you, where you live, everyplace you go, where you bank, eat, shop, visit, who your relatives are, what kind of car you drive, what your religion is, what Web sites you visit and what kinds of interests you have, what you read, what you write, what you eat, when you go to sleep and wake up for crying out loud!, what kinds of pets you have, what your political opinions are, etc. etc. etc. It's TERRIFYING!

And that's just GOOGLE which (seems at least) to be relatively benign (at least at the moment) compared to what some of the developers might be doing with that information.

I think the age of privacy is over. You no longer have it. If you leave your house, you are on camera everywhere you go. If you use your phone, your computer, or your car, you are being tracked and spied on. It's a fact of modern life. But that doesn't make it any less scary. This is America. Privacy is one of the legs of the chair of our most cherished value which is LIBERTY and FREEDOM. Where will that freedom go if that privacy doesn't exist anymore?

I believe any privacy you had in America went away long ago, when using Google, Microsoft, Apple, Yahoo, Facebook, etc. especially with things like PRISM. In fact not any more privacy, than we have here in China.

 

[mikedt]

I think you can make a distinction between using a browser to do your banking on a Windows computer versus using it to do banking on an Android phone or device. I think the Windows computer is much more likely to be less vulnerable to crime.

I'm sure there's much more keyloggers, malware, virues, trojans and things written for Windows, than any other OS combined probably. In fact that's why I deliberately avoid using Windows for anything involving my privacy and personal data, and I use Linux.

 

[DrSmith]

I'm sure there's much more keyloggers, malware, virues, trojans and things written for Windows, than any other OS combined probably. In fact that's why I deliberately avoid using Windows for anything involving my privacy and personal data, and I use Linux.

That's probably true because there are far more computers that operate using Windows than any other OS including most businesses and government computers. So there is a reason that the bad guys write more bad programs for it than the others.

For me the bottom line on Android is this:

I installed an app that notified me that in order to work it has to have permission to read everything I type into my phone. But don't worry, the developer wrote -- "we won't use the information for anything bad." (or something very close to that)

HAHAHAHAHAHA! As if I am supposed to take some anonymous person's word? No thanks!

I think anyone who would read that and then use their phone for *anything* involving confidential information is crazy. It's like they warned you they were sticking their hand in your pocket to steal your wallet and you let them do it anyway.

 

[Hadron]

To be fair, a keyboard app by definition has access to everything you type. That's why you get that warning for any keyboard app.

Doesn't mean everything is designed to spy, it's just explaining the reality and hence warning people to take more care with keyboards (assuming you trust the one that comes with the phone more). Or you can use a different OS which won't point this out to you.

Note: I don't have any banking apps on my phone either. And as I root my devices they wouldn't work even if I wanted them to.

 

[DrSmith]

To be fair, a keyboard app by definition has access to everything you type. That's why you get that warning for any keyboard app.

Doesn't mean everything is designed to spy, it's just explaining the reality and hence warning people to take more care with keyboards (assuming you trust the one that comes with the phone more). Or you can use a different OS which won't point this out to you.

Note: I don't have any banking apps on my phone either. And as I root my devices they wouldn't work even if I wanted them to.

I agree, and I also agree that is a point well worth making. The "disclosure" in Android apps when you install them is admirable. The fact that they attempt to notify the user is something that other OS's don't do and technically I think it is very respectful of users to do that.

But in practice I don't think it means much for two reasons:

1. How many users really pay attention to those permissions disclosures? I think 99.9% just click OK and install the app without even giving it a cursory reading.

2. Even if they read it, how many users have the skills to be able to understand the consequences of each permission. I wouldn't think many.

So while I admire Androids attempt to inform users of what intrusions it is potentially making on their privacy, I don't think it is very effective in stopping the unwanted intrusions.

That is NOT to say that I can think of a better way to handle it. I think letting the user decide, whether they are informed or not is the BEST way to handle this.

But, I don't think that changes the fact that Android apps are in general relatively more intentionally designed to do things that are intrusive to user's privacy than say Windows apps and therefore have a higher potential for exposing users to unauthorized use of their data.

I so wish this wasn't the case. I've discovered so many amazing things I could do to help me be more productive with my Android phone that I can't do (or at least not nearly as easily) on a Windows laptop. But it's useless if I can't protect the data. And with potentially threats laced throughout the phone -- even if they are all well intentioned -- I just can't trust it.