Best practices for securing an android device

Question

Does anyone have any suggestions on securing an Android device? I'm not particularly interested in enterprise level software - I'm looking to secure my own ZTE Blade phone which has a lot of personal information on it.

Question taken from: http://www.reddit.com/r/netsec/comments/hsdgc/best_practices_for_securing_an_android_device/

Answer 1

Use the features already on the phone as your first choice. The features on the phone:

• Are battle-hardened technology.
• Don't require Apps from third parties.
• Are very well embedded in the Operating System.
• Usually provide great value for money and effort.
• Just don't look as sexy as additional features (they don't have the marketing budget).

Other Recommendations.

• Screen lock / password. ( Make your password strong enough that it cant be easily guessed / compromised, my daughter cracked my complex pattern password easily, so don't use pattern passwords and probably not pin passwords)
• Only allowing Known Sources (i.e Android Market), remember that an application is a major attack vector.
• Don't load hacked applications ;)
• Don't load many applications at all.
• Dont root your phone.
• Use a password manager on your phone. I recommend Android LastPass myself as it encrypts at rest, but the password has to be entered on demand to make this very secure.
• Unless you have a secure folder as @Traroth mentions, everything on the sim card can be retrieved by your attacker (and malware is probably able to read encrypted content when you unlock the encrypted volume, this goes for a password manager too).
• Remote Wipe (Google Play and a lot of other services offer this).
• Don't select "Always" for important functionality like 'Send SMS', because this can allow a compromised application to send paid-for-sms without user intervention.

Remember that each of these security technologies offer an improvement in security. But equally, they also can provide a avenue for compromise.

1. Remote wipe and other 'control' tools can also maliciously wipe your phone if the account/service is compromised.
2. If the Application provider is compromised, then the malware enabled application can cause a lot of mischief.

Updated for 2018:

• Encrypted storage. Allows for (among other things) simple and complete device wipe.
• Fingerprint unlock. Can ensure much better usability, but can also allow bully-boys to physically force you to unlock your phone.

Answer 2

digitalchris at reddit provided this list of software tools to help protect:

• Android screenlock
• Droidwall - Firewall App
• Norton Security Beta - Anti-malware and tracking
• Prey - Tracking application
• TextSecure - Encrypted text
• RedPhone - Secure phonecalls
• Where's my droid - Tracking

Answer 3

You may want to consider installing NSA's Security Enhanced Android

Features:

• Per-file security labeling support for yaffs2,
• Filesystem images (yaffs2 and ext4) labeled at build time,
• Kernel permission checks controlling Binder IPC,
• Labeling of service sockets and socket files created by init,
• Labeling of device nodes created by ueventd,
• Flexible, configurable labeling of apps and app data directories,
• Userspace permission checks controlling use of the Zygote socket commands,
• Minimal port of SELinux userspace,
• SELinux support for the Android toolbox,
• Small TE policy written from scratch for Android,
• Confined domains for system services and apps,
• Use of MLS categories to isolate apps.

Get the download here: http://selinuxproject.org/page/SEAndroid

Answer 4

There a bunch of apps on Android which offer an encrypted folder you can only access with a password to let you store your sensitive files. For example Secure File, but it's not the only one:

http://www.androidzoom.com/android_applications/tools/secure-file_ujcc.html

Unfortunetly, the website doesn't indicate which encryption algorithm is used, so it's hard to say to which point it's actually secure. I would say: Secure enough to protect you against a random thief stealing your smartphone because it's shiny, but not enough against a corporate spy who is after your data...

Answer 5

I would recommend tracking software such as Lookout Mobile Security (+antivirus) or Prey Project.

Answer 6

Download the Signal app for private and encrypted end to end conversation

Those who are using Redphone and TextSecure

RedPhone users will be prompted to download the new Signal app, while TextSecure users will simply need to install an update that keeps the same private chat capabilities as the previous app, also adding RedPhone's ability to make and receive secure calls. Users can communicate using their existing phone number and address book, rather than needing to set up a separate login, and the Open Whisper team promises all conversations and messages sent between devices running the app are end-to-end encrypted.

http://www.theverge.com/2015/11/3/9662724/signal-encrypted-chat-app-android-edward-snowden

Answer 7

I would recommend you root phone.

Droidwall - Firewall App. ( Necessarily, if you connect to internet through device)

Prey - Tracking application. ( To track your device from home PC, you should looking for another one/two same software. Prey is very popular, it will be disabled firsts. )

Use software to backup/restore firmware and keep clean image of firmware on your PC in addition to sdcard. Better on DVD-R.