Most people these days carry a mobile phone or tablet on their person. Some people even have two, maybe an extra device for work. Globally there are an estimated 6 billion devices in circulation (http://www.bbc.co.uk/news/technology-19925506). Devices these days are like a mini computer and store things like contacts names and numbers, they can deploy applications for us that we can interact with. We can check social media or the internet and of course we can make a call or SMS (Text Message). The device is a window to the world and because of this, it should be secured against any wrongdoing, either online (hacking), or offline (lost/stolen).
All of our information is downloadable and traceable and could be shared with the whole world if we are not careful.
In an ideal world people wouldn’t steal other peoples stuff, but it happens and your information may be valuable to someone else. There is no one better to ensure our data is safe than ourselves. Here are a few tips on how to keep that device safe.
Login Authorization: Android 2.3 or higher comes with password protection installed. A password or phrase is probably the best way of securing access to our device. Smudges on screen can give away our pin numbers. Fingerprint scanning is quite secure, but that fingerprint will be saved on the device and if hacked, is easily accessible, giving an intruder the option of stealing our identity.
Passwords or phrases should be long (The longer the better), contain upper and lower case letters. Also use numbers and special characters (&*$%£).
Many Android operating systems have a feature called ‘pinning’ – this can lock the selected application on display on the device. Your device can be passed to another person to show a page or image of interest, but they cannot leave this page or explore your device – a pin number is need to unlock the device for normal usage.
Device Updates: Updates are critical to security. Recently Nexus released an Android update because their devices were vulnerable to remote code execution through multiple methods such as email, web browsing and MMS (https://source.android.com/security/bulletin/2016-02-01.html). Devices not updated will still be vulnerable to this attack. With updates, vendors release patches for vulnerabilities they find on their devices.
Device Back-up: It is second nature for us to create backups of important data from our desktop or laptop computers. Our mobile devices represent a greater risk, they can be stolen, dropped, malfunction or replaced with a newer model / device. When considering a backup option, consider the following:
- 3-2-1: Three copies, two different media and one copy off site – best practices.
- Where will this backup application store the data, how secure is it?
- Most smart phones can back-up to an attached Storage Device (this should be encrypted & set for daily backups).
- ISP’s, E-mail providers and the phone manufacture may offer a free back-up option – it’s prudent to research if your data can be used by them in any way.
– A plenitude of backup applications exists, recall the ‘New Applications’ section above when choosing – popular solutions are: My Backup Pro ($3.99), Super Backup ($1.99), Easy Backup (free), Backup Your Mobile (free). Ideally choose an application that will fulfill the 3-2-1 guide.
Wifi Protector: This app is for those who are tired of being kicked from the network by WifiKill, also, for those who are a little bit paranoid, because they know it’s quite easy to read the Wi-Fi traffic with tools like DroidSheep, Ettercap, FaceNiff, Cain & Abel and others. Such programs use the same technique to prevent you from accessing the network or to sniff your data. You can defend yourself with a single app.
Wifi Protector is an Android security app specifically designed to detect and prevent ARP spoofing attacks against your device in Wi-Fi networks.
Personal Firewall: ‘Lostnet Firewall‘ app allows the user to blacklist geographical areas that are known hotspots for malware activity. It also allows the user to set any application to full network access, Wi-Fi only access or block all activity – can help reduce data usage in this manner. The ‘pro’ version (€0.99) enables the phone to use the VPN provided, mitigating man-in-the-middle-attacks and general data gathering technique’s.
Encryption: To set it up if we haven’t already done so, open our device’s Settings screen, tap Security, tap Screen Lock, tap PIN or Password, and set up a new PIN or password. We can now encrypt our Android phone’s storage. Open its Settings screen, tap Security, and tap Encrypt phone (or Encrypt tablet) under Encryption.
To encrypt communications there are app’s like Redphone for calls and Signal or Telegram for messaging. These offer end to end encryption for users.
New Applications: The ‘Play Store’ is the main repository for Android applications, it should be remembered that not all apps int the Play Store are safe. When reviewing an app, take the following into consideration – read comments and rating of the app, what permissions does it require. The permissions should equal the functionality of the application, e.g. a flash torch app will not need access to your messages/contacts. To protect users that install apps from outside the android Play Store Verify Apps 
attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
Malware Detection: If our device manufacturer is Google, enable the Verify Software option under Security in Settings. If this option is not available, a third party anti-virus scanner can be installed to scan apps before they are installed for known malware. Additionally installing Clueful app will detail the current applications installed on our device and what permissions they have – do we know how many of our apps track our location or have access to our messages?
Lost/Stolen: In the event of our device getting lost or stolen we could refer back to encryption and authorization. If we have correctly configured our device with those two steps our data will be secure. If we have data that is in urgent need of retrieval there are many apps that will track our device. One of these is AntiDroidTheft. A simple anti-theft device which lets us locate our device via GPS, track changes made to the SIM card and view the pictures that have been taken by the smartphone all through the Web.
If there is important data on the device that you would not like to get into the wrong hands we could wipe the entire contents of the device remotely. Cerberus has all the works, remote alarm trigger, tracking via GPS, remote wipe of the SD card as well as the internal storage, remote lock of the phone, plus alerts of a SIM change. You can also record audio from the microphone. The free version lasts for a week, while the Pro version lets you use it for up to 5 devices under the same account (Pro: €2.99).
As we can see, there are many apps we can add to our device to keep our data safer, but no device is completely safe. The advice here would be, don’t log into any public Wi-Fi networks, use only your device providers network or your home network. Better again, any time you leave the house, go invisible, just turn off Wi-Fi and Bluetooth.
By David Lynch and QuBits 05 February 2016
Linux Security Blog 