Ask Slashdot: Android Security Practices?
Soft writes "Smartphone security recommendations seem to boil down to Windows-like practices: install an antivirus, run updates, and don't execute apps from untrusted sources. On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus. What rules should I adopt on my soon-to-be-bought Android device? Can I use it purely with open-source apps and still make the most of it? Are Android's fine-grained permissions (accessing the network, contacts...) reliable? Can apps be trusted not to scan your files and keyboard for passwords and emails? What precautions do security-conscious Slashdotters take to keep control of their phones?"
Install a firewall. Not to keep the hackers out, mind you, but to keep your data *in*. There are way too many apps that try to phone home or do things they don't need to ('live' wallpapers come to mind). Disable their network access. If an application requires network access, bring it home, set it up on your home wifi network, and run a sniffer to find out where the data goes. You don't need to know what the data is per se. Then, try blocking as much of it as you can until the application stops working. You've now found the minimum amount of access that app needs to function.
A smartphone is a computer like any other and should be treated as such. Trust mobile apps as much as you would trust desktop applications. Do not install unknown software from unfamiliar sources and in general be as vigilant as you are with your Windows, Linux, or OS X system. If you are paranoid enough, there are firewall and app activity scanners out there. But perhaps you don't trust them either. In which case, write your own apps. It's not hard, even for the inexperienced, with the app-builder tools.
Every app requires full permissions, for no useful reason. Why a stopwatch wants access to my calls and read/write on the SD card, I don't know, and the choices are to either accept it or don't use the app. This is seriously broken. I don't even look in the Android Market anymore because it's just too much risk to install anything. It's actually worse than Windows, where at least I know where the software is coming from.
Take these for what they are worth, but here are my security practices:
1: Install DroidWall and use that to lock down everything except the apps you do want going out.
2: Use TouchDown or a discrete app for secure Exchange email. This allows you to keep contacts separate from the rest of the device, and the app can keep the contacts encrypted. If it is work email, it is good to keep it separated anyway.
3: Consider a PIN protecting app for #2 above, as well as your terminal, settings, and su app.
4: Use Titanium Backup with the encryption feature and store on Dropbox. If you look at TB, you will find that the way it does encryption using RSA keys is pretty well designed, so storing backups of apps on DB can be done securely.
5: Get a utility (I use WaveSecure out of habit, but there are others) that will lock the phone if the SIM card is changed, airplane mode is put on, and even allow one to remotely wipe the device and SD card. I'd like a utility that would give the ability to wipe the device and SD card if the phone has not seen Net access in "x" amount of time, similar to what BlackberryOS provides.
6: Look at reviews before buying apps.
7: Look at what security permissions the app asks for. If a notepad app wants access to your contacts, phone, SMS, or perhaps even pops up the su dialog, get rid of it ASAP.
8: If you use nandroid, consider some type of file encryption. This sucks when restoring a ROM image, but there are ways around that (decrypting the image while the SD card is mounted via USB, using a temporary ROM image with no data for decrypting, etc.)
9: Use AdBlock with Dolphin Browser. Ad rotation services are a noted source of malware.
10: Use known ROMs. The ROM ecosystem has been astoundingly clean for now, but it is only a matter of time before blackhats start adding their own "functionality" and putting ROMs on xda-developers and other sites.
11: Consider PIN protecting your SIM card. This way, when you do a remote erase, the thief might have a clean phone, but won't have free access to bandwidth, SMS, or calling capabilities.
12: Consider a "stuffbak" sticker. If the phone is found, at least there is a small chance it might get back to you, as opposed to 0 chance without it.
13: Keep backups. This way, if you do lose your phone, you can get another Android phone, fire up Titanium Backup, log onto Dropbox, type in your decryption key, and restore your apps with their saved data.
14: Bug Google for them to put volume encryption (LUKS) into Android, so it can be used on the SD cards.
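The sniff-then-block procedure from the firewall comment near the top of the thread and the DroidWall-style per-app lockdown in item 1 of the list above, as an added example that is not from either poster: it parses a few constructed `tcpdump -n` lines (not a real capture), runs the "block one destination at a time until the app breaks" loop against a made-up app oracle, and emits the iptables owner-match rules DroidWall installs for a given app UID. The phone address 192.168.1.50, the UID 10042 and every destination are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output, NOT a real capture: one app on a
# phone at 192.168.1.50 talking to four destinations, watched from the home AP.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.50.41234 > 93.184.216.34.443: Flags [S], seq 0, win 65535, length 0
12:00:01.050000 IP 93.184.216.34.443 > 192.168.1.50.41234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:01.100000 IP 192.168.1.50.41234 > 93.184.216.34.443: Flags [P.], seq 1:200, ack 1, win 65535, length 199
12:00:02.000000 IP 192.168.1.50.41235 > 198.51.100.7.80: Flags [S], seq 0, win 65535, length 0
12:00:03.000000 IP 192.168.1.50.53001 > 192.168.1.1.53: 4321+ A? example.com. (29)
12:00:04.000000 IP 192.168.1.50.41236 > 203.0.113.9.8080: Flags [S], seq 0, win 65535, length 0
"""

# Matches the "src.port > dst.port:" part of an IPv4 tcpdump line.
LINE_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+):")


def outbound_destinations(capture, phone_ip):
    """Map (proto, dst_ip, dst_port) -> packet count for traffic the phone sent.

    Only packets whose source is phone_ip count; replies are ignored. tcpdump
    prints TCP segments with "Flags [...]"; anything else is treated as UDP,
    which is good enough for the DNS/HTTP/HTTPS mix an app usually produces.
    """
    counts = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, _src_port, dst_ip, dst_port = m.groups()
        if src_ip != phone_ip:
            continue
        proto = "tcp" if "Flags [" in line else "udp"
        counts[(proto, dst_ip, int(dst_port))] += 1
    return dict(counts)


def minimise_whitelist(candidates, app_works):
    """The 'block until it stops working' loop from the firewall comment.

    Drop one destination at a time; if app_works() still returns True with
    that destination blocked, leave it blocked. app_works is the manual test
    the reader performs on the phone after each change. Removal order can
    matter when two destinations are interchangeable (two CDN mirrors), so
    the result is one valid minimal set, not necessarily the unique one.
    """
    allowed = set(candidates)
    for dst in sorted(candidates):
        trial = allowed - {dst}
        if app_works(trial):
            allowed = trial
    return allowed


def iptables_whitelist(uid, allowed, chain="OUTPUT"):
    """Egress whitelist for one app UID, the way DroidWall does it: the owner
    match pins each rule to the Linux UID Android assigns the app, and a
    final REJECT catches everything else that UID tries to send."""
    rules = []
    for proto, dst_ip, dst_port in sorted(allowed):
        rules.append(
            f"iptables -A {chain} -m owner --uid-owner {uid} "
            f"-p {proto} -d {dst_ip} --dport {dst_port} -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -m owner --uid-owner {uid} -j REJECT")
    return rules


if __name__ == "__main__":
    seen = outbound_destinations(SAMPLE_CAPTURE, "192.168.1.50")

    # Constructed oracle standing in for "does the app still work?": this
    # imaginary app needs DNS and its HTTPS API; the other two are extras.
    needed = {("tcp", "93.184.216.34", 443), ("udp", "192.168.1.1", 53)}
    keep = minimise_whitelist(seen, lambda allowed: needed <= allowed)

    for rule in iptables_whitelist(10042, keep):  # 10042: placeholder app UID
        print(rule)
```

The owner match only exists in the OUTPUT chain, which is exactly what you want here: it cannot block replies, but nothing the app did not initiate gets through. Blocking by IP is a first cut; apps that rotate CDN addresses will need a broader rule or a hostname-based approach, and the REJECT at the end is what tells you, when the app breaks, that you have cut too far.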