Ask Slashdot: How Do You Protect Data On Android?
Gibbs-Duhem writes "It makes me very nervous that my Android phone has access to my email/AIM/G-talk/Facebook, protected only by a presumably fairly easily hacked geometric password protection scheme. Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered. I have no idea how much of that information ranging from cached emails to passwords stored in plaintext is accessible when mounting the device as a USB drive, and that worries me."
For the rest of Gibbs-Duhem's question about issues in Android security, read on below.
Gibbs-Duhem continues: "I have a lot of sensitive information in my email, including passwords for websites and confidential business/technical strategy discussions (not to mention personal emails ranging from racy emails from boyfriends to health discussions). My email and messaging client passwords are difficult to type (or even remember), so I would ideally want them saved in the device, although at least having something like a keyring password that needed to be re-entered after a time delay would make me feel better. This leaves me relying on encryption and OS level security to protect me.
I'm okay with this on my real laptop and computers as my hard disks are software encrypted and I make a habit of locking my session whenever I leave my desk. For instance, if I lost my laptop, the odds of the thief getting access to my information are minimal. However, I don't feel that this is at all true for my phone (which is frankly far more likely to be lost).
How is it that the Slashdot security pros handle this issue? Do you just not use email or the many other incredibly convenient capabilities of new Android smartphones due to the risk? Or are there specific ways in which we can guarantee (or at least greatly augment) the existing security practices?"
This looks like exactly what you want. It warns that it's in beta, though, so I'm not sure how well I would trust it. Seems like better than nothing. Says it does full encryption of the entire system, optionally your SD card, as well as optional firewall for your phone. Wouldn't rely on it without backups, but it should work. Also, you could look at a system that keeps passwords off your actual phone, like LastPass does. Not sure how well it works with Android, but I'd look into it.
Also, Honeycomb supposedly offers device-level encryption (link), so if you can wait for that on phones, that'd work too.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
"Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered."
I have a Nexus S with Android 2.3.4. Whenever I plug in a USB data cable, a pop-up asks me to "Turn on USB storage". This is only accessible after I enter my password. I realize he is bitching in general but with respect to this specific problem... it's a non-issue.
Actually you can have your cake and fucking eat it too:
Set the default USB connection activity on the phone to "CHARGE" instead of "MOUNT SDCARD LIKE A FUCKING DUMB ASS".
Then enable the lockscreen option and if someone picks your phone up and connects it to a PC, it's only going to charge the battery.
Now the thing to really worry about is someone taking your phone and then pulling the SDCARD out and mounting that on their PC, that will give them full access to everything stored on it, including all downloaded emails, dirty pics and movies you've shot in the bathroom to send your partner, etc.
Can you even access the pull-down to activate USB mass-storage mode when the phone is locked?
I would think it's sufficient just to disable development mode, so that ADB cannot be hooked into USB, which I think does work when the phone is locked.
"Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered."
No, it doesn't. You get access to /sdcard (whether it corresponds to a physical SD card or not), but that's it. You don't get access (even read access) to sandboxed application and system data storage, unless your phone is rooted.
So the obvious answer is that, if you want security, don't root your phone. It should be kinda obvious that if you can do what you want with the phone via USB, so can any application running on your PC.
If you think that 99% of people use "smart phones", you're grossly out of touch with reality. "Smart phones" are grossly expensive status symbols. The only people I know who use "smart phones" have them to impress other people. I run a multi-million dollar business just fine with a laptop and a "dumb" cell phone.
In Australia in 2010, 43% of phone sales were smart phones. The prediction for 2011 is 70% of sales will be smart phones.
Smart phones are becoming the norm.