Mobile Security: Tips for Securing Android Phones

RSS

I've been using a Motorola Droid X as my primary work phone for more than a year now. I've come to appreciate the breadth and depth of apps in the Android Market, the seamless integration with my office IT environment, and the superlative (and still unequaled) free Google Navigation app, which simply outclasses most traditional in-car GPS navigation devices I’ve used. Aside from occasional glitches and some awkward media handling, my experience with Android-powered smartphones has been largely positive.

Yet despite the runaway success of Android as a smartphone OS, some dark storm clouds are looming on the horizon. That same popularity that drove Android to a dominant position in the smartphone market is beginning to attract the unwanted attention of hackers, cybercriminals, and malware creators who are simply going where the growth opportunities are. Android is growing fast, and bad actors are falling all over themselves for a piece of the action.

I blogged a bit about the Android security risk in January of this year, when Trend Micro Chairman Steve Chang went on the record to say that Android had some security issues. Since then we've seen a raft of other high-profile Android security SNAFUs, from malware appearing in the Android Market to depressing stats from a security researcher who claimed that more than 120,000 apps infected with malware had been downloaded from the Android Market. My Windows IT Pro colleague Paul Thurrott even recently encouraged IT professionals to "just say no to Android" due to looming Android security problems.

So what does a harried IT professional do when faced with the task of trying to keep his burgeoning stable of Android mobile devices safe and secure from attack? While a 100% effective approach to mobile security doesn't (and will likely never) exist, here are some security tips that could be helpful in keeping your Android phones free from malware and other hostile software.

1. Revisit Password Security: Overworked and poorly-trained end-users are often the weakest link in IT security, and nowhere is that more evident than in the use (or lack thereof) of good password policy. We've previously posted a list of basic password security tips that everyone would be wise to follow, and that advice applies for mobile devices as well.

2. Do Your Homework: Before downloading an app onto your shiny new smartphone, you should review reader feedback for the app and possibly do a quick internet search or two to confirm that the app is legitimate. Doing some extra research before you download can save you lots of angst down the road.

3. Leverage Mobile Security Solutions: A number of security vendors have developed apps for mobile device security, including Trend Micro, ESET, McAfee, Symantec, and Webroot. Not all of them protect against the same threats or offer the same number of features, but more sophisticated security applications and approaches should find their way onto mobile devices in the near future. (Look for an overview of mobile security apps in a future blog entry.)

4. Manage Permissions: Android is an amazingly flexible and powerful smartphone OS, but that same freedom and control also gives malware creators more opportunities to slip through the cracks caused by incorrectly configured phones, particularly when it comes to app permissions. Android will prompt you when installing a new application and list all of the phone services that the app will have access to. If that new app is asking for permission to access something that seems unusual -- like an astronomy program asking for permission to access your email contacts -- you might be wise to cancel the install until you're sure the app is legitimate.

5. Block Apps Outside the Android Market: Unlike Apple's gated app store that serves as the primary access point for smartphone apps, Android allows users to easily install applications downloaded from other servers outside the Android Market. That flexibility is a must in some cases, but many users don't need to download apps from anywhere but the Android Market. Limiting your app downloads solely to the Android Market will enhance security a bit, but that approach isn't infallible, as the Android Market itself has been known to accidentally provide malware-infected apps to end users.

6. Disable Wi-Fi Auto Connect: Accessing free wireless at public locations can give you an enhanced smartphone experience, but also carries the risk of sending data and information from your phone to untrusted servers. Not every Android OS version or phone combination may have this feature, but you should see an option to disable it in the "Wireless & networks" tab in Android device settings. Try to only connect to trusted and/or secure wireless access points.

Have some Android phone security tips of your own to share? Add a comment to this blog post or start up a conversation on Twitter.

Discuss this Blog Entry 3

on Sep 12, 2011
I would add that most Android phones have the possibility to connect to a VPN connection of which many companies have their own. If connecting to an open wireless access point using a VPN connection allows you to encrypt your internet traffic so it won't matter if someone intercepts it as it. This is the easiest way to get around the open access point problem.
on Sep 8, 2011
Good tips, Jeff. At Symantec, where I work, we often share very similar best practices. Unfortunately, there is no fool-proof way of determining if an app on a market is legitimate or a Trojanized replica. I think the key is leveraging a combination of all the tips listed here. One additional trick that came to mind is to pay attention to the name of the app creator. If downloading a popular app from a well-known app creator, then an app that purports to be the legitimate version, but has a different author listed should be a definite red flag. Spencer Parkinson Symantec
on Sep 11, 2011
Thanks for the feedback and input, Spencer.

Please or Register to post comments.

What's Security Blog?

Security news, views, product reviews, and solutions for Microsoft Windows IT professionals.

Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×