I've been using a Motorola Droid X as my primary work phone for more than a year now. I've come to appreciate the breadth and depth of apps in the Android Market, the seamless integration with my office IT environment, and the superlative (and still unequaled) free Google Navigation app, which simply outclasses most traditional in-car GPS navigation devices I’ve used. Aside from occasional glitches and some awkward media handling, my experience with Android-powered smartphones has been largely positive.
Yet despite the runaway success of Android as a smartphone OS, some dark storm clouds are looming on the horizon. That same popularity that drove Android to a dominant position in the smartphone market is beginning to attract the unwanted attention of hackers, cybercriminals, and malware creators who are simply going where the growth opportunities are. Android is growing fast, and bad actors are falling all over themselves for a piece of the action.
I blogged a bit about the Android security risk in January of this year, when Trend Micro Chairman Steve Chang went on the record to say that Android had some security issues. Since then we've seen a raft of other high-profile Android security SNAFUs, from malware appearing in the Android Market to depressing stats from a security researcher who claimed that more than 120,000 apps infected with malware had been downloaded from the Android Market. My Windows IT Pro colleague Paul Thurrott even recently encouraged IT professionals to "just say no to Android" due to looming Android security problems.
So what does a harried IT professional do when faced with the task of trying to keep his burgeoning stable of Android mobile devices safe and secure from attack? While a 100% effective approach to mobile security doesn't (and will likely never) exist, here are some security tips that could be helpful in keeping your Android phones free from malware and other hostile software.
1. Revisit Password Security: Overworked and poorly-trained end-users are often the weakest link in IT security, and nowhere is that more evident than in the use (or lack thereof) of good password policy. We've previously posted a list of basic password security tips that everyone would be wise to follow, and that advice applies for mobile devices as well.
2. Do Your Homework: Before downloading an app onto your shiny new smartphone, you should review reader feedback for the app and possibly do a quick internet search or two to confirm that the app is legitimate. Doing some extra research before you download can save you lots of angst down the road.
3. Leverage Mobile Security Solutions: A number of security vendors have developed apps for mobile device security, including Trend Micro, ESET, McAfee, Symantec, and Webroot. Not all of them protect against the same threats or offer the same number of features, but more sophisticated security applications and approaches should find their way onto mobile devices in the near future. (Look for an overview of mobile security apps in a future blog entry.)
4. Manage Permissions: Android is an amazingly flexible and powerful smartphone OS, but that same freedom and control also gives malware creators more opportunities to slip through the cracks caused by incorrectly configured phones, particularly when it comes to app permissions. Android will prompt you when installing a new application and list all of the phone services that the app will have access to. If that new app is asking for permission to access something that seems unusual -- like an astronomy program asking for permission to access your email contacts -- you might be wise to cancel the install until you're sure the app is legitimate.
5. Block Apps Outside the Android Market: Unlike Apple's gated app store that serves as the primary access point for smartphone apps, Android allows users to easily install applications downloaded from other servers outside the Android Market. That flexibility is a must in some cases, but many users don't need to download apps from anywhere but the Android Market. Limiting your app downloads solely to the Android Market will enhance security a bit, but that approach isn't infallible, as the Android Market itself has been known to accidentally provide malware-infected apps to end users.
6. Disable Wi-Fi Auto Connect: Accessing free wireless at public locations can give you an enhanced smartphone experience, but also carries the risk of sending data and information from your phone to untrusted servers. Not every Android OS version or phone combination may have this feature, but you should see an option to disable it in the "Wireless & networks" tab in Android device settings. Try to only connect to trusted and/or secure wireless access points.
Have some Android phone security tips of your own to share? Add a comment to this blog post or start up a conversation on Twitter.