Security scares are everywhere in 2016, both on the desktop and on mobile. But how worried should you be as an Android user? In short, not very – but that doesn’t mean you should relax completely, I still have some hard hitting advice to impart and some settings that I’d strongly advise are in place. Read on and (hopefully) be reassured….
The state of Android is well known – it’s fragmented, across multiple versions and hundreds of manufacturers with dozens of skins and add-ons. It’s a genuine nightmare in terms of consistency and security. So we get a vulnerability discovered in the Android AOSP code – and quickly patched by Google and an update issued to its Nexus phones. Which represent less than 1% of all Android-running phones on the planet. Meaning that 99% still have the vulnerability – and the vast majority of these will never be patched. Isn’t this a disaster waiting to happen? Should you be lying awake, sweating with worry every night that you’re not using a Nexus?
Actually no. At least, not if you take reasonable precautions, as detailed below.
For starters, just because a vulnerability is found by some researchers, i.e. a weakness in the OS that can cause things to go wrong in a repeatable fashion, doesn’t mean that an exploit can necessarily be fashioned to do something malicious. One does not always lead to the other.
Secondly, even if an exploit is created by a hacker somewhere, he has the rather tricky task of getting it onto Android phones worldwide. Very occasionally a malicious application will make its way into Google’s official Play Store (perhaps pretending to be a game or utility), but it’s quickly unmasked and withdrawn by Google, even from devices which have it installed. The usual tactic then is to trick the user into checking the box in Settings marked ‘Unknown sources’ and serving them up a ‘.apk’ app installer, either from a web page or via email or social network. No doubt promising a great free game or new functionality. Or riches. You get the idea.
However, even then, i.e. after having allowed installations from unknown sources, as long as the user has ‘Improve harmful app detection’ checked in their Google settings then the big ‘G’ still gets involved and will in due course stop the application from running, via the hooks in Play Services.
So plenty of barriers to anything nasty getting on your Android smartphone. However, the likes of Amazon love to request ‘Unknown sources’ be checked, as it means that they can serve up not only their own legitimate Amazon first party applications but also third party apps via their own store. So it’s tempting to just leave this switch on, to ease installation of these extras. Plus the ‘Improve…’ switch just mentioned defaults in most cases to ‘off’, presumably because it violates some privacy directive – though when has this ever stopped Google before?(!)
In practice then, a surprising number of Android phones are left vulnerable, akin perhaps to leaving your front door unlocked on your house.
Which means that the danger, the risk, then boils down to the ‘Impact’ of any vulnerability in the OS multiplied by the ‘Probability’ that a given phone will actually be affected. For most people, the latter will be very small, as long as they stick to the Play Store for all application installs. And to Amazon’s ‘Underground’ Store at a pinch. So the overall risk is very small.
But as we venture East, to India and China, ‘local’ app stores become prevalent. In theory, these should take as much care as Google at checking submissions – in practice, they don’t and it’s easy for a ‘root kit’ or trojan to make its way into one of these stores, disguised as something more innocuous. The software then intercepts everything you do, including grabbing passwords and banking details. You get the idea.
Even with just the Google Play Store in err…. play, with the switches above turned on and then going looking for free games and applications to download directly, on torrent and pirate sites, is a recipe for disaster – Google’s on-the-fly malicious app checking may often be too late to save you. In the analogy above, it’s leaving your front door open and then going out to tell potential crooks where you live and that they should make themselves at home.
Your Android security check-list
So, let’s boil all of this (and more) down to a simple check list. Obviously, you’d also like your phone to be patched as up to date as possible by Google (via Play Services) and by the manufacturer (in terms of OS and security updates), but you have no control over these. The more things you’re doing right below, the safer you’ll be, however old the software and security status in your current Android smartphone.
- Keep ‘Unknown sources‘ (in Settings/Security) unchecked as much of the time as possible. If you need to enable it for a specific, trustworthy install (e.g. installing or updating the Amazon Prime Video client) then try to remember to disable it again straight afterwards
- Go into ‘Google Settings’ from your main application list and make sure that both ‘Scan device for security threats‘ and ‘Improve harmful app detection‘ are turned on.
- Avoid the temptation to look for applications and games outside of the main Google Play Store. Yes, it’s tempting to think of saving $5 for ‘that game’, but if it brings along malware then you’ll be spending many hours trying to sort out your life afterwards – and possibly losing money and your ID along the way. Piracy isn’t worth it.
- Pop into your SMS messaging application of your choice, dive into (Advanced) Settings and turn off ‘Auto-retrieve MMS’ – this has been a vector for miscreants to take advantage of the much publicised Stagefright vulnerability in a wide number of Android versions, simply by sending out special MMS to mobile phone numbers.
- When looking for an application or game in the Play Store (or a third party Store if absolutely necessary), watch out for ‘copy cat’ titles, often with subtly different names. You can verify that you’ve found the right title by diving into the details and seeing a large number of downloads and realistic reviews stretching back months or even years. An item with only a few hundred downloads or only a handful of reviews (and often all from the last week or so) are big warning signs. Be careful you don’t get duped. And if you’re convinced that an app or game is a fake or misleading then report it – there’s a link at the bottom of every item’s listing, certainly in the main Play Store.
- Minimise your use of public wi-fi. Yes, it’s true that quite a bit of what you do on your Android smartphone has encryption enabled. Think Gmail and Chrome. But an awful lot of data traffic to and from your phone is unencrypted, or using a weak encryption. Meaning that a hacker can put up a ‘man in the middle’ access point in an Internet cafe called ‘Free Wi-fi’ and snoop on everything that passes through that’s not locked down. If this includes passwords, PIN numbers, personal details and so on, then watch out. If you absolutely have to use free wi-fi (e.g to grab a big file) then do it quickly, don’t use other applications while connected and switch back to cellular data as soon as you’re done.
- When browsing unfamiliar web pages, watch out for other browser tabs being opened in the background. At worst these can contain misleading reports of virus infection (with instructions to fiddle in Settings and a handy ‘download’ to fix things, of course!), but these are always confusing and potentially embarrassing (your boss notices, over your shoulder, that you have a tab open to Casino 365 or XXXGals, or whatever). Background or pop-up tabs catch out more people on desktop Windows, of course, thanks to the minefield that’s Flash (insecurity), but they can still be annoying, frustrating and confusing on Android.
- As with your wider computing practice, never, repeat never re-use passwords. You’ve seen the news stories of people getting their identities stolen, bank accounts drained and of huge lists of compromised user accounts on various services – people affected by this are in a jam because they either used a trivial password (famously just ‘password’ or similar!) or re-used the same harder password (e.g. ‘myCatSpot91’) on multiple sites and services. So if one site does get hacked and compromised and the hackers manage to brute-force its password database, they immediately try the same password for your same email/account on other sites and services. So make your passwords long and strong and totally different – yes, this means that you’ll need to keep a note of them. I (personally) use ‘Keepass2Android Password Safe‘ but Lastpass and other solutions also work well. ID fraud is huge in 2016, so spend a little effort now and don’t get caught out on the password front.
Don’t bother with so-called ‘anti-virus’ applications for Android – because of the sandboxed nature of the OS, these applications are very limited in what they can scan for – you’re best leaving detection to Google (as mentioned above). Installing such a security app for Android will just result in it using more of your RAM and processor power, so you’ll have a slower phone.
Well done if you’ve read to here and haven’t rushed off in a panic or grabbed a whisky to calm your nerves. Staying safe on Android isn’t that hard, but it does need the use of common sense and a few choice settings – as I’ve hopefully helped you discover.
PS. Thanks to Jamie Holland (Twitter) for his input in preparing this feature.