Security and privacy are always a hot topic in the mobile space. While there are plenty of high-profile headlines that try to convince us all that the sky is falling, there are also serious and valid concerns. Regrettably, the FUD often takes the stage and the real issues are lost in the maelstrom of bickering and tribalism about which company is the best.
Let's take a moment and talk about what we can do to make our phones — the things that contain most every private detail about our lives — more secure.
In our forums, thinkinfinity has started a great discussion about keeping your phone secure, and what may be some "best practices" to do so.
We're going to break down the things all of us can do to maximize security, so we can keep our information out of the hands of anyone who might do unfriendly things with it. Yes, this means you, too. You don't have to be high-profile to be a target. Banking information, credit card data and even your Social Security number can be pretty valuable information for a lot of people. Keeping it as safe as you can is a no-brainer.
1. Have a secure lock screen
We say this a lot, and we always hear things like "I never put my phone down" or "I'll never lose my phone" or "I can remote wipe my phone" as replies. Those are all great options and ideas, and while we also hope you never have a lost or stolen phone, in the real world, stuff happens.
Use a password, PIN or any other means to secure the lock screen on your phone. It's easy to do, and all the tools you need to do it are already built into your lock screen settings.
The inconvenience of having to unlock your phone when you pull it out of your pocket or pick it up from your desk is minimal, and things like Android's Smart Lock features can make it something you won't have to do as often.
Compared to the possible issues you would face if the wrong person was able to get in your phone because they stole it or you lost it, unlocking your phone when you pick it up is a minor inconvenience at the most.
Be safe. Protect your lock screen.
2. Only install apps you trust
For many of us, this means stick to the Google Play store exclusively.
Sideloading applications — a feature built into Android since the beginning — is a great option to have. It's also just about the only way to encounter one of those "Android security scares" you'll read about on the Internet, so you need to be careful here.
Google allows anyone willing to register a developer account to upload applications to Google Play, but they also scan each and every application to see if it's malware. While things can (and have) slipped in and caused trouble between the time they were uploaded and the time they got scanned, this is extremely rare (and happens in every application store, no matter how high the garden walls are) and chances are you'll never have to face it.
Amazon and OEMs like Samsung or LG also have application markets. These are probably just as safe — especially if you don't have to allow "unknown sources" (sorry, Amazon) to download and install apps. There are also other alternative app stores, many of which have a very good reputation.
We're not saying sideloading is a bad idea. If you know what you're doing, and more importantly, have absolute trust in the source of the app you want to sideload, it's a great option. Just don't do anything you're not 100 percent sure of.
3. Do you need root?
Do you "need" to root your phone?
I get it, trust me I get it. You paid good money for the small computer in your hands, and should be allowed to do anything with it that it is capable of doing. And that means you need root to do a lot of it.
But allowing root access on your phone makes it less secure. Not counting any silly mistakes you may make while fiddling with things (it happens to the best of us), there are also concerns about what other apps and badware may want to try to do.
If you sideloaded an application that has hidden code to do bad things, it can't do most of them if your phone isn't rooted. It can try, but it won't have the needed permissions to get to any sensitive data and it will fail.
If you allow root access, it has a chance to do more. You can rely on your best judgement as well as a superuser access prompt of one sort or another, but the folks trying to do bad things to your phone are clever.
If you don't need root access on your phone, stay away. If you do need root access, you have to be more careful and more critical about anything you install if you want to stay safe.
4. A safe bootloader is a locked bootloader
Just like with root above, do you need to unlock your bootloader?
A locked bootloader is an excellent method to protect your phone, especially if someone steals it. If the right person gets your phone in his or her hands, and the bootloader is unlocked, they may be able to root it and bypass any password or other lock screen protection you have in place. This means they have all your stuff.
If your bootloader is locked, it's far more difficult to get admin access and pull data off the phone because an attacker can't just boot up with an unsecure image and grab your data. To do that, they would need to unlock the bootloader, which erases all of your data.
I'll admit, my bootloaders are usually unlocked. I know that means that half of the people reading this would be able to get a full copy of everything from my phone with minimal effort if they got my phone in their hands. Why do I risk this, you ask? I dunno. Don't do the silly things I do unless you have a valid need.
5. Only click links you trust
If you get a link — whether it's in email, or a text, or an IM, or Facebook or anywhere — from someone you don't know, do not click it.
I'll repeat — don't click any link from someone you don't know.
Random Internet links from random people are a great way to find rogue apps that want to install themselves on your phone (they can't unless you say it's OK, though) or corrupted media files that can freeze things up, or even more serious exploits like the poorly-named "stagefright" hack.
And you might get RickRolled, too. Which is almost as bad.
Don't click random links from random strangers.
6. Something nobody wants to talk about — faith in the people who made your phone
I know this is a touchy subject, and is one of those things that is as divisive as it is informative. But it needs to be talked about and considered:
Are the folks who made your phone delivering those promised "monthly security updates"?
If you have a Nexus phone — the only models under Google's full control — the answer is yes. If you don't, the answer is a lot more ugly and complicated.
Samsung, LG, HTC and the rest want to keep you as safe as they can. Making you feel safe means you're more likely to be a return customer, and they also probably want to take care of their customers. The folks working there are also customers of someone, who would want to get all the security updates they need, too.
But they can't do it. There are too many hoops and too many models and too many carriers between a security patch in the code and your phone for you to ever see timely — as in hurry and fix my phone while it is still relevant — patches and fixes.
The various Android vendors make good stuff. Nobody can deny that. But they also will never be able to keep current with security patches the way companies with fewer models and a more streamlined distribution method can.
Some of us are willing to trade off features and options and services for slower security patches. Some of us aren't. Only you know the right answer for you.
It's just something we need to remember when we buy our next phone.
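To check where your own phone stands on points 3, 4 and 6, here is an added example (not part of the original article) that audits the output of `adb shell getprop`. The property names are ones Android builds commonly expose but not every device sets all of them, the sample output is constructed, and the 90-day patch threshold is an assumption you can tune.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.security_patch]: [2016-01-01]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props, today, max_patch_age_days=90):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Point 4: an unlocked bootloader can boot an image the vendor never signed.
    if (props.get("ro.boot.flash.locked") == "0"
            or props.get("ro.boot.verifiedbootstate") == "orange"):
        findings.append("bootloader unlocked")
    # Point 3: non-release build markers, often present on rooted or custom ROMs.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build signed with test keys")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build")
    # Point 6: how far behind the vendor is on security updates.
    patch = props.get("ro.build.version.security_patch")
    try:
        age = (today - date.fromisoformat(patch)).days
    except (TypeError, ValueError):
        findings.append("security patch level missing or unreadable")
    else:
        if age > max_patch_age_days:  # assumed threshold, not an Android rule
            findings.append(f"security patch is {age} days old")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_getprop(SAMPLE_GETPROP), date.today()):
        print("WARN:", finding)
```

To run it against a real device, replace `SAMPLE_GETPROP` with the text captured from `adb shell getprop` on a phone with USB debugging enabled.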
7. Wrapping it up
There will always be a trade-off of convenience versus privacy and security if you want to use the services and features provided by the folks who made your phone or the software that runs on it. Apple, Google and Microsoft all need to collect a good bit of anonymous (and that's a key point — keeping it anonymized) data about how, when and where you're using the things you use. Besides wanting to maximize profits, this also helps improve the services and features. For the most part, all these companies do a good job harvesting as much data as they can while keeping it anonymous, and not sharing it with anyone you don't explicitly want it shared with.
While we can't do much about how this is handled without buying the majority of voting stock in these companies, we can do a few simple things ourselves to stay more secure and safer.