Smartphone and online security from the user perspective is sort of a passion of mine. I certainly talk about it whenever I can, to anyone that wants to listen (and even when it seems nobody wants to listen). After all, keeping you safe helps keep all of us safe when we're so connected.
And I don't mean things like "Here are 100 tips to keep the NSA from spying on you — number 34 will shock you!" I mean tips to keep that creepy guy who sits a few cubicles away from digging into your stuff. Or stopping a group of really smart people from someplace you've never been who want to play with your credit card. The basic stuff. There are ways to make it hard for three-letter government agencies to read your messages, but everyone needs to start small.
The first thing to realize is that the weakest link in any security chain is the user. Phone manufacturers need to provide us with current security patches, but even without them, common sense goes a long way when it comes to keeping your digital stuff safe. When it comes to Android, there are a few easy things you can do if you care about security.
1. Lock your phone
Having a secure lockscreen is the easiest way to slow down someone who has your phone and wants to see your stuff. I've already said a lot of words about why, and you can read them right here.
Think about what you have on your phone. Now think about someone like me going through it all. Then think about someone who is a nerd like me, but would like to do things to make you miserable.
You will set your phone down and walk away to get a drink or go to the bathroom with other people in the room one day. You probably have done it a time or two already. Locking your phone is too easy not to do.
2. Don't install apps you don't explicitly trust
There are a lot of trustworthy places to get Android apps out there. There are even more places you shouldn't trust at all out there. Unless you know — not guess or take someone else's word for it — you can trust a website or a person, don't install any app they offer. Not even once.
If you're unsure about all of this, the best thing you can do is stick to Google Play. By default, installation of apps that aren't in Google Play is blocked on your Android. There's nothing wrong with keeping things that way if you're feeling uneasy.
3. Read those long, boring user agreements
Man, I hate those things. But I read them every time. Why bother trying to keep prying eyes out of your digital life if you're giving your data away willingly?
Most every service will collect data about you. They all tell you what they are collecting and how they are using it all. It's up to you to decide if it's worth it. Don't listen to the people on the Internet telling you one tech company is good and you should use their stuff, but others are bad. Instead, make sure you understand what you're agreeing to give away and who is getting it. If a company makes it hard to find their privacy policies and user agreements, think twice about using that service. Security and privacy are two separate conversations, but sometimes they overlap. This is one of those times.
Personal data is now a form of currency. Make sure you like what you're paying for when you use it as such.
4. Don't be stupid when it comes to passwords
Resist the temptation to use something like "ABC123" or "mellowyellow" as a password for any service. Use something long enough to be safe (I say 12 characters is the minimum, but that could be overkill) and a mix of capital and lower-case letters, numbers and symbols.
- ilovebeer is a horrible password.
- Il0veB33r is a better password.
- @#?ilove%beer69** is a good password.
Use a different password for every site and service, then use a password manager to help keep track of them all. There are a lot of them, and they all do a good enough job. I like mSecure because it lets me keep a synced database on my local network instead of the cloud. But you might not have always-on home servers or just aren't as paranoid as I am. Find one you like and use it.
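To put some numbers behind the three example passwords above, here is an added checker (my own illustration, not part of the original article). It estimates the brute-force search space from length and character classes, applies the 12-character minimum suggested above, and also undoes common letter-for-number substitutions to show the caveat that matters in practice: "Il0veB33r" normalises straight back to "ilovebeer", which is exactly what password-cracking rule sets do. The word list and the leet-speak map are constructed stand-ins for the much larger dictionaries a real checker would use.

```python
import math
import string

# Character classes that contribute to the brute-force search space.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,  # the 32 printable ASCII symbols
}

# Common "leet" substitutions that crackers undo automatically (constructed subset).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed, tiny stand-in for a real cracking wordlist (assumption: a
# real checker would load a dictionary with hundreds of thousands of entries).
COMMON_WORDS = {"love", "beer", "password", "mellow", "yellow", "abc123"}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def pool_size(password):
    """Size of the alphabet an attacker must assume for a blind brute force."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def entropy_bits(password):
    """Upper bound on strength: bits of work if the password were a uniformly
    random string drawn from its character pool. Dictionary-based passwords
    are far weaker than this number suggests."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def dictionary_words(password):
    """Words a rule-based cracker would recover, before and after undoing leet-speak."""
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET_MAP)}
    return {w for w in COMMON_WORDS if any(w in c for c in candidates)}


def assess(password, minimum_length=12):
    """Summarise a password against the article's rules: length, mixed classes,
    and the estimated search space, plus a warning about dictionary content."""
    classes = classes_used(password)
    words = dictionary_words(password)
    return {
        "length": len(password),
        "classes": sorted(classes),
        "entropy_bits": round(entropy_bits(password), 1),
        "long_enough": len(password) >= minimum_length,
        # At least three classes and the minimum length: the article's policy.
        "meets_policy": len(password) >= minimum_length and len(classes) >= 3,
        "dictionary_words": sorted(words),
    }


if __name__ == "__main__":
    for pw in ("ilovebeer", "Il0veB33r", "@#?ilove%beer69**", "mellowyellow"):
        print(pw, assess(pw))
```

The brute-force estimate rises from roughly 42 bits to roughly 103 bits across the three examples, but all three still carry the words "love" and "beer", which is why a long random string from a password manager beats any hand-decorated phrase.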
5. Use two-factor authentication whenever you can
Even a strong password can be compromised. That's where two-factor authentication (2FA) comes into play.
Whenever you want to sign into a service using 2FA, you will enter your credentials as normal, but then you're asked for a code that you get in real time. With a dedicated app, you can set your Android up as a pretty good authentication device.
Most services will text your 2FA code to the number you gave them when you set up the account. Or you can use an app like Google Authenticator or Authy to manage 2FA codes. Setup either way is usually pretty easy — you can find the details of how to get up and running with 2FA for a service on their website.
A lot of services you would use on your Android phone offer 2FA — Google, Dropbox, Facebook, Amazon and Tumblr are examples — and you should be using it whenever you can.
6. I have so many questions!
Good. We should question anything and everything when it comes to personal device security. The good news is that the Internet is here to help.
Start in the AC forums. They're filled with people just like you and me, and a lot of those folks will have the answers you need. I'm biased because I work here, but they really can be a life-saver.
Also, fire off an email (or send a voice mail) to our podcast team. You'll find us at firstname.lastname@example.org and we love to get mail. Answering your questions is fun, but letting other listeners who also have answers hear them is even better.
There are a lot of things — some easy, some not-so-easy — you can do to keep private stuff private on your phone. These tips are a great place to start.