Know how to use the tools you're given to keep your phone and your data secure.
Update, April 2017: In light of the recent round of celebrity phone hacks, we have refreshed this page with up-to-date information.
Google, Apple, and Microsoft have great tools for managing your online security. Some implementations may be technically better than others, but you can be reasonably sure that your data — both on the phone and in the cloud — is safe. If you need more reassurance or have different needs, third-party companies work with the big three to provide enterprise-grade security assurances. No method is 100% secure: ways to get around each one are found regularly, then patched quickly, and the cycle repeats. But these methods are usually complicated, very time-consuming and rarely widespread.
This means you are the weakest link in any chain of security. If you want to keep your data — or your company's — secure, you need to force anyone who wants into your phone to use those complicated, time-consuming methods. Secure data needs to be difficult to obtain and difficult to decipher if someone does get hold of it. With Android, there are several things you can do to make someone work really hard to get your data — hopefully so hard that they don't bother trying.
Use a secure lock screen
Having a secure lock screen is the easiest way to limit access to the data on your phone or in the cloud. Whether you just left your phone on your desk while you walked away for a moment or two, or you've lost your phone or had it stolen, a lock screen that isn't simple to bypass is the best way to limit that access.
The first step is to lock the front door.
If your company issued you a phone, or you work for someone with a BYOD policy, there's a good chance a security policy forces your phone to have password protection, and your IT department may have assigned you a username and password to unlock it.
Any method that locks your phone is better than none, but generally a random six-digit PIN is enough to require special knowledge and tools to bypass it without triggering any self-destruct settings. Longer randomized alphanumeric passwords mean they will need the right tools and a lot of time. Entering a long, complex password on a phone is inconvenient, and we tend not to use things that inconvenience us, so alternatives have been devised that use patterns, pictures, voiceprints and a host of other things that are easier than typing a long password. Read the instructions and overview for each and decide which works best for you. Just make sure you're using one.
Encryption and two-factor authentication
Encrypt all of your local data and protect your data in the cloud with two-factor authentication on your account logins.
Recent versions of Android come encrypted by default. Android 7 uses file-level encryption for faster access and granular control. Your corporate data may have another level of security to reinforce this. Don't do anything to weaken it. A phone that needs to be unlocked to decrypt the data is one that only someone dedicated is going to try to crack.
Online accounts all need a strong password and two-factor authentication if it's offered. Don't use the same password across multiple sites, and use a password manager to keep track of them. A centralized spot with all your account credentials is a risk worth taking if it means you'll actually use good passwords.
Know what you're tapping on
Never open a link or message from someone you don't know. Let those people email you if they need to make the first contact, and offer them the same courtesy and use email instead of a DM or a text message to get in touch with them the first time. And never click a random web link from someone you don't trust. I trust the Wall Street Journal's Twitter account, so I'll click obscured Twitter links. But I won't for someone I don't trust as much.
Trust is a major part of security at every level.
The reason isn't paranoia. Malformed videos were able to freeze an Android phone and had the potential to grant elevated permissions to your file system, where a script could silently install malware. A JPG or PDF file was shown to do the same on the iPhone. Both instances were quickly patched, but it's certain that another similar exploit will be found now that the "right" people for the job know where to look. Files sent through email will have been scanned, and links in the email body are easy to spot. The same can't be said for a text message or a Facebook DM.
Only install trusted applications
For most, that means Google Play. If an app or link directs you to install it from somewhere else, decline. That way you never need to enable the "unknown sources" setting, which is required to install apps that didn't come from a Google server in the Play Store. Only installing apps from the Play Store means Google is monitoring their behavior, not you. They are better at it than we are.
If you need to install apps from another source, make sure you trust the source itself. Actual malware that probes and exploits the software on your phone can only get there if you approved the installation. And as soon as you're finished installing or updating an app this way, turn the Unknown sources setting back off, to combat trickery and social engineering designed to get you to install an app manually.
None of this will make your phone 100% secure. 100% security isn't the goal here and never is. The key is to make any data that's valuable to someone else difficult to get. The higher the level of difficulty, the more valuable the data has to be in order to make getting it worthwhile.
Some data is more valuable than others, but all of it is worth protecting.
Pictures of my dogs or maps to the best trout streams in the Blue Ridge Mountains won't require the same level of protection because they aren't of value to anyone but me. Quarterly reports or customer data stored in your corporate email may be worth the trouble to get and need extra layers.
Luckily, even low-value data is easy to keep secure using the tools provided and these few tips.
Reader comments
How to properly secure your Android phone
I just want a tool to make the robbery process harder to achieve. One that, let's say, upon activation disables the reset / power off buttons from the lock screen, disables / locks hardware reset key combinations, is able to re-enable Wi-Fi / data connection and location services, and locks access to the bootloader. As far as I know there's no such thing, since many of these would need to be implemented system/kernel wise and Google doesn't care that much about the topic; wish they did.
Why not get a Blackberry Priv, Dtek50 or 60. Can't get more secure than that. Security is BB's trademark. Dare I say that?
Wow, I don't keep bank or stock apps on my phone. Other than email I never used a pass. If it's not in my pocket it's in my hand or on my desk at home charging, and if anyone in my family picks up and opens my phone without asking... well !!
You are aware that law enforcement can now seize your phone during a traffic stop? I, like you, also have nothing to hide, but that still doesn't mean I will freely allow anyone, especially law enforcement, to access my phone!
You're
If you're going to recycle a 8+ month old article is it too much to ask that you at least fix the grammatical error at the top (ex. "Know how to use the tools your given to keep your phone and your data secure.")? C'Mon Man! :)
http://www.youtube.com/watch?v=13FV1GaA20I
I also like the phrase "Some data is more valuable that others, but all of it is worth protecting." That others? How about than others. Like you said, at least fix the original article if you are going to repost it 8+ months later.
I have had a question for Jerry on this topic: why not use Smart Lock as a solution between easy and secure? If the Smart Lock stuff is detected (I've used my phone recently, a trusted WiFi, trusted Bluetooth etc.), Smart Lock sets an easy password such as a PIN or pattern, or even a fingerprint. If these aren't met, it's time to type the long and difficult password. Many might not want it, but it should be good extra security for those that want to have it.
If I have the phone set to self-destruct after 15 wrong entries, does that work when machines are trying to brute force my password? Will it shut down after 15 wrong tries?
I have an elderly friend who had expressed concern about selecting a password he could remember but was still safe. He has a difficult time remembering case and special characters. I suggested he string together unique random words or phrases. "centralmolesdriverlesscars" for example. Good/bad advice?
https://xkcd.com/936/
Try specific dates in history that are unique; so many are taught to us and memorized, and no one can link historical dates to a person's identity like a mother's maiden name, birth dates, pets, and so forth.
Well, using a random phrase would be easier to remember and still secure Ex. "doyoulikecheese", "iprefertoeatfirst"
Where can I get that blue pill container? I wanna use it for weed. I've one already but doesn't look as cool.
It's called a bison tube. http://rover.ebay.com/rover/1/711-53200-19255-0/1?ff3=4&pub=5575095911&t...
Great, thanks!
This is a great article. Thanks for writing this, Jerry. I hope this gets some people who don't normally think about this stuff to lock their phones at the very least.
Posted via the Android Central App
Just basics! I do all of them except the agreements one. That's really boooring! Would love to read if you have got anything else.
JP
Posted via the Android Central App
I use my fingerprint. Every month I slice my fingers with a knife in order to change them.
I find it easier just to cut other people's fingers off and use them
Posted via the Android Central App
I prefer passwords like "WdPodUS,iO2fa+pU" (*), they're much easier to remember, and almost impossible to guess. Taking the first letters (with phonetic substitutions) of a quote (as obscure as possible, unlike this example) is a technique I learned a long time ago from a security expert, and it has served me well so far.
(*) "We the People of the United States, in Order to form a more perfect Union"
I think the development with U2F on Android is awesome. Already works on the GitHub site, just a question of time before app support comes too.
The end user is the number one reason for vulnerability
Posted via the Android Central App
I've been using password wallets for over ten years, just so I can make passwords more complex and unique from place to place. My daughter is the king of passwords though, and uses her near photographic memory she inherited from her mother to remember her passwords that are about 100 characters long. I don't even bother trying to guess them...
Posted via the Android Central App
I always use 2FA.
Especially on services like Steam and Google. Strong passwords on both, and they both require my phone, which is also secured with a strong screen lock. Maybe I'll put some applocks.
Thanks for another great article on the subject matter. And yes, since we have not seen any new evidence after MWC that security patches are on their way, or why they are not on their way for non-Nexus phones, choose wisely when voting with your dollars.
Posted via the Android Central App
I understand the need to change passwords and lock your phone and whatnot, but wouldn't it also help if the security updates that are posted monthly would actually be installed on one's phone? Seems most people's phones have Dec 2015 security updates installed, yet we are a couple months into 2016.
Posted via the Android Central App
What is that wallpaper? It's pretty awesome.
I think i got it from 4-chan, not sure who made it.
Ever since I read the xkcd strip (no link because I'm lazy) about passwords, I've started using their advice. Just taking several large random words and combining them together. Super easy to remember, but super long as well. Add numbers and stuff when required.
Posted via the Android Central App
I remember that strip lol, it's actually a pretty decent strategy in my opinion.
It's worth throwing some special characters and numbers in there though, and remembering the human mind isn't always as random as it thinks.
Posted via the Android Central App
... And then I run into a place that only allows up to 12 characters, and it must have a number and a special character, and I'm back to where I started. :(
Can you use Google Authenticator or Authy along with a text fall back? I just haven't used the other two and have read people messing up the authenticator and having to start over on getting into their accounts (or maybe I just didn't understand the problem).
That depends entirely on the service in question.
Posted via the Android Central App
Google / Amazon / Lastpass / Dropbox
Google definitely. I'm pretty sure Amazon does but not 100%. No idea for the other two as I don't use them, I'm sure they've got FAQs about it though.
Posted via the Android Central App
A real eye opener!
Thank you Jerry...
Posted via the Android Central App
Another excellent article Jerry. You've probably written about this before, and if so, someone will no doubt refer me to the article, but what is your take on Android anti-virus software like Lookout or others?
I've had them, and they get really annoying and seem to slow the phone down somewhat, but if they really help I'd consider it. If all they do is protect you from doing stupid things like opening links in emails from Nigeria, I can live without them.
Thanks!
Posted via the Android Central App
Lookout, like any company, is in business to make a profit. Their products work, but do you really need it? I mean, what if you could pay me $20 a week to test eat your lunch? I'd take a bite of everything and a sip of every drink just to make sure it's not poisoned. Would it be worth it? You could just stick to getting your food from reputable establishments and avoid food from Bob's house of food poisoning. But some folks like to live dangerously I guess.
Posted via the Android Central App
Thanks traveling_troop. Coming from you, that is meaningful.
Posted via the Android Central App
I'll be blunt — if you use pirated apps, you better use one of the popular anti-malware apps.
If you stick to trusted sources, you're fine without them.
There are no self-replicating or self-installing viruses or malware on Android. Every time a phone is infected, it's because the user said it was OK to install something.
Of course, all this goes out the window if you have rooted your phone. Installing files anywhere in the system programmatically is trivial then. But you still have to initiate and run any downloaded content yourself.
Jerry, can you be more specific on what anti malware programs (names).
Better to be safe than sorry. I value your opinions.
Note 5 (just in case, hog = Harley Davidson)
Thanks Jerry.
Posted via the Android Central App
I use Sophos and it seems to work fine and not affect my phone's performance at all and it's free. It's probably overkill for someone like me who only grabs apps from Google Play as Jerry said...but I'm paranoid by nature.
ilovebeer? That's amazing. I've got the same password on my luggage.
Posted via the Android Central App
Jerry, I'm relatively new here so I'm going to guess you're the security guy around these parts, with this article and your article from last week 'Monthly security patches are the most important updates you'll never get'. But with the new G5 and S7, why were you the only one to mention "this hot-swap stuff is going to affect updates"? Why are we singing how beautiful the S7 is while S6 users are STILL waiting for the latest updates from Google? It's infuriating to read about all the new cameras and screens and batteries while nobody (well, you had one line) is talking about updates. I'm not buying anything they're pitching at MWC until we get a clear picture on updates, and I haven't seen that anybody is willing to bring the issue to the forefront.
I feel ya. And it's part of my role here to worry about things before we find out if we need to worry.
And remember, the people who actually have the answers can't say too much. The guys busting ass writing the code really want everyone to have the best software they can write, and that includes being updated and patched. Unfortunately, the people doing the talking aren't the people doing the coding and we get half-truths and promises. In the end, the people that say "We promise to support this device for 2 years with software updates" are the same people who promised to send a security patch every month.
Part of that is our fault. HTC promised and set dates for past updates. When they missed them by just a few days, the Internet went ballistic. We won't cut them any slack if they give us a date, no matter the reason. In return, they don't want to tell us too much lest we turn against them.
I think I set the bar pretty low when the only thing I demand is for a company the size of Samsung or LG to be as prudent as BlackBerry when it comes to critical Android updates, but apparently not. Having more devices means you might need more people working on things. We certainly pay enough for these phones that a little money could be spent to hire enough people to support them as promised.
Password length is more important than complexity. Hard for you to remember doesn't make it hard for a machine to guess. This is importanter! (I don't know why that word cracks me up, but it does.)
I think it's just the point of adding numbers case and special characters to expand the variables. Even one of each makes the entire process longer. Think if you just have 10 letters. It's a permutation of 26 options. Versus with numbers is 36.
Posted via the Android Central App
But doesn't the very fact that a password CAN contain numbers and special characters make it harder to crack, even if your actual password doesn't? The number of possibilities is the same either way.
I'm no expert, that's just how it seems to me.
Posted via the Android Central App
It does not, no. The tools that have been built to brute-force passwords on stolen databases have many rules that are implemented to try things that are easy to crack before trying things that are more difficult to crack. Even if the password field supports the entire Unicode standard, someone going after accounts in the database using one of those tools will wind up trying English-word passwords early on, strings of English words, reversed English words, leetspeak substitutions of letters, popular song lyrics, abbreviations of popular song lyrics, Bible verses, and the like long before they wind up resorting to "try every possible character string in lexicographic order".
Damn ninjas! lol.
Posted via the Android Central App
One reason is that people do use brute force attacks that only target lower case letters, or letters only, or whatever, because they're far faster and do yield results; plain text is also considerably easier for a human to guess. There are also databases of common passwords that can be tried very quickly.
This is especially dangerous if someone is using a programme to guess against stolen cryptographic hashes offline versus brute forcing an online account.
Posted via the Android Central App
This comic explains it better than I could: https://xkcd.com/936/
Inherent in the comic is an assumption that the person brute-forcing a password database will be going at it in the worst possible way, without any knowledge of the ways people remember passwords, the contents of successfully-cracked password databases, available software purpose-built for cracking password databases, common English words, or XKCD 936.
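The back-and-forth above (26 versus 36 options per position for a random string, and why a rule-based cracker tries dictionary words, leetspeak and concatenated words long before an exhaustive search) can be turned into a small guess-count estimator. This is an added example, not code from the article or any of its commenters; the toy word list, the LEET map and the MANGLE_RULES factor are constructed assumptions standing in for a real cracking wordlist and rule set.

```python
import math
import re

# Constructed toy dictionary standing in for a real cracking wordlist.
# A real list has millions of entries; only the numbers change, not the logic.
WORDLIST = frozenset([
    "password", "correct", "horse", "battery", "staple", "cheese",
    "central", "moles", "driverless", "cars", "troubador", "dragon",
    "do", "you", "like", "i", "prefer", "to", "eat", "first",
])
# Leetspeak substitutions that an attacker's rule set simply undoes.
LEET = str.maketrans("4301$@!", "aeolsai")
MANGLE_RULES = 8   # assumed number of case/reverse/leet/suffix rules per word


def charset_size(pw):
    """Alphabet an exhaustive search must cover, based on the characters the
    password actually uses (a field that merely *allows* symbols adds nothing)."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return size


def segment(s, words):
    """Split s into the fewest dictionary words; None if it cannot be done."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def estimate_guesses(pw, words=WORDLIST):
    """Return (guesses, strategy) for an attacker who tries dictionary words,
    mangled words and word concatenations before falling back to brute force."""
    forms = {pw.lower(), pw.lower().translate(LEET), pw.lower()[::-1]}
    for form in forms:
        parts = segment(form, words)
        if parts:   # every piece is a dictionary word, possibly mangled
            guesses = (len(words) * MANGLE_RULES) ** len(parts)
            return guesses, f"dictionary ({len(parts)} word(s))"
    return charset_size(pw) ** len(pw), "brute force"


def strength_bits(pw):
    """Work factor in bits: log2 of the guesses the modelled attacker needs."""
    return round(math.log2(estimate_guesses(pw)[0]), 1)


if __name__ == "__main__":
    for pw in ["cheese", "Tr0ub4dor", "doyoulikecheese", "abcdefghij",
               "abcdefghi1", "WdPodUS,iO2fa+pU"]:
        guesses, how = estimate_guesses(pw)
        print(f"{pw:20} {how:24} {strength_bits(pw):6} bits ({guesses:.2e})")
```

With a realistic wordlist the four-word passphrase still scores far above a single mangled word, which is the comic's point, while the constitution-quote password from the comment above is scored as a full 95-character brute-force search.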
Just as relevant, if someone REALLY wants your data: https://xkcd.com/538/
I take device security pretty seriously, but if someone starts yanking my fingernails off, my login credentials will become public knowledge pretty damn quick.
Edit: dammit, I replied to a months-old comment again.
Does changing your password really help? They don't sit there and guess your password lol
Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
This is what I do for the government, so I know what I'm talking about. The longer a password is used, the longer it's vulnerable to compromise. It gets complicated and technical, but think of a password as a stone wall. It's thick and sturdy but if I scratch at it with a screwdriver long enough, I'm going to poke a hole in it. Now, if you build a new stone wall every couple weeks or months (at random), I won't have much reason to even scratch at it.
Posted via the Android Central App
Thank you friend
Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
I actually just made a couple of tasker profiles that change the pin code to my phone every day... and I'm the only one with the algorithm to unlock it!
I build stones walls every day son!
That's actually a really great idea. The typical user probably won't understand it or go to this effort, but I love it.
Posted via the Android Central App
You just made me understand what tons of PSAs failed to do for years... Props to you my dear fellow
Posted via the Android Central App
Great article, Jerry. Congrats
I'm not sure why Jerry needed to post all 3 of my passwords..... Point proving?
Posted via the Android Central App
Awesome work! Always looking forward to your articles.
I was horrible at passwords. I read about the free Enpass Pro in December and it completely changed how I did all my passwords. I had the same password for a ton of services, and for probably like 8 years for a bank (granted, my bank does 2FA, but that's not an excuse). The ability to have random passwords generated and stored seamlessly on all my computers and phones makes me feel a bit more comfortable about my security situation. I am just waiting for FIDO and more 2FA so passwords become a thing of the past.