Android Security: Six Tips to Protect Your Google Phone

Addressing the recent high-profile Android malware scare, CIO.com's mobile maestro Al Sacco shares six tips and tricks--along with a free download--to help secure your Google smartphone and ensure your personal data remains protected.

Google's Android Market mobile software shop was hit last week with its first major malware attack; a popular application called "DroidDream" proved to be infected with malicious code that could steal users' personal information, and Google was forced to use a built-in Android "kill-switch" to do away with the problematic app--but not until after it had already infiltrated thousands of Android smartphones.

The Google Android platform has never been more popular; in fact, Android now holds a commanding 31 percent of the U.S. smartphone market share, making it the most popular smartphone OS in the country, according to ComScore.

Android has also never before represented such a significant target for hackers and other baddies looking to profit off of the platform's popularity. In other words, now is the time to get smart about Google Android security. The following six tips and tricks will help do just that.

1) Protect Your Android with a Password--Now!

The single most effective security measure you can take to protect your Android device is to lock it with a password. It sounds simple, but a strong password--or even a weak one--will protect you and your smartphone from the vast majority of threats; if a malicious party can't get past your password screen, your data and everything else on-device is generally secure.

Depending on the model of your Android smartphone, you'll have a variety of password options, but they're all accessed in mostly the same way. Open up your Android Settings menu and scroll down to the section called Location & Security Settings or something similar. First, enable Screen Unlock Security; you'll then be presented with a number of password options, depending on your device.

For example, my Motorola Atrix 4G provides password options for a Pattern Lock, for which you can set a specific "swipe pattern" to unlock your device; a PIN Lock that uses numbers to secure your handheld; a Password Lock, for which you can employ both letters and numbers; and finally, a biometric-based Fingerprints Lock that employs the Atrix's fingerprint reader for authentication.

Though the Fingerprint Lock is the most secure option...I'm a bit wary of storing my biometric information on Google's servers, so I opt for the Password Lock. In order of "secureness," the Fingerprint Lock is most secure, followed by the Password Lock, PIN Lock and finally, the Pattern Lock. But using any one of these Android password security options is better than not using one at all.

(Note: If you choose to employ the Pattern Lock option, it's a good idea to frequently wipe your touch screen clean, since repeated entry of your pattern lock can leave a "trail" that can be spotted by hackers and used to gain access to your device.)

After you set your Android password, you should set your Screen Timeout options to a relatively low option, so your device display shuts off and locks itself shortly after you last touch it. To do so, open up the Android Settings menu, scroll down and select Display. On the following screen, locate the Screen Timeout option and pick a value--I suggest one minute or less for maximum security.

2) Customize Locked Home Screen with Owner Info

Imagine you accidentally leave your smartphone at a bar. A good Samaritan locates the device and wants to get it back to its rightful owner...but it's locked and the home screen shows only a beautiful, albeit useless, ocean vista.

This scenario plays out all the time, and if more smartphone owners only added owner information to their devices' home screens, many more lost devices would likely be returned. Unfortunately, Android doesn't have any built-in option that lets you post owner information on your device's locked home screen, like other mobile platforms, including Research In Motion's (RIM) BlackBerry OS. But a couple of third-party applications will do the trick.

My favorite option for adding owner information to your Android home screen: the Phone Found - Owner Info app, which is available for free via the Android Market. To customize the Owner Info app, simply launch the software, hit the Edit menu options and enter in your contact information. You can then open up the app's Settings and choose which information you want to display on your device's locked home screen.

3) Do NOT Root Your Android Device

To "root" your Google Android device means to remove a number of manufacturer- and wireless-carrier-imposed restrictions put on your smartphone to make it easier for said parties to install and deliver the applications and services they want you to employ, among other things.

Rooting also opens up system-level access to your device's core resources, which is not a good thing, at least from a security perspective, since doing so also removes a number of safeguards installed to help protect your device from malware and other potentially dangerous code.

Unless you're a developer or someone who is very familiar with Android and you're simply willing to take your chances, you should NOT root your Android device. Ever. Not rooting might mean limited access to some cool, custom applications and services, and you won't be able to download apps from many unofficial third-party app stores. However, avoiding a root does vastly increase security, because in large part applications can't gain system-level access without a root.

Bottom line: Don't root your Android device. But if you do, beware that in rooting your smartphone, you're significantly reducing your device's existing security safeguards.

4) Stick to the Official Android Market for Apps

It's a good idea to be very selective about where you download your Android mobile applications. In fact, I suggest only downloading applications from Google's Android Market, even though the whole DroidDream situation proves the official Android Market is not 100 percent free of malware and other harmful apps. (Following the DroidDream debacle, Google did, however, vow to bolster Android Marketplace security.)

Every once in a while, I'll download an Android app from a source other than the Android Market, but I'm always aware of the potential danger, and I always use some type of antivirus scanner after the download to help ensure security--more on Android antivirus coming up in the next section.

As a rule of thumb, it's a wise idea to get your Android software directly from Google's Android Market.

5) Google Android Antivirus

A good mobile antivirus app scans new Android software downloads for obvious signs of tomfoolery, such as strange permission or download requests. And a number of free and commercial, or paid, Android antivirus apps are currently available in the Android Market.

I can't personally vouch for the effectiveness of them all, but in general, running one of the more popular antivirus apps is better than not running any antivirus at all. The app I've used most is Lookout Mobile Security. Lookout is available as a free download, with a basic antivirus scanner, Find-My-Phone features to help locate lost or stolen devices and backup/restore options. You can also upgrade Lookout for more in-depth security features, but the free version should provide basic protection for average users.

Another free antivirus option is the aptly named Antivirus Free app.

Even if you choose not to constantly run an Android antivirus application, it's a good idea to download one and scan your device occasionally for potentially harmful apps.
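To make the "strange permissions" check described above concrete, here is an added example (not from the original article and not any antivirus vendor's logic) that reads a permission listing in the form printed by the Android SDK's `aapt dump permissions` and flags combinations worth a second look. The rules and the two sample listings are constructed for illustration.

```python
import re

# Heuristic rules constructed for this example; not any vendor's detection logic.
SENSITIVE_READS = {"READ_CONTACTS", "READ_SMS", "READ_PHONE_STATE",
                   "ACCESS_FINE_LOCATION"}
RULES = [
    ("can send SMS (premium-rate charges)", lambda p: "SEND_SMS" in p),
    ("can install other packages", lambda p: "INSTALL_PACKAGES" in p),
    ("reads personal data and has network access",
     lambda p: "INTERNET" in p and bool(p & SENSITIVE_READS)),
    ("starts at boot with network access",
     lambda p: {"RECEIVE_BOOT_COMPLETED", "INTERNET"} <= p),
]

# Accepts both "uses-permission: android.permission.X" and
# "uses-permission: name='android.permission.X'".
PERM_RE = re.compile(
    r"^uses-permission:\s*(?:name=')?android\.permission\.([A-Z_]+)")

def parse_permissions(dump):
    """Return the set of android.permission.* short names in the listing."""
    perms = set()
    for line in dump.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms

def review(dump):
    """Return the findings to look at before installing the app."""
    perms = parse_permissions(dump)
    return [finding for finding, rule in RULES if rule(perms)]

# Constructed sample: a wallpaper app asking for far more than it needs.
SAMPLE_WALLPAPER = """package: com.example.wallpaper
uses-permission: android.permission.SET_WALLPAPER
uses-permission: android.permission.INTERNET
uses-permission: android.permission.READ_PHONE_STATE
uses-permission: name='android.permission.SEND_SMS'
"""
# Constructed sample: a plain offline notes app.
SAMPLE_NOTES = """package: com.example.notes
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for name, dump in (("wallpaper", SAMPLE_WALLPAPER), ("notes", SAMPLE_NOTES)):
        print(name, review(dump) or "no findings")
```

A finding is a prompt to ask whether the app's stated purpose explains the permission, not proof that the app is malicious.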

6) Android Wireless Connectivity and Security

In general, it's a wise idea to disable any and all unused wireless-connection options on your Android smartphone. In other words, you should turn off your Wi-Fi when you leave home and won't be in range of another Wi-Fi network for the day. When you're done using that Bluetooth headset in the car, turn off Bluetooth. Doing so will not only conserve battery life, it'll reduce the risk of malicious parties detecting, or even connecting to, your device without your knowledge.

In addition, you should also disable your Wi-Fi auto connect option--if your device has such an option--to ensure you don't automatically connect to a public Wi-Fi hotspot, through which a Bad Guy could access your device data. Turn off Wi-Fi auto connect by opening up your Android Settings menu, then choosing Wireless & Networks and next, Wi-Fi Settings. If your device has a Wi-Fi auto connect option, you should see it listed here. Uncheck the auto connect box to turn off this functionality.

On the Wireless & Networks settings page, you'll also see a Bluetooth Settings option. Open up your Bluetooth Settings and turn Bluetooth on if it's not already. Then click the Device Name option and change your Android's name to something unique and specific to you. This will reduce confusion in the future, should you attempt to connect your smartphone to another device via Bluetooth.

If your Android device supports mobile hotspot features, you'll want to secure your personal network. First, again open up your Wireless & Networks settings and then scroll down to and select Mobile Hotspot. Next, turn on your Wi-Fi hotspot feature and click the Wi-Fi Hotspot Settings menu.

Once the hotspot features are activated, your Wi-Fi Hotspot Settings page should show an option to Configure Wi-Fi Hotspot. Open up this menu, assign a new, unique name to your network, choose WPA2 PSK security from the dropdown menu and then assign a password to your network. Save your changes, and your Wi-Fi hotspot is now secure.

It's a good practice to turn off your Wi-Fi hotspot when not in use, so unauthorized parties cannot employ your network, eating up your monthly data allotment and/or accessing your device information.

Al Sacco covers Mobile and Wireless for CIO.com. Follow Al on Twitter @ASacco. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Al at asacco@cio.com
