Ask Slashdot: Android Security Practices?
Soft writes "Smartphone security recommendations seem to boil down to Windows-like practices: install an antivirus, run updates, and don't execute apps from untrusted sources. On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus. What rules should I adopt on my soon-to-be-bought Android device? Can I use it purely with open-source apps and still make the most of it? Are Android's fine-grained permissions (accessing the network, contacts...) reliable? Can apps be trusted not to scan your files and keyboard for passwords and emails? What precautions do security-conscious Slashdotters take to keep control of their phones?"
Install a firewall (Score:5, Informative)
A smart phone is just a computer. (Score:4, Informative)
Re:Install a firewall (Score:4, Informative)
More specifically, root your Android phone (no, it will not lessen security unless you are stupid and click "allow" on any app that pops up the su dialog without KNOWING that it needs root permission).
Install DroidWall and allow it full su access. Then when you install a new app, make sure to allow it out, because by default, new apps are not allowed to phone anywhere. LVL is handled by another mechanism, so apps should know they are licensed even if you block them with DroidWall.
Installing DroidWall and selecting only the apps you know need to communicate will provide a decent measure of protection.
Re:Permissions aren't 'fine grained' (Score:3, Informative)
Take these for what they are worth... (Score:5, Informative)
Take these for what they are worth, but here are my security practices:
1: Install DroidWall and use that to lock down everything except the apps you do want going out.
2: Use TouchDown or a discrete app for secure Exchange email. This allows you to keep contacts separate from the rest of the device, and the app can keep the contacts encrypted. If it is work E-mail, it is good to keep it separated anyway.
3: Consider a PIN protecting app for #2 above, as well as your terminal, settings, and su app.
4: Use Titanium Backup with the encryption feature and store on Dropbox. If you look at TB, you will find that the way it does encryption using RSA keys is pretty well designed, so storing backups of apps on DB can be done securely.
5: Get a utility (I use WaveSecure out of habit, but there are others) that will lock the phone if the SIM card is changed or airplane mode is turned on, and that even allows one to remotely wipe the device and SD card. I'd like a utility that would give the ability to wipe the device and SD card if the phone has not seen Net access in "x" amount of time, similar to what BlackberryOS provides.
6: Look at reviews before buying apps.
7: Look at what the app asks for security permissions. If a notepad app wants access to your contacts, phone, SMS, or perhaps even pops up the su dialog, get rid of it ASAP.
8: If you use nandroid, consider some type of file encryption. This sucks when restoring a ROM image, but there are ways around that (decrypting the image while the SD card is mounted via USB, using a temporary ROM image with no data for decrypting, etc.)
9: Use AdBlock with Dolphin Browser. Ad rotation services are a noted source of malware.
10: Use known ROMs. The ROM ecosystem has been astoundingly clean for now, but it is only a matter of time before blackhats start adding their own "functionality" and putting ROMs on xda-developers and other sites.
11: Consider PIN protecting your SIM card. This way, when you do a remote erase, the thief might have a clean phone, but won't have free access to bandwidth, SMS, or calling capabilities.
12: Consider a "stuffbak" sticker. If the phone is found, at least there is a small chance it might get back to you, as opposed to 0 chance without it.
13: Keep backups. This way, if you do lose your phone, you can get another Android phone, fire up Titanium Backup, log onto Dropbox, type in your decryption key, and restore your apps with their saved data.
14: Bug Google for them to put volume encryption (LUKS) into Android, so it can be used on the SD cards.
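Item 7 above (check what permissions an app asks for, and drop a notepad that wants contacts, phone or SMS) can be automated against the app's decoded AndroidManifest.xml. The script below is an added example, not code from the poster or from any tool named in the thread; the sensitive-permission baseline and the sample notepad manifest are constructed for illustration, and a real APK's manifest must first be decoded from binary XML to text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a simple notepad has no business requesting.
# Assumption: a baseline chosen for this example, not an official list.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def suspicious_permissions(manifest_xml: str, expected: set) -> set:
    """Sensitive permissions the app requests beyond what its job needs."""
    return (requested_permissions(manifest_xml) & SENSITIVE) - expected

# Constructed sample manifest for a hypothetical notepad app.
NOTEPAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad">
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notepad"/>
</manifest>
"""

# A notepad that syncs notes may legitimately need INTERNET; the rest are red flags.
NOTEPAD_EXPECTED = {"android.permission.INTERNET"}

if __name__ == "__main__":
    for perm in sorted(suspicious_permissions(NOTEPAD_MANIFEST, NOTEPAD_EXPECTED)):
        print("unexpected sensitive permission:", perm)
```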