Whenever someone asks me if a smartphone is truly secure, I find myself feeling vexed. On the one hand, anything that connects to the Internet could become a security concern. By the same token, if someone is aware of commonsense practices for avoiding data leakage and exploitation, then today's smartphones are very safe to use.
In this article, we're going to be talking about Android security. I'll share my top tips for avoiding data leakage and doing everything possible to protect yourself against threats like identity theft, hacked accounts and your contact list being spammed.
100% secure doesn't exist
Difficult to avoid security exploits can range from provider backdoors to exploits affecting firmware. Realistically, these issues aren't going to be something the casual users are able to protect themselves against. Therefore, this article is going to focus on completely avoidable security issues instead.
This is a fact, regardless of your preferred mobile platform. So even if someone claims alternative mobile platforms have an edge on security due to their walled garden app store, they fail to realize this only prevents applications from becoming a security risk. It does nothing for other entry points.
Restricting data access
Spend some time in your Android device's data usage area. All Android devices have access to this feature, and I suggest getting to know it better. Right away, you're going to notice the biggest data users on your device. This is also the area where you can click onto a specific app and only allow it Internet access when connected to wifi.
My recommendation is doing this with the apps that will never need to connect to the Internet when not at home. This includes file managers and apps that you would never think to connect to the Internet in the first place. While it doesn't prevent malware or data leaks specifically, this practice can help you to troubleshoot potentially bad apps.
As a general rule, I recommend always restricting apps from using mobile data unless it's necessary. Others might point you to using software firewalls. Instead I prefer using carefully thought out hardware firewall on my LAN with logging. If something besides allowed ports are being used for that device, the ports will be blocked. This practice might not stop crazy ads and other ad related weirdness, but it could prevent other more dangerous surprises by restricting port access at the network level.
The problem I have with Android firewalls is that many of them are by no-name companies which I've never heard of. They ask for heavy permissions and their support email is an @gmail.com address. Personally, I don't find all that secure. I'd much rather have some control over which apps are connecting to the Internet. I may grant some exceptions (SMS apps, etc), but I keep a tight leash otherwise.
Restricting application installation
I'd love to tell you that every single application on the Google Play Store is well vetted. The truth is that isn't true – period. This means it's easier to get applications with more features than you might find on other platforms, but it also means you need to be careful about what you're installing.
The first rule of installing Android applications is to only do so from trusted sources. I'm not talking about installing apk packages vs Google Play. You need to know the source and company behind the application before trusting it completely. Like many of you, I've been known to make exceptions...but even then I'm careful about the permissions I grant the software.
To be clear, I would trust an apk package from a vendor's website I trust more than I would some random Google Play app that I know nothing about. Why? Because Google Play on its own merit doesn't promise security. There is still some user responsibility for maintaining a secure Android experience. That said, I would suggest you're safer downloading random apps on Google Play than some mysterious forum page's listed apk packages.
Public wifi and VPN
No matter what software you choose to install, more often than not the biggest security threat comes from your browser. When you're using a public wifi access point, you're taking a significant risk each time you login to anything important. Much of this is mitigated thanks to SSL and https secured websites, such as banking and some email websites. But there are still countless other sites out there where you could be sending your login credentials to anyone around you monitoring your connection.
I suggest looking into a reliable VPN service. There are some good ones, but I suggest doing your own research. Some might question how a VPN tunnel secures your Android device. I would submit that it provides an added layer of encryption to your online web browsing activities. And while the encryption ends on the other end of the tunnel, at least your activity isn't broadcasted to other users sharing the same public wifi access point.
There was a time when the idea of running anti-malware software on your Android device might have seemed unnecessary. And even in 2015, there are Android users who may still feel this way. Personally, I happen to be in the "better safe than sorry" camp. The software I've had the most success with is called Lookout. Using Lookout has proven to be low on resource usage and big on making sure my installed applications aren't doing anything nefarious.
I also like the fact that Lookout provides me with the ability to remotely locate my phone if it were lost or stolen, and can also remotely wipe the data if I choose. It's a solid application and it works properly across all of my Android devices. I've also never had any issues with software being missed that contained something dangerous.
There are other decent security software titles out there, but I'd advise you to research each app and their company closely before installation. Some of the security apps out there are thinly veiled adware installers. So be careful.
The last security tip I want to share is about rooting your phone. On the surface, rooting your Android phone has a lot of benefits. You can remove pre-installed bloatware, install applications that only work when a device is rooted, plus be in full control of the device to its core. It's a powerful experience, no question about it. The downside of running as root is that any layer of protection from Android has been removed. This is a root device – if code is executed, it's going to run. Period.
On the flipside, rooting also allows you to take control of your device and setup your own security best practices. The key factor is since you've rooted, you're in charge. Don't expect your mobile carrier to bail you out if you screw up. If you're someone who has rooted a phone before, has a rock-solid plan for restoring their device if they need to, then rooting can indeed make a lot of sense.
A rooted phone can allow you to install a strong software firewall – one that works reliably with 4g LTE and wifi. You're also free to install adblockers and make advanced changes to better secure your phone from web threats. But before even considering rooting your phone, make sure you have a plan B if something goes wrong.
So what say you? Do you feel a rooted phone is a secure option? Perhaps you believe security software on your Android device is just silly? Hit the Comments and share your thoughts!
Photo courtesy of Shutterstock.