Travelling all over the world I learned that the security related to Wi-Fi connectivity is very bad in most public places. And yet many people make use of it despite the alerts they get about an unsecured connection. In fact they do transactions, like banking transactions, through unsecured Wi-Fi networks. I was amazed. Surely these people are not aware of the major impact that this can have. Here is a brief overview of what you can do.
How to protect my Android!
Let me start by saying that whatever you do to protect yourself, the risk of being hacked is always there. You can only minimize it! Here are the steps you can take to protect yourself:
- Common security settings
- Additional security settings
- Install all kinds of security apps
- Analyse your alerts and logs now and then
- Set your device policy if you are using a smartphone for private as well as business use.
Common security settings
The following topics can be configured within “Settings” of your telephone if you have the required features for it.
- If you have a telephone with fingerprint or face recognition, enable it. See settings on your phone.
- Make use of MFA, Multi Factor Authentication. So besides an initial password you use additional factors such as software tokens, hardware tokens or a fingerprint.
- Use a strong password or passcode at boot time. A strong password can be 6 – 8 digits consisting of (special) characters, numbers and signs, with a mix of small and large letters. See settings on your phone.
- Use a passcode for protecting your SIM. See settings on your phone.
- Encrypt your data on your phone. See settings on your phone.
Additional security settings
- Data usage – Limit your mobile data usage in case data is exfiltrated through mobile traffic.
- VPN – Turn on VPN and download VPN applications to ensure confidentiality and anonymity.
- User – Add a guest account on your phone. Use the guest account for browsing and link it to an anonymous email address so that you are less visible, especially in conjunction with a VPN.
- Apps – Review the rights/permissions on your phone. The number of apps on your phone grows fast. Most people, including myself, accept all kinds of permissions/rights during installation. An extended, periodic review is needed. Go to Configuration-Apps and list the apps, then review the apps with special rights/permissions/privileges; this will help you trim down the rights / permissions / privileges.
- Manufacturer – Deny access to manufacturers of mobile phones. Think of crash reports or marketing.
- Location – Normally I turn this off, but a lot of apps use this feature, and it is especially useful in case you have forgotten to take your phone with you. By turning on tracking, others can track you. On Google I have seen that they can track you even for many months, depending on how long you have had your location activated.
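The periodic permission review described under "Apps" can also be done from a computer. The following is an added example, not part of the original article: it assumes you have saved the output of `adb shell dumpsys package` to text, and it lists the apps that currently hold a granted sensitive permission. The sample dump is constructed and simplified, the package names are made up, and the set of "sensitive" permissions is a choice made for this example.

```python
import re

# Permissions worth looking at first (a choice made for this example,
# not a list from the article).
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}

# Constructed, simplified sample in the style of `adb shell dumpsys package`
# output; the package names are made up.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.flashlight] (a1b2c3):
    userId=10123
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false
  Package [com.example.notes] (d4e5f6):
    userId=10124
    runtime permissions:
      android.permission.POST_NOTIFICATIONS: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dump, sensitive=SENSITIVE):
    """Map package name -> sorted list of granted sensitive permissions."""
    findings = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)  # permission lines below belong to this app
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true" and m.group(1) in sensitive:
            findings.setdefault(current, []).append(m.group(1))
    return {pkg: sorted(perms) for pkg, perms in findings.items()}

if __name__ == "__main__":
    for pkg, perms in granted_sensitive(SAMPLE_DUMP).items():
        print(pkg, "->", ", ".join(perms))
```

An app whose purpose does not explain a permission in this list, such as a flashlight app reading contacts, is a candidate for having that permission revoked in the settings.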
Install security applications
First of all, only install apps through the Play Store or App Store, where you can be certain that these apps are validated / certified. Secondly, there are many applications you can use, paid or open-source. In both areas you have good and bad apps. Read the reviews and make use of a trial period. Also search Google for information about the apps you want to download.
Here is an overview of an arbitrary set of security tools:
- Authentication apps from Microsoft
- Authentication apps from Google
- Apps (like Dashlane) for storing and securing your passwords. As we all know, we use many applications on the Internet and each time you need a user name and password. You can also generate very strong passwords, which are stored and automatically retrieved once you log in to an application on the Internet.
- Antivirus for detecting malware.
- A NoRoot firewall app for protecting inbound and outbound traffic of the identified apps on your phone.
- An app that detects weak Wi-Fi connections, non-secure apps, unsafe SMS messages, and whether the device is rooted.
- VPN apps for encrypting messages, especially when using non-secure Wi-Fi connections. I use commercial and open-source apps.
- A security app that discovers your network, executes a risk detection, gathers information about speed, IP addresses and DNS names, executes application security tests and monitors unauthorized use of the microphone and video. This app also executes a threat detection and traffic inspection and reports on all these aspects.
- Also, when you want to send sensitive text, you can use various apps that instantly create encrypted text, which you can send through email, FTP or whatever.
Analyse your logs and alerts
Not all, but some of the above-mentioned applications provide logs and alerts. It is recommended that you investigate them using various tools like Whois, Ping and Traceroute, or external websites like dnslytics.com, Shodan.io or network-tools.com. Once you have found meaningful data, you can use it to block (blacklist) certain IP addresses or IP ranges.
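As an added example (not part of the original article), the sketch below shows one way to turn such a log into blocklist entries once you have decided that an app's destinations are unwanted: it counts connections per app and destination, then collapses the addresses into the smallest set of IP ranges. The log format and app names are hypothetical and the sample lines are constructed, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed log lines: timestamp, app, destination IP, port. The format and
# app names are hypothetical; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 com.example.flashlight 203.0.113.10 443
2024-05-01T10:00:07 com.example.flashlight 203.0.113.11 443
2024-05-01T10:01:15 com.example.flashlight 203.0.113.10 443
2024-05-01T10:02:40 com.example.notes 198.51.100.7 443
2024-05-01T10:03:02 com.example.flashlight 203.0.113.10 8080
2024-05-01T10:04:19 com.example.mail 192.0.2.25 993
"""

def destinations_by_app(log):
    """Count connections per (app, destination IP); skip malformed lines."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, app, dest, _ = parts
        try:
            counts[(app, ipaddress.ip_address(dest))] += 1
        except ValueError:
            continue  # destination is not a valid IP address
    return counts

def blocklist_for(log, app, min_hits=1):
    """Return collapsed CIDR ranges for destinations `app` contacted
    at least `min_hits` times."""
    counts = destinations_by_app(log)
    ips = [ip for (a, ip), n in counts.items() if a == app and n >= min_hits]
    ranges = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        nets = [ipaddress.ip_network(str(ip)) for ip in ips
                if ip.version == version]
        ranges += [str(n) for n in ipaddress.collapse_addresses(nets)]
    return ranges

if __name__ == "__main__":
    print(blocklist_for(SAMPLE_LOG, "com.example.flashlight"))
```

Look up each resulting range with Whois before blocking it, because a collapsed range can also cover addresses that did not appear in the log.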
Set (Google) device policy
Nowadays many users have a company phone. This can also be used for private purposes. What you want is to separate these environments, for the obvious reasons. Large companies already have mobile policies and enforce these policies with controls. However, there are plenty of organisations where people have a company phone and NO policies and no means of protecting these devices or acting when a breach has happened.
Since I have been a Google user for many years, I recently used their Google Device Policy app. This app provides a lot of possibilities to secure your phone and separate it from your private apps. The following security policy entries can be set:
- Strength of device password.
- Length of device password.
- Number of times that an invalid password may be entered before the device is deleted.
- Number of recently expired passwords that are blocked.
- Number of days before a device password expires.
- Number of minutes that a device is not used before it is automatically locked.
- Application control.
- Delete external device account.
- Delete an external device.
- Set up version requirements for the Device Policy app.
- Number of days that the device is not synchronized before it is deleted.
- Block devices whose security has been compromised.
All in all, there are many things you can do to raise the bar of security. It will cost you some work but not much money. I think it is wise to do this, or to consult your system manager to assist you with improving the security on your Android.