Mobile phone security can be a nightmare. Mobile platforms are complex, and complexity breeds vulnerabilities: every added feature is one more way the device can be exploited.
Mobile platforms are also a very attractive target. A phone stores contacts, pictures, videos, browsing history, text messages, email and often payment card data, all of it valuable to an attacker. But don’t lose hope: there are simple things you can do today to make your device harder to attack. None of them will make the phone perfectly secure; a determined attacker with physical access or a working exploit may still get in. Some security is still far better than none at all.
1. Set Up a Strong Screen Lock
A strong screen lock is the first line of defense while the phone is powered on and in someone else’s hands. But what makes a good screen lock? As the picture below shows, a pattern lock leaves a smudge trail on the glass from which the pattern can be read back (the so-called smudge attack). I recommend a PIN or a full text password instead, with a caveat: if you use a PIN, pick a secure one. Use more than 4 digits and don’t base it on anything easily guessable, such as a birthday or year, a straight sequence, repeated digits or a shape on the keypad (1234, 1984, 1111, 1379). For an excellent in-depth analysis of PIN security I recommend this article. A full text password is the most secure option, but it is also the least convenient; if you don’t want to type one in every time, use a 7 or 8 digit PIN. Whichever you choose, have the lock engage as soon as the screen turns off, and remember that a lock screen only helps against someone who cannot bypass it with an exploit.
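As an added illustration of the “easily guessable” advice above (example code written for this edit, not code from the original post or from Android), the following Python checker flags the PIN classes an attacker tries first: short PINs, repeated digits, straight sequences, keypad shapes such as 1379 and 2580, and years or dates in common digit orderings. The minimum length and the list of keypad shapes are assumptions chosen for illustration.

```python
"""Flag screen-lock PINs that a guessing attacker would try first.

Added example for this post, not code from any Android component. The length
threshold and the keypad shapes are assumptions chosen for illustration.
"""
import datetime

MIN_LENGTH = 6  # assumption: the post suggests 7-8 digits; shorter than 6 is treated as weak

# Straight lines on a phone keypad: rows, columns, diagonals and the 2-5-8-0 column
_KEYPAD_LINES = {"123", "456", "789", "147", "258", "369", "159", "357", "2580"}
_KEYPAD_CORNERS = set("1379")


def _is_sequence(pin: str) -> bool:
    """Runs like 1234, 9876 or 0123: every step is +1, or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _is_repeated_block(pin: str) -> bool:
    """1111, 1212, 121212: a block of one or two digits repeated to fill the PIN."""
    for size in (1, 2):
        block = pin[:size]
        if len(pin) >= 2 * size and block * (len(pin) // size) == pin:
            return True
    return False


def _is_keypad_shape(pin: str) -> bool:
    """A keypad line typed forwards or backwards, or the four corners in any order."""
    if pin in _KEYPAD_LINES or pin[::-1] in _KEYPAD_LINES:
        return True
    return len(pin) == 4 and set(pin) == _KEYPAD_CORNERS


def _looks_like_date(pin: str) -> bool:
    """A year, or a date in any common digit ordering, between 1900 and next year."""
    formats = {
        4: ("%Y",),
        6: ("%d%m%y", "%m%d%y", "%y%m%d"),
        8: ("%d%m%Y", "%m%d%Y", "%Y%m%d"),
    }
    this_year = datetime.date.today().year
    for fmt in formats.get(len(pin), ()):
        try:
            parsed = datetime.datetime.strptime(pin, fmt)
        except ValueError:
            continue  # not a valid date in this ordering
        if 1900 <= parsed.year <= this_year + 1:
            return True
    return False


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a PIN is weak; an empty list means none of these checks fired."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    reasons = []
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits")
    if _is_repeated_block(pin):
        reasons.append("repeated digit or digit pair")
    if _is_sequence(pin):
        reasons.append("ascending or descending sequence")
    if _is_keypad_shape(pin):
        reasons.append("straight line or corners on the keypad")
    if _looks_like_date(pin):
        reasons.append("looks like a year or a date")
    return reasons


def is_strong_pin(pin: str) -> bool:
    """True when the PIN passes every check above."""
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    # Constructed sample PINs, including the ones the post names as guessable
    for candidate in ("1234", "1984", "1111", "1379", "2580", "121212", "19840704", "83051794"):
        print(candidate, pin_weaknesses(candidate) or "ok")
```

Passing these checks does not make a PIN strong on its own; it only rules out the first few hundred guesses an attacker makes. Length still does most of the work, which is why the post asks for 7 or 8 digits.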
2. Encrypt the Disk
A strong screen lock protects your data while the phone is powered on; full disk encryption protects it when the phone is off, or has not yet been unlocked after a reboot. With full disk encryption everything written to the data partition is encrypted under a key that can only be recovered from your password, so pulling the flash chip or booting a recovery image yields ciphertext instead of your data. Android has shipped full disk encryption since Android 3.0. It is built on dm-crypt, the Linux kernel’s block-device encryption layer (the same one LUKS uses on desktop Linux), although Android keeps its key material in its own “crypto footer” rather than a LUKS header. You enable it by going to Menu --> Settings --> Security --> Encrypt Device. Android then encrypts the partition, which takes a while and needs a charged battery, and on every reboot you must enter your screen lock password before the disk is decrypted. This is another reason to choose a strong screen lock password: on these Android versions the screen lock credential is the disk encryption password, and the disk key is derived from it with PBKDF2, so an attacker who images the flash can guess a 4-digit PIN offline in minutes. (Android 4.4 switched the derivation to scrypt and Android 5.0 bound the key to the device’s hardware-backed keystore, which makes offline guessing much harder but does not remove the need for a good password.) Personally, I prefer an encryption password that is stronger than my screen lock password. If you have root access, the CryptFS Password app lets you set a separate disk encryption password. Two caveats: encryption cannot be switched off afterwards except by a factory reset, which wipes the device, and if you forget the password, all of the data on your phone is permanently lost. Also note that once the phone is booted and unlocked, the key is in memory and the data is readable, so encryption does not replace the screen lock.
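To show why the disk encryption password must resist offline guessing, here is an added example (written for this edit; it is not Android’s code, and its footer layout is a simplification) that imitates the shape of the early Android crypto footer: a random salt and a master key wrapped under a key derived from the user’s password with PBKDF2-HMAC-SHA1 at 2000 iterations, the setting the Android 3.x/4.x footer used. The wrapping uses XOR instead of AES-CBC so that the script needs only the standard library; the cost of each guess is the PBKDF2 call either way. It recovers a 4-digit PIN by exhaustive search and projects the worst-case time for longer PINs on the same machine. The footer field names and the MAC used to confirm a correct guess are assumptions of this example.

```python
"""Offline guessing against a PIN-derived disk-encryption key.

Added example for this post, not Android code. It mimics the early Android
crypto footer only in outline: PBKDF2-HMAC-SHA1, 2000 iterations, random salt,
master key wrapped under the derived key. Real Android wraps with AES-CBC and
confirms a guess by mounting the filesystem; here XOR wrapping and an HMAC
check stand in for those two steps (assumptions of this example).
"""
import hashlib
import hmac
import os
import time
from itertools import product

ITERATIONS = 2000   # Android 3.0-4.3 footer setting; 4.4 moved to scrypt
KEY_LEN = 16        # 128-bit master key
CHECK_LABEL = b"footer-check"  # assumption: label for the guess-confirmation MAC


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the user's password, as the footer derives it."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_footer(password: str, master_key: bytes = None) -> dict:
    """Build a simplified footer: salt, wrapped master key, and a check value."""
    master_key = master_key or os.urandom(KEY_LEN)
    salt = os.urandom(16)
    wrapped = _xor(master_key, derive_kek(password, salt))
    check = hmac.new(master_key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_key": wrapped, "check": check}


def unwrap(footer: dict, password: str):
    """Return the master key if the password is right, otherwise None."""
    candidate = _xor(footer["wrapped_key"], derive_kek(password, footer["salt"]))
    expected = hmac.new(candidate, CHECK_LABEL, hashlib.sha256).digest()
    if hmac.compare_digest(expected, footer["check"]):
        return candidate
    return None


def brute_force_pin(footer: dict, length: int):
    """Try every numeric PIN of the given length in order.

    Returns (pin, guesses, seconds) on success, or None if no PIN of that length fits.
    """
    start = time.perf_counter()
    guesses = 0
    for digits in product("0123456789", repeat=length):
        pin = "".join(digits)
        guesses += 1
        if unwrap(footer, pin) is not None:
            return pin, guesses, time.perf_counter() - start
    return None


def estimated_hours(length: int, seconds_per_guess: float) -> float:
    """Worst-case hours to exhaust every PIN of the given length at the measured rate."""
    return (10 ** length) * seconds_per_guess / 3600


if __name__ == "__main__":
    # Constructed scenario: a phone whose screen-lock PIN is also its encryption password
    footer = make_footer("2580")
    pin, n, secs = brute_force_pin(footer, 4)
    print(f"recovered PIN {pin} after {n} guesses in {secs:.1f}s")
    per_guess = secs / n
    for length in (4, 6, 8):
        print(f"{length}-digit PIN: up to {estimated_hours(length, per_guess):.1f} h on this machine")
```

The search runs on a copy of the footer, so the phone’s lockout timers and wipe-after-N-attempts settings never see it; only the derivation cost and the size of the password space stand between the attacker and the data. Each extra digit multiplies the work by ten, and a real password drawn from letters and digits multiplies it far more, which is the case for a separate, stronger encryption password.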
3. Use Open Source Software
There are many great apps for entertainment, work and more in the Android app store. Most of them do what they say, but some unscrupulous developers insert malicious code into their applications, anything from tracking the web pages you visit to logging your keystrokes or stealing banking credentials. With a closed-source app you cannot readily confirm that it does what it claims, because you cannot read the source code (you can decompile and inspect the APK, but that is slow, expert work). With open source software, anyone can read the source and (hopefully) verify that the program does what it says. Note the “hopefully”: open source makes auditing possible, it does not guarantee that anyone has done it, and a binary from an app store only matches the published source if it was actually built from that source. F-Droid, an app store that carries only free and open source software, builds the apps it distributes from source for exactly that reason. Some great open source alternatives are Firefox instead of Chrome, K-9 Mail instead of the stock email client, OsmAnd instead of Google Maps, and DuckDuckGo instead of Google for search (a privacy-focused service rather than open source software, but one that does not profile you). If you want to get especially hardcore, you can replace the stock Android build with CyanogenMod, a community-maintained open source fork.
4. Use Encryption Applications
Now that we have open source software running on an encrypted device, we can focus on protecting our data in transit. These apps encrypt messages and calls end to end, so they cannot be read by whoever operates or eavesdrops on the mobile network or Wi-Fi in between. There are a number of great encryption applications for Android, and all of them are open source as well. The ones I recommend are TextSecure (text messaging), RedPhone (phone calls), Ostel (phone calls), APG (email), Orbot and Orweb (web browsing over Tor), ChatSecure (chat) and NoteCipher (notes). (TextSecure and RedPhone have since been merged into Signal.) Two caveats: end-to-end encryption only helps when the other party uses a compatible app, and it protects the content of a conversation, not the fact that it took place or with whom. By using these applications you increase the security of your data both on the phone and in transit.
Following these steps will not make your phone 100% secure. None of them is foolproof, and a determined attacker could find ways around all of them. But your phone will be more secure, and by proactively pursuing security for your mobile device you will keep your data safe from many of the attacks a mobile user faces.