Smartphone and tablet users are constantly implored to secure their devices with PINs and other security settings, but most rarely venture beyond a simple screen lock. This isn’t enough, for reasons that will become clear. If a thief gets hold of a lost or stolen smartphone or tablet there are numerous ways of re-using the handset, accessing any data it contains and even hijacking the account to make expensive calls.
The problem is that on Android there turns out to be a lot more to device security than first meets the eye, and this tends to put people off. One way to make it manageable is to break it down into seven layers of protection, each with its own settings. These are:
- Protecting the smartphone physically using a screen PIN or password
- Protecting the user’s account held on the SIM
- Protecting the data on the device and SD card using encryption
- Backing up the data (insurance when using certain security features)
- Remotely locating, locking or wiping the handset should it be lost
- Securely erasing data on the device at the end of its life
- Defending the applications using a security app
It’s a lot to remember. Typically, people put a PIN on their phone, leaving the SIM unprotected and data in the clear. More and more people download security apps but plenty don’t. Remote wiping can be clunky. A final issue is that Android is fragmented by version and device maker, so accessing some of these options might be slightly different for each smartphone brand. The following is the most important hitlist.
1. Set up a screen lock, preferably an alphanumeric password or, if that sounds like a hassle, a PIN of between four and seventeen digits (pattern locks are risky because they need to be complex not to be guessed and that makes them easy to forget). Four digits is the simplest but that only covers 10,000 possibilities, so raising it to five or six is advisable. Of course a thief has to know that the PIN is only four digits, but since that is the default that’s where they will start. Stock Android limits attempts to five at a time before it enforces a 30-second wait (some manufacturers allow 10 attempts), so brute forcing is actually quite time-consuming.
2. Also set up a SIM lock at the same time. This stops thieves simply removing the SIM from a locked device and accessing available credit and possibly call and contact data on another device. This will mean first entering the default PIN for that network (UK network Giffgaff uses ‘5555’, for instance) before entering a new PIN. Android only allows three guesses before locking the handset, so it is important not to mess around guessing the wrong default PIN.
3. Back up any data on the device and SD card if one is present. Apart from being a good form of insurance it also makes it possible to use some of the features mentioned below without the risk of losing data in specific circumstances.
4. Encrypt the phone. Having protected the handset and account, now protect the data itself. Not everyone is keen on encryption – the perception of slower performance lingers – but it is still a good idea. Any recent quad-core handset or tablet should cope with it with no problems although issues can crop up on older models. On Android 5.0 encryption is enforced by default on new handsets but has to be enabled manually on earlier versions.
5. Consider encrypting the SD card if the option is offered (it isn’t on all Android smartphones) and an SD card is present but watch out for wrangles. A subsequent reset can render the card inaccessible, which makes sense as it stops thieves removing the card and using it in a separate device. That’s one reason why a backup is advisable.
6. Download a security app of some kind. There are plenty of competent free apps that will do this but always go for one from a recommended vendor. These are important because they vet apps as they are being installed, something that Google itself has a patchy record of doing in its Play store. ESET, Avast and Malwarebytes work well but it's a matter of personal preference.
7. On the subject of software security, check out an Android device’s ‘security state’ using something like Bluebox Security’s Trustable app. This runs a scan to see which known software vulnerabilities the device is susceptible to, which will vary according to the version of Android being used. Because the worst of these will probably have no fix without upgrading Android itself it’s mainly advisory. But this kind of knowledge is becoming more and more important as Android evolves.
8. Download Android Device Manager from Google Play, or an equivalent third-party security app with the same features. This allows the device to be remotely rung, locked or erased. If the phone is lost these features can be accessed from any PC via the Device Manager website.
9. Don’t blithely assume that a factory reset at the end of an Android smartphone’s life will securely wipe the data left on it. A study by security firm Avast earlier this year found that 20 smartphones the firm bought on eBay still contained photographs, selfies, emails, texts, and details of Google searches. Third-party apps are available to overwrite apparently deleted data in a secure way.
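To put numbers on step 1, the following added example (not part of the original article) works out how long it takes to try every PIN of a given length under the lockout described there: a 30-second wait after every five wrong attempts, or every ten on some handsets. The two seconds allowed for keying in each guess is an assumption, and the function names are illustrative.

```python
LOCKOUT_SECONDS = 30   # wait the article gives for stock Android
ENTRY_SECONDS = 2      # assumption: time to key in one guess by hand


def seconds_for_guesses(guesses, batch=5, lockout=LOCKOUT_SECONDS,
                        entry=ENTRY_SECONDS):
    """Seconds needed to enter `guesses` PINs when a lockout follows every
    `batch` wrong attempts (no wait is served after the final guess)."""
    if guesses <= 0:
        return 0
    waits = (guesses - 1) // batch
    return guesses * entry + waits * lockout


def pin_exhaustion(digits, batch=5):
    """Return (worst_case_seconds, half_keyspace_seconds) for a PIN length."""
    keyspace = 10 ** digits
    worst = seconds_for_guesses(keyspace, batch)
    half = seconds_for_guesses(keyspace // 2, batch)
    return worst, half


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds} seconds"


if __name__ == "__main__":
    print(f"{'digits':>6} {'limit':>5} {'worst case':>14} {'half keyspace':>14}")
    for digits in (4, 5, 6, 8):
        for batch in (5, 10):      # stock Android vs. some manufacturers
            worst, half = pin_exhaustion(digits, batch)
            print(f"{digits:>6} {batch:>5} {humanize(worst):>14} {humanize(half):>14}")
```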