Android has been around for nearly a decade and has come a long way from its early wannabe iPhone days. New features, upgraded camera phones, a wide variety of apps and platforms, and polished interface design have led to a huge install base—a whopping 2 billion+ monthly active devices—making it the biggest mobile OS in the world to date.
This is but one testament to how technological advancements have enormous selling power. What was once a pipe dream (Compete with the iPhone?! Fat chance.), is now reality. At the moment, Android’s future seems all unicorns and rainbows. However, expanded technological capabilities aren’t always a good thing—especially for security. Let me explain.
Introducing new technology, such as a new Android version, doesn’t mean that users can adopt it right away. Quick adoption is what Google phone users expect. But for the majority of Android users, it all depends on when their carriers push the upgrade. In other words, it’s no fault of the users if they’re still on an old OS version. Plus, let’s not forget the rise of cheap Android smartphones, which may not get an OS upgrade at all.
The longer a user has to wait to receive an upgrade, the longer they’re missing out on new security features, patches for vulnerabilities, and other fixes. This could mean that flaws in the previous (or older) version will remain open and potentially exploitable to cybercriminals.
But that’s just one way Android’s tech can be infiltrated by threat actors.
One of the prime attractions for Android users is more flexibility, especially when it comes to application platforms. Third-party platforms offer developers a chance to test new ideas in a less-regulated, free market. However, fewer regulations often leads to abuse—malicious APKs (Android application packages) abound. And while the Google Play Store does attempt to crack down on bad apps, the sheer number of developers means that more than a few will, and have, slipped through.
And finally, lest we forget cybercriminals’ favorite new pastime, drive-by cryptomining has trapped Android users browsing the web on their phone, while cryptomining malware eats up so much of Android’s processing power that it can explode.
So how can Android users balance the power of better tech with the safety of best cybersecurity practices? Here are a few tried and true methods to protect your Android phone.
How do I secure thee: Let me count the ways
Let’s face it, “more than 2 billion monthly active devices” sounds mouth-watering to cybercriminals, regardless of what confectionery-themed OS version these devices are running on. This number alone makes Android users prime targets for cybercrime.
Say, for example, you’re on a budget phone running Lollipop that your carrier can no longer update. How can you keep your device as secure as possible—given its inherent limitations—and your data as private as it can be? Here’s what you can do for any version, carrier, and hardware.
1. Know your Android.
You may have been an Android user for years, but really, how well do you know the security and privacy settings of OS you’re using? It’s time to sit down and get to know your OS all over again (if you haven’t already) or re-acquaint yourself with its built-in features (if you need a quick refresher course) by doing some research.
For starters, some features you may want to check out are Smart Lock, Device Protection, Find My Device, Verify Apps, and full-disk encryption. Note that older and newer smartphone models alike may encounter a performance issue once users choose the encryption feature.
2. Give your phone a security and privacy audit.
Now that you’re familiar with the security and privacy features your OS version has to offer, you can now give your smartphone a (quick) audit to make sure that it is as secure as you want it to be, starting with the basics.
Do you have a PIN or pattern to lock your phone? If not, give it one—now. Does your Google account have two-factor authentication enabled? You might want to set that up next.
You can use Google’s online Security Checkup tool to help you in the audit. Also, if you find apps you no longer use, uninstall them. JR Raphael of Android Intelligence wrote up a convenient checklist you may want to check out.
This doesn’t mean that you have to use all security and privacy features, although this is the ideal setup for optimal safety. If a function is proving to be more of a problem than a solution, such as full-disk encryption, then you might want to keep it disabled and use a third-party encryption app instead. Luckily, such apps can be found in the Play Store. Some of them allow users to encrypt a folder of your choice or just your photos, if you’re not that concerned about other files.
3. Set a calendar reminder 12 months after the audit.
If you don’t change phones in the next year, you should make sure you re-audit in 12 months time. However, that doesn’t mean ignoring your phone’s settings in between audits. Checking the security and privacy of your smartphone on a regular basis ensures that it’s not only running smoothly but everything is up-to-date and in order.
4. Consider using apps that provide end-to-end encryption.
This is entirely optional, as Android already has Gmail pre-installed (and emails might be the most sensitive information you transmit on your phone, outside of financial transactions). If you’re twitchy about your privacy when sending SMS messages, you may opt to use a third-party app to encrypt them. Apps such as Signal, Dust, Telegram, and WhatsApp (among others) could just be what you’re looking for.
5. Stop disclosing your location.
For some reason, many apps want access to geolocation (even going so far as requesting permission to run geolocation in the background when users aren’t using the app). We recommend limiting apps’ geolocation permissions as much as possible, although we recognize that some app features may be impacted (maps, Waze, etc.). Thankfully (maybe), Android allows users to change the accuracy of their location data. If you’re not sure which apps to pick, stick to GPS.
6. Turn off Bluetooth and WiFi when you’re not using them.
Doing so not only decreases the likelihood of mobile attacks (not to mention pranks) taking advantage of Bluetooth technology and WiFi, but it also helps with your smartphone’s battery life.
7. Untangle that web of connected devices.
It’s not uncommon to use one Google account with multiple devices and browsers. As you’re apt to lose track of these connections after a while, you can just visit your account’s security settings to look at the list and determine which devices you’re no longer using—or which devices you’ve never used. If you see one that is alien to you, delete them ASAP and change your Google account password.
8. Be wary of (unofficial) apps that bank on other apps’ popularity, or on seasons and events.
We’ve seen apps appear in the Play Store pretending to be something related to [famous app here], but cheaper, with more features, or some other too-good-to-be-true scenario. For example, WhatsApp is no stranger to copycat apps. In late November 2017, one supposed WhatsApp update used Unicode to slip under Google’s defenses. We’ve also seen fake apps that take advantage of popular events, like the Winter Olympics.
Users take the bait, download the app, and then their smartphone is never the same. It slows down, ads pop up at random and in multitudes, and new apps are suddenly installed without user permission.
This is why it’s essential to spot seemingly innocuous but ultimately malicious apps before trying them out. A good starting place is reading the reviews. Make sure that you lean toward legitimate reviewers, as it’s always possible for paid users to leave glowing reviews for a crappy app—or bad reviews for a good one.
9. Weigh the odds when it comes to free public WiFi.
Ah, coffee shop WiFi—to connect or not connect? Well, it depends. Is the WiFi you want to connect to even legitimate? Approach a coffee shop employee and ask for the WiFi’s name and password. If there’s a password, it’s a bit safer to connect. (If not, consider any browsing you do in the coffee shop to be open season for criminals.)
If you like to take this a step further and use a mobile VPN, keep in mind that the free ones don’t have a particularly good record of maintaining your privacy. And the Play Store is full of free VPN apps. Good thing there are better options available online. Steven J. Vaughan-Nichols of ZDNet has a list of VPNs you may want to look into further. Throwing in a privacy browser in there won’t hurt, too.
10. Stop and think awhile.
When it comes to links sent to you either via email, SMS, or social media, stop and think before you do anything. Do you know the sender? Better yet, do you trust the sender? For your security, we recommend installing an antivirus program for your Android that’ll intercept malicious links or attachments before any malware is deployed on your system.
Related post: Top 10 ways to secure your mobile phone
When owning an old Android is unsafe
We began this piece on the premise that our user is running an old Android version on a budget phone. One might ask: “How long can a user keep using this phone?” Or “Would an old smartphone eventually become unsafe to use?” The answer, according to this article in Tom’s Guide, is this: “One might actually be safer using a cellphone that predates smartphones, instead of an out-of-date smartphone.”
This may sound fun and retro, but it’s not a failsafe. Just because no one is attacking outdated or “dumb” phones doesn’t mean they are not vulnerable or are more secure than newer units. What they are is less attractive targets to cybercriminals.
Just one click
Whether your Android phone is the latest model running the newest OS with the most up-to-date apps or the opposite, a callous or unknowing click here or there may not actually make a difference to your holistic security well-being. Sadly, what most of us don’t realize is that all it takes is a single, wrong click to do a good deal of damage—and that can happen to some of the most careful and savvy users.
So if you don’t want to tempt the odds, your best bet is to prime your smartphone’s security up to the hilt, use apps that indeed take care of your privacy, educate yourself on the latest threats, and most of all, adhere to sound and secure behaviors when handling your phone.