
Android Security: Take Control

May 12, 2011 by Matt Mossman

Are you in control of your Android device? Really? Then answer this brief survey:

  • Has every single app on your phone been installed from the Android market?
  • Have you password protected your device in some way?
  • Do you make regular backups of your device?
  • Have you installed a “find me” application [such as Lookout]?
  • Do you actively take steps to encrypt your data (both internal and external)?
  • Do you avoid picking up random QR codes to see where they lead?

If you answered “no” to any of the above questions then perhaps we should reevaluate the importance of taking control of your open-source device.

Let’s examine the ways you could incur loss and then establish ways to avoid these ordeals.

Problem: Your phone is missing.


Ok, don’t panic. There is a good chance that you can recover your phone and an even better chance of preserving your data should the worst case scenario come to fruition. With an app like Lookout Mobile Security you can activate the ‘find my phone’ feature on your Android similar to iPhone users’ MobileMe.

“Real-time phone tracking available on Android 1.5+”

Simply create an account on My Lookout and track your missing phone via GPS location.

“Help track a lost device with Lookout or remotely wipe with Lookout Premium”

Should the thief disable the GPS on your device, you can preserve your personal data by remotely wiping your internal and external memory with WaveSecure by McAfee. The downside is that this app carries a subscription price of $19.90 per year. Of course, there is a long list of apps to choose from, both on the Android Market and elsewhere, such as:

  • Security Shield by SMobile ($29.99)
  • Lookout Mobile Security Premium ($2.99 per month or $29.99 annually)
  • Anti-Virus by AVG paired with Chrome’s Findr can locate and remotely wipe your device for free.

Problem: Your phone data usage has skyrocketed and applications no longer work the way they should.


A Trojan or some other form of malware has been installed on your phone, either intentionally (read those privilege agreements!) or otherwise.


Scan and clean your device regularly, especially when you download a new app or content from an external source.

Check out:

  • Anti-Virus Free by AVG Mobilation (Free on the Android Market)
  • Super Security (Free on the Android Market)
  • SmartGuard Mobile Security (Also free on the Android Market)

While there are copious anti-virus applications out there, you may never need one. With a few common practices you can lower the risk of infection on your Android device without the need for resource-hungry software. Though I will not get into the tribulations surrounding resource management, every security risk should be addressed on an individual-need basis.

Problem: You frequently work with sensitive data both over your carrier network and public Wi-Fi networks without proactive security measures to protect your data.


Password protect your apps and encrypt your data.

You can set individual app protection with a host of utilities such as:

  • App Protector Pro ($1.99 on the Android Market)
  • Password Box ($2.99 on the Android Market)
  • Android Protector (Free on the Android Market)

Normally, the applications on your phone, and the information in them, are open to anyone as soon as the device is unlocked. From my home screen alone, I can reach my Gmail, Google Voice, text messages, voice mail, and a secondary email account. If it weren’t for the added protection of a password manager, a third party would have access to all of this information and more.

“Does your app contain something you wouldn’t want just anyone to see? Password protect it!”

Instant information has become the norm in the world of smart phones. Overly complicated steps to access your information might detract from the very purpose of having an Android device. So it is up to you to find a balance between how much security you require and how fast you want to access your information. The added step of typing in a 4-digit PIN to access your Gmail might just save you a headache should your device be compromised by a third party.

Problem: Your device will no longer boot or has suddenly become unresponsive.


Restore your data from backed-up images (you did remember to back up your data, right?)

Backing up data is an often thought of yet often overlooked method for securing your data. I recently fell victim to a derelict device. Fortunately I am very diligent (read: OCD) about creating and managing backups. Should you drop your phone and need a replacement, or fall prey to malicious software, there is no better method for data recovery than redundancy.

For your apps, Google keeps a handy track record of everything that you have purchased from the Android Market in the cloud. After restoring your device to factory defaults or recovering from a catastrophic failure of some sort, you can browse to the Android Market downloads section to see a list of previously purchased apps.

MyBackup Pro is a surprisingly feature-rich utility that can back up apps, photos, contacts, call log, browser settings and bookmarks, SMS, MMS, calendar and more. Coupled with a scheduler, for those of you too busy to back up your settings manually, this app can automatically create and manage backups in the background.

“Set a backup schedule for regular background backups”

For you rooted users, I highly recommend Titanium Backup. The free version will back up your apps, user settings and all, for easy restore if needed. The pro version (about $6 on the Android Market) offers automated commands and the ability to ‘freeze’ apps in memory.

“Titanium Backup Pro – For rooted users only”

If your device has external memory, it would be wise to back up the entirety of your SD card to a computer or another source. We can snap pictures on the fly, record video and carry our music wherever we go with our Android devices. Having a backup of those memories is crucial in the event of a lost device.

Redundancy is one word you will hear quite often in the IT world with regard to security and data integrity. Why do you think Google has such incredible uptimes on their data centers? Keep regular backups of your apps and settings to reduce the risk of loss in the event of a theft or a corrupted device.

As for data encryption, WhisperCore integrates with the Android OS, including various platform management tools, to secure your internal and external storage with AES-256 in XTS mode. This method can encrypt all the data on your mobile device, with options to encrypt onboard SD cards.

Currently, WhisperCore only supports the Nexus S phone and requires Gingerbread (2.3+). The initial beta provides full disk protection and software firewall security. You can monitor your connections in real time, giving you more control of active apps.

We can look forward to this type of software being more widely available as the Android platform evolves and grows. With Google Honeycomb API, hardware encryption is finally fleshed out. Currently available on the Motorola Xoom with Honeycomb installed, one can enjoy AES 256 full disk encryption.

In parallel with Google’s Android technology evolving to meet consumers’ technological hunger, security threats constantly mutate to exploit loopholes and glitches alike.

Use common sense when downloading and installing, back up your data regularly, and most of all, use the tools available to you to reduce the risk of a security breach. Let us work together in this open-source endeavor with Google’s Android platform. If you see a threat, report it! If you create a security measure, share it! That’s what keeps Android going and our devices safe.


Matt Mossman is a security researcher for the InfoSec Institute and a co-founder of Killer Android, an organization dedicated to spreading awareness of the Android Open Source Project. Matt continues to promote the Android platform through social media outlets and scholarly venues. He has developed several Android applications with a few being published on the Android Market. As a University of Michigan graduate, Matt strives to lend his knowledge and experience in parallel with the Android platform ideology. Though he spends his days as a humble Systems Admin for a renowned communications firm based out of Livonia, MI, Matt spends his nights advocating for Android.