IceDigger
[H]F Junkie
- Joined
- Feb 22, 2001
- Messages
- 12,089
With all the junk out there for the android devices, what is your best practices to secure your android device and make it stay secure?
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Android Security?
- Thread starter IceDigger
- Start date
Don't install random apps outside of the Google Play store is probably the most important thing. While not everything in the Google Play store is 100% safe, it is at least somewhat vetted by Google. Install the most current software updates for your device to ensure you stay at a current security patch level. Unfortunately non-google phones are frequently stuck behind a few months due to delays from the carrier and thee OEM. Some non-flagship devices just don't get security updates...
A few things:
- Two-factor authentication for as many things as possible. Don't give people the chance to hijack your accounts through brute force.
- Encrypt your device storage if it isn't already.
- Only get apps from Google Play unless you know you can trust the source.
- Don't feel compelled to grant permission to apps if you're not comfortable with it.
- Get only Google phones if you care about timely security updates.
One other thing I will suggest: don't use antivirus software. It won't really stop zero-day attacks or otherwise protect you against flaws that they're not trained to recognize. That and antivirus software tends to be something of a racket -- you pay for a subscription that likely won't help you at all.
- Two-factor authentication for as many things as possible. Don't give people the chance to hijack your accounts through brute force.
- Encrypt your device storage if it isn't already.
- Only get apps from Google Play unless you know you can trust the source.
- Don't feel compelled to grant permission to apps if you're not comfortable with it.
- Get only Google phones if you care about timely security updates.
One other thing I will suggest: don't use antivirus software. It won't really stop zero-day attacks or otherwise protect you against flaws that they're not trained to recognize. That and antivirus software tends to be something of a racket -- you pay for a subscription that likely won't help you at all.
Vermillion
Supreme [H]ardness
- Joined
- Apr 5, 2007
- Messages
- 4,417
What Aurelius said is pretty accurate. But much of those ideas are simply good security practices anyways.
The biggest key is be mindful of stuff you sideload. Sideloading is where the bad stuff almost always comes from.
Android isn't nearly as insecure as all the haters and media headlines make it seem. Everybody was so worried about Stagefright and it amounted to well...nothing. That isn't to say it wasn't a bad thing but it wasn't the OMGZ THE SKYZ ARE FALLING thing people made it out to be.
Most of the time those anti-virus companies are the ones that talk about "finding new malware in the wild" and use scare tactics to try to sell their worthless AV products. Only they neglect to tell you (until the very end of the article as a footnote) that it's some malware only found in some obscure, Chinese 3rd party app store where people go to pirate stuff. Some of those viral headlines "OMGZ 1 BILLION ANDROID USERS OPEN TO MASSIVE SECURITY HOLE" are so bullshit it's crazy. Some of the exploits they talk about are technically very hard to even pull off. Yes it's an exploit that needs to be patched but the odds of somebody being able to successfully weaponize said exploit is extremely small.
This is also where having so many different OEMs is actually nice. For example the Dirty Cow Linux kernel exploit which was blown out of proportion...only works on some devices. Not all devices are vulnerable to Dirty Cow. Others it looks like it works but really doesn't and yet with others it doesn't work at all. So many people freaked out and claimed all Android devices can now be rooted and all this other bullshit and in reality it didn't do much especially with the devices people really wanted to be rooted.
That difference in how an exploit works from device to device makes weaponizing these exploits hard. Why would you weaponize something for the OnePlus 3T which has a very small footprint in device usage? You want to weaponize and exploit as many devices as you can with as little work as possible. Attacking the HTC10 is worthless but trying to attack a Galaxy S7...now that's worth the time and effort. Oh wait...Samsung devices are heavily locked down and pretty damn secure. So that makes it very hard.
So overall just be smart and you'll be just fine.
The biggest key is be mindful of stuff you sideload. Sideloading is where the bad stuff almost always comes from.
Android isn't nearly as insecure as all the haters and media headlines make it seem. Everybody was so worried about Stagefright and it amounted to well...nothing. That isn't to say it wasn't a bad thing but it wasn't the OMGZ THE SKYZ ARE FALLING thing people made it out to be.
Most of the time those anti-virus companies are the ones that talk about "finding new malware in the wild" and use scare tactics to try to sell their worthless AV products. Only they neglect to tell you (until the very end of the article as a footnote) that it's some malware only found in some obscure, Chinese 3rd party app store where people go to pirate stuff. Some of those viral headlines "OMGZ 1 BILLION ANDROID USERS OPEN TO MASSIVE SECURITY HOLE" are so bullshit it's crazy. Some of the exploits they talk about are technically very hard to even pull off. Yes it's an exploit that needs to be patched but the odds of somebody being able to successfully weaponize said exploit is extremely small.
This is also where having so many different OEMs is actually nice. For example the Dirty Cow Linux kernel exploit which was blown out of proportion...only works on some devices. Not all devices are vulnerable to Dirty Cow. Others it looks like it works but really doesn't and yet with others it doesn't work at all. So many people freaked out and claimed all Android devices can now be rooted and all this other bullshit and in reality it didn't do much especially with the devices people really wanted to be rooted.
That difference in how an exploit works from device to device makes weaponizing these exploits hard. Why would you weaponize something for the OnePlus 3T which has a very small footprint in device usage? You want to weaponize and exploit as many devices as you can with as little work as possible. Attacking the HTC10 is worthless but trying to attack a Galaxy S7...now that's worth the time and effort. Oh wait...Samsung devices are heavily locked down and pretty damn secure. So that makes it very hard.
So overall just be smart and you'll be just fine.
Stick to the Play Store and F-Droid, stay away from obviously shady shit on there (You don't need a flashlight app with permission to access the internet, and Pokemon Go was not distributed by "Neentedoo") Just pay attention and use common sense.