So I got an Android phone and I think it’s only fair to write up a few things to secure it.
1) I Rooted My Phone
Rooting your phone and unlocking the bootloader doesn’t actually make it more secure. With the bootloader unlocked you take your security out of the hardware and rely on the kernel instead. That’s really crappy, but it’s necessary for almost everything else you’ll want to do.
2) Custom ROM
I’m running a custom operating system on my device. It’s still Android, it’s just not the Android that came with it. Specifically, the Verizon Galaxy Nexus (as of 07/27/2012) ships with Ice Cream Sandwich (ICS). ICS is the first Android release to incorporate Address Space Layout Randomization (ASLR), but its ASLR is weak and preliminary. Jelly Bean (Android 4.1) has full ASLR with Position Independent Executables (PIE), hardening against information leaks, full RELRO support for most of the OS, and is basically a whole lot better on the ASLR front.
So moving to Jelly Bean is recommended.
3) Passwords / PIN / Face Unlock
In terms of security it goes (greatest to least) Password -> PIN -> Face Unlock. Anyone with a Facebook picture of you, or any other photograph, can unlock your phone if it uses Face Unlock. The feature is really cool and I’d love it if it were paired with voice recognition or something (that way the attacker would need your face, your voice, and the phrase), but right now it’s nothing special. PINs are too short; they’re useless against anyone but a friend who wants to mess with you. Passwords are pretty much where it’s at – you’re limited to 16 characters, but that’s more than enough.
If you’re not using encryption the lock screen doesn’t really matter that much – whoever has the device can get in anyway. But still, it’s always good to go for a password.
4) Encryption Of Home
Android now allows you to encrypt the entire data partition with 128-bit AES. I have personally opted out of this feature as it’s kind of a pain in the ass – flashing ROMs with it enabled isn’t easy. If I weren’t rooting and doing all this stuff I’d encrypt, but for now it’s not worth it.
5) Disabling NFC
NFC allows your Android device to connect to other devices at short range and transfer information. It’s not good for security: it has come up multiple times as a potential attack vector, and I have no use for it myself.
Settings -> More… -> NFC
Uncheck the box.
If you don’t use it then… don’t use it. There’s no reason to leave it on.
6) Where’s My Droid
This is less of a security app and more of an “oh shit, I lost my phone” app. Where’s My Droid is a free app that lets you text key phrases to your phone and have it either ring or send you back its GPS coordinates. It also has a web interface that gives you details on the whereabouts of the phone.
If you use Where’s My Droid I highly suggest you make use of the “whitelist” and set it so that only a few phone numbers can send those commands.
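To show why the whitelist matters, here is an added example (not the app’s own code) that models a keyword-triggered SMS command handler like the one described above: without a whitelist, anyone who learns the key phrase can ring or locate the phone; with one, only the listed numbers can. The attention words, phone numbers and inbox below are constructed sample values, and numbers are compared on their last 10 digits as a simplifying assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, FrozenSet

# Constructed sample key phrases -> action (the real app lets the owner pick these).
ATTENTION_WORDS = {"wmd ring": "ring", "wmd gps": "locate"}


@dataclass(frozen=True)
class Sms:
    sender: str
    body: str


def normalize_number(number: str) -> str:
    """Keep digits only and compare on the last 10, so '+1 555 010 0001'
    and '15550100001' match. (Simplifying assumption for this example.)"""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]


def handle_sms(msg: Sms, whitelist: Optional[FrozenSet[str]]) -> str:
    """Return what the phone would do: 'ring', 'locate' or 'ignore'.

    whitelist=None models the app with the whitelist feature turned off:
    any sender who knows the attention word can trigger the command."""
    body = msg.body.strip().lower()
    action = next((act for phrase, act in ATTENTION_WORDS.items()
                   if body.startswith(phrase)), None)
    if action is None:
        return "ignore"  # ordinary text message, not a command
    if whitelist is not None:
        allowed = {normalize_number(n) for n in whitelist}
        if normalize_number(msg.sender) not in allowed:
            return "ignore"  # command from a number the owner did not approve
    return action


# Constructed sample inbox: the owner's second phone (...0001) and an unknown
# number (...0002) that has learned the key phrase.
SAMPLE_INBOX: List[Sms] = [
    Sms("+1 555 010 0001", "wmd gps"),
    Sms("+1 555 010 0002", "wmd ring"),
    Sms("+1 555 010 0001", "lunch?"),
]


def simulate(whitelist: Optional[FrozenSet[str]]) -> List[str]:
    """Run the sample inbox through the handler with the given whitelist."""
    return [handle_sms(m, whitelist) for m in SAMPLE_INBOX]


if __name__ == "__main__":
    print("no whitelist:  ", simulate(None))
    print("with whitelist:", simulate(frozenset({"+1 555 010 0001"})))
```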