How to stay safe on Android

Recently I posted an article on privacy violations by apps on Android and iOS. After reading that article (you did read it, right?) I’m sure you must be wondering what you can do to protect yourself. Well, the surest way is to stop using a cell phone. However, that isn’t very practical. So dotTech has come up with some handy tips on how to protect your privacy on Android devices.

(Sorry iDevice owners. While we would love to do the same for iOS, I don’t own an iDevice and thus can’t be of much use there. Feel free to buy me an iPhone.)

BEFORE WE BEGIN

Before we delve into the tips on how to protect your privacy, take note that some of the tips below require you to have a rooted device. If you have not rooted yet, you can read this article to learn how to root. Rooting is, generally speaking, a safe process and opens doors for your ‘droid that you did not have before. Keep in mind, though, that root is the master key to the device: an app you grant root access to can do anything it likes, including reading other apps’ data and switching off the very security tools recommended below. Root sparingly, and grant root access only to apps you trust.

HOW TO STAY SAFE FROM MALWARE

DOWNLOAD FROM OFFICIAL SOURCES

One of the advantages of Android over iOS is the lack of big-brother control. However, this advantage is a double-edged sword. While it is easy on Android to download apps from sources other than Android Market (now called Play Store), it can also be dangerous. When downloading apps, you want to make sure you are downloading from official sources only. That means not downloading apps from those shady “pay $9.95, get all Android apps for free” type websites; that means not downloading from third-party app stores run by companies you have never heard of; that means not downloading pirated apps.

Unofficial distribution of apps is the number one source of malware on Android. What happens is malicious punks take a legitimate app, repackage it with malware added, and distribute the result at these unofficial sources. To you it seems like you are getting a great app for free; and you are getting that great app for free, plus the added bonus of malware, which at best will steal your private data and at worst will install more malware. One tell-tale sign: Android requires every app package to be signed, and the attacker does not have the developer’s key, so the repackaged copy is signed with a different one. That is why a repackaged copy refuses to install over the genuine app (Android will not update an installed app with a package signed by another key); if you hit that error while installing an “update” from an unofficial source, you have been handed a fake.

So what constitutes an “official source”? What sources are “safe” to download from? Well, first and foremost there is Android Market/Play Store. While Google’s hands-off policy has resulted in the Market getting a handful of malware apps (which are wiped as soon as they are discovered), Android Market is clean (generally speaking) and is the number one source for official apps. If you can’t or don’t want to download from Android Market, there is Amazon Appstore. Amazon follows Apple’s lead in reviewing apps before they appear in Amazon Appstore, so it is fairly safe to download from; plus developers use Amazon Appstore as an official distribution point for their apps, so Amazon Appstore is fine to use. Two other sources you can download from are the developer’s own website and GetJar, although I definitely recommend Android Market/Play Store and Amazon Appstore over the developer’s website and GetJar when possible.

LOOK AT NUMBER OF DOWNLOADS, REVIEWS, AND RATINGS

Often app stores, particularly Android Market/Play Store, display the number of downloads an app has received, the ratings users have given it, and the reviews people have written about it. When downloading an app it is always a good idea to glance at how many people have already downloaded it, how they rate it, and whether the reviews point out any issues (privacy-related or otherwise). This is particularly important when downloading new, lesser-known apps. Of course that doesn’t mean you cannot download new, lesser-known apps. You can. But as the number of downloads of an app increases, issues with the app are more likely to be discovered, and those discoveries then show up in the ratings and reviews.

Obviously this isn’t fool-proof advice; an app could be downloaded a hundred thousand times, be rated 5/5 stars, have hundreds of positive reviews and still have privacy-related issues that have not been discovered yet. Ratings and reviews can also be padded by the people pushing the app, so a burst of short five-star reviews on a brand-new app is a warning sign rather than reassurance. However, as I mention above, the chance of issues with an app being discovered increases as more people use it, so it is a good rule of thumb to always consult the number of downloads, ratings, and reviews before downloading an app.

TRY TO AVOID UNOFFICIAL APPS

Often, especially when a company has yet to develop an official app for Android, you will find unofficial apps for web services on Android Market, Amazon Appstore, GetJar, etc. When possible, it is best to download official apps rather than unofficial apps.

Now this advice should be taken with some caution. As Twitter’s example shows, official apps (especially social networking apps) don’t always respect user privacy. However, an unofficial client sits between you and the service: it handles your login (or the access token the service hands it) and sees everything you send and receive, so an unofficial app that wants to mine your data is perfectly placed to do so while letting you use the service.

This doesn’t mean never download unofficial apps. Indeed some unofficial apps are better than official apps, with Twitter once again coming to mind: TweetCaster is an excellent unofficial Twitter app for Android. It means that whenever possible and feasible, use official apps over unofficial apps.

CHECK APP PERMISSIONS PRIOR TO INSTALL

One great thing Google did with Android is force apps to ask for permission to access certain parts of Android devices. Before you install any app, you are shown the list of permissions the app requests, and installing it means accepting all of them. It is absolutely critical to take a look at that list and decide whether the permissions the app asks for are reasonable. Often you can stop privacy-violating apps from ever landing on your device simply by noticing that an app is asking for something it shouldn’t need.

Determining what permissions are reasonable and what aren’t is more art than science. There is no fool-proof way of knowing what permissions each app should have. You just have to think and be logical. For example, does a game app really need access to your contacts list? I think not. Should an office documents viewer need access to your location? Probably not. Does a video player need the ability to record audio? Highly doubtful. Sometimes you will run across apps that ask for questionable permissions for legitimate reasons or apps that ask for permissions and you can’t understand why they want it. In this case you can either

  • Not use the app and look for a different app that does something similar.
  • Or, you can read the app’s description or visit the app’s website and the developer may explain why his/her app needs X permission. If you feel the explanation is reasonable, then grab the app.
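When the app comes from a developer’s website rather than the Market, you can read the permission list off the APK itself before installing. The script below is an added example, not something from the article or from any of the apps it names: it takes the output of `aapt dump permissions` (aapt ships with the Android SDK build tools), pulls out the permission names, and flags the ones on a watch list. The watch list, the package name and the sample aapt output are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the article: list the permissions a sideloaded APK
# declares before it is installed, and flag the ones worth a second look.
# Input is the output of `aapt dump permissions <apk>`; the sample output
# below is constructed for this example.

# Hypothetical watch list: permissions a game, viewer or player rarely needs.
SENSITIVE_PERMS="android.permission.INTERNET
android.permission.READ_CONTACTS
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.RECORD_AUDIO
android.permission.READ_LOGS
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.CALL_PHONE
android.permission.READ_PHONE_STATE
android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed aapt output for a hypothetical video player. Both the older
# "uses-permission: X" and the newer "uses-permission: name='X'" forms appear.
SAMPLE_AAPT_OUTPUT="package: com.example.videoplayer
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WAKE_LOCK
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.READ_LOGS"

# stdin: aapt output. stdout: one permission name per line, deduplicated.
extract_perms() {
    grep '^uses-permission' \
      | sed -e "s/.*name='\([^']*\)'.*/\1/" -e 's/^uses-permission[^:]*: *//' \
      | sort -u
}

# stdin: aapt output. stdout: the declared permissions that are on the watch list.
flag_sensitive() {
    extract_perms | while read -r perm; do
        if printf '%s\n' "$SENSITIVE_PERMS" | grep -Fxq "$perm"; then
            echo "$perm"
        fi
    done
}

# Number of flagged permissions. Anything above zero deserves a look at the
# app's description or website for a justification before installing.
count_sensitive() {
    flag_sensitive | wc -l | tr -d ' '
}

# Demo on the constructed sample. For a real APK:
#   aapt dump permissions app.apk | flag_sensitive
printf '%s\n' "$SAMPLE_AAPT_OUTPUT" | flag_sensitive
```

For the sample video player the script flags INTERNET, READ_CONTACTS, READ_LOGS and RECORD_AUDIO and ignores WAKE_LOCK, which is exactly the judgement call the paragraph above describes: a video player with a microphone and an address book is the kind of thing to ask the developer about before installing.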

BLOCK INTERNET ACCESS WITH DROIDWALL [ROOT REQUIRED]

Once an app is on your device, the main channels it has to the outside world are text/picture messages (SMS/MMS) and the Internet. SMS is rarely used to carry stolen data; malicious apps use it to run up premium-number charges. The Internet, however, is the main way apps transmit private data to their servers or to third parties. So logic says one of the most effective ways to protect your privacy is to deny apps Internet access. If an app has no Internet access, then even if it intends to violate your privacy by harvesting your data (e.g. contacts), it has no easy way to send that data anywhere. One caveat: Android lets apps hand work to each other, so a blocked app could still ask the browser to open a URL with data tucked into it. A firewall is a strong mitigation, not an airtight seal.

How do you deny apps access to the Internet? With a firewall app (root is required). My favorite firewall app on Android is, without a doubt, DroidWall. Under the hood DroidWall programs the Linux kernel’s iptables firewall; since Android runs every app under its own Linux user ID, iptables can tell which app a packet belongs to and allow or block it per app. That is also why DroidWall needs root, and why it does not work on phones whose kernel was built without netfilter/iptables support. DroidWall is easy to use and lets you deny apps Internet access either with a blacklist, in which you pick the apps to block, or a whitelist, in which every app is blocked except the ones you explicitly allow (the safer choice if you can live with it). If you don’t like DroidWall there are other firewalls you can use, such as the one avast! Mobile Security comes with, but DroidWall is definitely the best in this category. Just take note that DroidWall only displays apps that hold the Internet permission. An app without the Internet permission cannot open network connections of its own, so there is nothing to block and DroidWall won’t list it.

Of course some apps require Internet access to function, such as social networking apps, so a firewall won’t solve privacy issues with every app. However, it will curb potential privacy breaches by cutting off Internet access for apps that don’t need it.
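To make the whitelist mode concrete, here is an added example (not DroidWall’s own script, which you would not normally see) of the kind of iptables rule set a per-app Android firewall builds. Android gives each app its own Linux UID, and the kernel’s owner match can attribute locally generated packets to that UID, which is why such rules hook the OUTPUT chain (owner matching is not available for incoming traffic). The chain name `appwall` and the UIDs are hypothetical; on a device the UID of a package appears as `userId=` in `dumpsys package <pkg>`.

```sh
#!/bin/sh
# Added example, not DroidWall's own script: an iptables whitelist in the
# style a per-app Android firewall uses. Android runs each app under its own
# Linux UID, so the kernel's owner match can attribute outbound packets to the
# app that sent them. The chain name and the UIDs are hypothetical.

# UIDs of the apps allowed online (hypothetical values). On a device, the real
# UID of a package is shown as userId= in the output of `dumpsys package <pkg>`.
ALLOWED_UIDS="10042 10057"

# Print the commands rather than running them, so the rule set can be reviewed
# first. $1 is a space-separated list of UIDs. Fails on anything non-numeric.
whitelist_rules() {
    uids="$1"
    for uid in $uids; do
        case "$uid" in
            ''|*[!0-9]*) echo "whitelist_rules: bad uid '$uid'" >&2; return 1 ;;
        esac
    done
    echo 'iptables -N appwall 2>/dev/null'           # own chain; may already exist on re-run
    echo 'iptables -F appwall'                       # start from an empty chain
    echo 'iptables -D OUTPUT -j appwall 2>/dev/null' # avoid a duplicate jump on re-run
    echo 'iptables -I OUTPUT -j appwall'             # every outbound packet is checked
    echo 'iptables -A appwall -o lo -j RETURN'       # loopback stays open for local IPC
    echo 'iptables -A appwall -m owner --uid-owner 0 -j RETURN'   # root daemons (dhcp etc.)
    for uid in $uids; do
        echo "iptables -A appwall -m owner --uid-owner $uid -j RETURN"
    done
    # Everything else is rejected. Use DROP if the kernel lacks the REJECT target.
    echo 'iptables -A appwall -j REJECT'
}

# Demo: print the rules. To apply them on a rooted device, run the output as
# root, then check with `iptables -L appwall -v -n` that the per-UID counters move.
whitelist_rules "$ALLOWED_UIDS"
```

Two things to notice. The jump to the custom chain is deleted and re-inserted on every run so that re-applying the rules never stacks duplicate jumps, and the rule set ends with a REJECT rather than a DROP so that a blocked app gets an immediate connection error instead of hanging on a timeout; swap in DROP if your kernel lacks the REJECT target. The error message in the comments thread below about a missing “filter” table is this mechanism failing at the kernel level, and no user-space firewall can work around it.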

DENY APP PERMISSIONS WITH PERMISSIONS DENIED [ROOT REQUIRED]

While Android forces apps to explicitly ask for permissions prior to install, it does not let you deny an app specific permissions: you either accept all the permissions an app asks for and install the app, or reject them and don’t install it. Permissions Denied is an app that aims to put that control back in your hands. (Permissions Denied has free and paid versions.)

With Permissions Denied, users can deny apps specific access permissions. For example, let’s say I want Application Protection but I don’t want it to have the ability to read sensitive log data (the READ_LOGS permission, which the Market lists as “read sensitive log data”). What Permissions Denied lets me do is install Application Protection like normal from Android Market, then jump into Permissions Denied and deny Application Protection that access. Pretty nifty for reining in overzealous developers who make great apps but ask for way too many permissions.

Before you grab Permissions Denied, take note that, firstly, you need a rooted device. Secondly, Permissions Denied works around basic Android functionality rather than with it: apps are written on the assumption that every permission they declared was granted, so when a call suddenly fails (on Android it surfaces as a SecurityException the app never expected), the app may become unstable or unusable. In extreme cases you may even cause your device to crash. So while Permissions Denied is very useful, it isn’t a magic wand for fixing system access woes.

BLOCK ADVERTISEMENTS [ROOT REQUIRED]

Anyone not living under a rock has used the Internet, and anyone who has used the Internet is aware that advertisers like to gather demographics and usage habits to serve better-targeted ads. It is no different on Android. Ads on Android, whether in apps or on websites, are run by the same advertisers that show ads on traditional computers; the same advertisers that like to collect data on you. The best way to stop advertisers from collecting potentially private data (I say “potentially private” because the debate still rages on whether the data advertisers collect is private or not) is to block ads.

Blocking ads in and of itself is controversial. Just as ads support websites (dotTech is ad-supported), ads support many apps, too. Indeed Android Market has about a 60/40 split of free to paid apps primarily because developers can support their free apps with ad revenue. By blocking ads you are denying developers potential revenue. However, my point of view has always been that it is your device: you paid for it (or someone bought it for you), so you are welcome to block ads on it if you so desire. If you feel your privacy is being violated by advertisers, by all means block ads.

How to block ads, you ask? It actually is very easy. Make sure your device is rooted and download AdAway or AdFree Android. Both are free apps that block ads, in apps and on websites, by editing your device’s HOSTS file (/system/etc/hosts, which is why root is needed): each known ad or tracking host name is mapped to 127.0.0.1, so the request never leaves the phone. Both apps are extremely easy to use and highly effective. Two limits to keep in mind: a HOSTS file only blocks by name, so ads fetched from a bare IP address or from the same host name as the content you want are not stopped, and an app that insists on loading its ads may refuse to work when it can’t.
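What those apps do to the HOSTS file is simple enough to show. The script below is an added example, not AdAway’s or AdFree’s code: it cleans up a blocklist (comments, mixed case, duplicates, entries in both “0.0.0.0 host” and bare-name form, and junk that is not a host name), drops anything without a dot so that localhost can never end up blocked, and rebuilds a hosts file with the blocked section below a marker comment so that re-running it replaces the old section instead of appending to it. The marker text and the sample blocklist are constructed for this example.

```sh
#!/bin/sh
# Added example, not AdAway's or AdFree's code: rebuild a HOSTS file from a
# blocklist the way HOSTS-based ad blockers do. Every listed name resolves to
# 127.0.0.1, so the ad or tracker request fails before it ever leaves the phone.
# The marker comment and the sample blocklist are constructed for this example.

MARKER='# --- blocked hosts (generated) ---'

# Constructed blocklist: comments, a blank line, "0.0.0.0 host" and bare-name
# styles, mixed case, a duplicate, junk, and localhost (which must not be blocked).
SAMPLE_BLOCKLIST="# sample list
0.0.0.0 ads.example.net
127.0.0.1 Tracker.example.org

ads.example.net
localhost
not a hostname!
analytics.example.com   # inline comment"

# stdin: blocklist. stdout: one valid, lower-case host name per line, deduplicated.
# The pattern requires at least one dot, which also keeps localhost out of the list.
normalize_blocklist() {
    sed 's/#.*//' \
      | awk 'NF == 1 { print $1 } NF >= 2 { print $2 }' \
      | tr 'A-Z' 'a-z' \
      | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
      | sort -u
}

# $1: the current hosts file. stdin: blocklist. stdout: the new hosts file.
# Entries above the marker (localhost and friends) are kept; a previously
# generated section below the marker is replaced, so re-runs do not pile up.
build_hosts() {
    awk -v m="$MARKER" '$0 == m { exit } { print }' "$1"
    echo "$MARKER"
    normalize_blocklist | sed 's/^/127.0.0.1 /'
}

# Demo on the constructed list. On a rooted device of this era the flow is:
#   printf '%s\n' "$BLOCKLIST" | build_hosts /system/etc/hosts > /sdcard/hosts.new
#   mount -o remount,rw /system
#   cp /sdcard/hosts.new /system/etc/hosts
#   mount -o remount,ro /system
printf '%s\n' "$SAMPLE_BLOCKLIST" | normalize_blocklist
```

Run on the sample list this yields three entries (ads.example.net, analytics.example.com, tracker.example.org); the duplicate, the junk line and localhost are gone. The remount dance in the comments is what the ad-blocking apps do for you on a rooted device: /system is normally mounted read-only, and exactly how it is remounted varies a little by phone.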

CONCLUSION

As mentioned in the beginning of this article, the best way to ensure protection of your privacy is stop using a smartphone. Since not using a smartphone isn’t very practical (for those people who need smartphones), the second best way to protect your privacy on Android is following the seven tips I have laid out above. While the tips aren’t a guarantee in regards to protecting your privacy, they are good practices to follow and will help mitigate privacy violations.

Feel free to share thoughts on this topic in the comments below.

9 comments

  1. Ely

    @Carol:
    If you want an Android firewall application without root, you can use Mobiwol.
    Mobiwol is a no-root Android firewall application that uses the VPN interface for firewalling (without actually connecting you to any VPN server).
    On their website and Google Play they did not say much about how it works,
    but I tried it and it actually works fine, and without root required.
    If you want, the Google Play link:
    https://play.google.com/store/apps/details?id=com.netspark.firewall

  2. Swan

    Hello Ashraf! Long time no see! Not sure if you remember, but we used to offer reviews (along with others) on a giveaway website. ;) Anyway, I LOVE your website and will become an avid reader from now on.

    You’ve given fantastic advice for Androids and I will be sure to pass this URL on to (my engineer) husband, David. On with reading your other articles! ;)

  3. Ashraf
    Author/Mr. Boss

    @Marc: Yeah, that is true. On some phones DroidWall won’t work. As far as I know, there is no firewall alternative — if DroidWall doesn’t work I believe others won’t work either. You can try it, though — avast! Mobile Security comes with a firewall.

  4. Marc

    Nice suggestions but there is a Catch-22 for those of us running older Android OS. I have a Motorola Devour, and want to use Droidwall but receive the following message:

    “can’t initialize iptables table ‘filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded”

    According to the developer, the only solution is to flash a customized ROM with full netfilter support.

    For Droidwall or any firewall to work, I need directions how to do this. Maybe you can provide a link.

    Consequently, I am unable to use any firewall for now.

    You need to consider the operating system of people using older Android OS because this problem makes the firewall suggestion moot.

    What is our firewall alternative?

  5. Ashraf
    Author/Mr. Boss

    @Carol: Excellent advice about rooted apps. Rooting is a double-edged sword, too. If malicious apps are given root access, you are in a world of hurt. So be frugal about what apps you grant root access.

    Thank you for pointing out PDroid. Never heard of it before but admittedly I haven’t been to XDA in a while.

  6. Carol

    Nice article and good advice about taking care where you download your apps from.

    I use DroidWall in whitelist mode (where you have to explicitly *allow* internet access for an app rather than explicitly deny it) and find it superb.

    As an alternative to Permissions Denied I would like to suggest PDroid – see http://forum.xda-developers.com/showthread.php?t=1357056. It’s a little more geeky to setup as it is implemented by patching the ROM but works extremely well in giving you control over app permissions. Other advantages are that you can substitute dummy data if an app objects to being denied access, don’t need to reboot and it’s open source. There’s also an option for realtime popups to show you whenever an app uses a permission – something that is both fascinating and scary to see.

    Regarding rooting something to bear in mind is be *very* circumspect over which apps you grant root access to. Root permissions allow an app to do anything it wants with your phone (not just what it says it will do) including undermining every single security app you have installed. As an example, DroidWall is a great firewall but it can’t stop a rooted app from modifying its configuration or even deleting it. Be sure you trust any rooted apps!

    The whole privacy thing with the internet is pretty scandalous in my opinion. Not so much that it goes on but that it is largely hidden and you cannot easily take control. I look forward to someone like Google getting their knuckles seriously rapped over this some day and having to compensate us for harvesting personal data. Rant over.