How to FBI-proof your Android
The FBI is having an awfully hard time breaking into an iPhone whose security settings have been turned up high. Could it just as easily have been an Android? Not quite as easily, but it is certainly within the realm of possibility.
Because Google’s Android is a more open mobile operating system than Apple’s iOS, Android devices are harder to secure than iPhones.
“Android is not designed to be completely locked down,” says Collin Mulliner, mobile-phone security researcher and a co-author of the Android Hacker’s Handbook. “People might argue that Android isn’t as open as it used to be, but it’s much, much more open than iPhone.”
Android’s openness has helped it become the most popular mobile operating system in the world, with more than 1.4 billion devices running it as of September 2015. But popularity has consequences, and one big knock against Android is that it is less secure than Apple’s iPhone. Another is that the newest and most secure version of Android, 6.0 Marshmallow, runs on only 2.3 percent of Android devices, so most Android owners don’t yet have its latest security features.
You don’t have to install a security-enhanced third-party Android operating system like CyanogenMod, or buy a security-focused Android phone like the Blackphone, to tighten security on your Android until it’s about as well protected as a locked-down iPhone. The goal isn’t to keep law enforcement specifically out of your device, but to keep anybody from getting in without your permission. Just as with The Parallax guide to locking down your iPhone, some of the changes recommended below cost you some of Android’s conveniences.
Step 1: Encrypt your phone
Although Android has long been able to encrypt the data stored on the phone, Marshmallow is the first version to turn encryption on by default, and it does so only on phones that ship with it. If you updated an older phone to Marshmallow, you’ll have to enable encryption manually. Set a PIN or password screen lock first (see Step 2): the encryption key is protected by your lock-screen credential, and a phone encrypted without one falls back to a built-in default password that offers no real protection.
To encrypt your Android, plug it in, and make sure that the battery is fully charged. Leave it plugged in, and go to Settings, then Security. Select “Encrypt Phone,” then tap the Encrypt Phone button at the bottom of the screen. Depending on how much data is on your phone, this can take up to an hour.
You can also encrypt your SD card, though doing so will prevent you from using the card in another device. To encrypt the SD card, go to the Security menu, as above, and choose Encrypt SD card storage.
Step 2: Switch to a complex alphanumeric passcode.
The latest iPhones have a built-in option to switch from a simple to a complex passcode. Apple estimates (PDF) that it would take more than five years to try every possible six-character passcode made of lowercase letters and numbers.
You can do the same on Android by choosing a password, rather than a PIN or pattern, as your screen lock. Go to Settings, Security, then Screen lock, and select Password. Android accepts as few as four characters, but use at least six, and preferably more, mixing letters and numbers, if you want it to resist cracking.
And don’t build it from digits or letters taken from your address or phone number.
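To see where Apple’s five-year figure comes from, and how far a four- or six-digit PIN falls short of it, here is an added example that is not part of the article or of Apple’s guide. It multiplies the size of each passcode space by a fixed cost per guess; the 80 milliseconds per guess is the figure Apple publishes for iOS key derivation, and it is used here as an assumption for comparison only. The per-guess cost on Android differs from device to device, so treat the results as relative rather than exact.

```java
// PasscodeSearchSpace.java: added example, not code from the article or from Apple.
// Worst-case time to try every passcode under several policies at a fixed per-guess cost.
import java.util.Locale;

public final class PasscodeSearchSpace {
    // Assumption: Apple's published figure of roughly 80 ms per guess on iOS.
    static final double SECONDS_PER_GUESS = 0.080;
    static final double SECONDS_PER_YEAR = 365.25 * 24 * 3600;

    /** Number of candidate passcodes: alphabet size raised to the passcode length. */
    static double combinations(int alphabetSize, int length) {
        return Math.pow(alphabetSize, length);
    }

    /** Seconds needed to try every candidate one after another. */
    static double exhaustiveSeconds(int alphabetSize, int length) {
        return combinations(alphabetSize, length) * SECONDS_PER_GUESS;
    }

    /** Human-readable duration, picking the largest unit that fits. */
    static String human(double seconds) {
        if (seconds < 3600) return String.format(Locale.ROOT, "%.1f minutes", seconds / 60);
        if (seconds < 2 * 86400) return String.format(Locale.ROOT, "%.1f hours", seconds / 3600);
        if (seconds < SECONDS_PER_YEAR) return String.format(Locale.ROOT, "%.1f days", seconds / 86400);
        return String.format(Locale.ROOT, "%.1f years", seconds / SECONDS_PER_YEAR);
    }

    public static void main(String[] args) {
        // Policy name, alphabet size, length. 36 = lowercase letters plus digits,
        // 62 = mixed-case letters plus digits.
        Object[][] policies = {
            { "4-digit PIN",                    10, 4 },
            { "6-digit PIN",                    10, 6 },
            { "6 chars, lowercase + digits",    36, 6 },
            { "8 chars, mixed case + digits",   62, 8 },
        };
        for (Object[] p : policies) {
            int alphabet = (Integer) p[1];
            int length = (Integer) p[2];
            System.out.printf(Locale.ROOT, "%-30s %18.0f guesses  %s%n",
                    p[0], combinations(alphabet, length),
                    human(exhaustiveSeconds(alphabet, length)));
        }
    }
}
```

At 80 ms per guess, a four-digit PIN falls in about 13 minutes and a six-digit PIN in under a day, while the six-character alphanumeric passcode comes out at about 5.5 years, matching Apple’s estimate. The point of a complex passcode is that the search space grows exponentially with length and alphabet, so each extra character buys far more than the previous one.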
Step 3: Disable the fingerprint reader and newer ways to log in.
The latest Androids have a plethora of log-in options that need to be shut down to ensure better security.
Fingerprint readers are one. U.S. courts have so far treated a fingerprint like a physical key, something law enforcement can compel you to apply to your phone, whereas a passcode is knowledge in your head, which the protection against self-incrimination generally shields you from having to reveal.
Newer Androids also offer Smart Lock options that keep the phone unlocked while it senses you are carrying it (on-body detection), while it is paired with a specific device over Bluetooth, or while it is at a trusted place. You can even unlock it with your face.
Zach Lanier, a director of research at computer security company Cylance and co-author with Mulliner of the Android Hacker’s Handbook, recommends disabling all those newfangled log-in options.
“They’re super-convenient, but they’re super-convenient for law enforcement too,” he says. “Imagine pairing your phone to your car stereo [so it’s always unlocked in your car], and you get pulled over by the police.”
To check whether these features are enabled, go to the Screen lock menu as in Step 2, remove any enrolled fingerprints from the fingerprint menu under Settings, Security, and review Settings, Security, then Smart Lock.
Although Smart Lock on Marshmallow gives up and demands a manual unlock after four hours without one, disabling these features ensures that they can’t be used against you in the meantime.
Step 4: Take control of your data (when you lose control of your phone).
iPhones can be set to erase all your data after 10 failed passcode attempts. Android doesn’t expose that setting in its menus; the platform offers it only to apps you grant device-administrator rights, so you have to install one. Syed Rizwan Farook, one of the shooters in the December attack in San Bernardino, Calif., appears to have activated this feature on his iPhone 5C, leading the FBI to demand that Apple build a special version of iOS to get around it.
Locker is an app that gives Androids this same feature. Unlike the iPhone, which is fixed at 10 failed logins before wiping, Locker lets you choose anywhere from one to 20 failed attempts before it wipes your data. Set the threshold with care: at one, a single typo at the lock screen erases the phone.
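What an app like Locker does under the hood is register as an Android device administrator and set the platform’s own wipe threshold. The following is an added example, not code from the article, from Locker or from Google: a minimal device-admin component that uses the public DevicePolicyManager API to enforce Step 2 (an alphanumeric password of a minimum length), Step 4 (wipe after a fixed number of failed unlocks) and to report the Step 1 encryption state. The package name, class name, threshold and minimum length are assumptions chosen for illustration.

```java
// LockdownAdminReceiver.java: added example, not from the article, Locker or Google.
// Package, class name and the two numeric limits below are assumptions.
package com.example.lockdown;

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class LockdownAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "LockdownAdmin";
    // Assumption: wipe after 10 failures, the same threshold the article cites for iPhone.
    private static final int MAX_FAILED_ATTEMPTS = 10;
    // Assumption: require at least 8 characters rather than Android's 4-character minimum.
    private static final int MIN_PASSWORD_LENGTH = 8;

    private static DevicePolicyManager dpm(Context context) {
        return (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Runs once the user activates this app under Settings > Security > Device administrators. */
    @Override
    public void onEnabled(Context context, Intent intent) {
        DevicePolicyManager dpm = dpm(context);
        ComponentName admin = new ComponentName(context, LockdownAdminReceiver.class);

        // Step 2: demand an alphanumeric screen-lock password of MIN_PASSWORD_LENGTH or more.
        // If the current credential is weaker, send the user to the change-password screen.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, MIN_PASSWORD_LENGTH);
        if (!dpm.isActivePasswordSufficient()) {
            Intent change = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            change.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(change);
        }

        // Step 4: the system itself wipes the device once this many consecutive unlock
        // attempts fail; no app code has to be running at that moment.
        dpm.setMaximumFailedPasswordsForWipe(admin, MAX_FAILED_ATTEMPTS);

        // Step 1: report whether storage encryption is actually protecting the data.
        Log.i(TAG, "storage encryption: " + describeEncryption(dpm.getStorageEncryptionStatus()));
    }

    /** Logs each failed unlock; the wipe is enforced by the platform, not here. */
    @Override
    public void onPasswordFailed(Context context, Intent intent) {
        int failed = dpm(context).getCurrentFailedPasswordAttempts();
        Log.w(TAG, "failed unlock attempt " + failed + " of " + MAX_FAILED_ATTEMPTS);
    }

    /** Maps getStorageEncryptionStatus() codes to the state the user cares about. */
    static String describeEncryption(int status) {
        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                return "active, key protected by the lock-screen credential";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY:   // API 23 (Marshmallow)
                return "active but using the default key: set a PIN or password";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
                return "encryption in progress";
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
                return "supported but not enabled";
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
                return "not supported on this device";
            default:
                return "unknown status " + status;
        }
    }
}
```

For the receiver to work it must be declared in the manifest with the android.permission.BIND_DEVICE_ADMIN permission, an intent filter for android.app.action.DEVICE_ADMIN_ENABLED, and an android.app.device_admin meta-data entry pointing at a res/xml/device_admin.xml that lists the limit-password, watch-login and wipe-data policies; the app then asks the user to activate it with an ACTION_ADD_DEVICE_ADMIN intent. Two caveats a practitioner should keep in mind: the ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY branch is exactly the weakly encrypted state described in Step 1, and anyone holding the phone unlocked can deactivate a device administrator from the Security settings, so this protects a locked phone, not an unlocked one.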
Step 5: Say goodbye to Ok Google (for now).
Apple’s Siri voice-activated personal assistant is, by default, available from the lock screen. Ok Google is too, at least on some devices. You can train Ok Google to respond only to your voice, but voice matching is a convenience rather than real authentication: Google itself warns that “Trusted voice” is less secure than a PIN or password, and that someone with a similar voice or a recording of yours could unlock the phone. It’s safer to disable it entirely while the phone is locked, so that nobody can unlock your phone without your say-so.
The easiest way to do this is to open the Google app, go to Settings, Voice, then “Ok Google” detection, and make sure that “Trusted voice” is unchecked, so that a voice match can no longer unlock the phone from the lock screen.
Step 6: Disable Google Backups.
Automatic phone backups mean you no longer have to reinstall and reconfigure everything when you upgrade your phone, and they let you recover your data when the phone itself is lost.
But a remote server holding all your data makes it accessible to other people, by legal means and otherwise: government agencies can demand it with a subpoena or warrant, and remote servers are hardly impervious to hackers.
To disable Google’s automatic backups, go to Settings, then Backup and Reset, and disable “Back up my data” and “Automatic restore.”
You can always choose a third-party backup service instead, though it faces the same legal demands and attacks, and somebody who can see your list of installed apps may be able to figure out which one you’re using.
Step 7: Consider disabling automatic app updates, too.
One of the best modern Android features is that apps update automatically through the Google Play Store. Unfortunately, it may also be one of the best modern ways for a clever attacker to reach your phone.
Whether the developer intends it or not, any update that clears Google’s review installs on your phone without you ever looking at it. A malicious update, or an honest one that introduces a new vulnerability, therefore reaches every phone set to auto-update, and an attacker who finds the flaw can use it to get at the data on the phone.
To disable auto-updates for apps, open the Google Play Store app, go to Settings, tap “Auto-update apps,” and choose “Do not auto-update apps.” Be warned: you will then have to update apps manually, which at the very least means checking each update’s release notes before installing it, and every day you put that off also delays the security fixes those updates carry. That’s time-consuming, but potentially worthwhile if you’re extremely worried about auto-update attacks.
Advanced tips for the paranoid Android user
With Android’s extra options come more security choices. Make sure that “Unknown sources” is turned off under Settings, Security, so the phone refuses apps from outside the Play Store, and add two-factor authentication to your Google account to make it harder to jump from hacking your Android to cracking open your Gmail. Also avoid rooting your phone, unless you know how to secure it afterward.
Despite their mutual interest in hacking Androids and making them more secure, Lanier and Mulliner recently switched to iPhones for their personal use.
“I want to see how the other side lives,” Lanier says.