10 Steps to Secure and Mitigate Risk on Android (and more!)

Surrounded by IT hobbyists, technologists, professionals, and others, I’ve come to realize we don’t treat our phones as computers that store and access data. Many do not take the necessary steps to secure mobile devices. Many access their work and personal emails on these devices yet have not taken any steps to secure their devices and mitigate risks. Multi-layered security is the best approach to securing mobile devices. With the ever-growing popularity of Android phones, what can we do to better protect ourselves from the dangers online?

While many of these steps seem commonplace for IT or security professionals, yet many of us still succumb to not securing our mobile devices.

Due to the fragmentation of Android, and a multitude of manufacturers, it’s difficult to summarize every possible option of securing an Android device. However, with BYOD on the rise, and the amount of work that's done via mobile devices always increasing, it's important that everyone takes steps to secure their mobile devices.

1. Before even purchasing an Android device, consider the manufacturer you are purchasing from. Do they provide regular security and/or OS updates? Are they well known for fixing bugs? The decision to choose a certain manufacturer is one of the most important factors to consider when looking at security.
2. Set up a passcode (password). This is the first step any person can take to protect their devices yet is often skipped. While a 4-digit PIN is better than nothing, I encourage using a password with a combination of different characters. Using numbers only is more easily brute forced.
3. Enable Encryption if possible for data at rest. This setting is often found in Settings > Security but could be found elsewhere depending on the version of Android and device. Many newer Android devices come encrypted by default. If using an SD card, encrypt that as well.
4. Keep your device up to date with Security patches and OS updates. Companies like Google will release Security updates every month.
5. Install an Anti-Malware/Anti-virus solution. Malware often targets Android devices.
6. Install and use a trusted VPN (especially on Public wi-fi). This will encrypt data in transit.
7. Avoid Public wi-fi where possible.
8. Only install applications from trusted sources; uninstall/remove bloatware/unnecessary applications where possible.
9. Limit the data you store locally on your device. Don’t store your sensitive information like passwords or credit card information. Use a password-manager (there are a ton of free/paid options) to store that type of data. The less data you store on your device and in the apps your accessing, the smaller the vector, and lower the risk.
10. Don’t root your phone. While some users can benefit and improve upon the security of their mobile devices, it’s generally considered best practice to not root your devices.

Bonus:

1. Use a private DNS provider, if possible, such as Cloudflare.
2. Install a mobile intrusion detection system.
3. Understand Find my Device / prepare to use it if your device is stolen.