Saturday, April 21, 2018

Android OS/Phone Security Hardening Guide

In this article, I list the security features that can be hardened on any Android phone's operating system to improve the security of the user's phone. There are plenty of articles available online on the same topic; however, each of them misses one thing or another. My aim here is to list every feature we can use to improve Android phone security.

Up-to-date Firmware/Operating System
Make sure the phone's software is up to date with the latest available operating system release.
Settings > About phone > System updates > Check for Update

Enable 'Screen Lock' feature
Ensure that the screen lock is enabled and protected with a complex PIN, password or pattern.
Settings > Security > Screen Lock > Pin/Pattern/Password

Disable 'Make pattern visible' if a pattern is used
Disable pattern visibility to reduce the risk of shoulder-surfing attacks.
Settings > Security > Screen Lock > Pattern

Set automatic lock to the 'Immediately' option
The phone must lock as soon as the device goes to sleep.
Settings > Search Feature > "Automatically Lock"

Enable 'Power button instantly locks'
Make sure the power button locks the phone instantly. By default, this setting is enabled.
Settings > Search Feature > "Power Button"

Enable 'Lock screen message' with a custom message
Set a custom lock screen message so that it can be used in case of emergency.
Settings > Search Feature > "Lock Screen"

Disable 'Make Passwords Visible'
Make sure passwords are not shown on screen while the user types them.
Settings > 'Search Feature' > 'Make Pass'

Encrypt phone
Make sure your phone is encrypted. If the device is stolen or lost, encryption provides a great deal of protection to the user: because encryption is in place, an attacker cannot retrieve the user's data from the device.
Settings > Security > Encrypt Phone

Disable 'Developer Options'
Make sure Developer options are disabled.
Settings > Developer Options

Disable 'Unknown Sources'
Make sure the 'Unknown Sources' option is disabled so that applications cannot be installed from outside the Google Play Store.
Settings > 'Search Feature' > 'Unknown Sources'

Make sure the device is not rooted
Visit the Play Store and install a 'Root Checker' application. Check the result in the application to see whether the device has root access or not. In my case, I am using an emulator, hence it will show as rooted. That should not be the ideal scenario in your case.

Enable 'SIM Card Lock'
It is always a good idea to lock your SIM card, especially when you store your contacts on it. Enabling this feature prevents an attacker from using your SIM card in another device after removing it from yours.
Settings > Security > 'Set up SIM card lock'

Enable Android device administrator feature
Android Device Manager is another useful feature of the Android OS. If the phone is stolen or lost, you can ring, lock or erase it remotely using this feature.
Settings > Security > Device administrators

Disable 'Speak Passwords'
'Speak passwords' is an accessibility feature. When it is enabled, the device reads passwords out loud and clear, which is a privacy issue for many users. Make sure this feature is turned off.
Settings > Accessibility > Speak Passwords

Ensure 'Automatic date & time' and 'Automatic time zone' are enabled
When these are enabled, the device fetches the time and date from the cellular provider, which is more accurate. Accurate timestamps also help forensic investigators collect reliable evidence.
Settings > Date & Time > Automatic date & time
Settings > Date & Time > Automatic time zone

Ensure that 'Remotely locate this device' and 'Remote lock and erase' are enabled
As the names suggest, these features help you find your stolen or lost device.
- From the Home screen, navigate: Apps > Settings > Google (Google services).
- To allow the device to be remotely located, tap Location and ensure the Location switch (in the upper right) is set to ON.
- Tap Security.
- Turn on the following switches:
  Remotely locate this device
  Allow remote lock and erase

Make sure 'Scan device for security threats' and 'Improve harmful app detection' are enabled
When these settings are enabled, Google regularly scans your device and warns you about potentially harmful apps.
Settings > Google > Security > Google Play Protect

Ensure 'Screen pinning' option is enabled
If you want your child or a friend to use only one application at a time, screen pinning is really useful. Once a screen is pinned, the person cannot use any of the phone's functionality outside the pinned app; he or she can only work within that single screen.
Settings > Security > Screen pinning

Ensure sleep is set to 1 minute or less
It is always good practice to set an inactivity timeout so that the device locks itself if it is left unattended for a longer period of time.
Settings > Display > Sleep

Keep installed apps up-to-date
App vendors regularly push important security patches. It is highly recommended to keep your apps up to date through the Play Store.
Play Store app > My apps and games > Update All

Ensure that 'Add users when the device is locked' is disabled
Adding guests and other users while the device is locked is dangerous because guests and other users can do almost everything a device owner can do. Wi-Fi and Bluetooth connections are also shared among them. Hence, it is recommended to disable this feature.
Settings > Users > Add users when device is locked

Ensure that guest profiles are disabled
Make sure that guest profiles are disabled, i.e. the guest profile icon is grayed out as shown in the screenshot.
Settings > Users > Guest profile icon is grayed out

Check app permissions periodically
Review the permissions of the apps on your device periodically. Make sure no application asks for more permissions than it needs.
Settings > Apps > 'Setting icon on the top' > App permissions > Select App

Ensure your Wi-Fi hotspot security is set to WPA2-PSK
Secure your Wi-Fi hotspot by using the strongest available encryption, WPA2-PSK.
Open Hotspot configuration > Password Security > WPA2-PSK

Ensure notifications on the lock screen are disabled
This is a privacy setting for when you do not want someone to read who sent you a message or who liked your picture while the phone is locked, lost or stolen.
Settings > Notifications > 'Setting icon on the top' > Configure notifications > Don't show notifications at all

Disable location setting
Turn off location when it is not needed.
Settings > Location > Off

Ensure Google Drive backup is disabled
Due to privacy concerns, it is not recommended to back up data such as photos, texts, emails and contacts to a third party (Google). Hence, it is recommended to turn this off.
Settings > Backup & reset > Back up my data > off
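Most of the items in this checklist end up as key/value pairs in Android's settings provider, so they can be verified in one go instead of tapping through every screen. The script below is an example added here; it is not code from the original post. It parses the output of `adb shell settings list global`, `settings list secure` and `settings list system` and compares each value with the recommended one. The key names are those documented in android.provider.Settings, and the encoding of timeouts as milliseconds with 'Immediately' stored as 0 is an assumption to confirm on your own device; keys such as install_non_market_apps and speak_password are deprecated on newer Android versions and then report as unknown. Items stored elsewhere (power-button lock, SIM lock, encryption, root status, hotspot security) are not covered.

```python
"""Audit Android hardening settings from `adb shell settings list` output.
Added example, not code from the original post; it assumes the settings
provider keys named in RULES (see android.provider.Settings). Deprecated keys
such as install_non_market_apps simply report as "unknown" on newer builds."""
import subprocess

# Constructed sample dumps standing in for real device output; values were
# chosen so that both passing and failing items appear.
SAMPLE_GLOBAL = """\
adb_enabled=1
development_settings_enabled=1
auto_time=1
auto_time_zone=0
add_users_when_locked=0
package_verifier_enable=1
"""
SAMPLE_SECURE = """\
install_non_market_apps=0
lock_screen_show_notifications=1
lock_pattern_visible_pattern=1
lock_screen_lock_after_timeout=5000
lock_to_app_enabled=0
location_mode=3
speak_password=0
"""
SAMPLE_SYSTEM = """\
screen_off_timeout=600000
show_password=1
"""

def parse_settings(dump):
    """Turn `key=value` lines into a dict, skipping blank or malformed lines."""
    parsed = {}
    for line in dump.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            parsed[key] = value
    return parsed

def _is(expected):
    return lambda v: v == expected

# (namespace, key, description, predicate on the raw string value).
# Timeouts are stored in milliseconds; "Immediately" is stored as 0 (assumed).
RULES = [
    ("global", "adb_enabled", "USB debugging disabled", _is("0")),
    ("global", "development_settings_enabled", "Developer options disabled", _is("0")),
    ("global", "auto_time", "Automatic date & time enabled", _is("1")),
    ("global", "auto_time_zone", "Automatic time zone enabled", _is("1")),
    ("global", "add_users_when_locked", "Add users when locked disabled", _is("0")),
    ("global", "package_verifier_enable", "App verification (Play Protect) on", _is("1")),
    ("secure", "install_non_market_apps", "Unknown sources disabled", _is("0")),
    ("secure", "lock_screen_show_notifications", "Lock screen notifications off", _is("0")),
    ("secure", "lock_pattern_visible_pattern", "Make pattern visible disabled", _is("0")),
    ("secure", "lock_screen_lock_after_timeout", "Auto-lock set to Immediately", lambda v: int(v) == 0),
    ("secure", "lock_to_app_enabled", "Screen pinning enabled", _is("1")),
    ("secure", "location_mode", "Location off", _is("0")),
    ("secure", "speak_password", "Speak passwords disabled", _is("0")),
    ("system", "screen_off_timeout", "Sleep set to 1 minute or less", lambda v: int(v) <= 60000),
    ("system", "show_password", "Make passwords visible disabled", _is("0")),
]

def audit(dumps):
    """Return (status, 'namespace/key', description) per rule. Status is 'pass',
    'fail' or 'unknown' (key absent on this build or never set, or unparsable)."""
    results = []
    for namespace, key, description, ok in RULES:
        value = dumps.get(namespace, {}).get(key)
        try:
            status = "unknown" if value is None else ("pass" if ok(value) else "fail")
        except ValueError:  # e.g. a non-numeric timeout value
            status = "unknown"
        results.append((status, f"{namespace}/{key}", description))
    return results

def load_samples():
    """Parse the constructed sample dumps above."""
    return {ns: parse_settings(d) for ns, d in
            (("global", SAMPLE_GLOBAL), ("secure", SAMPLE_SECURE), ("system", SAMPLE_SYSTEM))}

def load_from_device():
    """Collect the three namespaces from an attached device via adb."""
    return {ns: parse_settings(subprocess.run(["adb", "shell", "settings", "list", ns],
                                              capture_output=True, text=True, check=True).stdout)
            for ns in ("global", "secure", "system")}

if __name__ == "__main__":
    import sys
    for status, key, description in audit(load_from_device() if "--device" in sys.argv else load_samples()):
        print(f"[{status.upper():7}] {description} ({key})")
```

Run it without arguments to see the constructed sample evaluated (ten failing items, five passing); run it with `--device` while USB debugging is temporarily enabled to audit an attached phone, and turn USB debugging off again afterwards, since the checklist itself recommends that. An "unknown" result means the key is absent or unparsable and the item has to be checked through the Settings UI.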




1 comment:

Unknown said...

Thanks Chintan for the valuable post, it's really helpful.

Request: can you add a post regarding iOS app security testing, or mobile app testing in general?

Currently I am following the OWASP Mobile Top 10. If you share a post regarding iOS and Android app security, that will be really appreciated.

Thanks.