Android Security & Privacy Guidance
- Update firmware to the latest version that is available for your device.
- Require a passcode. Don't use a simple passcode.
- Set an auto-lock timeout to five minutes or less.
- Erase data upon excessive passcode failures.
- Turn off "Ask to join networks."
- If you leave Wi-Fi enabled, forget Wi-Fi networks to avoid automatic rejoin.
- Enable data encryption, if available. (Encryption may be available in Android versions 3.0 and later.) Some apps will allow encryption of some data (e.g., Touchdown for Exchange data).
- Enable remote wipe via your managed environment (Exchange, Google Apps, etc.) or via a third-party application.
- Turn off Latitude service for additional privacy.
Web browser settings:
- Block pop-up windows.
- Disable "Remember form data."
- Turn off "Enable location."
- Turn off "Remember passwords."
- Enable "Show security warnings."
- Turn off "Enable Plugins."
- Turn off Bluetooth, Wi-Fi, GPS if you aren't using them. (Use "Power control" widget and/or "Airplane mode" to simplify this)
- Use cell phone network instead of insecure Wi-Fi.
- Avoid public Wi-Fi hotspots.
- Don't "root" your phone and install third-party firmware.
- Erase all data before return, repair, or recycle. Consider using a third-party app to securely erase data.
- Keep applications updated. Remove applications you no longer use.
- Pay attention to permissions requested by applications. Be suspicious of applications that request permissions that aren't necessary for the core functionality of the application. For example, why would "Angry Birds" need access to one's SMS messages?
- Consider installing Lookout Mobile Security to assist with malware detection and lost device location and/or wiping.
- Consider installing TextSecure to protect sensitive text messages.
- Be skeptical: take a skeptical approach to messages, content and software, especially when they are coming from unknown sources via SMS, Bluetooth, e-mail, or otherwise.
- Check reputation: before installing or using new smartphone apps or services, check their reputation using app-store reputation mechanisms and, if possible, with friends, family or colleagues. It is good practice to install apps only from the Android Market, but if you choose to use other sources of applications, make sure you fully trust the source (e.g., Amazon). Never install any software onto their devices unless you know and trust the source of that software and you were expecting to receive it. This refers to any software or applications that you receive on their devices through any channel, e.g., by download over WAP/web, attached to an SMS, MMS, instant message or email, through Bluetooth, or data connection, via synchronization with a computer or from a memory card or other temporary storage device read by the device. Never ignore or override security prompts displayed by your device unless you are confident that you fully understand the risks associated with these actions.
- Check resource usage and phone bills or prepaid balances. Mobile malware can sometimes be detected by monitoring in this way, especially when premium rate services are being defrauded or abused.
Lost or Stolen
- Remote wipe the device.
- Immediately change all passwords (UMICH password, Google, Facebook, etc.) that had been saved on the device.
- If you used your device to access sensitive U-M information, notify immediately your unit's IT security team.
- Do not store U-M (and personally owned) sensitive information (ePHI, SSNs, credit card numbers, private personal information, etc.) on a mobile device such as an Android phone.
- Only access U-M sensitive information from a non-caching applications or ensure that the browser cache is erased afterwards.