Privacy Guidelines for Android

Android is weak by nature. If you want to keep your Android device secure, there is a lot to consider. Every day, software is designed to be more and more intrusive, and that level of intrusion can expose you to hackers.

The mechanisms that bring you a “better service” are undermining your security and privacy; the cloud is now more like a dense fog.

What are the positive aspects of the cloud?

  • More and better integration between all our devices (synchronization)
  • More and better fault tolerance (if you drop or change your phone, Google will have a backup of your information)
  • Usability improvements
  • Reduced cost (storage, delivery, anti-piracy)

What are the negative aspects?

  • Everything is centralized:
    • If a hacker steals your Google password (for example), he can push malware over the Internet directly to your cell phone without ever having physical access.
    • If someone can physically reach your phone, he will have automatic access to many applications and their authorizations (Twitter, Facebook, Google, Instagram), making them easy to hack.
    • We depend solely on TLS/SSL security, which can be broken with MITM attacks. Certification Authorities have been signing rogue certs, and the whole system is compromised.
    • An attacker could use your resources (phone line, Internet access, credit cards, and more).
  • Our data is extremely valuable.
    • Our data contains phone numbers, emails, and everything about each person we know. A criminal could use that information to run scams, make threats, and anything else (in fact, it is happening right now).
    • We use our mobile devices and tablets with our credit cards, coupons, and bank accounts.
    • Our pictures and memories are also on those devices, even if you have deleted them 🙂
    • Notes and logs of our chats…
    • We also handle information about our work, and that information is extremely valuable.

At the end of the day, the cloud was designed just to cut costs and simplify processes, with no thought given to privacy or security. At a personal level this is extremely bad; at a corporate level it is unacceptable.

What should I take into consideration when I look for privacy/security on my mobile devices?

  1. Avoid the cloud.
    1. Disable synchronization (Google, Facebook, etc.)
    2. Save your contact list locally, never in your Google account
    3. Use a local calendar
    4. Avoid using Google Plus on your phone. Google Plus uploads the pictures you take automatically, without asking for authorization.
    5. Avoid using cloud-based mail (for example Gmail, Yahoo, Hotmail)
    6. Avoid cloud-based translators and spell checkers.
  2. Be minimalist: don’t install applications that you don’t need, and disable everything that comes “from the manufacturer”. Try something clean like CyanogenMod.
  3. Use DroidWall, and configure it so that the Play Store is denied Internet access. When you want to use it (to install something), stop the firewall just for the time required. (** This will also help your battery **)
  4. Be skeptical. Don’t trust anyone.
    1. Don’t assume that some antivirus will protect you
    2. Don’t assume that a certification authority will protect your data. Many have issued a lot of rogue certs, and attacks based on rogue certs are extremely stealthy.
    3. Don’t assume that a cipher is secure forever. History teaches us that everything considered secure today will be broken tomorrow.
    4. Don’t assume that because something or someone says that something is encrypted, it is a fact.
  5. Disable Wi-Fi and Bluetooth when you are not using them.
  6. Encrypt your phone. All your data is on it; a good attacker needs about 2 minutes or less with your phone to steal all your accounts and personal information.
  7. Use strong passwords (uppercase, lowercase, special characters, numbers, more than 12 characters, and not dictionary-based)…
    1. Strong password: 0nd12j.!fiBnf4-
    2. Weak password: myp4ssw0rd32!
    3. Weak password: 123456
  8. Disable conversation logs. If your phone is hacked and you have logs enabled, the attacker gains access not just to the information generated after the date of the hack; he also gets a valuable history.
  9. Keep up to date. Update your phone constantly and carefully.
  10. Save your important contacts under other names; in case of coercion, you keep control of the situation. Confuse your enemy.
  11. Don’t trust the following services (use at your own risk):
    1. WhatsApp: it saves your chats in the cloud, and in addition the encryption model it uses is very weak. The cipher relies on the network MAC address and/or the IMEI (both of which are very public).
    2. Skype: it synchronizes all your data with every device logged into the same account, and you won’t even know. You may be chatting with a friend, and if someone has access to your password he could be reading your conversations from anywhere. Worse, the attacker does not need to be online in real time or hack your device; Skype will synchronize at any time.
    3. Gtalk: it also synchronizes between many clients under the same account, with the same risks listed above.
    4. SMS: SMS is very easy to capture, and even to forge.
    5. GSM: GSM is also easy to eavesdrop on, to spoof, to use for ghost calls, to fake the caller ID with, and anything else you can imagine. Today an attacker does not need millions of dollars in technology to do this; it can be done with a USRP (Universal Software Radio Peripheral), and it is cheap (between 2000 and 3000 USD).
    6. Others… Never trust.
  12. You can use software like Xabber/OTR to encrypt your chats. But remember, there are many other ways to hack into your phone.
  13. You can use software like Mumble, but remember: many of these programs offer only partial security. They do not enable Perfect Forward Secrecy by default, so if someone gets into your device or the server, they can steal the cipher keys and then decrypt anything you have said before over that channel.
  14. Save your phone backups in encrypted form.
  15. If you can use a VPN, use it. Don’t trust any public network, including your mobile Internet.
  16. Don’t be ashamed to protect yourself; you are not doing anything wrong. You just want to hide information and protect yourself against hackers and malicious criminals.
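The password rules in point 7 (length, four character classes, not dictionary-based) can be checked mechanically. The following checker is an added example, not code from the post; it goes one step beyond the post by undoing common “leet” substitutions (0 for o, 4 for a, and so on) before looking for dictionary words, which is exactly why myp4ssw0rd32! is weak despite its digits and symbol. The wordlist is a constructed mini list; a real checker would use a large breached-password list.

```python
# Added example (not from the post): a checker for the post's password rules,
# extended with the "leet" normalization that password-cracking rules apply.
COMMON_WORDS = {  # constructed mini wordlist; a real checker uses a large breached-password list
    "password", "qwerty", "welcome", "letmein", "admin", "iloveyou", "monkey", "123456",
}

# Substitutions a cracker undoes before comparing a candidate against a wordlist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # the post asks for "more than 12 chars"


def normalize_leet(pw):
    """Lowercase and undo common digit/symbol-for-letter substitutions."""
    return pw.lower().translate(LEET)


def contains_dictionary_word(pw):
    """True if any common word appears in the password, either raw or after de-leeting."""
    candidates = (pw.lower(), normalize_leet(pw))
    return any(word in cand for word in COMMON_WORDS for cand in candidates)


def evaluate_password(pw):
    """Return (is_strong, failed_rules) for the post's rules, failed rules in a fixed order."""
    failed = []
    if len(pw) <= MIN_LENGTH:
        failed.append("length")
    if not any(c.isupper() for c in pw):
        failed.append("uppercase")
    if not any(c.islower() for c in pw):
        failed.append("lowercase")
    if not any(c.isdigit() for c in pw):
        failed.append("digit")
    if not any(not c.isalnum() for c in pw):
        failed.append("special")
    if contains_dictionary_word(pw):
        failed.append("dictionary")
    return (not failed, failed)


if __name__ == "__main__":
    for pw in ("0nd12j.!fiBnf4-", "myp4ssw0rd32!", "123456"):  # the post's three examples
        strong, failed = evaluate_password(pw)
        print(f"{pw!r}: {'strong' if strong else 'weak'} {failed}")
```

Run as a script, the checker reproduces the post's verdicts: the first password passes every rule, the second fails on the missing uppercase letter and on the word “password” hiding behind the substitutions, and 123456 fails nearly everything.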
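Points 12 and 13 both come down to Perfect Forward Secrecy: whether a key stolen later can unlock conversations recorded earlier. The following is an added example, not code from the post and not the implementation of Mumble, OTR or Xabber. It models two messengers over a toy Diffie-Hellman group (a 64-bit prime, constructed for illustration and not secure) with a toy SHA-256 stream cipher. The first derives every session key from the long-term keys alone; the second uses fresh ephemeral keys per session and discards them afterwards. An attacker who later steals Alice’s long-term private key plus the stored transcript recovers the first conversation but not the second. Authentication of the ephemeral values (what the long-term keys are really for) is omitted.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (NOT a secure parameter set):
# P is the largest 64-bit prime and G = 2. Real software uses a 2048-bit+ MODP group or an elliptic curve.
P = 2**64 - 59
G = 2


def dh_keypair():
    """Generate one DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher (SHA-256 keystream XOR); encrypting and decrypting are the same operation."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def static_session(alice, bob, plaintext):
    """Messenger WITHOUT forward secrecy: the session key comes from the long-term keys alone,
    so it is the same in every session and recoverable by anyone who later obtains one private key."""
    key = session_key(alice[0], bob[1])
    assert key == session_key(bob[0], alice[1])  # both sides agree on the key
    return {"peer_pub": bob[1], "ciphertext": xor_stream(key, plaintext)}


def ephemeral_session(plaintext):
    """Messenger WITH forward secrecy: fresh ephemeral DH keys used for this session only.
    (The long-term keys would sign the ephemeral values to stop a MITM; that step is omitted here.)"""
    a_eph, b_eph = dh_keypair(), dh_keypair()
    key = session_key(a_eph[0], b_eph[1])
    assert key == session_key(b_eph[0], a_eph[1])
    record = {"alice_eph_pub": a_eph[1], "peer_pub": b_eph[1], "ciphertext": xor_stream(key, plaintext)}
    del a_eph, b_eph, key  # private halves and the session key are discarded when the session ends
    return record


def attacker_after_compromise(record, stolen_priv):
    """Later, the attacker holds a stored transcript plus Alice's stolen long-term private key.
    All they can do is combine that key with the public value found in the record."""
    return xor_stream(session_key(stolen_priv, record["peer_pub"]), record["ciphertext"])


def demo(message=b"meeting moved to 18:00, bring the contract"):  # constructed sample message
    """Return (static_session_recovered, ephemeral_session_recovered) after the key compromise."""
    alice, bob = dh_keypair(), dh_keypair()  # long-term identity keys
    static_rec = static_session(alice, bob, message)
    eph_rec = ephemeral_session(message)
    return (attacker_after_compromise(static_rec, alice[0]) == message,
            attacker_after_compromise(eph_rec, alice[0]) == message)


if __name__ == "__main__":
    print(demo())  # (True, False): the static-key chat is exposed, the ephemeral one is not
```

The difference is entirely in what survives the session: in the static design the stolen long-term key *is* the decryption key for every past recording, while in the ephemeral design the transcript only contains public values and the private exponents that would be needed no longer exist anywhere. That is the property a program without PFS enabled by default is giving up.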
