As I mentioned in the final word of the Android experience, it is possible, even for “bloody beginners”, to harden your Android system, get control over it and protect your privacy!
Based on my Galaxy 551 and Android 2.2, I’ll give some advice for these apps:
- Mail-App
- Browser-App
and discuss some settings in the Settings menu.
Values in brackets [] are suggested values.
Basics
First of all, all devices should be protected by a password, which will be queried each time the phone is unlocked. Devices which are permanently connected to the internet should be protected even more strongly! Be aware that an unlock password is only a barrier, not the ultimate weapon of choice. I expect that locked phones are less attractive to thieves. Every password can be bypassed, I guess.
Set up the unlock password
Go to Settings, location & security and set up the unlock password. By password I refer to one of the following options:
- a gesture
- a PIN or
- a password
I won’t give any suggestion. Decide for yourself, but remember that anything is better than nothing! Maybe you should also remember to clean your display, to prevent the “enemy” from seeing your fingerprints or “fingermarks” on frequently touched spots of your display.
But let’s start with the settings
Settings
location & security
- use wireless networks [disabled]
“See location in applications (such as Maps) using wireless networks”
- use GPS satellites [disabled]
“Locate to street-level”
- Visible passwords [disabled]
“Show password as you type”
-> a really bad idea, isn’t it?
Accounts & sync settings
- Background data [disabled]
“Applications can sync, send, and receive data at any time”
Note: Some apps (like “Vendor” aka the market) need this to work
- Auto-sync [disabled]
“Applications sync data automatically”
Tethering & mobile hotspot
You should always use the USB data cable to tether your phone. Otherwise you need to create a mobile hotspot in order to share your mobile internet connection. Android will create a new AP (the hotspot) and manage the whole spot: IP addresses and gateways are leased, and so on. If you use the mobile hotspot feature, you have to set the following settings to secure your hotspot and, of course, your phone.
- Network SSID
Use a harmless name which does not “point” to you or your Droid. This can be considered rule #1 for WiFi networks. Networks which lead to their operators (e.g. a family name, address, first name, etc.) are more often attacked than “anonymous” networks, I guess.
- Security (Encryption)
Choose anything but “none” or “open” (not sure what it says on English phones, my phone is German). The only alternative was WPA2 PSK.
- Password
Enter a good password here. Android forces you to enter at least 8 characters.
Privacy
(Privacy sounds more like backup. Settings to set up real privacy are not present in this menu. I suggest disabling this option. Backup means “just upload your data to Google”. Bad idea …)
- Back up my data [disabled]
“Back up my settings and other application data”
Apps
Mail-App
The Mail-App must be configured manually! Using the assistant will cause a bunch of problems. Encrypted communication will be disabled if the assistant is used, which means that all your emails (except emails which are encrypted by programs like PGP or S/MIME) and passwords are transferred in plain text, aka human-readable. This is even worse if you are using public hotspots or open WiFi networks. (I consider WEP to be open.)
Find below a small howto:
- open the Mail-App
- set up a new email account
- enter the email address and password and tap on “Manual setup”
- select IMAP*/POP3* account
- enter the username, password and the address/IP of your POP3* or IMAP* server (get this information from your ISP)
- select the security type (the default is “none”, which is the worst selection. Select either SSL* or TLS*)
Select SSL* or TLS* (accept all certificates) only if you have massive trouble getting a secured connection. This should be the last resort!
The port is set automatically, but should be compared with the ISP settings.
- The Mail-App will check the settings and open the “outgoing settings”
- fill in the username, password and address of the SMTP server
- set the security type to TLS* or SSL*
Select SSL* or TLS* (accept all certificates) only if you have massive trouble getting a secured connection. This should be the last resort!
The port is set automatically, but should be compared with the ISP settings.
- The Mail-App will check the settings and open the account if all went fine!
The communication will be encrypted from now on.
*: For all those who have trouble reading the abbreviations, I’ve prepared a small KB here.
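A desk check of the values entered in the steps above, as an added example that is not part of the original post: it flags “none”, flags the “accept all certificates” fallback, and compares the port with the ISP's value or, if none is given, with the usual port. The port table is an assumption (the app's “SSL” taken as TLS from the first byte, “TLS” as a STARTTLS upgrade), and the two sample accounts are constructed.

```python
# Added example (not from the original post). Security labels follow the
# post's wording; the port table is an assumption: "SSL" = TLS from the first
# byte, "TLS" = STARTTLS upgrade on the plain-text port.
EXPECTED_PORTS = {
    ("imap", "ssl"): {993}, ("imap", "tls"): {143},
    ("pop3", "ssl"): {995}, ("pop3", "tls"): {110},
    ("smtp", "ssl"): {465}, ("smtp", "tls"): {587, 25},
}

def audit_server(protocol, security, port, isp_port=None):
    """Return (severity, message) findings for one incoming/outgoing entry."""
    proto = protocol.lower()
    sec = security.strip().lower()
    mode = sec.split("(")[0].strip()            # "none", "ssl" or "tls"
    if mode == "none":
        return [("FAIL", f"{proto}: no encryption, password and mail travel in plain text")]
    if (proto, mode) not in EXPECTED_PORTS:
        return [("FAIL", f"{proto}: unknown protocol or security type {security!r}")]
    findings = []
    if "accept all certificates" in sec:
        findings.append(("WARN", f"{proto}: encrypted, but the server certificate is not verified"))
    if isp_port is not None:
        if port != isp_port:
            findings.append(("WARN", f"{proto}: port {port} differs from ISP setting {isp_port}"))
    elif port not in EXPECTED_PORTS[(proto, mode)]:
        findings.append(("WARN", f"{proto}: port {port} is unusual for {mode.upper()}"))
    return findings

def audit_account(account):
    """Audit every server entry of an account; an empty list means no findings."""
    return [f for entry in account for f in audit_server(**entry)]

# Constructed samples: an account left unencrypted, as the post describes for
# the assistant, and a manually configured one. No network access is needed.
ASSISTANT = [
    {"protocol": "imap", "security": "none", "port": 143},
    {"protocol": "smtp", "security": "none", "port": 25},
]
MANUAL = [
    {"protocol": "imap", "security": "SSL", "port": 993, "isp_port": 993},
    {"protocol": "smtp", "security": "TLS (accept all certificates)", "port": 587},
]

if __name__ == "__main__":
    for name, acct in (("assistant", ASSISTANT), ("manual", MANUAL)):
        for severity, message in audit_account(acct) or [("OK", "no findings")]:
            print(f"{name:9} {severity:4} {message}")
```

A WARN for “accept all certificates” means the link is encrypted but the phone cannot tell the real server from an impostor, which is why the post treats that option as the last resort.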
Browser
The Browser has some default settings, which must be changed asap. To access the settings menu, press the menu button and scroll down to the bottom of the list.
Change the settings according to this:
- Block pop-up windows [activated]
- Enable JavaScript [disabled]
Note: Some pages will not work as expected by you and/or the developer.
- Enable plug-ins [on demand]
- Accept cookies [disabled]
Note: Some pages will not work as expected by you and/or the developer.
General advice about cookies: My mom told me that I should never take cookies or sweets from strangers … What’s wrong with you guys? This is also true for the internet!
- Remember form data [disabled]
This option will save information entered into forms (like log-in masks). I suggest that you disable this. Mobile devices get lost sometimes …
- Enable location [disabled]
Web sites don’t need to know where you are, right?
- Remember passwords [disabled]
This option will remember entered passwords in forms.
I discovered your weblog site on google and examine a couple of your early posts. Proceed to maintain up the excellent operate. I just additional up your RSS feed to my MSN Information Reader. Searching for forward to studying extra from you afterward!
I can concur with the post
I’d prefer to uslysht just a little more on this topic
It
You are very welcome. Thank you for your feedback.