How to secure your Android phone or tablet
Jan. 14, 2021
You could call mobile devices the new frontier for malicious software. Malware can infect mobile devices in a variety of ways such as through an app, phishing email, or SMS text message. Common types of mobile malware include ransomware, worms, trojans, and spyware.
If you have an Android phone or tablet, it’s a good idea to know how secure the Android operating system is, along with its limitations. That’s important if you want to help keep your devices and data safe and secure.
In this article, we cover what you need to know to get started. This includes ways you can help enhance the security of your device. You can also learn about these four levels of Android security protection.
- Default Android Security Settings
- Basic Android Security Settings
- Advanced Android Security Settings
- Pro Android Security Settings
How secure is the Android operating system?
Android’s operating system has layers of protection that add to its security. It requires you to provide permission for nearly all functions that could compromise your system or data. But it can also be vulnerable to malware. That’s because of the openness of its platform.
The flexibility that leads to so many awesome apps also has the downside of leaving some security vulnerabilities open.
Only a small fraction of the apps distributed via Play store are malicious — just 0.6% of all apps, according to research by NortonLifeLock Labs. Even so, this translates to a sizable number of malicious installations, due to Play store’s popularity.
But fear not. It’s possible to help protect your Android device by adjusting the security settings for your device and your apps, and taking some steps outlined below.
Android phones come with useful security settings built into the operating system. They can help you protect your device and safely surf the web and download content. Also, most Android phones come with the Smart Lock suite that allows you to unlock your phone in different ways, including On-Body Detection, Trusted Places, Trusted Face, and Trusted Voice Recognition.
We’ve categorized these security settings into four levels of protection.
The first level of protection covers default security settings. Android devices have built-in, standard security features like Google Play Protect and on-device encryption.
Google Play Protect
Google Play Protect is Google’s built-in malware protection for Android devices. Play Protect scans apps in the Google Store daily to verify they remain free from malware. It also identifies and removes malicious apps from the store before they are downloaded onto devices.
Every app and developer is vetted before their apps are available in the Google Play store. Google Play Protect can also automatically scan your apps for malware before and after you install them.
On-device encryption is another default Android security feature. Important to note: You must set your phone to lock with a pattern, PIN, or password for the encryption to kick in. When your phone is locked, 256-bit AES standard encryption will protect the data stored on that device.
Android devices offer another layer of basic protection when you activate additional security features that include setting a password, and enabling two-step verification and the Find My Device tool.
Setting Your Password
Android phones require the traditional locking methods of setting a pattern, PIN, or password. The strongest protection is a complex, unique password consisting of a random combination of uppercase and lowercase letters, symbols, and numbers.
You can set two-factor authentication — also known as 2FA — to add more protection. How does it work? Once enabled, this form of verification gives you an extra layer of security by requiring two different codes from two different sources. After you submit a password, a code will be sent to your default phone via text or a call. Only entering this code will give you access to an account.
Two-step verification will provide that additional protection when, for instance, someone tries to access your Google account from another device. You’ll get the access code — and they won’t. Hackers will need more than just your username and password credentials to infiltrate your data and devices.
To set up 2FA, go to the security settings in your Google account and follow these steps:
Security > Signing in to Google > turn on 2-Step Verification
Find My Device
The Google Play Store offers a Find My Device tool that allows you to track, lock, and erase your device when it’s lost or stolen. Is this necessary? The answer is yes. You don’t know when you might lose your device or when it might fall into the wrong hands. This tool gives you a backup plan to help keep your device and data safe when the unexpected happens.
To activate Find My Device, sign in to your Google account, be sure to have your location turned on, and follow these steps:
Settings > Security > turn on Find My Device
Android devices also offer more advanced security features that you can set up such as biometric authentication.
Newer Android phones have a fingerprint sensor you can set up. Fingerprints can offer more secure authentication and protection than passwords. To start, go to your security settings to register your fingerprint or prints.
How to turn on Fingerprint Unlock:
Settings > Lock screen and security > Screen lock type > add your fingerprint
Google’s On-Body Detection feature can determine if you have your device on your person or in your hand. If so, it will keep it unlocked. Once you put your phone down, it will automatically lock. One downside is its inability to detect if your phone is passed to another person.
The Trusted Places feature allows you to configure your phone settings so it remains unlocked while you’re at home or in other locations you enable.
Trusted Face Recognition
This biometric feature, part of Android’s Smart Lock suite, allows you to unlock your device with facial recognition. When considering face unlocking, however, beware of the ramifications of using a 2D front camera—if you don’t have a 3D depth-sensing camera—to scan your face. Why? Anything that isn’t three dimensional could be more easily replicated and used by others to gain access to your device.
If your device has voice detection set up, you can use this feature to unlock your phone when it hears a trusted voice.
Here’s what to do to turn on the Android Smart Lock suite of features mentioned above:
- Go into Settings > security or Lock screen and security > Advanced > Trust agents and make sure that Smart Lock is turned on.
- Under settings, search for Smart Lock.
- Tap Smart Lock and enter your password, unlock pattern, PIN code, or your fingerprint.
- Then you can enable On Body Detection, add Trusted Places and Trusted Devices, add Trusted Face Recognition, and set up Trusted Voice.
Safe Browsing in Google Chrome
The Safe Browsing feature in Google Chrome and other web browsers helps protect against websites that contain malware or phishing content.
Protection from Unknown Sources
Google Play Protect is effective in its vetting of apps, but it can’t help you if you download an app that isn’t in the Play Store. Instead, the Android operating system does provide a solution for helping avoid unknown downloads. This tool, Unknown Sources or Unknown Apps, will block the installation of apps that aren’t from the Google Play Store.
If you find an app that hasn’t been vetted by Google Play Protect that you just can’t do without, you can turn off this protection. But be sure to switch back the setting when you’re done.
Here’s how to turn Unknown Sources on and off:
Settings > Security > Unknown sources or Unknown apps > toggle on or off the installation of apps from a non-Play Store source
Several Android security features go above and beyond to help provide additional layers of security for your device and data.
Physical Security Key
Perhaps one of the highest levels of protection resides in getting a security key. If you have one, you — and more importantly, others — won’t be able to access anything without it. For example, if someone steals your passwords, they normally can access your accounts — but not if you have the protection of a security key. Other benefits include its size, because it’s small like a flash drive, and its ease of use, because it allows you to store all of your authentication data in one place.
Disable Smart Lock and Auto Sign-In
While the Smart Lock for passwords and auto sign-in features can be handy, you should consider disabling them if you want to be able to lock down your phone. If you have these features on and someone steals your phone, they’ll have access to all of your passwords.
To disable Smart Lock and Auto Sign-In, go to the security settings in your Google account and follow these steps:
Security > Signing in to other sites > Saved Passwords > toggle on Offer to Save Passwords (instead of Auto Sign-In)
Disable Bluetooth Connectivity
Consider taking the extra step of disabling Bluetooth when in public. Bluetooth lets your phone connect wirelessly with other devices, so it also may let others connect to your device without your permission.
Use a Password Manager
Downloading a password manager can be a big help in password management. A password manager can help keep your passwords organized — and safe from hackers. Many password managers also will help you create strong, complex, and unique passwords. All of your unique passwords are then captured and protected in a ‘vault’ by one master password or your fingerprint.
Use a VPN
When you’re out and about, you may be tempted to surf the web while using public Wi-Fi. It’s just so easy and tempting to connect in the coffee shop or airport. And if you’re only checking out a site quickly, can it really hurt? Yes. Using public Wi-Fi without any protection is like leaving your front door open with a big sign that tells burglars you aren’t home.
A good way to help ensure you’re protected is to use a virtual private network. A VPN connection encrypts your online activities to keep you safe from eavesdroppers like the hackers at coffee shops waiting for their next online victim. Android users have two options: the built-in VPN on Android devices, or another secure VPN app. The Google Play Store offers several choices.
Use an Authenticator App
The two-step verification noted above is a great added layer of protection. But what if an eavesdropper can intercept your SMS text messages, enabling them also to receive that second code? Authenticator apps address this by offering an even greater layer of protection, generating unique codes on your device instead of relying on the text messages.
Enter Lockdown Mode
Google gives Android 9 users a new mode to essentially lock down your device. If you activate Lockdown Mode, your phone and everything on it will lock. This means you won’t be able to access things like the fingerprint scanner, and Smart Lock will be disabled.
To set lockdown, hold down the power button and select Lockdown or go to:
Settings > Lock Screen
Common Android security threats
All sorts of malware and other security threats target Android phones and the Android operating system. What does this mean if you have an Android phone or tablet?
It’s important to know the red flags. First, consider what malware is: malicious software that sneaks onto your phone and intends to cause harm. Cybercriminals use malware to access your personal data and, in some cases, use that sensitive information to commit identity theft or fraud.
Malware can include viruses, computer worms, Trojans, ransomware and spyware. Here are some of the most common Android security threats to consider.
A man-in-the-middle attack is a vulnerability that can be found on unsecured networks. This kind of threat requires three players: the victim, the entity with which the victim is trying to communicate, and the “man in the middle,” who’s intercepting the victim’s communications. The goal of these types of threats are usually to steal information.
A cybercriminal can use mobile ransomware to lock a device and encrypt personal data, demanding payment to unlock the device or return the data to the user. Victims usually are tricked into downloading mobile ransomware through social networking schemes, phishing scams, fake text messages, or by clicking on pop-ups containing embedded viruses. Victims may think they’re downloading innocent content or useful security software.
Trojans are malware that are disguised as legitimate software and apps. They are all about stealth, their goal being to trick you into activating them. Knowing how to spot them — and not execute them — is important. If you do let them in, they can inflict malicious acts on your data and network.
This type of malware is unknowingly loaded onto your device as a software program. Mobile spyware does just what its name implies: It lets hackers spy on you remotely, monitoring and recording your sensitive data and activities without your knowledge.
A keylogger is a type of spyware that records the keystrokes you type on your device. Keyloggers are particularly insidious because you don’t know they’re there, watching and recording everything you type. A lot of sensitive information can be gleaned from what you enter on your devices—via your emails, text messages, login credentials, passwords used, websites browsed, and financial information accessed.
Android mobile adware are advertisements that display on your device even when you aren’t on the web or using apps. Are pop-up advertisements really that bad? Adware can be much more sophisticated than simple pop-ups. Some adware may contain so-called malvertising code that infects your device and plants adware that then, in turn, could steal your personal data.
7 additional steps to help enhance your Android device security
Consider these steps for protecting the privacy and security of your Android device.
Once you have reviewed the app’s permission list, consider the app’s requests. Do they seem reasonable for the app’s purpose? For instance, does a game app really need to access your contacts? If so, what’s the reasoning? Does the game use social sharing? Otherwise, you may not be comfortable allowing this level of access to your personal information
Review the apps already installed on your phone and check for excessive permission requests or settings.
To see the permissions given to an application after it’s already been installed:
- Open your devices’ main Settings app.
- Depending on your device model, tap on Apps or Application Manager.
- Select an app.
- Scroll down to "Permissions."
If you haven’t used an app in a while, uninstall it. This cleaning will keep you up-to-date to avoid any unnecessary risks while making more room on your phone.
Email is another point of access for malware. Consider this: You receive an email from a sender who looks like your friend. She has included an attachment that looks enticing. You open it, and guess what? It’s actually from a cybercriminal and you just downloaded malware onto your phone.
Updating your device with the latest software updates and security patches is essential to keeping your device safe and secure. These fixes can help protect against security flaws hackers could exploit to find their way in.
It’s smart intall and run robust security software to help protect your Android devices. Reputable anti-malware software can add powerful, effective protection for your Android device and personal information against new and emerging mobile cyberthreats and online scams.
Norton™ 360 for Mobile
Powerful protection for your mobile device and online privacy – plus Dark Web Monitoring Powered by LifeLock™.
It’s more important than ever to make sure your mobile devices are secure and your personal information stays private. Norton 360 for Mobile helps deliver powerful, proactive protection for your device and personal information against stealthy cyberthreats and online scams.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.