This article deals with securing an Android device against spyware and intrusive surveillance. It is aimed specifically at people who have reason to suspect that they are being spied upon.
If in doubt, wipe your device.
If you have any question about whether malicious software may have been installed on your device, wipe it.
Keep your device locked.
Set a lock code, and keep your device locked at all times. If your device is out of your possession for even a second while unlocked, then someone could easily install malicious software to spy on you.
Consider the benefits and risks of rooting, and make an informed decision.
Rooting your device offers you far more control over what runs on it, but it’s not without risks. Your phone manufacturer or carrier will not provide support for rooted phones, especially if the problem is with the phone software. The process of rooting your phone is also risky – if you don’t follow the steps exactly right, you risk turning the phone into a paperweight. Root access can also be abused by malicious applications.
However, many carriers shipped their phones with Carrier IQ’s spyware already installed, and rooting the phone is the only way to get rid of it. Also, many carriers are well behind on updating software, so you can get a much newer (and potentially safer) version of Android by rooting.
Keep USB Debugging Off.
USB debugging is necessary for some things, like tethering apps and using adb to work with your device. Unfortunately, USB debugging also enables anyone with a computer, or with a specialized phone debugging device such as those offered to carriers and law enforcement agencies by Cellebrite, to access your phone, EVEN IF LOCKED. If you need to do something that uses USB debugging, turn it on, and remember to turn it back off when you are done.
Consider the implications of allowing non-market applications.
Simply put, if you don’t need this functionality, don’t turn it on – try to avoid needing it, but if you have to use it, use it.
Be careful even with market applications.
Be particularly wary of new applications – it’s best to stick to well-established applications that have strong reviews. The screening process for the Android Market is after-the-fact – bad applications are removed after they are found, rather than prevented from being added.
Even with precautions, don’t let your device stray too far.
Even with a lock code and USB debugging off, rebooting a smartphone into recovery mode may still offer a way to access it, and the SD card can be removed and/or tampered with. In particular, avoid letting random people use your phone, and watch them closely if they need to do so. All the precautions in the world will only buy you a few minutes.
Turn off GPS and location services when not needed.
This is a no-brainer – if you don’t need these services at the time, don’t have them on. There are widgets that can easily turn this on and off.
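The three toggles discussed above (USB debugging, non-market applications, location services) can be checked in one pass. The script below is an added example, not part of the original article: the function names are hypothetical, the sample input is constructed, and the settings keys are the AOSP ones, whose namespace and availability vary by Android version.

```shell
#!/bin/sh
# Run in a shell on the device itself. Assumes the `settings` command is
# present (it is absent on older Android releases).
collect_settings() {
    for pair in "global adb_enabled" \
                "secure install_non_market_apps" \
                "secure location_providers_allowed"; do
        set -- $pair
        printf '%s %s %s\n' "$1" "$2" "$(settings get "$1" "$2")"
    done
}

# Reads "<namespace> <key> <value>" lines on stdin, prints one line per
# finding, then a final "findings=N" summary line.
audit_settings() {
    findings=0
    while read -r ns key value; do
        # `settings get` prints "null" for a key that is not set.
        if [ "$value" = "null" ]; then value=""; fi
        case "$key=$value" in
            adb_enabled=1)
                echo "RISK: USB debugging is on"
                findings=$((findings + 1)) ;;
            install_non_market_apps=1)
                echo "RISK: non-market installs are allowed"
                findings=$((findings + 1)) ;;
            location_providers_allowed=)
                ;;  # empty list: location is off
            location_providers_allowed=*)
                echo "NOTE: location providers enabled: $value"
                findings=$((findings + 1)) ;;
        esac
    done
    echo "findings=$findings"
}

# Constructed sample input, not captured from a real device.
sample_settings() {
    cat <<'EOF'
global adb_enabled 1
secure install_non_market_apps 0
secure location_providers_allowed gps,network
EOF
}

sample_settings | audit_settings
```

On a device, replace the last line with `collect_settings | audit_settings`.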
Consider the risks and benefits of Google services.
Google is a US-based company and can be required to disclose information to the US government under the PATRIOT Act. It’s a fair bet that they will give out your information to the feds if asked, and that you probably won’t know about it when they do.
Consider the risks of surveillance by the carrier.
Your mobile carrier will have a record of all calls, texts, and other communications from the phone, as well as the location of the phone based on triangulation (which is independent of GPS and can easily be accurate to 150 meters or so). Encrypting traffic to internet services will prevent the carrier from snooping on its contents, but they will still know which services you are communicating with.