As we shift more and more of our computing to the mobile space, mobile security becomes more and more important. These days our phones are full of sensitive information – from personal photos to bank login credentials. So how can we keep ourselves safe?
Android Lollipop, the newly released version of Android, has a bunch of useful features, including Google’s new Material Design aesthetic. More importantly, though, it packs a big punch in the security arena, bringing in a number of features that improve security across the board. Let’s dive in and see what improvements you can expect when you boot up your new Lollipop device.
In October, Google stated that new Lollipop devices would be encrypted by default. Devices upgraded to Lollipop won’t be, but they’ll still have the option to enable this feature. This is a big jump in device security. Unless you encrypt the drive, all the security measures in the world will only last until an attacker physically accesses the memory. Ultimately, unencrypted data is vulnerable. If you have any sensitive information on your phone, encryption is a must.
Unfortunately, there’s a major caveat here, which has to do with performance. Many Android phones use a dedicated encryption chip, which makes storing and accessing files fast and seamless, even in encrypted mode. For devices without the chip, unfortunately, enabling encryption can cause major performance hits. Even Google’s own Nexus 6 is affected, with storage retrieval slowing by up to 80%. Because of these performance concerns, several low-end Lollipop devices do not have encryption enabled by default – despite Google’s statements last year. In contrast, iOS has had mandatory encryption on all devices since 2010.
This is another consequence of Google’s open platform. It’s relatively easy for Apple to make sure that every single iOS device has an encryption chip. Google, with its bullpen of different hardware manufacturers, is fighting a much more uphill battle. If they demand too much from manufacturers, they run the risk of those manufacturers refusing to upgrade to Lollipop, further fragmenting the ecosystem.
For now, you should at least try to enable device encryption on your device and see what slowdown (if any) you experience. It’s an important security feature that you should absolutely be using, if your hardware can handle it.
One of the most important security features on Android has been around for a long time, but isn’t all that widely used. Pass-code unlock does a huge amount to keep your data safer from casual attackers, but can be inconvenient. So, with Lollipop, Google has made a major push to make logging in more convenient, via the Smart Lock feature.
Smart Lock is all about the device knowing when it’s safe. It can use the accelerometers to detect when it’s still being held or carried, and not lock until it’s set down. It can sync with other wearable devices or wifi hotspots to determine when it’s near an authorized user or in a safe place (like your home) and remain unlocked. It can even use face recognition to determine how long it’s been since you’ve been near it, and lock itself accordingly.
This doesn’t make the device safer, in and of itself (it actually makes the device a little less secure). However, it does make having a lock screen significantly more convenient. That hopefully translates into more people activating a lock screen and leaving it enabled.
The Verify Apps mode, which is new to Lollipop, is similar to antivirus software on desktop operating systems. If you opt in, Android automatically warns you if you try to install third party apps, and continuously scans installed apps for malicious code. It also checks apps against a blacklist of apps that are known to try to steal user data (as reported by users). The Verify Apps mode will warn the user – and, if the threat is severe enough, remove the app automatically.
This may seem like basic functionality, but it’s much better than nothing – especially given Android’s relatively permissive app store (compared to iOS). While Google will tell you Android doesn’t have a malware problem, there have been issues in the past (like the flashlight app that was quietly stealing user data). Being able to identify these apps and take steps to neutralize them is a huge step forward for security on Android.
Expanded Automatic Updates
One of the biggest problems that Google faces with Android has been fragmentation. Device makers are fundamentally shiftless and lazy, and getting them to consistently use the latest version of Android (and keep old devices up to date) has been an uphill struggle.
To help combat this, Google has been slowly moving more and more functionality away from the operating system and into Google Play Services, which operates as can app that they can update without the support of device makers. In the long run, we may even see Android break away from regular releases, moving almost everything into Play Services.
For now, Google is continuing the trend by moving Web View, the web page renderer, into Play Services. This gives Google the ability to react to bugs and potential security issues much more fluidly, without having to wait for the next Android release. This may become important as the web becomes richer and richer with interactive content, and threats from browser-based attacks grow.
Reset protection is another setting that indirectly improves the security of the device. A locked and stolen Android phone is essentially worthless on the face of it: it’s a brick until you figure out the password. Unfortunately, almost all Android devices allow you to wipe a device back to factory default from the BIOS, essentially turning it into a new phone (even if you don’t have the password).
Reset protection is an optional setting that changes factory reset functionality to require the password. While this doesn’t help you much if your device is stolen, it does make stolen Android phones less valuable, reducing the incentive to steal them in the first place.
One big change to Android is one that’s totally invisible to the user: the switch to secure SELinux under the hood. While the switch to SELinux officially happened a while ago, it’s only with Lollipop that its security features are actually enabled. Technically, this is the switch from ‘permissive’ to ‘enforcement’ mode.
SELinux is a special version of Linux, originally developed by the NSA, which is designed to make it harder for malware to get a foothold in a system. While Android has always had app sandboxing (designed to keep apps from spying on one another), SELinux gives this feature teeth and makes it much more difficult to circumvent or disable. That means that it’s harder for malware to casually snoop on your other apps and steal personal information.
Guest accounts are a staple of modern computer operating systems, and for good reason. There are plenty of scenarios when you want to give someone access to your computer, but don’t necessarily want to give them unlimited access to your personal information and login credentials.
The same is obviously valuable on a phone, and is finally available with Lollipop, allowing you to quickly put the phone into guest mode (or even create fully-featured alternative accounts for people who regularly use your phone). This goes a long way towards protecting your privacy during real-world use.
While Windows Phone OS has had this trick for a long time, it’s something that iOS still lacks. This change could be a deciding factor for many iOS users on the fence about switching to an Android device.
Android For Work
Plenty of professionals out there have to keep two phones: one for work, and one for fun, because it’s hard to guarantee the security of random user phones, and hard to keep corporate data safe from whatever random malware the user might have on their personal device.
Android For Work is an attempt to address that by maintaining a secure sandbox within Android screened off from other apps. Data is strictly partitioned along the same lines: personal apps can’t decrypt work data, and vice versa. Essentially, the user has two phones on one device that they can swap between. Google is hoping it can use this feature to persuade enterprises to let users use their own Android phones for work. This would cut into iOS’ market share, as Apple mobiles make up about 69% of official enterprise phones.
Security by Necessity
Android has unique security challenges compared to its more locked-down competitors, and these changes are a major step in the right direction. That said, security is only as strong as its weakest link, which is usually the user. Try to take advantage of these features as much as you can, and keep security in mind. Does it seem like that flashlight app is demanding too many permissions? Get a different one! There’s no kernel upgrade to replace common sense.
Upgraded to Lollipop yet? How are you liking the security features? Let us know in the comments!