Your no-fuss, fail-safe guide to protecting Android devices

You can easily protect both your personal and work-related data from common threats

As Android's popularity continues to climb, it's increasingly joining the workplace. In its early days, Android had little in the way of security, relegating it to personal use. But over the years, Google has upped the ante in terms of Android security, as have third-party vendors.

Today, thanks to the tools built into Android itself and those available from the Google Play app store, you can easily protect both your personal and work-related data from common threats.

If your security requirements are very strict, for example because of compliance-oriented regulations, you may need to use a third-party mobile device management tool. But many individuals and businesses can protect themselves with a simpler set of tools and steps.

Focus on these Android risks

To best protect your device and your personal data from threats, you first need to understand what's legitimate and what's hype. Android's vulnerability lies in its open nature. In InfoWorld's "A clear-eyed guide to Android's actual security risks," Bob Violino narrowed Android's vulnerabilities down to two core areas of concern.

First is Google Play's "come one, come all" model, allowing just about anyone to upload and distribute their apps. In their native untested state, these apps can contain malware, spyware, and other hijacking protocols that can put your data at risk.

But malware isn't limited to Google Play: Because Android allows for side-loading apps from sources outside Google Play, the risk of compromising your device with a rogue download is compounded.

Hindering Android's ability to fight these risks is Android's second major weakness: its inherent fragmentation. Google and Android OEMs have been criticized -- rightfully so -- for untimely and unreliable updates, which has left Android splintered.

Only 1.4 percent of Android devices are running the latest version (4.4 KitKat), while 21 percent are still running 2010's 2.3 Gingerbread version. Whereas iOS's security holes can be easily patched in one fell swoop by Apple, Android is patched on a version-by-version basis determined separately by each device maker and carrier, which is often a slow and ineffective process.

As a result, someone running Android 4.0 Ice Cream Sandwich might face very different risks than someone running Android 4.1 Jelly Bean, which makes standardizing your protection very difficult.

Then there's the human factor: Your device is only as safe as your literal grip on it. In the hands of an even moderately knowledgeable thief, your data can be easily accessed, shared, and compromised.

Use Android's built-in security tools

As Android has evolved, so has its ability to ward off these dangers. In its most current version, 4.4 KitKat, Android has several tools you can easily configure to provide your device and data with a powerful first layer of protection.

Passwords. You might not think of password protection as a powerful security tool, but it is. In reality, setting up a password on your mobile device is often the most effective yet overlooked way to protect your device from external threats. For the small-time crook looking for valuable personal data like bank accounts, contacts, and call logs, the prospect of cracking a device password is often enough to convince them to move on to easier targets.

Setting up a password on your Android device is simple: Go to the Settings app and navigate to the Security section. There, you'll be able to initiate a password lock with varying levels of security using the Screen Lock option:

Face Unlock made waves when it was first introduced in Android 4.0 Ice Cream Sandwich. Set it up by snapping a photo of yourself in the Settings app. To unlock your device, look into your camera for facial verification. But be aware that a spy can unlock your device simply by showing it a photograph of your face. Despite its cool factor, Face Unlock remains one of the least effective ways to protect your device.

Pattern Lock offers significantly more security. Simply connect the dots by tracing a pattern with your finger on a three-by-three grid to set your pattern password. Draw this pattern to unlock your device.

PIN and Password lock offer the highest level of protection. You can use a four-digit numeric PIN or a password of any length and complexity to unlock your device. As a general rule of thumb, the more complex the password, the better protected your device.

Encryption. Setting up a password is effective for protecting your device from a physical breach, but it can be less effective when it comes to a remote breach. For those with sensitive data on their devices, such as work documents and confidential message logs, data encryption adds a valuable layer of security: even if a thief gets your device's data, such as through a spyware app, the stolen data remains protected.

To encrypt your device, open the Settings app and head to its Security settings. You'll find the Encrypt Device option there. Plug your device into power or ensure the battery is at least 80 percent charged -- Android can't encrypt your device if there's not enough power to ensure it can run through the process, which can take 30 to 60 minutes. You'll be asked to set up a PIN or password, which doesn't have to be the same as your lock password.

Once your device is encrypted, it will remain so until it's permanently wiped or you disable encryption. You'll have to enter the encryption PIN or password each time you power on the device, but not to wake it from sleep. If you also have a password lock, you'll enter that as well in a separate step.

Remote wipe. One of Android's newest security features is also one of its most useful: Remote wipe was introduced in 2013 and is now available on any device running Android version 2.2 or later. The feature lets you locate your device remotely. It also lets you remotely lock or even wipe the device's contents if it has been stolen, lost, or breached in any way.

Go to the Settings app's Android Device Manager option and check the boxes for "Remotely locate this device" and "Allow remote lock and erase." Then, from a browser on any computer or device, go to and enter your Google account credentials. You'll be shown the location of your device in Google Maps, and you'll have the option to ring your device (in case it slipped under a cushion or seat), lock it (so a password is needed to use it), or wipe it (so its apps and data are removed). Having these three options means you don't have to immediately resort to a device wipe if you think the device is lost or stolen, but can use less intrusive remedies instead based on your level of concern.

Disabling side-loading. Google Play isn't the only place your device can contract malware. Files and apps downloaded from your Web browser and from email attachments -- aka side-loading -- can expose your Android device to malware, spyware, and other dangerous apps.

To protect yourself from side-loaded apps and files, you'll want to let Google scan these downloads for security risks. To have Google do so, go to the Settings app's Device Administration section (part of the Security settings) and check the Verify Apps option.

If you'd rather remove the ability to download these files altogether, go to the Settings app's Device Administration section and ensure that Unknown Sources is unchecked. Doing so prevents your Android device from downloading anything that hasn't been checked and approved by Google. However, be aware that this essentially disables your ability to download email attachments, which may be a major inconvenience for business users.
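The three settings from this section (Encrypt Device, Verify Apps, Unknown Sources) can also be checked from a workstation rather than by tapping through menus. This is an added example, not part of the original article; it assumes adb access to a device with USB debugging already enabled, and the names ro.crypto.state, package_verifier_enable, and install_non_market_apps are AOSP names that a vendor build may not honor.

```shell
#!/bin/sh
# Added example, not from the article. Setting names are AOSP-era names and
# are assumptions for any particular vendor build.

# grade_device CRYPTO_STATE VERIFY_APPS UNKNOWN_SOURCES
# Echoes the names of the weak settings, or "ok" when all match the advice.
grade_device() {
    weak=""
    # ro.crypto.state reads "encrypted" once Encrypt Device has completed.
    [ "$1" = "encrypted" ] || weak="$weak encryption"
    # package_verifier_enable=1 means Verify Apps is checked; an unset
    # ("null") value counts as weak because it cannot be confirmed.
    [ "$2" = "1" ] || weak="$weak verify_apps"
    # install_non_market_apps=0 means Unknown Sources is unchecked.
    [ "$3" = "0" ] || weak="$weak unknown_sources"
    echo "${weak:-ok}" | sed 's/^ //'
}

# merge_unknown_sources GLOBAL_VALUE SECURE_VALUE
# AOSP moved this key between the "global" and "secure" namespaces across
# releases, so both are read: 1 if either enables it, 0 only if one says 0.
merge_unknown_sources() {
    case "$1,$2" in
        1,*|*,1) echo 1 ;;
        0,*|*,0) echo 0 ;;
        *)       echo null ;;
    esac
}

# audit_connected_device: read the live values over adb and grade them.
audit_connected_device() {
    crypto=$(adb shell getprop ro.crypto.state | tr -d '\r')
    verify=$(adb shell settings get global package_verifier_enable | tr -d '\r')
    unk_g=$(adb shell settings get global install_non_market_apps | tr -d '\r')
    unk_s=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    grade_device "$crypto" "$verify" "$(merge_unknown_sources "$unk_g" "$unk_s")"
}

if [ "${1:-}" = "--device" ]; then
    audit_connected_device
else
    # Constructed sample: unencrypted, Verify Apps on, Unknown Sources on.
    grade_device unencrypted 1 "$(merge_unknown_sources 1 null)"
fi
```

Run it with --device to query an attached device; with no arguments it grades the constructed sample only.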

Add a second layer of protection

Google isn't the only provider paying attention to Android's security risks. There are hundreds of apps available through Google Play that can add a second layer of security to your device. These additional fail-safes can be quite useful for business users.

Password vaults. Setting up a password and encrypting your device are an excellent first layer of protection, but should that initial firewall fail, additional tools can keep the account information on your device safe by adding yet another layer of password protection for its apps and data.

One such tool is AppLock, which lets you lock down individual apps with a separate password. It's free, albeit with ads.

Antimalware. Personal and business computing is shifting slowly away from the PC and toward mobile devices, which means that malware is also making the jump. Luckily, antivirus developers are taking note.

Independent test lab AV-Test's results for Android security products found that 16 of the 30 products it tested -- including Bitdefender's Mobile Security & Antivirus, McAfee Antivirus & Security, and Symantec's Norton Security Antivirus -- scored 100 percent when it came to detection rates.

These products also can remotely lock and wipe your device, locate the device if it's lost or stolen, and back up your data -- features that older versions of Android lack. Bitdefender, McAfee, and Symantec all charge the same annual subscription fee: $30 per device. Lookout offers a basic version of its Security & Antivirus app at no charge.


Stories by Anndrew Vacca
