Your no-fuss, fail-safe guide to protecting Android devices

For optimum Android security, combine the OS's built-in protections with third-party apps to reduce your risk

As Android's popularity continues to climb, it's increasingly joining the workplace. In its early days, Android had little in the way of security, relegating it to personal use. But over the years, Google has upped the ante in terms of Android security, as have third-party vendors.

Today, thanks to the tools baked into Android itself and available from the Google Play app store, you can easily protect both your personal and work-related data from common threats.

If your security requirements are very strict, for example because of compliance-oriented regulations, you may need to use a third-party mobile device management tool. But many individuals and businesses can protect themselves with a simpler set of tools and steps.

Focus on these Android risks
To best protect your device and your personal data from threats, you first need to understand what's legitimate and what's hype. For Android, its vulnerability lies in its open nature. In InfoWorld's "A clear-eyed guide to Android's actual security risks," Bob Violino narrowed Android's vulnerabilities down to two core areas of concern.

First is Google Play's "come one, come all" model, which allows just about anyone to upload and distribute their apps. In their native untested state, these apps can contain malware, spyware, and other hijacking code that can put your data at risk.

But malware isn't limited to Google Play: Because Android allows for side-loading apps from sources outside Google Play, the risk of compromising your device with a rogue download is compounded.

Hindering Android's ability to fight these risks is Android's second major weakness: its inherent fragmentation. Google and Android OEMs have been criticized -- rightfully so -- for untimely and unreliable updates, which has left Android splintered.

Only 1.4 percent of Android devices are running the latest version (4.4 KitKat), while 21 percent are still running 2010's 2.3 Gingerbread version. Whereas iOS's security holes can be easily patched in one fell swoop by Apple, Android is patched on a version-by-version basis determined separately by each device maker and carrier, which is often a slow and ineffective process.

As a result, someone running Android 4.0 Ice Cream Sandwich might face very different risks than someone running Android 4.1 Jelly Bean, which makes standardizing your protection very difficult.

Then there's the human factor: Your device is only as safe as your literal grip on it. In the hands of an even moderately knowledgeable thief, your data can be easily accessed, shared, and compromised.

Use Android's built-in security tools
As Android has evolved, so has its ability to ward off these dangers. In its most current version, 4.4 KitKat, Android has several tools you can easily configure to provide your device and data with a powerful first layer of protection.

Passwords. You might not think of password protection as a powerful security tool, but it is. In reality, setting up a password on your mobile device is often the most effective yet overlooked way to protect your device from external threat. For the small-time crook looking for valuable personal data like bank accounts, contacts, and call logs, the prospect of cracking a device password is often enough to convince them to move on to easier targets.

Setting up a password on your Android device is simple: Go to the Settings app and navigate to the Security section. There, you'll be able to initiate a password lock with varying levels of security using the Screen Lock option:

  • Face Unlock made waves when it was first introduced in Android 4.0 Ice Cream Sandwich. Set it up by snapping a photo of yourself in the Settings app. To unlock your device, look into your camera for facial verification. But be aware that a spy can unlock your device simply by showing it a photograph of your face. Despite its cool factor, Face Unlock remains one of the least effective ways to protect your device.
  • Pattern Lock offers significantly more security. Simply connect the dots by tracing a pattern with your finger on a three-by-three grid to set your pattern password. Draw this pattern to unlock your device.
  • PIN and Password lock offer the highest level of protection. You can use a four-digit numeric PIN or a password of any length and complexity to unlock your device. As a general rule of thumb, the more complex the password, the better protected your device.

Encryption. Setting up a password is effective for protecting your device from a physical breach, but it can be less effective when it comes to a remote breach. For those with sensitive data on their devices, such as work documents and confidential message logs, data encryption adds a valuable layer of security; even if a thief gets your device's data, such as through a spyware app, the stolen data remains protected.

To encrypt your device, open the Settings app and head to its Security settings. You'll find the Encrypt Device option there. Plug your device into power or ensure the battery is at least 80 percent charged -- Android can't encrypt your device if there's not enough power to ensure it can run through the process, which can take 30 to 60 minutes. You'll be asked to set up a PIN or password, which doesn't have to be the same as your lock password.

Once your device is encrypted, it will remain so until it's permanently wiped or you disable encryption. You'll have to enter the encryption PIN or password each time you power on the device, but not to wake it from sleep. If you also have a password lock, you'll enter that as well in a separate step.

Remote wipe. One of Android's newest security features is also one of its most useful: Remote wipe was introduced in 2013 and is now available on any device running Android version 2.2 or later. The feature lets you locate your device remotely. It also lets you remotely lock or even wipe the device's contents if it has been stolen, lost, or breached in any way.

Go to the Settings app's Android Device Manager option and check the boxes for "Remotely locate this device" and "Allow remote lock and erase." Then, from a browser on any computer or device, go to www.google.com/android/devicemanage and enter your Google account credentials. You'll be shown the location of your device in Google Maps, and you'll have the option to ring your device (in case it slipped under a cushion or seat), lock it (so a password is needed to use it), or wipe it (so its apps and data are removed). Having these three options means you don't have to immediately resort to a device wipe if you think the device is lost or stolen, but can use less intrusive remedies instead based on your level of concern.

Disabling side-loading. Google Play isn't the only place your device can contract malware. Files and apps downloaded from your Web browser and from email attachments -- aka side-loading -- can subject your Android devices to malware, spyware, and other dangerous apps.

To protect yourself from side-loaded apps and files, you'll want to let Google scan these downloads for security risks. To have Google do so, go to the Settings app's Device Administration section (part of the Security settings) and check the Verify Apps option.

If you'd rather remove the ability to download these files altogether, go to the Settings app's Device Administration section and ensure that Unknown Sources is unchecked. Doing so prevents your Android device from downloading anything that hasn't been checked and approved by Google. However, be aware that this essentially disables your ability to download email attachments, which may be a major inconvenience for business users.
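
If you look after more than one device, the Unknown Sources, Verify Apps, and encryption settings described above can also be read over adb rather than checked by hand. The script below is an added example, not part of the original article: the setting and property names are assumed from AOSP, the settings tool it calls is assumed to be present (Android 4.2 and later), and USB debugging must be enabled on the device.

```shell
#!/bin/sh
# Added example (not from the article). Key names are AOSP names as assumed
# by the editor; the namespace of install_non_market_apps varies by release.

# verdict KEY VALUE: map one reading onto the article's advice.
verdict() {
  case "$1:$2" in
    install_non_market_apps:0)   echo "OK Unknown Sources is off" ;;
    install_non_market_apps:1)   echo "RISK Unknown Sources is on (side-loading allowed)" ;;
    package_verifier_enable:1)   echo "OK Verify Apps is on" ;;
    package_verifier_enable:0)   echo "RISK Verify Apps is off" ;;
    ro.crypto.state:encrypted)   echo "OK device storage is encrypted" ;;
    ro.crypto.state:unencrypted) echo "RISK device storage is not encrypted" ;;
    *) echo "UNKNOWN $1 reported '$2', check the Settings app" ;;
  esac
}

# first_set VALUE...: first reading that is neither empty nor "null"
# (the settings tool prints "null" for a key that is not set).
first_set() {
  for v in "$@"; do
    if [ -n "$v" ] && [ "$v" != "null" ]; then echo "$v"; return 0; fi
  done
  echo "null"
}

# audit SERIAL: read the three values from a connected device over adb.
audit() {
  q() { adb -s "$1" shell "$2" 2>/dev/null | tr -d '\r'; }
  verdict install_non_market_apps "$(first_set \
    "$(q "$1" 'settings get global install_non_market_apps')" \
    "$(q "$1" 'settings get secure install_non_market_apps')")"
  verdict package_verifier_enable "$(q "$1" 'settings get global package_verifier_enable')"
  verdict ro.crypto.state "$(q "$1" 'getprop ro.crypto.state')"
}

if [ "${1:-}" = "--device" ]; then
  audit "$2"
else
  # Constructed sample readings, so the script runs without a device.
  verdict install_non_market_apps "$(first_set null 1)"
  verdict package_verifier_enable 1
  verdict ro.crypto.state unencrypted
fi
```

Run it with --device followed by a serial from adb devices to audit a real handset; an UNKNOWN line means the value could not be read and the Settings app should be checked directly.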

Add a second layer of protection
Google isn't the only provider paying attention to Android's security risks. There are hundreds of apps available through Google Play that can add a second layer of security to your device. These additional fail-safes can be quite useful for business users.

Password vaults. Setting up a password and encrypting your device is an excellent first layer of protection, but should that initial firewall fail, there are additional tools to keep the account information within your device safe by adding yet another layer of password protection for the apps and data on your device.

One such tool is AppLock, which lets you lock down individual apps with a separate password. It's free, albeit with ads.

Antimalware. Personal and business computing is shifting slowly away from the PC and toward mobile devices, which means that malware is also making the jump. Luckily, antivirus developers are taking note.

Independent test lab AV-Test's results for Android security products found that 16 of the 30 products it tested -- including Bitdefender's Mobile Security & Antivirus, McAfee Antivirus & Security, and Symantec's Norton Security Antivirus -- scored 100 percent when it came to detection rates.

These products also can remotely lock and wipe your device, locate the device if it's lost or stolen, and back up your data -- features that older versions of Android lack. Bitdefender, McAfee, and Symantec all charge the same annual subscription fee: $30 per device. Lookout offers a basic version of its Security & Antivirus app at no charge.

This story, "Your no-fuss, fail-safe guide to protecting Android devices," was originally published at InfoWorld.com.

Copyright © 2014 IDG Communications, Inc.