[TUT] Android Security

This thread is meant for all new Android Users, unsure about the security of their phone and their personal data in this operating system.
Please feel free to contribute all kinds of security related information (anti-virus, firewall, theft protection but also viruses, data harvester apps...).

The structure of this thread:
1. Common Sense / Permissions
2. Security Software
3. Dangerous Software
4. FAQ


1. Common Sense / Permissions

In contrast to what you might be used to from Windows Mobile, Android informs you about the permissions, an app requests, when installing it, either through the Android Market or through an .apk file.
It is important to read these permissions and be reasonably suspicious, when an app requests permissions, that seem inappropriate. But some common sense is also needed to understand that some apps need permissions, you cannot understand immediately.

Here is an example of the permissions, you have to accept before installing an app:



What do these permissions mean?

I will not list all the permissions here, some are self explanatory and for everything else, you can read up on them here.
In general, you can trust Google with all their apps and permissions. Voice Control apps and Siri clones also in general require a lot of permissions, which makes sense, as they should be able to call your contacts, send emails and sms, etc. Install those apps only by developers you trust!

1.1 Permissions you can do nothing about

- Hardware controls, such as disable sleep mode etc.
mostly required by games, that want to keep the display on. Nothing to worry about.

- Write to your sd card
Apps that edit files (e.g. photo editors, office apps, ...), download files (Dropbox, Download all files, Wallpaper or ringtone downloaders, ...) and games, that require additional data to be played (e.g. Gameloft games or other graphics intensive games) need to be able to write files to your sd card, either after you created those files yourself or downloaded files.

- reading imei / phone state
many apps require this permission. while, technically, with a security app, you could disable this permission for the apps, it is not such a bad thing.
this permission is needed to identify the phone. commercial software might determine your valid purchase status through the imei.
the phone state also gives apps the possibility to react to incoming calls and go into standby for the duration of the call.


1.2 Permissions that invade your privacy

- access SMS inbox
necessary for Try 'n' Buy Apps (e.g. Gameloft Games), Apps with in-App purchases, and some apps, that require sim identification (whatsapp, Dailyme...)
For everything else, you should be suspicious.

- access contacts/ call logs
necessary for communication apps with contacts sync (twitter, facebook, skype, ...), also every app which has to do with ringtones (zedge, mp3 ringtone maker, ...) and online games, where you can invite friends to play with you (mostly card and board games and MMOs). Everything else might be a data harvester.

- your current location (network based or gps)
necessary for navigation apps, photography apps and communication apps that allow you to share your location.
Other apps, especially games, should not have this permission.

1.3 Permissions that might cost you money

- make outgoing phone calls
necessary for google apps, voice control apps and name lookup/caller id/phone book apps (for Germany dasTelefonbuch, dasOertliche and klicktel).
This permission should generally not be found in games and small info apps.

- send SMS
necessary for apps with sim activation (Try 'n' Buy Games, apps with in-app purchases, whatsapp, ... (see "access SMS inbox")).


For everything else, when in doubt, google the name of the permission or ask here, what it means and whether the app is trustworthy.

So, what can you do about these permissions?

There are basically 2 options:
1. Don't Install an app that seems suspicious for requesting too much information.
2. Install security software to block certain permissions.

2. Security Software

Here we gather general information and reviews on different security apps.

2.1 LBE Security

LBE Security is a very powerful Security Suite. It can be found here (XDA) and here (Market).
It requires root.
With this app you can regulate permissions given to all the apps you have installed. you can set Internet Access (separated by 3G and Wi-Fi), IMEI, SMS, contacts, location... for all your apps. Also, there is an app monitor, that gives you a notification icon for newly installed apps, so you can comfortably set its permissions. Also, it comes with a traffic monitor, that tells you, how much of your monthly plan has been used. Its statistics can also show you, which app used up what amount of traffic and how many calls and sms were caused by each app. Also, besided permanently forbidding or allowing something, you can set it to ask you each time, as you might want to allow an app to send an SMS once (for verification), but not anymore after that.

Forbidding all unnecessary permissions for apps (including Internet), this is the only software I currently use, as, when set up right, it effectively works as firewall, traffic monitor, virus protection and privacy protection.


2.2 ???

As mentioned above, I only use the one app, but feel free to post basic information and/or reviews of other apps, like kaspersky or avg or droidwall or whatever comes to mind and I will post them here.

3. Dangerous Software

In this portion of the thread, I will list all apps, that have been posted as data harvesters, viruses or generally harmful to your device.

4. FAQ

Here we collect the Questions and Answers worth mentioning.

Let me start of with a few questions on specific permissions:

1. Two out of the three Angry Birds versions on the market require "Positioning". I denied this through LBE and it works just fine, I don't see, what the app would need that for.
2. While I understand that the official Facebook app would need the permissions for contacts and Location, I wonder why it wants to read my SMS inbox and sent paid SMS. I also denied this through LBE. Doesn't seem to be necessary.
3. could someone send me the correct names for all the permissions?

that is true. but the information here is meant for new android users, and there are very few around the general section, while i think, that many of the blackstone users just recently started working with android.

yeah, I understand he was talking about the "general general section", but again, don't all noobs just look at their own device's sections? I mean, I don't even look into the general sections, only the devices I own and/or moderate. However, I believe there is something to it, so I moved it to "Android General" and back, leaving a permanent redirect, so this thread is found there as well which will hopefully draw some attention and also contributors here.

Btw. if there were several contributions that concern blackstone specific security, I'd be fine with that as well. Most important thing is that someone posts more content for me to add. I'm not exactly an expert on the topic, just wanted it covered because I believe it is important and has come up recently.