Android Security and Privacy

From Free Knowledge Base- The DUCK Project: information for everyone

The number of free Android apps that may be infected with malware is on the rise. Although some free apps look suspicious, others bearing innocent names such as "Quick Notes" or "Chess" can carry some of the worst payloads.

The basic security risks of downloading and installing Android apps range from apps that collect general usage statistics about your online activity, through apps that invade your privacy by collecting personal information, to apps that install outright backdoor trojans granting strangers access to your Android device and potentially your entire private network.

Android is unlike Apple's iOS in one fundamental way. For better or worse, Google (Android) does not exercise much control or oversight over what developers put on the Android Marketplace / Google Play, while the Apple App Store is strictly moderated by Apple. Developers have more freedom to create and share Android apps. Unfortunately, malicious app developers find it relatively easy to take advantage of this lack of oversight and make their malware available to the public through Google Play.

Google will remove apps when enough complaints are made, but it does little to inform users which apps are adware and how intrusive that adware is. Apps are classified only as free or paid. This is a clear deficiency that is entirely Google's to correct, and so far they don't seem to care.
</gre_replace>
<gr_insert after="22" cat="add_content" lang="python" orig="source: PC World">
Tip 3 (check app permissions) can be done from a PC rather than by reading install dialogs: `adb shell dumpsys package <package>` prints a "requested permissions:" section for an installed app. The following Python is an added example, not code from the PC World article or this wiki; it parses that section from a constructed sample (the package names and the list of sensitive permissions are assumptions) and flags apps, such as an alarm clock asking for contacts, that request more than their job needs.

```python
import re
from collections import defaultdict

# Permissions an app should rarely need unless they are central to its job
# (assumed list for this example; tune it to your own tolerance).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample modelled on the "requested permissions:" block that
# `adb shell dumpsys package <pkg>` prints; not output from a real device.
SAMPLE_DUMPSYS = """\
Package [com.example.alarmclock] (a1b2c3):
    requested permissions:
      android.permission.VIBRATE
      android.permission.READ_CONTACTS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.chess] (d4e5f6):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
Package [com.example.notes] (789abc):
    requested permissions:
      android.permission.WRITE_EXTERNAL_STORAGE
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")


def parse_requested_permissions(text):
    """Map each package name to the set of permissions it requests."""
    perms = defaultdict(set)
    current, in_section = None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:                               # new package block starts
            current, in_section = m.group(1), False
            continue
        if line.strip().endswith(":"):      # any section header
            in_section = line.strip() == "requested permissions:"
            continue
        m = PERM_RE.match(line)
        if current and in_section and m:
            perms[current].add(m.group(1))
    return dict(perms)


def flag_overprivileged(perms, sensitive=SENSITIVE):
    """Return {package: sorted sensitive permissions} for packages requesting any."""
    return {pkg: sorted(p & sensitive) for pkg, p in perms.items() if p & sensitive}
```

Run it against the real thing with `adb shell dumpsys package <pkg>` piped into `parse_requested_permissions`; the `install permissions:` lines carry a `granted=` suffix and are deliberately skipped.
<test>
perms = parse_requested_permissions(SAMPLE_DUMPSYS)
assert perms["com.example.alarmclock"] == {"android.permission.VIBRATE", "android.permission.READ_CONTACTS", "android.permission.INTERNET"}
assert perms["com.example.notes"] == {"android.permission.WRITE_EXTERNAL_STORAGE"}
flags = flag_overprivileged(perms)
assert flags == {
    "com.example.alarmclock": ["android.permission.READ_CONTACTS"],
    "com.example.chess": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS"],
}
assert "com.example.notes" not in flags
</test>
</gr_insert>
<gr_replace lines="26" cat="clarify" orig="Some free android">
Some free Android apps do not have advertisements, while others do. Adware is free software that displays advertisements for other products and services, traditionally within the app itself while you use it. Some adware is benign for the most part: while you have the app open, you will see a banner advertisement somewhere on the interface. Note that recently some new adware has been breaking the boundary of showing ads within the app and invading other areas of the Android device, becoming intrusive.

Tips to Avoid Malware

  1. Always research the publisher of the app. What other apps does it offer? Do any of them look a bit shady? If so, you should probably stay away.
  2. Read online reviews. Android Market reviews may not always be truthful. Check around to see what reputable Websites are saying about the app before you hit the download button.
  3. Always check app permissions. Whenever you download or update an app, you get a list of permissions for it. An alarm clock app, for instance, probably shouldn't need to look through your contacts. The general rule of thumb: If an app is asking for more than what it needs to do its job, you should skip it.
  4. Avoid directly installing Android Package files (APKs). When Angry Birds first came to Android, you could get it only through a third party. This is called "sideloading," or installing apps using an .APK file. Although Angry Birds wasn't malware, in general it is highly advisable not to download and install .APK files that you randomly come across. Most of the time you won't know what the file contains until you install it--and by then it's too late.
  5. Put a malware and antivirus scanner on your phone. Although many people still think that antivirus scanners on phones are useless, maybe outbreaks such as this one will change minds. Several different big-name security companies already offer mobile-security options, many of them free. I myself had downloaded "Spider Man," which is on a bad-apps list. My Lookout software identified it as a Trojan horse.

source: PC World Malware Off Your Android Phone: 5 Quick Tips

Free Apps and Adware

Some free android apps do not have advertisements, while others do. Adware is free software that has advertisements for other products and services traditionally displayed within the app that you see while you use the app. Some adware is benign for the most part. Basically, while you have the app open, you will see a banner advertisement somewhere on the interface. Note that recently some of the new adware has been breaking the boundary of showing ads within the app, and invading other areas of the Android device, becoming intrusive.

Often adware will connect to the Internet, using your data plan or wifi connection, and update the advertisements. The more aggressive adware will collect data about you from your device memory and send it back to companies that use that data. Finally, the most aggressive adware actually downloads and installs trial apps onto your device without your permission.

A major criticism of Google Play is that it is not clear which apps are adware and which are not. In the days of shareware sites like Tucows for the PC, there was a clear distinction between freeware and adware. You always knew what you were getting. Google doesn't seem to care whether you are aware that a free app is actually adware. Google clearly lacks the ethics of the PC shareware predecessors.

On Google Play (also known as Android Market), more passive adware is being replaced by new aggressive push adware, and furthermore by outright spyware that collects data about you from your own Android device and sends it back to third parties. In some cases apps that were previously benign have become malware after the developer released updates. This is when a good app turns bad.

reference: Detect addons (push adware and some malware related to advertising): Use https://market.android.com/details?i...addonsdetector

Some companies are looking to address the security risks being introduced by these offending adware / spyware apps. There is one called Lookout Security. Lookout Security launched its free Ad Network Detector in early 2012 but it does not flag apps that exhibit aggressive ad serving. Lookout only protects against malware that threatens your phone as opposed to adware.

"The intent of this product is to clarify for users the behaviour of applications that display ads," said Derek Halliday, senior product manager for security at San Francisco-based Lookout. "And two, to show users what privacy and information collection apps and their ad networks are doing. We're trying to provide transparency."

source: ComputerWorld UK Lookout Ad Network Detector sniffs out aggressive Android 'adware'

Android Phone's Notification Area Ads

If you have installed an adware app using push ads, you may see behavior described by an Android user as follows: "In my notification bar (where phone signal, etc. is) a green plus symbol will appear. When I bring down my notification menu it's suggesting to download an app." This person installed something from Google Play containing push ads. It was advertised as a free app with no mention of using push ads.

One remedy is to install an app such as "Airpush detector" or "Addons Detector". They can identify which app has those plug-ins.

There are some new apps reported to block ads from going to your phone even if you have adware installed. One is known as Adaway but should be used with caution.

source: The Spicy Gadgematics Remove Android Phone's Notification Area Ads Quickly - Airpush.

Adware Getting More Aggressive

Thousands of Android apps now include software that shoves marketing icons onto your phone's start screen or pushes advertising into your notification bar--and many of the apps give you no warning about the ad invasion. Many of these ads come from mobile marketing firms such as AirPush, Appenda, LeadBolt, Moolah Media, and StartApp. The companies work with greedy app developers.

Push Ads

The mobile ads are called "push notification ads" and "icon ads." Push notification ads deliver small alerts to an Android phone's notification bar. Icon ads, as the name implies, are icons that are inserted onto an Android phone’s start screen.

Push notification and icon ads are more intrusive than in-app ads. In-app ads are only visible whilst you use the app that the advertisement supports development of. Push and icon ads invade areas of your phone outside of the adware program they came with.

The main crime is that the app developer often does not disclose the push ad payload that goes onto your Android device when you install their app. These obnoxious, intrusive ads are being installed without the Android owner's consent.

Both AirPush and Appenda offer clear ways to opt out of receiving ads via their websites. But it isn't obvious that consumers would know they should visit those sites to opt out. On Appenda’s site, you submit your phone number to opt out of receiving push notification ads, which leads to privacy concerns. What will they do with your phone number later on? Do you like telemarketers and text spam?

source: PC World Sneaky Mobile Ads Invade Android Phones

Google Spying and Harvesting User Data

Google+ (formerly Picasa) automatically stealing pictures off your phone

The Google+ application which is pre-installed, will by default automatically upload photos you take on your Android device.

references:

Wipe android phone before selling

Before you sell or dispose of your Android phone or tablet

  • Transfer your phone number off the phone
  • Factory reset the phone or tablet
  • Remove or wipe microSD card
  • Optionally change your Google account password

To elaborate on the summary above: erase your Android device before selling it or throwing it away. You need to do this to keep your personal data secure. All Android devices, phones and tablets alike, provide a way to wipe via a hard reset. The reset process differs from one Android device manufacturer to the next. The best thing to do is to go to your settings menu and look for a reset option.

Settings > SD & Phone Storage and hit the "Factory Data Reset" 

Keep in mind that a reset does not clear your microSD card. You should remove your microSD card. If you plan to sell it with the phone, you should wipe and reformat it manually. Some phones give you the option to format the SD card at the same time you erase the rest of the device. If not, you'll want to connect the device to a computer and format the card.

Technically data can still be recovered after a format by someone with advanced technical skill and/or the right tools. There are programs that will do a secure wipe or overwriting format. This extra step will prevent recovery of your data from the microSD card.

Make sure you have de-activated your number from the phone with your carrier. Remove your account from the phone so your buyer can't make calls from your number. If you have already switched your number to another phone then you are good to go. Check with your carrier to ensure your number is no longer associated with the old phone if you are not sure.

Finally, if you want to be extra extra careful, you should change the Google account password associated with your phone. Each time you change Android devices and dispose or sell it, go in to Google and change your account password.

Personal Data

The sort of data on your phone includes all your music, email and text messages; your Google account username and password; your iTunes login information and other membership credentials; and POP3 email or enterprise mail login information. Android phones have multiple forms of storage inside. They have internal memory, where most of your apps and system settings are stored, and the SD card, where music, pictures, and some app settings are stored.

Recommended reading: Securely wiping any device makes it just fine to sell

Also, going a step further than doing a factory reset is flashing with the original ROM.

Hard Reset on Specific Phone Models

Root / Jail Break

Doing a factory reset will not remove root access to your phone. It will also not undo any custom ROM you have installed. Use a program such as Motorola's RSD Lite (if you have a Motorola phone) to fully wipe your phone. You may need a different program depending on your manufacturer. It is not necessary to undo the root; in some cases it makes the phone more valuable at resale. It is up to you whether you want to sell it like that or remove root access.

Changing your Google account password

You can access your Google account from a PC. Go to https://accounts.google.com/ and sign in with your username and password. On the left column menu click "Security", then towards the right side of the screen click the box "Change Password" and follow the prompts from there.

When you change the password of the Google account that is also associated with your Android device, whether from a PC or by other means, the device will not be able to sync or connect to your Google account until the password is updated on the Android device.

1. The Easy Way

Wait for the Android device to show a warning that it was unable to connect to your Google account. This will be in the form of an exclamation in the notification area (a triangle with an exclamation mark in it on the notification bar). If you click on that, you should get prompted to enter the account password. If this works, you are good to go. This is almost always what happens and it is easy. You can power cycle the phone if you want to force account authentication.

If the Easy Way doesn't work, try one of these alternative methods:

A. Alternative Method

  1. Go to Menu->Settings->Applications->Manage Applications
  2. Click on GMail in the list and, if needed, "Force Stop" then "Clear data"
  3. Click on Google Apps in the list and, if needed, "Force Stop" it, but DO NOT clear data
  4. Click on "Clear Data" on GMail Storage
  5. Exit back to the phone's Home and open the GMail app
  6. Re-enter your Google account info

If you don't see a notification that Google login has failed after a few minutes, turn the phone off and on to force a login attempt.

B. Another Alternative Method

  1. Go to google.com/accounts on the phone browser
  2. Sign in
  3. "Change Password"
  4. Go back to the Home Screen on the phone
  5. Open the GMail app, click on Menu, then Refresh -- you will get a sync error
  6. Wait for a notification to re-enter your password (a triangle with an exclamation point in the phone's notification bar and/or something in the GMail screen)
  7. Enter the new password

Some information here is sourced from a discussion on Phandroid, "Change Google account password"; credit to "astrobill".

App Visibility

When an app is installed, from Google Play or directly from the APK file, it is typically visible in the app list and the manage apps area. Users refer to something called the app drawer, which is what you see when you tap the icon typically located in the bottom right of the screen; it shows icons for all installed apps, including those not visible on the desktop overlay. The launcher, dock and app drawer are all different from the manage apps area. Android Application Visibility discusses the areas where apps are visible and icons are placed to open or manage an app. It is possible for an app to be well hidden, but it is very difficult to hide an app from the Manage Apps area. Android Terminology also clarifies terms like launcher, app drawer, etc.
