Now's the time to perform a personal Android security audit

Whether you're an amateur or an expert, this simple 10-step checkup is important -- and worth doing at least once a year.


Android security is always a hot topic on these here Nets of Inter -- and almost always for the wrong reason.

Most of the monthly missives you read about this-or-that super-scary malware/virus/brain-eating-boogie-monster are overly sensationalized accounts tied to theoretical threats with practically zero chance of actually affecting you in the real world. In fact, if you look closely, you'll start to notice that most such stories come from studies commissioned by companies that -- gasp! -- make their money selling malware protection programs for Android phones. (Pure coincidence, right?)

The reality is that Google has some pretty advanced methods of protection in place for Android, and as long as you take advantage of them and use a little common sense, you'll almost certainly be fine. The biggest threat you should be thinking about is your own security surrounding your devices and accounts -- and with the end of the year in sight, it's a prime time to perform a personal audit and make sure your setup is all up to date and kosher.

So take a few minutes and perform these quick and easy steps. Then you'll know you're ready to start the new year lean, clean, and secured as can be.

1. Look over all the apps and services connected to your account.

You've probably granted countless apps access to parts of your Google account over the months and years -- which is no big deal in general, but if you're no longer using those apps, you might as well close and lock the doors.

Visit this page in Google's security settings to see a list of everything that's authorized and what exactly it can access. If you see anything you don't recognize or that you no longer use, click it and then click the blue "Remove" button to give it the boot.

2. Clean up your list of connected devices.

Anytime you sign into a new device with your Google account -- be it an Android phone or tablet, a Chromebook, or even just the Chrome browser on a regular PC -- that device is added to a list and associated with your account.

Click over to this page in Google's security settings and give your list a once-over. If you see any old devices you no longer use, click on them and then click the bright red button to make sure they no longer have access to your account. And if you see any devices you've never used, remove them right away -- and then go change your account password immediately.

3. Clean up your devices in the Play Store while you're at it.

This one isn't directly related to security, but it's a good bit of housecleaning to perform while you've got your cleaning hat on: Head over to the Google Play Store settings and look at your list of available devices. These are the Android devices that show up as options every time you install a new app from the Play Store Web interface -- and also the devices that show up as options in the Android Device Manager (more on that in a sec).

Go ahead and uncheck the box next to "Show in menus" for any devices you no longer use. And if you see any devices with weird cryptic codenames, click the "Edit" button alongside them and rename them to something you'll recognize.

The next time you download an app or use Device Manager will be a much easier experience as a result.

4. Make sure Android Device Manager is activated and ready to go on all your devices.

You might not realize it, but Google has its own utility for tracking, finding, and remotely wiping an Android device in case you ever lose it -- and the whole system is built right into the operating system.

So what are you waiting for? Make sure all of your phones and tablets are enrolled now, before it's too late. Just head into the Google section of each device's main settings menu (or look for the app called Google Settings), then tap Security and verify that "Remotely locate this device" and "Allow remote lock and erase" are both checked.

You'll also need to ensure that location access is enabled on your device -- which it probably is, but it's worth double-checking by pulling up the Location section of your system settings and confirming that the toggle at the top-right is activated.

Now bookmark the Web version of the Android Device Manager and/or download the Device Manager app to your various Android devices. If you ever can't find your phone or tablet, open the app (from the Web or from another device), and you'll be able to pinpoint precisely where the missing gadget was last seen. You can also force it to ring, remotely lock it, or -- in a worst-case scenario -- erase it entirely.

5. Make sure you're using Android's Verify Apps system.

Another often-overlooked fact: Android has the ability to monitor your device for harmful code or suspicious activity -- no third-party apps or add-ons required.

Mosey on back to the Security section within the Google menu of your system settings (or within the Google Settings app) and make sure "Scan device for security threats" is checked. That'll allow Android's Verify Apps system to keep an eye on all apps on your device, even after they're installed, and make sure none of them is doing anything dangerous. The scanning will run silently in the background and never bother you unless something suspicious is found.

Odds are, you'll never even know it's there. But it's a valuable piece of protection and peace of mind to have.

(And remember, too, that this is on top of Android's long-standing ability to watch your device for newly installed applications and instantly check them for potentially harmful code -- and to remotely scan and monitor all apps uploaded to the Play Store before you ever get there. There's also a built-in system for detecting SMS abuse and blacklisting sources that have exhibited shifty behavior in the past. All in all, the bases are pretty thoroughly covered.)

6. Double-check your security basics.

This one should be a no-brainer, but it's important to mention: If you aren't using a security PIN, pattern, or password on any of your devices, start using one. Now.

The most likely cause of a security failure is simply a failure on your behalf to secure your stuff. You are the weakest link, as the cool kids said 10 to 15 years ago.

Embarrassingly dated pop culture references aside, think about it: If your phone has no passcode protecting it, all of your data is just out there and waiting for the taking anytime you leave the device unattended (intentionally or otherwise). That includes your email, documents, social media accounts, and entire photo collection (yes, even those pictures -- hey, I'm not here to judge).

The best part: Android makes it impressively painless to keep your devices secure nowadays. The software's Smart Lock function makes it possible to automatically keep your phone unlocked in a variety of preapproved "safe" conditions -- like when you're at home, when a specific trusted Bluetooth device is connected, or even when the phone is being carried in your pocket -- so the extra security shows up only when it's really needed.

There's no excuse to leave your stuff unprotected anymore. Head into the Security section of your device's settings to get started, if you haven't already.

7. Peek in on your saved Smart Lock passwords.

One of the newer parts of Android's Smart Lock system is the ability to save passwords for websites and apps accessed on your mobile devices. As part of our audit, glance over the list of saved passwords Google has for your account so you'll know what's there -- and while you're at it, take a few seconds to remove any dated items that are no longer needed and don't belong.

8. Evaluate your two-factor authentication situation.

A single password isn't enough to protect an important account these days -- especially one as wide-reaching and important as your Google account. Two-factor authentication makes it so that you have to put in a special code in addition to your password in order to get into your account. That increases your level of security significantly and decreases the odds of anyone ever being able to break in and access (or even delete) your personal data.

If you don't yet have two-factor authentication enabled for your Google account, head over to this site to get started. Once you have things configured, you'll use an app to generate single-use codes: either Google's own Authenticator on your phone or a third-party alternative like Authy, which can run on your phone as well as on other devices.

Speaking of Authy, if you're already using that for two-factor authentication, open the app right now and head into the Devices section of its settings. Look and see exactly what devices are currently authorized to access the app, and remove any that are dated and no longer in use.

9. Perform a general Google security check to round things out.

Take a deep breath: We're almost done! This last step will take you through a broad security check that'll confirm some of the steps we've already taken and check up on a few lingering odds and ends.

Just go to this Google security site and go through the various steps it presents. It'll make sure you have a current phone number, email, and security question in case you ever lose access to your account, and then check a handful of other areas to be 100% sure everything's in good shape.

Consider it your confirmation that your personal security setup is A-OK.

10. Think carefully about any third-party security apps you use and whether you really need them.

Now that you've made sure your Android security situation is shipshape, think about any third-party security tools you're using (whether you installed them or they came preinstalled on your phone or tablet) and what they're actually adding to your device. I'm talking Lookout, Avast, Norton, McAfee, AVG, Kaspersky -- all those sorts of things.

You've already verified that your device is protected. Android is actively scanning for threats on several levels, both on the server side at the Play Store and on your phone as new apps arrive (from any source) and continuing over time. The operating system is even looking out for SMS-based scams, and the Chrome for Android browser is keeping an eye out for Web-based threats as well.

Beyond all of that, your devices are all enrolled in a sophisticated cross-platform system for remotely tracking, pinging, and erasing as needed. And it's all happening on the native OS level.

So given all of that, is the third-party security app on your phone doing anything that isn't redundant and/or unnecessary? It's probably eating up system resources and impacting performance for no real reason -- and quite likely also costing you money you don't need to be spending -- but is it actually accomplishing anything of value that Android itself isn't already handling in a more direct manner?

The answer is almost certainly no. If having an extra security app makes you feel safer, hey, do what works for you. But if you've completed every step of this audit, there's really no reason you need it -- and every reason to send it packing.

[UPDATE: For a full list of security-oriented tools actually worth having on your phone, see this follow-up: 7 Android tools that can help your personal security]
