How to be safe, find trusted apps, & avoid viruses - A guide for those new to Android

(Editor's note: this document is from alostpacket on androidforums.com; it's reprinted here with his permission.)

Hi all,

This guide aims to give the basic information most people want to know about the security of their phones, and when to download, and when not to download, applications from the Market.

It's my hope that this will help people make more informed decisions and be safe about their application usage, privacy, and data. I would like to welcome anyone to post additional ideas or corrections, which I will try to incorporate into the thread as well, and hopefully, if the mods here see fit, they will make it a sticky.



Background about Android

The first step in understanding the security of your phone is to know a little about what makes it tick. Android is a 'lite' version of Linux, with most applications that you download from the Market written in Java.

The reason this is important to know is that it means Android is very unlikely to ever get a virus in the traditional sense of 'virus.' Part of the reason is that Linux is a fairly secure operating system that protects various parts of itself from other parts. For the more technically inclined, this is similar to how Windows has admin accounts and limited user accounts. Because of this protection, applications downloaded from the Market do not have access to anything by default. You must grant them permission for each activity they want to perform when they are installed. This is a very important point which we will address a bit later.

Nevertheless, while Android is very unlikely to get a 'virus', that does not mean you are completely safe from 'malware', 'spyware', or other harmful types of programs.



Types of Dangerous Programs

Probably the biggest threat from any application in the Market is one that tries to trick the user into entering their data or giving it permissions it doesn't require to do its job. There are various types of these, and we'll briefly define each kind just to have a common understanding of the terms.

Malware
Malware is generally an all-encompassing term used to describe any harmful program. This includes spyware, viruses, and (sometimes) phishing scams.

Spyware
Spyware is usually used to describe software or applications that read your information and data without you actually knowing it and report it back to some unknown third party for nefarious purposes. Often this includes keystroke loggers to steal passwords or credit card information.

Phishing

Phishing and spyware are often related. They work on a similar principle of tricking the user and sending user information to a third party to steal it. The difference with phishing, however, is that the application (or website) will pretend to be from a trusted source to try and 'trick' you into entering your details. Usually this would be an app or website pretending to be affiliated with your bank, PayPal, or your email provider (Gmail, Hotmail, Yahoo). However, it can, and does, include any service where someone might want to steal your identity or password. As far as I know, this is the one and only type of malware that has come out for Android so far. You can read about it here: Phishing Android App Steals Banking Info | Android Phone Fans

Virus
The definition of virus used to be more of the all-encompassing definition that has since been replaced by the term malware. Today, virus is more typically used to describe a specific type of software that takes control of your operating system and either damages it or uses it for its own purposes. An example might be a virus that sends emails to everyone in your email address book. Again, this is the type of program least likely to be a problem for Android.

Adware
Adware is typically a bit of a grey area. Sometimes this is also called nuisance-ware. This type of application will often show the user an excessive amount of advertising in return for providing a service of dubious quality. However, this type of program can often be confused with legitimate ad-supported software, which shows a mild to moderate amount of advertising while providing a useful service that the user wants. Because it can be hard to tell the difference, there is a grey area for most anti-virus companies as to how to handle adware.



How to Protect Yourself

There are no foolproof ways to avoid all bad situations in the world, but any sane person with a reasonable head on their shoulders knows that a few good habits can keep you safe for a long, long time in whatever you do. Here are a few tips I have learned from many years as a professional software developer and from reading these forums, which have many people smarter and more knowledgeable than I am about Android.

Read the comments in the Market
This should go without saying. Before you download any application, be sure to read the comments. Don't just read the first three either; click through and see what people are saying. This can also help you understand how well an app works on your particular phone or your particular version of Android. Comments should also be read EVERY time you update an app.

Check the Rating
Any app that fails to maintain even 3 stars is likely not worth your time. If you are brave enough to be one of the first few to download an app, this may not apply to you, but almost all good apps have between 4 and 5 stars. This to me has been a great general rule for finding both safe AND quality apps.

Check the permissions

There are many things an app can do to, and for, your phone. But everything an app can do is told to you when you download and install it. Your phone will show you a list of the things that application will need to function. Read them. Try your best to understand them in terms of what the application is supposed to do for you. For example, if you download a game of checkers, and the Market warns you that it wants to be able to read your contacts, you should think twice and probably not download it. There is no sane reason a game of checkers needs to know your friends' phone numbers.

To see the permissions given to an application after installation, go to the Market, press menu, then downloads, select the app, press menu again, then press security.

Check the developer's website
Make sure the developer has a website and not just some WordPress blog. This is often a good indication of quality as well as safety. If the developer cares about their app they will likely have a relatively nice-looking website or, if they are open source, a site on Google Code. Note: sites on Google Code are NOT verified or approved by Google. However, open source is usually (but not always) more likely to indicate a safe application.

Updating applications is the same as installing them fresh
Each time you update an application on your phone, you should use the same diligence as if you were installing it for the first time. Reread the permissions to see that it is only asking for what it needs and no more. Reread the comments to see if anything has changed in the opinions of the users and to see if it still works for your phone.

If you are still unsure, ask around -- the community is your anti-virus
If you see an app you want, but it seems to be asking for more permissions than it should, or its comments and ratings are mediocre, go ahead and ask about the app in these (and other) forums. You will often find dozens if not more people who know the answers, and another whole bunch wishing to know the answers to the same questions you have.

Posting your own comments
After you have downloaded an app you can post your own comments. The comment will be visible to all other Android users, but it will only show your first name. To do this go into the Market and press menu > downloads. You should see five empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.



What does Google do to protect us?

Unfortunately, at the moment, not a lot. They do police the Market to a small extent and investigate any reports of malware. They removed the one instance mentioned above of the phishing application to protect the users of the Market. However, the Market is not like the Apple App Store; there is no screening of applications before they are posted to the Market. There are no draconian procedures or lengthy approval processes that developers have to go through to post applications. All that a developer needs to do is 'digitally self-sign' his or her application before posting it. This helps Google track any developers with ill intent, such as the one who made the phishing app (we likely won't ever see his apps again), but it's just a way to manage malware after it is discovered.



What about Wi-Fi?

One of the things to remember when trying to keep yourself safe is to be very careful with public Wi-Fi. Whenever you connect to the internet through public Wi-Fi you should never use any website that requires a password to sign in. The danger here is that you have no idea who is connecting you to the website you are trying to reach. A good analogy would be trying to mail a letter to your friend by giving it to a stranger in the street.


Permissions (work in progress, almost done)

When you install an application the Market will tell you all of the permissions it needs to function. These are important to read, as they can give you an idea if the application is asking for permission to do more than it needs. While some legitimate apps often ask for more permissions than they need, it should at least raise an eyebrow when deciding if an application is safe and of good quality. Again, to see the permissions given to an application after installation, go to the Market, press menu > downloads, then select the app, press menu again, then press security.

This list is a work in progress and by no means definitive. It also may contain errors or inaccuracies and I welcome any additions and corrections.


Services that cost you money
make phone calls
This permission is of moderate to high importance. This could let an application call a 1-900 number and charge you money. However, this is not as common a way to cheat people in today's world. Legitimate applications that use this include: Google Voice and... (suggestions needed here).

Services that cost you money [[ clarification needed ]]
send SMS or MMS
This permission is of moderate to high importance. This could let an application send an SMS on your behalf, and much like the phone call feature above, it could cost you money. Certain SMS numbers work much like 1-900 numbers and automatically charge your phone company money when you send them an SMS.


Storage
modify/delete SD card contents
This permission is of high importance. This will allow the application to read, write, and delete anything stored on your phone's SD card. This includes pictures, videos, mp3s, and even data written to your SD card by other applications. However, there are many legitimate uses for this permission. Many people want their applications to store data on the SD card, and any application that stores information on the SD card will need this permission. You will have to use your own judgment and be cautious with this permission, knowing it is very powerful but very often used by legitimate applications. Applications that typically need this permission include (but are not limited to): camera applications, video applications, note-taking apps, and backup applications.


Your personal information
read contact data
This permission is of high importance. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. The one exception to that rule is typing or note-taking applications and/or quick-dial type applications. Those might require your contact information to help make suggestions to you as you type. Typical applications that require this permission include: social networking apps, typing/note-taking apps, SMS replacement apps, and contact management apps.

Your personal information
read calendar data, write calendar data
This permission is of moderate to high importance. While most people would consider their calendar information slightly less important than their list of contacts and friends, this permission should still be treated with care when allowing applications access.


Phone calls
read phone state and identity
This permission is of moderate to high importance. Unfortunately this permission seems to be a bit of a mixed bag. While it's perfectly normal for an application to want to know if you are on the phone or getting a call, this permission also gives an application access to 3 unique numbers that can identify your phone. The numbers are the IMEI, IMSI and a 64-bit unique id that Google provides for your phone. Some software developers use this as a means of tracking piracy. Additionally, any developer targeting older versions of Android (1.6 and earlier I believe) will get this permission automatically added to their app. Nevertheless, while this permission can be innocuous, it is one to keep a good watch on. As someone posted in this thread, the application Locale was caught sending this information over the internet unencrypted to a third party -- much to the surprise of its users.


Your location
fine (GPS) location
While not a danger for stealing any of your personal information, this will allow an application to track where you are. Typical applications that might need this include (but are not limited to) restaurant directories, movie theater finders, and mapping applications.


Your location
coarse (network-based) location
This setting is almost identical to the above GPS location permission, except that it is less precise when tracking your location.


Network Communication
create Bluetooth connection
Bluetooth (see the Wikipedia article on Bluetooth) is a technology that lets your phone communicate wirelessly over short distances. It is similar to Wi-Fi in many ways. It itself is not a danger to your phone, but it does enable a way for an application to send and receive data from other devices. Typical applications that would need Bluetooth access include: (? need suggestions here).


Network Communication
full internet access
This is probably the most important permission you will want to pay attention to. Many apps will request this but not all need it. For any malware to truly be effective it needs a means by which to transfer data off of your phone, and this is one of the settings it would definitely have to ask for. However, in this day and age of cloud computing and always-on internet connectivity, many, many legitimate applications also request this. You will have to be very careful with this setting and use your judgment. It should always pique your interest to think about whether your application needs this permission. Typical applications that would use this include but are not limited to: web browsers, social networking applications, internet radio, cloud computing applications, weather widgets, and many, many more.


Network communication
view network state, view Wi-Fi state
This permission is of low importance, as it will only allow an application to tell if you are connected to the internet via 3G or Wi-Fi.


System tools
Prevent phone from sleeping
This is almost always harmless. An application sometimes expects the user to not interact with the phone directly, and as such would need to keep the phone from going to sleep so that the user can still use the application. Many applications will request this permission. Typical applications that use this are: video players, e-readers, alarm clock 'dock' views and many more.


System tools
Modify global system settings
This permission is pretty important but only has the possibility of moderate impact. Global settings are pretty much anything you would find under Android's main 'settings' window. However, there are a lot of these settings that are perfectly reasonable for an application to want to change. Typical applications that would use this include: volume control widgets, notifications, widgets, and settings widgets.


System tools
read sync settings
This permission is of low impact. It merely allows the application to know if you have background data sync (such as for Facebook or Gmail) turned on or off.


System tools [[ clarification needed ]]
Write Access Point name settings
I need a bit of clarification on this setting myself. I believe this relates to turning on and off Wi-Fi and your 3G data network. (If someone can comment and clarify I would greatly appreciate it and update this guide to reflect it.) Essentially, however, I believe this to be similar to the 'modify global settings' permission above.


System tools
automatically start at boot
This permission is of low to moderate impact. It will allow an application to tell Android to run the application every time you start your phone. While not a danger in and of itself, it can point to an application's intent.


System tools [[ clarification needed ]]
restart other applications
This permission is of low to moderate impact. It will allow an application to tell Android to 'kill' the process of another application. However, that application should have the option of immediately restarting itself.


System tools
retrieve running applications
This permission is of moderate impact. It will allow an application to find out what other applications are running on your phone. While not a danger in and of itself, it would be a useful tool for someone trying to steal your data. Typical legitimate applications that require this permission include: task killers and battery history widgets.


System tools
set preferred applications
This permission is of moderate impact. It will allow an application to set the default application for any task in Android. For instance, clicking on a hyperlink in your email will bring up a browser. However, if you have more than one browser on your phone, you may want to have one set as your 'preferred' browser. Typical legitimate applications that require this permission include any applications that replace, complement, or augment default Android functionality. Examples of this include web browsers, enhanced keyboards, email applications, Facebook applications and many more.


Hardware controls
control vibrator
This permission is of low importance (but could be lots of fun). As it states, it lets an app control the vibrate function on your phone. This includes for incoming calls and other events.


Hardware controls
take pictures
This permission is of low importance. As it states, it lets an app control the camera function on your phone.


Your accounts [[ clarification needed ]]
discover known accounts
This permission is of low importance. As far as I can tell it just tells the application if you have a Google account/Facebook account, but doesn't tell the application anything about that account.
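The "Check the permissions" advice above and the ratings in this list can be turned into a small manifest review, as in this added example (not code from the original guide). It parses the uses-permission entries of an app's AndroidManifest.xml, ranks them with the importance ratings given in this list, adds the two permissions the platform grants automatically to apps targeting API level 3 (Android 1.5) or lower, and flags anything rated above "low" that an app of the given kind has no obvious need for. The manifest, the "game" profile and the com.example.checkers package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permission name -> (label the Market shows, importance rating from this guide).
RATINGS = {
    "android.permission.CALL_PHONE": ("make phone calls", "moderate-high"),
    "android.permission.SEND_SMS": ("send SMS or MMS", "moderate-high"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("modify/delete SD card contents", "high"),
    "android.permission.READ_CONTACTS": ("read contact data", "high"),
    "android.permission.READ_PHONE_STATE": ("read phone state and identity", "moderate-high"),
    "android.permission.INTERNET": ("full internet access", "high"),
    "android.permission.WAKE_LOCK": ("prevent phone from sleeping", "low"),
    "android.permission.VIBRATE": ("control vibrator", "low"),
}
SEVERITY = {"high": 3, "moderate-high": 2, "moderate": 2, "low-moderate": 1, "low": 0}

# The platform adds these two for any app targeting API level 3 (Android 1.5) or
# lower, so the Market lists them even though the developer never asked for them.
IMPLIED_FOR_OLD_TARGET = {"android.permission.READ_PHONE_STATE",
                          "android.permission.WRITE_EXTERNAL_STORAGE"}

# What an app of a given kind plausibly needs (an assumption made for this
# example); anything rated above "low" outside the set is worth questioning.
EXPECTED = {"game": {"android.permission.INTERNET", "android.permission.VIBRATE",
                     "android.permission.WAKE_LOCK"}}

def requested_permissions(manifest_xml):
    """Return the permission set the Market would show for this manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    if sdk is not None:
        target = sdk.get(ANDROID_NS + "targetSdkVersion") or sdk.get(ANDROID_NS + "minSdkVersion")
        if target is not None and int(target) <= 3:
            perms |= IMPLIED_FOR_OLD_TARGET
    return perms

def review(manifest_xml, app_kind):
    """List (name, Market label, rating, flagged) tuples, most serious first."""
    rows = []
    for name in requested_permissions(manifest_xml):
        label, rating = RATINGS.get(name, (name, "not rated in this guide"))
        sev = SEVERITY.get(rating, 2)  # permissions the guide does not rate count as moderate
        rows.append((name, label, rating, sev > 0 and name not in EXPECTED[app_kind]))
    return sorted(rows, key=lambda r: (-SEVERITY.get(r[2], 2), r[0]))

# Constructed manifest for a hypothetical checkers game, not a real app.
CHECKERS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.checkers">
  <uses-sdk android:minSdkVersion="3" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.VIBRATE" />
</manifest>"""

if __name__ == "__main__":
    for name, label, rating, flagged in review(CHECKERS_MANIFEST, "game"):
        print(("QUESTION " if flagged else "ok       ") + f"{label} [{rating}]")
```

For the constructed checkers game the report questions contact access, SMS sending and the two implied permissions, while internet access and vibration pass as plausible for a game.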



What Does it All Mean?  This Sounds so Scary!

It might sound that way, but it is not, by any means, scary. The power of the Market is actually due to the fact that developers are free to post updates and applications much more quickly and easily. But despite the security risks that this model creates, there is an incredibly powerful deterrent to malware in the community itself. Lots of people on these boards and in the Market eagerly try out new apps and report back on their safety and quality. Again, the community is your best anti-virus app.

Version history: revision 1 of 1, last updated 02-08-2010 11:56 AM.