Android Best Practices

Android configuration

  • Update firmware to the latest version that is available for your device.
  • Require a passcode. Don't use a simple passcode.
  • Set an auto-lock timeout to five minutes or less.
  • Install Junos Pulse VPN application.
  • Erase data upon excessive passcode failures.
  • Turn off "Ask to join networks."
  • If you leave Wi-Fi enabled, forget Wi-Fi networks to avoid automatic rejoin.
  • Enable data encryption, if available. (Encryption may be available in Android versions 3.0 and later.)
  • Enable remote wipe via Webmail Plus or via a third-party application.
  • Turn off Latitude service in the Maps application for additional privacy.

Web browser settings

  • Block pop-up windows.
  • Disable "Remember form data."
  • Turn off "Enable location."
  • Turn off "Remember passwords."
  • Enable "Show security warnings."
  • Turn off "Enable Plugins."

Operation

  • Turn off Bluetooth, Wi-Fi, GPS if you aren't using them. (Use "Power control" widget and/or "Settings"application)
  • Use cell phone network instead of insecure Wi-Fi.
  • Avoid public Wi-Fi hotspots.
  • Don't "root" your phone or install third-party firmware.
  • Erase all data before return, repair, or recycle. Consider using a third-party app to securely erase data.
  • Keep applications updated. Remove applications you no longer use.
  • Pay attention to permissions requested by applications. Be suspicious of applications that request permissions that aren't necessary for the core functionality of the application.
  • Consider installing Lookout Mobile Security to assist with malware detection and lost device location and/or wiping.
  • Consider installing TextSecure to protect sensitive text messages.
  • Be skeptical: take a skeptical approach to messages, content and software, especially when they are coming from unknown sources via SMS, Bluetooth, email, or otherwise.
  • Check reputation: before installing or using new smartphone apps or services, check their reputation using app-store reputation mechanisms and, if possible, with friends, family or colleagues. It is good practice to install apps only from the Android Market, but if you choose to use other sources of applications, make sure you fully trust the source (e.g., Amazon). Never install any software onto your device unless you know and trust the source of that software, and you were expecting to receive it. Never ignore or override security prompts displayed by your device unless you are confident that you fully understand the risks associated with these actions.
  • Check resource usage and phone bills or prepaid balances. Mobile malware can sometimes be detected by monitoring in this way, especially when premium rate services are being defrauded or abused.

Lost or Stolen

  • Remote wipe the device.
  • Immediately change all passwords (Bronco NetID, Google, Facebook, etc.) that had been saved on the device.
  • If you used your device to access sensitive Western Michigan University information, notify immediately your unit's IT security team (See lost or stolen devices).

Sensitive Information

  • Do not store Western Michigan University (and personally owned) sensitive information (WIN, SSNs, credit card numbers, private personal information, etc.) on a mobile device such as an Android phone.
  • Only access Western Michigan University sensitive information from non-caching applications or ensure that the browser cache is erased afterwards.