Recently, under an online Android article, I read a comment from a reader who claimed that Android is as insecure as Windows was in its early days. That is quite a statement, but it mainly shows that there is still a lot of uncertainty about Android security. So what is the actual situation?
There is a lot of uncertainty about security on Android. Google itself states in its annual press releases that the Play Store is safer than ever. On the other hand, many manufacturers find it necessary to supply devices with antivirus, the Consumers' Association attacks manufacturers who do not roll out updates and security patches and there are often news reports about security on smartphones – not only aimed at Android, but also at Apple. These news items often warn against rogue apps, which are indeed reminiscent of malware on Windows. Even ransomware could theoretically strike Android.
However, the comparison with Windows does not hold. Windows is an open system, where programs and processes can install themselves in the background, often through errors in other programs, such as Adobe Reader or your browser. That even gives malware a chance to install itself when you visit a trustworthy site whose ad provider has been hacked. For example, the government has repeatedly discouraged the use of Internet Explorer in the past because it contained critical errors. That makes a virus scanner on Windows simply indispensable: fortunately, one has been included as standard since Windows 8.
Permissions and Device Administrators
On Android, it's a different story. Malware developed for the mobile operating system must be installed via an app, and that cannot happen behind your back. If you delete the app, the infection is over. Moreover, an app cannot do anything without the necessary permissions. An app must first request specific access to your contacts, location, camera, microphone and so on. When an app requests permission to use storage, it gets its own folder on the Android device to store its own data. An app with access to storage can therefore do nothing to influence the operation of the system or other apps: a so-called 'sandbox'. In addition, all permissions can be managed: you can always revoke them via the Android settings.
An app can only do something to the system or to other apps if it has been given special permissions. These permissions are hidden deep in the settings as device administrators and usage access. They always have to be granted manually. Therefore, always be very cautious when an app asks for these permissions.
Android therefore raises many hurdles, so that malware cannot just wreak havoc on your device. But it also limits what the virus scanners that you often find in the Play Store can do. Unlike on Windows, an antivirus app cannot intervene to stop other malware apps.
On the one hand, it is therefore difficult for malware to strike and for antimalware to do something about it. On the other hand, Android is a very interesting target for criminals because it is by far the largest mobile platform. Malware is indeed a problem for Android, but we in the Netherlands are often not the target audience for attackers, because we usually rely on the Play Store for our apps. Google scans the apps in the Play Store to keep malware at bay.
That does not mean that you can download everything from the Play Store without any worries: sometimes something slips through the security. Before installation, therefore, take a look at the number of downloads of the app and the ratings, and (after installation) be critical of the requested permissions. Other than that, you don't have to worry about malware apps.
But Android also offers the possibility to install apps from outside the Play Store, via so-called APK files. Before you can do this, you have to dive into the Android settings to activate it yourself. Manual installations mainly happen in countries where Google's application store is not available, such as Russia and China.
Antivirus: Wrong Protection?
An antivirus app to protect you against rogue apps is therefore completely unnecessary, despite the marketing of traditional Windows protectors like McAfee and ESET, who are eager to tap into a new market on Android. Malware protection apps are functionally too limited and unnecessary if you use the Play Store as your app source. Even if an antivirus app makes you feel safe, it's a waste of your system resources.
Where security companies do have a raison d'être on Android is in another area: phishing. Google's own Chrome browser scores poorly when it comes to blocking imitation sites of banks, social media and webmail, links to which are often distributed via WhatsApp or email. Security companies are usually better at blocking phishing sites. But beware: some companies offer a standalone browser application that is not as fast or advanced as the standard Android browser. Other apps offer the possibility to protect your default browser, after you grant them usage access (via the aforementioned permissions).
A security app can therefore protect you against phishing, but that does not sufficiently justify installing one. Preferably, just use the apps for important things such as banking, mailing, streaming, social media and so on to prevent phishing. In the meantime, Google could do a little better at protecting against phishing sites.
Why does my Android already have antivirus installed?
Despite the fact that you get nothing with a security app when it comes to protection against phishing, malware protection from McAfee, Avast, AVG or Norton, among others, is already preinstalled on many smartphones. The reason is simple: money. In this way, the security companies hope that people will take out a paid subscription (often after a trial period). Phone makers receive money or commission for this, but also give users a false sense of extra security. It's a bad practice by security companies and manufacturers, one long familiar from Windows PCs. Some manufacturers let you deactivate or uninstall the app, but not always. Samsung smartphones, for example, have the McAfee antivirus hidden in the Android settings so that it cannot be removed, and it is disguised as an important system component.
So far, we've mainly talked about how Android works and why it's better to ignore antivirus apps. But of course, security is paramount on your Android mobile device, just not in the traditional way we learned from Windows. You may use your Android device for things that only you should have access to: chatting, e-mailing, shopping, dating, photography, banking and so on. The first step you take is to prevent others from getting into your device. By default, Android stores all data encrypted, with the key that you enter at startup. You can configure this in Settings / Security.
This is also where you set up your lock screen: a device lock is an absolute must on Android. Many smartphones offer biometric unlocking, such as fingerprint unlocking, iris scan (for Samsung smartphones) or facial recognition. Biometric options are practical, but you are always dependent on the manufacturer's technology, especially with facial recognition, which sometimes leaves something to be desired. If you want the safest option, it is better to choose a password, pattern or PIN.
Android Device Manager
In addition to locking your device so that others cannot access it in the event of theft or loss, you also want to be able to find your device. Android Device Manager lets you manage and locate your device remotely. To do this, go to the find my Android page with the browser of another device and log in with your Google Account. You can then make your Android device play a sound (useful for finding it). You can see on a map exactly where the device is. If you really have lost your device, you can remotely delete all data as an emergency measure. Check beforehand in the security settings of your Android device whether this is turned on: that is not something you can still do afterwards.
Wiping an Android device raises another security issue: backups. You can automatically back up your system via Google Drive. However, it is also recommended to back up your photos (Google Photos) and contacts (Google Contacts) and to use WhatsApp's built-in backup function.
Rumor has it that starting with the Android version codenamed Q (presumably version 10), you'll be given the option to allow app permissions only when you're actually using the app. This is especially nice for apps that request access to the camera and microphone. You don't have to wait for Android Q, though. The Bouncer app brings this functionality to Android, without the need for root access. When an app asks for a permission, you now have three options: deny, always allow or only allow when the app is used. So nice!
Android has a simplified password manager built in: Google Smart Lock, which automatically fills in your passwords in apps. Chrome has recently also started suggesting (secure) passwords, which are then linked to your Google account. It's still safer than managing them yourself or keeping all your passwords on a piece of paper in the desk drawer (there are still many who think this is safe). Healthy password management keeps your accounts out of the hands of strangers. Therefore, use a password manager. Good options are Dashlane and 1Password.
The last indispensable puzzle piece for your Android security is a VPN. The more you think about it, the crazier it actually is that security companies are turning to antivirus, whose necessity is highly questionable, while VPN services are overlooked. A VPN provides an encrypted, redirected connection. This is very important because mobile devices are also regularly used on public networks, and data you send and receive on someone else's network can be intercepted. Thanks to a VPN connection, you ensure that all data traffic is unreadable. You're safe on other people's Wi-Fi networks, and because your internet traffic is being rerouted, it seems like your connection comes from a different location. So if you connect to a Dutch VPN server during your holiday abroad, you will also bypass the geoblocking of, for example, Uitzending Gemist.
It is absolutely necessary that you choose a reliable VPN provider, because in theory the provider is able to view your data traffic, unless the provider promises not to log any data. That is why a free VPN service is not really recommended: how should the provider earn its money other than with your data? Onavo Protect in particular cannot be discouraged strongly enough. This VPN service is from Facebook, a company that handles your data very poorly.
Fortunately, there are plenty of providers of reliable VPN connections, such as Private Internet Access, NordVPN, ProtonVPN, CyberGhost and ExpressVPN. The first of these can even act as an ad blocker on your Android, although this (ironically) requires you to manually download and install the app from the Private Internet Access website, as ad blocking is not allowed for apps in the Play Store.
A secure Android device actually starts in the phone shop. You are of course safest when a manufacturer provides your Android device with updates and security patches for a long time. Unfortunately, this is still sometimes the case. Google has agreed with many manufacturers to support smartphones for at least 18 months, but how quickly manufacturers can roll that out. Google itself does that for two years, which means it doesn't really set the best example: Apple supports its iPhones for much longer.
Check in advance what the Android manufacturer's reputation is when it comes to updates. The reputation of unknown Chinese brands is downright bad. But HTC and LG are also making a mess of it, with an excruciatingly slow rollout of updates. Products from OnePlus and the top devices from Sony and Samsung are better choices in that regard. It is not always the manufacturer's fault. Sometimes component makers get in the way by no longer providing the driver support needed for the rollout of Android updates. That is a good reason to ignore smartphones with a MediaTek processor.
If you are looking for the best Android support for your smartphone, then you are best off going directly to Google. Google's own Pixel smartphone line is at the forefront when it comes to fast support: these smartphones get updates first. Officially, Google does not sell the Pixel in the Netherlands, but many Dutch online stores sell it for a slightly higher price than the suggested retail price (grey import). Google has announced that the affordable Pixel 3A will also officially appear in the Netherlands, but when is not yet clear.
A few years ago, Google started the Android One program. Smartphones running on Android One have an unmodified version of Android and therefore get faster and longer update support. Almost all Nokia smartphones run on Android One, but other manufacturers such as Motorola also offer affordable Android One smartphones.