This is intended to be an accessible guide to practicing hardening and security awareness for technical laypeople using the Android platform to communicate. While there will never be a set-it-and-forget-it solution, this guide attempts to be a starting point for people who want to learn more about a practical and accessible security procedure for their Android phone.
The Android operating system usually ships with security settings that are reasonable under a certain set of assumptions. Unfortunately, many of those assumptions rest on promises that Google or your phone's manufacturer cannot truly keep while still providing all the functionality the end user wants from the device. While these assumptions can keep you safe in some circumstances, they also make you part of a large, appealing target, and they break down often. So people who want reasonable assurance of the privacy of their communication on Android-based operating systems should be in control of their devices in every way they possibly can.
The rest of this guide will focus on how to avoid allowing a malicious actor to take control of your phone, but the truth is that 99% of compromises are the result of somebody clicking on something fucking stupid, and they usually won't admit it. They install a malicious fucking "Scrabble" game or some dumb fucking shit and then they get mad at me when I remove it and do my best to clean up the damage it did. There's no point securing your device if you're going to download shit willy-nilly off Google's fucking Play Store.
Do not install apps unless you can trust them not to contain deliberately placed malicious code. Depending on who places the code and how, this is called either a "Trojan Horse" or a "Backdoor."

Scenario A: a malicious person creates an application which contains code that takes control of information on your device and uses it for malicious purposes. This can be anything from simple things like collecting personal data or location data to more complex things like injecting malicious code into the Android operating system itself. As a rule, IF YOU CAN DO WITHOUT AN APP, DON'T INSTALL IT. If you wish to avoid surveillance in a serious way, remove as much non-essential software as possible; every extra app is more code that may contain bugs or a Trojan Horse. You may say, "But it's just a little game. Can't I install that? It's harmless." That is exactly how Trojan Horses work; that is what the phrase "Trojan Horse" means: an innocuous-looking object that conceals a hidden threat. Malware authors do not label their products. Don't fucking install it.*

Scenario B: a malicious person creates an application which bills itself as a secure application but secretly contains code that lets the app maker remotely access your device or its data. That is called a Backdoor, and because nobody outside the vendor can review the code, it cannot be ruled out in proprietary messaging systems such as Skype and Facebook Messenger. This is of course game-over from a privacy perspective. Much of this guide will center on offering alternatives to messaging systems that may contain Backdoors or Trojan Horses, but the bottom line is that if you don't need an app, don't install it.

At times, this will mean giving yourself potentially dangerous power over your phone that the manufacturer does not want you to have. Having this power does not make you inherently insecure; it simply means that anyone who takes security seriously must be in control of his or her own security at all times.
*If you want to get games, you should do one of two things. First, and the preferable option, is to get another device which you use to run apps that can't be trusted alongside private communication information. This device will be your social/entertainment "Sandbox," separate from your private communications. I usually keep one Social/Entertainment Sandbox and the rest of my computers are hardened, fully-liberated GNU+Linux machines which refuse any insecure connections. The other option is to only install games from Free Software projects, preferably through the F-Droid app repository explained below. This is still a compromise, and these could still contain vulnerabilities, but due to the ever-present possibility of peer review they would be unlikely to contain malware or backdoors.
Goal: Remove as many pre-existing vulnerabilities as possible and take control of the device in question from the manufacturer who really controls it.
Computer Hardware and Operating Systems

The modern computer is possible as a consequence of the mathematical discovery that has come to be known as "Turing completeness": from a small set of basic operations a machine can be built which can be programmed to perform any computation. However, those basic operations are very simple, and modern computers provide many ease-of-use layers between the person at the keyboard and the actual hardware. The first of these is the more complex instruction set of a modern processor, which is equivalent in power to the basic Turing operations (that is, it is itself Turing complete) but does in a single step work that would take many of them, which also makes your computer faster and more efficient. The advantage of this layer from a security standpoint is that it is fairly difficult to alter; even if the hardware contains a vulnerability, triggering it would most likely require a backdoor in the operating system as well, because an always-on hardware backdoor that transmitted data on its own would be far easier to notice on the network. The next layer of importance is the operating system, which provides the interface that programmers use to write the programs you use from day to day, like your web browser or your word processor. The operating system does this through a collection of smaller components (the kernel, device drivers and system services) which pass messages to each other so that requests are processed in the correct order.
Get Updates

You should always install the latest security updates for your operating system in order to fix operating system bugs that introduce vulnerabilities. For instance, a program manages the speaker, and when you play a sound a "stream" of information is passed to that program, which it then uses to instruct the speaker. A classic exploit would be a specially crafted stream that overflows the memory the speaker program has reserved for it, letting an attacker write into the memory area adjacent to that buffer. If that adjacent memory holds code the program will run, or the address of the code it will jump to next, the attacker has taken control of that process on your computer, with every permission the process had. Many exploits follow this pattern of injecting malicious code into a program which has permission to run it. These kinds of vulnerabilities are usually honest mistakes that are patched after being discovered, and whether you ever receive the patch depends on your device's operating system update policy.
Stick to Free and Open Source Operating Software Wherever Possible
There's a good chance that your device manufacturer has an insufficient operating system update policy. If at all possible, you should find a Free and Open Source ROM (the Android community's word for a complete, installable operating system image) to put on your device. The reason for this is twofold. First, by using a Free and Open Source ROM you can be reasonably confident that your operating system does not contain a deliberate backdoor or vulnerability, because you, or anyone else, can at any time review the source code that makes up the operating system; note that this guarantees the code can be reviewed, not that anyone has reviewed it. Second, the most popular Free and/or Open Source ROMs, such as CyanogenMod, Replicant and OmniROM, receive updates directly from the ROM developers rather than waiting on the manufacturer. If your device isn't officially supported by one of these ROMs, you can find someone who has ported a Free and Open Source ROM to your device on a site like XDA-Developers, use that ROM, and actively contribute reports of your bugs; or financially support the independent development of Free and Open Source support for your device; or take your chances with a "de-bloated stock ROM", which may be better than using a Free and Open Source ROM which isn't being actively developed. The install procedure for your device may vary, but chances are that you'll find instructions at XDA-Developers. Be aware that installing a custom ROM normally requires unlocking the bootloader, which wipes the device and afterwards lets anyone with physical access flash and boot whatever they like; the encryption described in the next section is what protects your data in that situation.
Goal: Make it prohibitively difficult for an attacker who can physically access your device to read, copy, or alter the data on your device.
This part is comparatively easy and self-explanatory. Android and related operating systems have the ability to encrypt the storage partition that holds your user data: installed apps, their settings, your messages and files. (The system partition, which holds the operating system itself, is not covered by this encryption; it is mounted read-only and its integrity is the job of verified boot on devices that have it.) Encryption accomplishes two tasks.
First, encryption hides the contents of the storage device by scrambling the information on it using a secret key. When you enter your password, it unlocks that key, which tells the system how to unscramble the information on the storage device. This keeps people from reading your files.
Second, it makes tampering much harder, but note the limit: encryption by itself hides data, it does not prove the data is unaltered. Someone who modifies the encrypted disk from another device without the key cannot freely choose what the modified bytes will decrypt to; most changes come out as garbage, which is what keeps working code from being injected that way. That is a useful side effect rather than a guarantee, and the encryption field treats integrity as a separate job from confidentiality, done with an authentication tag (a MAC) over the encrypted data or, for the system partition, with verified boot (dm-verity) on devices that have it.
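The difference between hiding data and detecting tampering is easy to see in code. What follows is an added example, not part of the guide or of Android: a stand-in stream cipher (SHA-256 in counter mode, chosen so the block runs with the Python standard library; Android's dm-crypt uses AES) and HMAC-SHA256 as the authentication tag. The sample line, keys and nonce are constructed for the demo, and the function names are chosen here. `tamper_unauthenticated` shows an attacker with no key flipping a `1` to a `0` inside the encrypted data, which then decrypts cleanly; `tamper_authenticated` shows the same edit rejected once a MAC covers the ciphertext.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes of keystream with SHA-256 in counter mode.
    Teaching construction standing in for a real cipher such as AES."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def flip_byte(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Attacker's move: with no key at all, change the plaintext byte at `offset`
    from `old` to `new` by XORing the difference into the ciphertext. This works
    against any unauthenticated stream/CTR mode; CBC is malleable in a similar,
    messier way (one garbled block, then chosen bit flips in the next)."""
    ct = bytearray(ciphertext)
    ct[offset] ^= old ^ new
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting anything."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data was modified")
    return decrypt(enc_key, nonce, ct)


# Constructed sample: a one-line setting a tamperer would love to flip. Keys and
# nonce are fixed so the demo is repeatable; real systems use random ones.
SAMPLE = b"ro.secure=1\n"
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
NONCE = b"\x00" * 16


def tamper_unauthenticated() -> bytes:
    """Encrypt SAMPLE, flip the '1' to '0' in the ciphertext without the key, decrypt."""
    ct = encrypt(ENC_KEY, NONCE, SAMPLE)
    idx = SAMPLE.index(b"1")
    return decrypt(ENC_KEY, NONCE, flip_byte(ct, idx, ord("1"), ord("0")))


def tamper_authenticated() -> bool:
    """Same flip against the sealed blob; True means the MAC caught it."""
    blob = seal(ENC_KEY, MAC_KEY, NONCE, SAMPLE)
    idx = SAMPLE.index(b"1")
    try:
        unseal(ENC_KEY, MAC_KEY, NONCE, flip_byte(blob, idx, ord("1"), ord("0")))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(tamper_unauthenticated())  # b'ro.secure=0\n' -- accepted without complaint
    print(tamper_authenticated())    # True -- rejected by the integrity check
```

The unauthenticated case is the one to remember: the attacker never learned the key and never saw the plaintext, yet produced exactly the plaintext change they wanted. Only the tag in the second case turns "scrambled" into "tamper-evident".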
The best time to encrypt your phone is when it is 1: fully charged, 2: plugged in to a power source, and 3: not otherwise in use. The initial pass encrypts the whole data partition, takes an hour or more on a well-filled device, and must not be interrupted; Android itself warns that interrupting it can lose some or all of your data.
Enable Password
When your device goes to sleep, the password will be required to unlock the device.
Enable Encryption
Now your device cannot read the data partition at boot until you enter the password you set previously; without it the data is just scrambled bytes. Be aware of the limit: locking the screen does not discard the encryption key. While the phone is powered on, the data is unlocked to the running system and only the lock screen stands between an attacker and it, so when you want the data truly locked, power the phone off rather than just locking it.
Codes and Ciphers
Addressing and Transport
End to End: peer-to-peer encryption is also referred to as "end-to-end" encryption, and refers to encryption schemes where only the communicating parties hold the keys and do the encrypting and decrypting. This means that even if information is captured in transit, including by the operator of the servers that relay it, its meaning cannot be read, because the keys never left the two endpoints. Contrast this with systems that encrypt only the connection between you and the provider: there the provider decrypts your messages on arrival and can read, store or hand over whatever it likes.
The Problem with the Play Store

Many people advocate the use of the Google Play Store for a few of its advantages. The Google Play Store lets app developers sign their apps with their own cryptographic keys, for one, which many app stores do not. It also sometimes receives updates before other app stores do. However, those pale in comparison with its disadvantages. The first and foremost disadvantage is the seemingly total lack of meaningful auditing of the apps that are included in the Play Store. On a single search for a more-or-less benign term like "Chess Game" it is possible to find half a dozen apps that ask for inappropriate or excessive permissions in order to track users. These anti-features are not explicitly listed and are frequently deliberately surreptitious. There are other real problems with the Play Store and Google's services in general as well, including the ability for Google to remotely install and remove applications on your device without your consent or knowledge. If you installed a Free and Open Source ROM for your device, you've already rid yourself of the Play Store and can now move on to something better.
First, enable installation from "Unknown Sources" (under Settings > Security on most devices). Out of the box, your device "trusts" applications that Google Play Services trusts, which, as we've already seen, is a weak filter against malicious apps. In this step, we're going to enable you to install apps that aren't trusted by Google Play Services but which come with their own trust mechanism through F-Droid. Security-conscious users should carefully judge apps they install on their own merit, and not upon the trust that Google places in them.
Next, download and install F-Droid from its web site (f-droid.org), over HTTPS. Know what you are trusting when you do this: F-Droid builds the apps in its repository from source and signs them with its own key, so you are trusting the F-Droid project's build process rather than each app developer's key.
This section is mostly for people who have to use "Modified Stock" ROMs instead of Free and Open Source ROMs, and only if the Modified Stock ROM doesn't already put the phone owner in control of the administrative (root) account. It is included mainly to discuss the issues surrounding rooting, and because rooting is required for those who wish to de-bloat a stock system without compiling Android from source for their device. Rooting also allows you to use certain applications that need elevated permissions, such as a firewall, to block other applications from sending information.
For the purposes of this set of instructions, rooting is a necessary step in assuring that you are in complete control of what the programs on your device do at all times. It is the process of obtaining full administrative privilege over your device's settings and contents. This is necessary because many of Android's features transmit data back to various parties concerned with the operation of your device, like the manufacturer or Google. Even if that information is never misused by those parties, it can be eavesdropped upon from many points in the network by unscrupulous characters, and as such should be disabled on any phone used for sensitive communication.
Why rooting is a security risk, and why you should do it anyway: every root guide you read will warn you about the security risks of rooting, but not every guide will say what those risks actually are. Sometimes that's because the risks are, relatively speaking, so low that the people adapting the root exploits are not aware of them. There are only 2 risks really associated with rooting your device.
It is also possible to root your device without trusting an app by running the so-called "Master Key" exploit from your computer with your phone plugged in; note that it only works on devices that never received the 2013 fix for that bug. To do this, you'll need a GNU+Linux computer with the Android Debug Bridge (adb) and the Android Asset Packaging Tool (aapt) installed.
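The Master Key bug referred to above (Android bug 8219321, disclosed in 2013) was a flaw in APK signature verification: a zip archive may contain two entries with the same name, and the code that verified the signature and the code that loaded the file disagreed about which copy to use, so modified code could ride under a valid signature. Whether or not you use it to root, the shape is worth knowing, because the same property can be checked defensively before sideloading anything. The following is an added example, not from the guide or from any Android tool: the APK-like archive it builds is constructed in memory with placeholder contents, and `duplicate_entries`, `all_copies` and `build_sample_apk` are names chosen here.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> list:
    """Names that appear more than once in the zip central directory.
    A legitimately built APK has none; two copies of one file mean two
    parsers can disagree about which copy is 'the' file."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())
    return sorted(name for name, n in counts.items() if n > 1)


def all_copies(apk_bytes: bytes, name: str) -> list:
    """Contents of every entry called `name`, in central-directory order.
    Reading by ZipInfo fetches each copy separately; zf.read(name) would
    silently hand back only one of them, which is exactly the ambiguity."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def build_sample_apk(with_duplicate: bool) -> bytes:
    """Constructed sample, not a real APK: the minimum zip layout for the demo.
    With with_duplicate=True a second classes.dex is appended after the
    'signed' one, the shape the Master Key bug abused."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name but writes it
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00 signed original code")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            if with_duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00 unsigned injected code")
    return buf.getvalue()


if __name__ == "__main__":
    clean, tainted = build_sample_apk(False), build_sample_apk(True)
    print(duplicate_entries(clean))    # []
    print(duplicate_entries(tainted))  # ['classes.dex']
    for copy in all_copies(tainted, "classes.dex"):
        print(copy)
```

To check a real file, pass `open("some.apk", "rb").read()` to `duplicate_entries`; any non-empty result is reason enough not to install it.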