Read enough about Android security threats, and you might think that the safest thing is to turn off your phone, wrap it tightly in tinfoil, and hide it in your junk drawer. Hackers are stepping up their game -- Stagefright, the recently discovered platform vulnerability, exposes up to 95 percent of all Android devices to malicious attacks.
Mobile phones are attractive targets, getting more attractive as they become ever more functional. Phones keep financial information, details of our professional and personal lives, shopping behaviors, breadcrumbs of daily activities. For example, many of us use our phones for mobile banking and payments. What criminal wouldn't want access to those accounts?
But don't foil your phone just yet. By following our commonsense steps, you can reduce your risk of exposure to malign activities. And if the worst happens and you lose control of your phone, you can minimize the damage.
Set a screen-lock password or PIN
It seems reckless to not take this first simple step, but a recent survey reports that as many as half of mobile phone users don't lock their screen with a PIN, password, pattern, or fingerprint. With a screen lock, each time you turn on or wake up your device, you'll be asked to unlock it.
To set a screen lock, go to Settings, tap Lock Screen and Security, and set up your screen lock.
On its own, a screen lock only keeps people who have physical access to your phone from getting at your data, so don't set a screen lock and think you're safe. Some apps, such as the phone and camera, provide limited use from the lock screen. And recent reports suggest that Android passwords, PINs, and even fingerprints can be hacked, so consider a screen lock a good first step and keep reading.
While you're setting up your screen lock, make sure you're using a strong password for your Google account, and consider using a password manager, which lets you easily use strong, unique passwords for websites and apps. A recent Google security report noted that a password manager is part of a solid strategy to stay safe online.
Update your Android OS and apps
Here's another easy and effective step: Keep your Android operating system and apps up to date. Google and third-party app-makers frequently update their software, adding new features and patching security holes. Keeping software up to date can help ensure you are protected from new threats.
Although your phone should notify you if an update to the Android OS is waiting to be installed, you can check for updates too by going to Settings, navigating to System updates, and tapping "Check for system update."
To update your apps, open the Play Store, go to My Apps, and update any apps that show a new version available.
Unfortunately, you may see a lag between the time Google identifies a software security hole and when the security patch finally reaches your phone. The patch often has to make its way from Google to your handset maker, then your carrier, and finally to your device. However, Google, Samsung, and LG have pledged to release monthly security updates for their devices in an effort to shorten the space between the appearance of malware and the release of a security patch.
Beware of links in email, on websites, and in social posts
Phishing continues to be a major -- and increasingly sophisticated -- security problem. While some users get hacked through an active attack, many people open up their own security holes by getting caught in a phishing scam or by downloading malware from untrustworthy sites. Be smart about links in emails, on websites, and in posts, and if a link looks suspicious, don't click it. (See "Security software" below for more on how to be safe with shady websites.)
Use public Wi-Fi with caution
If you're using a public Wi-Fi hotspot -- in a cafe, in a hotel, on a plane -- experts say you should assume someone is snooping on you, trying to grab your information.
While some recommend that you turn off Wi-Fi and Bluetooth when out in public, that kind of defeats the purpose of having a mobile device. Most email services and e-commerce and financial sites offer secure connections by default, which provides a measure of protection when using Wi-Fi in public places, and browser makers are adding security features that will warn you when you're trying to access an insecure site. For additional security, a VPN allows you to create a private connection over a public network to send and receive sensitive data, such as credit-card information.
Download from the Google Play Store, and check app permissions
Security experts warn that a significant source of malware is websites claiming to offer free versions of paid apps, such as a free version of a paid upgrade for Angry Birds. You save 99 cents, but you now have malware on your phone, too. It's safer to download apps through the Google Play Store than through third-party sites, as Google monitors its store for malicious apps.
Also, before you install an app, read which permissions you are giving it. Scroll to the bottom of the app's Google Play page and tap Permission details. If you have concerns, such as why a flashlight app needs access to your contacts, find a similar app with permissions you are more comfortable with.
Use security software
Antivirus and security software can scan for malicious apps, warn you about suspicious websites, and offer security for lost phones. An antivirus app doesn't make you less responsible for the security of your phone, however. It works in coordination with the other steps listed here; it is not a replacement for them. Several publishers make Android security apps, including Avast, Lookout, and McAfee.
Take advantage of Android Device Manager
Losing your device or having it stolen can be just as damaging as having it hacked. Android Device Manager can help you locate a lost phone or tablet, reset the screen lock PIN, and (if you can't recover your device) erase the phone's data.
Protect your Google account
If something goes wonky with your Google account -- say, you lose your password or Google notices unusual activity -- Google can assist you through a recovery email or phone number. If you really want to be safe, set up two-step verification. With that additional step, Google sends your phone a single-use code you enter when you sign in. That way if someone does get your password, they still won't be able to get into your account. Head over to your accounts page to set up a recovery number and two-step verification.