31 October 2014

Android hardening - secure handling of personal data - local storage YES - cloud NO - Options and solutions

Nowadays, when software developers sell "their products to the consumers" and "themselves to government agencies", it's essential to safeguard personal data of any kind.
Not because you are breaking the law in your country and are afraid of the authorities,
but out of respect for your own privacy and personal data.
Even more so when you run your own business and government agencies use your private data for economic espionage, handing your company's data to your competitors. That explains how various big companies from North America have won contracts against competitors from Europe, or vice versa.

So here are a few pieces of advice for owners of Android smartphones.

1. Use a decent firewall with detailed logging capability: ukanth's AFWall+, JTScholl's Android Firewall.
   Authorise only programs whose behaviour you understand well: what they do and where they connect to.

2. Use a good permission logger/filtering program in interactive mode: Marcel Bokhorst's XPrivacy.
   Grant permissions only in interactive mode and use your knowledge and common sense to understand why a program asks for a certain permission.
   If you need a good program but it asks for strange or abnormal permissions relative to what that program is supposed to do (use your judgement), grant only the permissions you consider acceptable, in interactive mode, and check the log of XPrivacy and of your firewall for all communications. Block anything that looks suspicious.
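A small helper, added here and not part of the original post, that turns the "check your firewall log" advice into a repeatable check: it parses netfilter-style LOG lines (the `[AFWALL]` prefix and the field layout are an assumption about AFWall+'s log format), groups outbound traffic by app UID, and reports every destination the owner has not explicitly approved. Both the log lines and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed format: netfilter LOG output with AFWall+'s "[AFWALL]" prefix.
# Only the fields used below are captured.
LOG_RE = re.compile(
    r"\[AFWALL\].*?OUT=(?P<iface>\S*).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r".*?DPT=(?P<dpt>\d+).*?UID=(?P<uid>\d+)"
)

# Constructed sample lines (not real traffic), in the assumed format.
SAMPLE_LOG = """\
[AFWALL] IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41000 DPT=443 UID=10085 GID=10085
[AFWALL] IN= OUT=wlan0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41001 DPT=443 UID=10085 GID=10085
[AFWALL] IN= OUT=wlan0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=41002 DPT=80 UID=10085 GID=10085
[AFWALL] IN= OUT=wlan0 SRC=192.168.1.20 DST=192.168.1.1 LEN=64 PROTO=UDP SPT=5353 DPT=53 UID=10120 GID=10120
[AFWALL] IN= OUT=rmnet0 SRC=10.4.4.4 DST=192.0.2.55 LEN=60 PROTO=TCP SPT=41003 DPT=8080 UID=10120 GID=10120
"""


def parse_log(text):
    """Yield (uid, dst, proto, dpt) for every outbound line that matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("iface"):  # a non-empty OUT= interface means outbound
            yield m.group("uid"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def unexpected_destinations(log_text, expected):
    """Return {uid: sorted list of 'dst:proto/dpt'} not in the owner's allowlist.

    `expected` maps uid -> set of (dst, proto, dpt) the owner decided is legitimate.
    An app with no allowlist entry gets every destination reported, which is the
    conservative default the advice above calls for."""
    report = defaultdict(set)
    for uid, dst, proto, dpt in parse_log(log_text):
        if (dst, proto, dpt) not in expected.get(uid, set()):
            report[uid].add(f"{dst}:{proto}/{dpt}")
    return {uid: sorted(v) for uid, v in report.items()}


# Hypothetical allowlist: app UID 10085 is expected to talk only to 203.0.113.10:443.
EXPECTED = {"10085": {("203.0.113.10", "TCP", 443)}}

if __name__ == "__main__":
    for uid, dests in unexpected_destinations(SAMPLE_LOG, EXPECTED).items():
        print(f"UID {uid} contacted unexpected destinations: {', '.join(dests)}")
```

The allowlist is built by hand, one app at a time, after deciding which destinations that app legitimately needs; anything the report lists is a candidate for a firewall block.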


The above tools are essential, no matter whether you are from the USA, Russia, China or Iran.


3. The security suite. Depending on your country and its relations with the world powers, choose accordingly.
   If you are from the USA, it is hard to trust a Chinese or Russian product.
   If you are from Russia, the best protection comes from a Russian product. Never trust a product made in the USA or UK.
   If you are from the 3rd world (Brazil, India, Indonesia, Iran), be well informed about who the enemies of your country are, and never trust products from them.
   It would be total recklessness for Iran to use USA, UK or Israeli products.

   If you are an international corporation spread across the world, use at least double-layered security gateways with products from both the USA and Russia or China; you'll see how they react against detected malware, according to its country of origin.
   Don't be surprised if Symantec, McAfee or Comodo don't detect Stuxnet derivatives.


4. Protection of your own passwords, sensitive personal data, and so on.
   NEVER use cloud solutions, nor any product with built-in cloud functionality and no local import/export of data.
   On the list of shame come almost all known products in the categories Password Managers and Browsers.

   Only exceptions: KeePassDroid, Keepass2Android Offline (we'll see how long the German government will let the authors develop without introducing backdoors :) ).
   These are the only secure information managers that can really assure a minimal level of security for your private data.
   Both are freeware.
   All other commercial products use only the cloud for import/export/sync, and your private data is directly accessible to known government agencies.


   The only browser with local import/export of bookmarks/passwords is Habit Browser (we'll see how long the Japanese government will let the author develop without introducing backdoors :) ).
   All other browsers do not allow local import/export of bookmarks/passwords, only sync via the cloud, and your privacy is gone.


5. Regarding anti-theft software: the same rules apply as in 3 (everything depends on your country). Best of all, take good care of your device. Anti-theft software has two faces: depending on your software and, most of all, on your phone operator, tracking your device is not always to be recommended. Many operators, even in foreign countries, give government agencies total access to their infrastructure.


6. Email. Encrypt it, save it only locally on the device, and avoid syncing to the cloud or email apps that do so.
   A good email program is MailDroid, but it is still not totally secure, due to its legal domicile on USA territory.
   For better safety, use a browser and encrypted webmail.
   A pity for AquaMail: a good program, but, like Siber Systems' Roboform Password Manager, it pays its "tribute" to government agencies :) with no local storage of individual emails. If we were to joke, it seems that the NSA pays better than all the licenses sold :) for AquaMail, same as for Roboform Password Manager.
   What is funny is that the author lives in Russia.



The list of big deceptions: products claiming to respect your privacy and to help you protect it, but only empty words.

Mozilla Firefox browser and Siber Systems Roboform Password Manager. More than a year ago I contacted their managers and developers; they promised local import/export/sync. Nothing yet. Well, both being under USA jurisdiction, it's not a surprise: the USA government dictates (sorry, NSA :) ).



With respect,
Zeno Sloim