Image: Jack Wallen

This is my quarterly reminder to all Android users on how to avoid the pitfalls of malicious software on the Android platform.

I’m not going to lie, it gets frustrating after you’ve warned and warned and warned users on best practices to keep them safe from affronts on their mobile privacy. But like any admin, IT manager, or service provider, this fight will never end. Why? Because, no matter how hard you make your case, people are gonna people. And when they do, bad things can happen.

SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)

Said bad things (at least in this case) is the introduction of malware on Android devices. But I’m here to help you teach users to avoid that. Only this time, it’s going to come with a little tough love.

I’m going to start out nice.

1. Don’t sideload applications

As much as you want to install that fun looking game you heard about (the one only available as a download from some nefarious-looking site)–don’t. Period. End. Of. Story. Sideloading applications might be okay for those who are trying to test new features in upcoming releases of official software (that have yet to make their way to the Google Play Store). It’s not okay for installing games, themes, and other sundry apps. It’s just not. Why? Because there is absolutely no vetting to be had with that software. You have no idea where it came from, what’s in it, and no way of knowing. In fact, chances are actually good that game is nothing more than a front for a data siphon or ransomware.

So don’t install it. Period.

2. Use caution in the Google Play Store

Thing is, you can’t even be certain if the apps you want from the official Google Play Store can be fully trusted. Why? Ads. Although ads are a great way for developers to monetize their applications, it’s also a great way for ne’er do wells to inject malicious code onto your device and sniff your traffic.

To that end, maybe it’s time for Google to consider a new means for developers to monetize their apps. It’s become all too clear that ad networks are dangerous to the mobile world–an issue that should not lie on the shoulders of the users or app developers. This, of course, is a double-edged sword, as developers know fewer and fewer users are willing to pay a single penny for an app (which is a statement in and of itself). Because of this, developers are caught in a no-win situation, where they have to rely on in-app ads to make a penny or two for their hard work.

One solution is to completely end the ad revenue method and test out a subscription model for users. Users could, say, pay 10 USD per month to have completely ad-free access to all apps that would otherwise normally depend on ad revenue. The income from those subscriptions would go to pay developers (and Google, of course).

Either way, users need to employ a serious amount of caution when installing anything from the Google Play Store that’s not an official app or developed by a reputable company or developer.

SEE: VPN usage policy (TechRepublic Premium)

3. Go full-on open source

Another option is to go the route of F-Droid. What is F-Droid? F-Droid is an app you install (not from the Google Play Store) that serves as an installable catalogue of open source applications for the Android platform. But wouldn’t it be even more of a risk to install from an entity that doesn’t have the massive and official backing of Google?

One thing you should know about F-Droid is that none of the applications found within the catalogue include tracking. F-Droid also has a very strict auditing process and, because the apps are all open source, it’s quite easy for the auditors to comb through the app source code to find out if everything is on the up-and-up. In fact, F-Droid even has its own site audited, to ensure it follows best practices. They’ve worked with Radically Open Security and Cure53 for audits. Their first external audit (in 2015) found some critical issues with the site’s opt-in beta features and some minor issues with fdroid import, which isn’t used on core infrastructure.

You can read the full document of the F-Droid Security Model and judge for yourself how trustworthy the site (and what they offer) is.

SEE: IT pro’s guide to the evolution and impact of 5G technology (TechRepublic download)

4. Only install what you have to use

Here’s where the tough love comes in.

At some point the burden of blame has to also land on the shoulders of the user. Why? Because no one is making them install any and every shiny new thing they see on the Google Play Store. To that end, stop installing random apps. Just stop. Install only what you need to remain connected, informed, and productive. Sure, go ahead and install Facebook, Twitter, WhatsApp, and Instagram. And, of course, install a game or two (but only from reputable game developers).

But everything else? Forget it. No more FaceApp. No more shopping/coupon apps. In fact, any app that looks “too good to be true”–avoid it as though the life of your data security depends on it (because it likely does).

If you depend on your Android device for work, install what you need to get the job done and no more. If you depend on your Android device to stay in contact with friends and family, install only those things necessary to do so. If you depend on your Android device for entertainment, only install apps developed by official entities whose bottom line could be negatively impacted by software rife with malicious code.

Being completely honest, I could probably get by with only the following apps:

  • Gmail
  • Google Drive
  • Google Calendar
  • Google Keep
  • Chrome
  • Google News
  • Google Maps
  • Google Photos
  • Facebook Messenger
  • Twitter
  • Spotify
  • Ring
  • Amazon
  • Enpass

If my arm were twisted, I might also add Facebook. And that’s it. Most of the above list is pre-installed on stock Android. And not one app from that list relies on ads. Using the above list I can get my work done (when I’m away from my desktop) and be connected and entertained all the while.

The moral of that story is simple: The more apps you install, the more likely you are to install malware. So before you install that random app, ask yourself, “Is this worth the risk of installing malicious software on my phone?” Chances are, the answer will be a resounding “no”.