The paranoid Android traveler’s data-protection checklist

Credit to Author: Richard Hoffman | Date: Tue, 25 Jul 2017 03:01:00 -0700

International border crossings are often legal gray areas where government agents can, and sometimes do, ask travelers for access to their laptops, phones and other mobile devices. Complying with the request allows them to freely search, read or copy documents, emails, passwords, contacts and social media account information.

Here’s how to safeguard corporate and personal data when traveling with recent Android-based phones and tablets, using the Chrome browser. (Part 1 of this series, which focuses on the legal background of border searches, and traveling tips for Apple devices, is available here.)

Many of the processes and steps highlighted here are basically the same as for Apple devices, but there are some key differences, mostly having to do with variations in architecture and design between Android and iOS.

The latest version of Android supported by your devices will vary depending on who the manufacturer is, what device you have and who your mobile carrier is. There are a variety of licensing and other issues involved. But in general, most Android devices should get at least 18 months of OS updates — and some vendors support devices for longer. For example, Google supports its own Pixel and Nexus devices with updates for at least two years and provides security updates for three years from when the device was sold through the Google Store, or 18 months from when sales ended. With some vendors, however, you’re lucky to get even one major operating system update, and that might arrive months after its release.

As a result, the vast majority of users don’t have the latest version of Android. Currently, less than 12% of Android devices are on the newest version 7 (Nougat), more than half are running version 5 or older, and at least one in four users remains on version 4.4 (KitKat) or prior — relying on an operating system that is at least four years old, and likely unsupported. (Current version info can be found here.)

Here’s info on which Android vendors provide the best (and worst) support.

It’s worth noting that Google has gradually shifted much of Android’s core functionality into standalone apps, which allows the company to update those elements more frequently without any third-party involvement. Numerous security-related fixes and enhancements are provided directly to users, regardless of the age or maker of their device. Google also issues monthly security patches for manufacturers to address OS-level vulnerabilities, though some are better than others about delivering those on a timely and reliable basis.

The bottom line: Many devices running older versions of Android will never be able to update to the newest version, at least without using an unlocked bootloader and installing a custom ROM, a process typically not supported by vendors and beyond what most users would want to tackle. And since unlocking your bootloader can significantly decrease the security of your device, it is not advisable if you’re looking for ways to protect data when traveling. (If you are interested in more information, a good place to dive into the deep end is here.)

Changes to Android in more recent releases have bolstered security, so if you are traveling with an older device that does not support Nougat, you may want to seriously consider a hardware upgrade. Among other improvements, Nougat introduced new — and potentially more secure — device and file encryption; newer devices should have adequate hardware to handle encryption effectively (more details below).

These tips are in roughly increasing order of difficulty and complexity, with the simplest and quickest first. In general, these tips involve a tradeoff between security and ease of use (making it harder to search your device can also make it a little harder for you to use it). So you may want to use some of these options only when traveling.

1. Completely power off all electronic devices prior to border crossing.

There is often a higher legal threshold in requiring a person to turn on and log into a device than simply waking one from sleep. An encrypted device (see below) that is completely powered-off typically provides strong protection against searches. If you are asked to power on and log in to your device, you will need to weigh your choices, but there are things you can do to keep your information secure even in this scenario.

Screen lock and password settings – Android Nougat 7.0.

2. Make sure your device cannot be used without a passcode.

You will generally find these options under either Settings > Security > Screen Lock, or Settings > Display > Lock Screen. Set your screen lock to a PIN (at least 6 characters), or better, an alphanumeric password. If your device has biometric authentication (fingerprint or facial recognition), turn it off, at least while crossing the border; there is some legal gray area where you could be compelled to unlock your phone with biometrics, but not be compelled to provide a passcode. Biometric authentication can usually be found under Settings, either under Security, or Fingerprints & Security > Fingerprints. You can also go into Settings > Security > Smart Lock (if your device supports Smart Lock) and turn off “Trusted Face” and “Trusted Voice” if they are on, as well as On-body detection and Trusted devices. The point is to make it harder to get into your devices without your permission and active participation.

You should also turn off “Make passwords visible” or “Password typing visible,” which is found in Settings > Security. This makes it more difficult for someone looking over your shoulder or filming you to capture your passwords as you enter them.

You can also set your screen sleep timer (usually found under Settings > Display) to a low value, under a minute. Once the device times out and goes to sleep, you (or someone who takes your device to read through it) must re-enter your passcode to wake it. From personal experience, this can get annoying in normal use; you can change this setting back to a higher value when you’re on your way.

Display lock setting – Android Nougat 7.0.

Finally, if you can, set your device to automatically erase data after a certain number of incorrect passwords. Some Android devices, including some Verizon phones and Galaxy models, have this feature pre-loaded (usually under Settings > Display).

3. Delete your browser cache data.

For Chrome, go into History > Clear browsing data. Select “beginning of time,” and decide how much data you want to delete. The most secure option is to delete everything — browsing history, cookies and site data, cached images and files, saved passwords, and autofill form data.

Clearing browsing data – Chrome on Android Nougat 7.0.

You may also want to go into your Google My Activity page and delete your activity (it’s on the left side, “Delete activity by” and select by date).

4. Encrypt your data.

This is an area where, until recently, Android was far behind Apple in the implementation of effective, granular, easy-to-use encryption. The release of newer versions of Android, particularly Nougat, improved the situation — especially the addition of a new, file-based encryption capability (see below for details), though Android is still playing catch-up in both capability and transparency/ease of use. Some of the difference has to do with hardware decisions Apple made that allowed full, accelerated hardware encryption to be accomplished in a way that didn’t significantly slow down iOS devices; some has to do with implementation specifics of file-based encryption; and some involves differing design priorities.

Some newer Android devices come with device encryption turned on by default, but older devices often did not have the hardware capability to handle full encryption without significant slowdowns. The bottom line is that an encrypted device, especially if powered off, is enormously harder for someone to access, search and copy. If your device is fast enough to handle encryption and you are worried about data security, use it.

Full-disk encryption – Android Nougat 7.0.

If encryption is not enabled by default, the option to encrypt is usually under Settings > Security. You will ideally want to have the device fully charged and plugged in, and you’ll want to do this in advance of traveling — encrypting can take a long time the first time it is done. (If encryption is interrupted in the middle of the process, your data can be lost, so it’s a very good idea to make sure you have a full data sync/backup first.)

For older devices that have been upgraded to Nougat, the new file-based encryption system must first be enabled; it’s a clunky process that involves performing a factory reset, erasing all installed apps and data, then hopefully restoring everything from backup. At this point, the benefits may not outweigh the trouble, but if you want to give it a try, more information is available here.

Encryption can also be performed on external storage (usually via Settings > Security > Encrypt SD Card Storage). Not all Android devices have a micro-SD slot, but for those that do, traveling with an external storage card, putting critical, sensitive or confidential data on the card, encrypting the card, and then taking the card out and keeping it separate from your device can be one of the best ways to keep your data secure. Typically, SD cards cannot be encrypted unless you have selected a PIN to unlock your lock screen (see No. 2, above).

One caveat is that because of the way Android devices handle encryption of external storage, the decryption is tightly tied to a specific hardware device. If you encrypt a micro-SD card on a specific tablet or phone, and then that device is lost, stolen or damaged, or you just want to move the card to another device, you can’t decrypt it, even if you have the password. The only way to transfer a card between devices is to decrypt it first (on the same device used to encrypt it). You can always reformat the card, but of course you’ll then lose the data. The rule here is to treat the card as permanently associated with that device, and make sure you have remote backups of any data that is on an encrypted external storage card.

For more information, see: “How to Encrypt Your Android Phone (and Why You Might Want to)”; “The limitations of Android N Encryption”; and “Keeping Android safe: Security enhancements in Nougat.”
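An added example, not part of the original article: a short Python check that parses `adb shell getprop` output and flags the conditions discussed above (pre-Nougat release, unencrypted storage, full-disk rather than file-based encryption, stale security patch level, unlocked bootloader). The sample output and the 90-day patch threshold are constructed assumptions, and `ro.boot.flash.locked` is not reported by every device.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2017-07-05]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]
[ro.boot.flash.locked]: [1]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def audit(props, today, max_patch_age_days=90):
    """Return a list of findings (empty if every check passes)."""
    # max_patch_age_days is an assumed threshold, not a figure from the article.
    findings = []
    release = props.get("ro.build.version.release", "")
    major = release.split(".")[0]
    if not major.isdigit() or int(major) < 7:
        findings.append(f"Android {release or 'unknown'}: older than Nougat (7)")
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("storage is not encrypted")
    elif props.get("ro.crypto.type") != "file":
        findings.append("note: full-disk (block) encryption, not file-based")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"security patch {patch} is {age} days old")
    except ValueError:
        findings.append("security patch level not reported")
    if props.get("ro.boot.flash.locked") == "0":  # absent on some devices
        findings.append("bootloader is unlocked")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_getprop(SAMPLE_GETPROP), date(2017, 7, 25)):
        print("WARN:", finding)
```

To check a real device, pass the text from `adb shell getprop` to `parse_getprop`; this requires USB debugging, which should be switched off again before you travel.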

5. Protect social media/email accounts.

There have been numerous cases of border control staff asking travelers to log into their social media accounts and/or email on their devices, or asking for the passwords to those accounts. Your choices here are to create new “travel-only” accounts (for both social media and email) that contain only material you do not mind being searched and copied, to delete unnecessary social media apps (and browser caches, see above) as well as email accounts from your Android device before your border crossing, or both. That process is detailed in my traveler’s guide for Macs and iOS devices.

6. Create a new Google account used only for traveling (advanced).

First, create a new Google account.

Add the new account (usually Settings > Accounts, or Settings > Accounts & Sync) to your device. Don’t use the same password for both old and new accounts. If you want to share applications, books and music between the old account and the new, you can set up a Google Play Family Library that both accounts are attached to as “family members.” You can then selectively copy only the Contacts, Calendars, documents and so on that you need for travel (and that you don’t mind being searched or copied), to the new account.

For Contacts, you can copy in bulk using the Import/Export feature in the menu from the main screen, and copy from one account to the other using an external drive or Gmail. Alternately, you can Share contacts individually by going into a specific Contact and selecting Menu > Share (again, selecting only the contacts you specifically need while traveling).

You can export and then import events in Calendar, too, or you can simply share a single calendar between two accounts so either account can view and edit the same data. (A few vendors provide their own tools, but you can’t do this from your Android device — you have to do it from a computer/browser.) 

When you’re sure you have only what you need transferred over to the new account, you can go into Settings > Accounts, select your old account, and go to the Menu > Remove Account. After you return home, you can re-add your primary Google account, and (if you wish), remove the travel account.

A cautionary note: This process could cause some usability issues, as many aspects of the system — including app installations and numerous types of data backup — are tied to a device’s primary Google account. So you’ll want to proceed carefully.

7. Get a burner phone.

If you’re an Android user and decide you don’t want to risk even taking your main device on your travels, you can consider a cheap “burner” phone. You might take a look at the Unihertz Jelly and Jelly Pro, which are just finishing a Kickstarter campaign. I haven’t had one in the lab yet to test, but at least on paper it looks like it could make a good basic, nearly disposable travel phone — and it runs Nougat.

Here’s more information on the Jelly phone.

The Unihertz Jelly could be used as a “burner” phone.
