palliatives for losing mobile phone security
August 26, 2020 5:35 PM Subscribe
When Google stops providing Android security for my phone, how do I minimize my risk? Obviously I'll remove my banking app; what else should I change?
This is almost a follow-up of pdb's "what should I do with my phone?" yesterday, but I really want to keep my Pixel 2.
I *really* like my Pixel 2. It still has great battery life (perhaps thanks to AccuBattery), works flawlessly, and is a great phone for my needs. There's nothing particularly covert in my life; how safe can I be with a phone which no longer gets security patches?
At present I have the USAA banking app, and I'll remove that when security updates stop. I'll also remove LastPass, and go over passwords stored in Firefox and Chrome to make sure there's nothing there which could leak financial data or help someone log on to any financial accounts, and I never ever store bank credentials.
I've never used the phone for shopping, nor for making payments, but I do use gmail as my main email system, and have the phone set as my 2FA second verification. If I switch to using a physical device for 2FA instead of my phone (e.g. Yubikey) can I be reasonably safe with my phone for non-financial use?
What's the best way to clean up and be safe?
I *really* like my Pixel 2. It still has great battery life (perhaps thanks to AccuBattery), works flawlessly, and is a great phone for my needs. There's nothing particularly covert in my life; how safe can I be with a phone which no longer gets security patches?
At present I have the USAA banking app, and I'll remove that when security updates stop. I'll also remove LastPass, and go over passwords stored in Firefox and Chrome to make sure there's nothing there which could leak financial data or help someone log on to any financial accounts, and I never ever store bank credentials.
I've never used the phone for shopping, nor for making payments, but I do use gmail as my main email system, and have the phone set as my 2FA second verification. If I switch to using a physical device for 2FA instead of my phone (e.g. Yubikey) can I be reasonably safe with my phone for non-financial use?
What's the best way to clean up and be safe?
Maybe ask on xda-developers about recommended ROMs
posted by trig at 12:41 AM on August 27, 2020 [1 favorite]
posted by trig at 12:41 AM on August 27, 2020 [1 favorite]
If you aren’t getting security patches, you aren’t using a secure device.
Getting patches doesn’t mean you’re using a secure device either, it just means you’re more likely to be marginally better protected. Security isn’t a thing you have, it’s a process and a practice. “Reasonably safe” from who is always the question.
Anadem, a lot of this depends on what your real risks and threat model are. If you’re not an activist or journalist standing up against state actors, who might be targeted by relatively deep-pocketed and well-equipped security services of some kind, it’s unlikely to be a problem for you to stick with the phone for a few more years, and the practices you’re describing above will probably - and this is about risk management, so “probably” is all you get here - be fine.
Your Android applications don’t stop getting updates when your OS does, so use a browser that gets regular updates. Getting mail on your phone is probably fine, maybe limit it to only a day or week of backlog. Use a strong passcode and set it up so you can remotely wipe it if you need to. Yubikeys are great, but make sure your accounts can be recovered if you lose your 2FA however that happens, whether it’s your phone dies or your keys fall down a drain.
posted by mhoye at 5:17 AM on August 27, 2020 [4 favorites]
Getting patches doesn’t mean you’re using a secure device either, it just means you’re more likely to be marginally better protected. Security isn’t a thing you have, it’s a process and a practice. “Reasonably safe” from who is always the question.
Anadem, a lot of this depends on what your real risks and threat model are. If you’re not an activist or journalist standing up against state actors, who might be targeted by relatively deep-pocketed and well-equipped security services of some kind, it’s unlikely to be a problem for you to stick with the phone for a few more years, and the practices you’re describing above will probably - and this is about risk management, so “probably” is all you get here - be fine.
Your Android applications don’t stop getting updates when your OS does, so use a browser that gets regular updates. Getting mail on your phone is probably fine, maybe limit it to only a day or week of backlog. Use a strong passcode and set it up so you can remotely wipe it if you need to. Yubikeys are great, but make sure your accounts can be recovered if you lose your 2FA however that happens, whether it’s your phone dies or your keys fall down a drain.
posted by mhoye at 5:17 AM on August 27, 2020 [4 favorites]
I would suggest dumping any apps on the phone you can live without, or have the option of using a website of instead. This reduces the exploitable surface area of the device.
posted by nickggully at 8:07 AM on August 27, 2020 [1 favorite]
posted by nickggully at 8:07 AM on August 27, 2020 [1 favorite]
With respect to apps, if you use the phone for browsing I'd use firefox with addons like ublock origin and noscript.
If you've never used f-droid, it's an open-source app store full of open-source apps, which (theoretically, at least) are less likely to have malware.
posted by trig at 8:44 AM on August 27, 2020 [1 favorite]
If you've never used f-droid, it's an open-source app store full of open-source apps, which (theoretically, at least) are less likely to have malware.
posted by trig at 8:44 AM on August 27, 2020 [1 favorite]
This thread is closed to new comments.
posted by oceanjesse at 8:47 PM on August 26, 2020 [6 favorites]