Best practices for securing an Android device

Use the features already on the phone as your first choice. The features on the phone:

  • Are battle-hardened technology.
  • Don't require Apps from third parties.
  • Are very well embedded in the Operating System.
  • Usually provide great value for money and effort.
  • Just don't look as sexy as additional features (they don't have the marketing budget).

Other recommendations:

  • Screen lock / password. (Make your password strong enough that it can't be easily guessed / compromised. My daughter cracked my complex pattern password easily, so don't use pattern passwords, and probably not PIN passwords either.)
  • Only allowing Known Sources (i.e. Android Market); remember that an application is a major attack vector.
  • Don't load hacked applications ;)
  • Don't load many applications at all.
  • Don't root your phone.
  • Use a password manager on your phone. I recommend Android LastPass myself, as it encrypts at rest, but the password has to be entered on demand to make this very secure.
  • Unless you have a secure folder as @Traroth mentions, everything on the SIM card can be retrieved by your attacker (and malware is probably able to read encrypted content when you unlock the encrypted volume; this goes for a password manager too).
  • Remote Wipe (Google Play and a lot of other services offer this).
  • Don't select "Always" for important functionality like 'Send SMS', because this can allow a compromised application to send paid-for SMS without user intervention.

Remember that each of these security technologies offers an improvement in security. But equally, they can also provide an avenue for compromise.

  1. Remote wipe and other 'control' tools can also maliciously wipe your phone if the account/service is compromised.
  2. If the application provider is compromised, then the malware-enabled application can cause a lot of mischief.

Updated for 2018:

  • Encrypted storage. Allows for (among other things) simple and complete device wipe.
  • Fingerprint unlock. Can ensure much better usability, but can also allow bully-boys to physically force you to unlock your phone.

digitalchris at reddit provided this list of software tools to help protect:

  • Android screenlock
  • Droidwall - Firewall App
  • Norton Security Beta - Anti-malware and tracking
  • Prey - Tracking application
  • TextSecure - Encrypted text
  • RedPhone - Secure phonecalls
  • Where's my droid - Tracking

You may want to consider installing the NSA's Security Enhanced Android.

Features:

  • Per-file security labeling support for yaffs2,
  • Filesystem images (yaffs2 and ext4) labeled at build time,
  • Kernel permission checks controlling Binder IPC,
  • Labeling of service sockets and socket files created by init,
  • Labeling of device nodes created by ueventd,
  • Flexible, configurable labeling of apps and app data directories,
  • Userspace permission checks controlling use of the Zygote socket commands,
  • Minimal port of SELinux userspace,
  • SELinux support for the Android toolbox,
  • Small TE policy written from scratch for Android,
  • Confined domains for system services and apps,
  • Use of MLS categories to isolate apps.

Get the download here: http://selinuxproject.org/page/SEAndroid
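As an added example (not part of the answer above or of the SEAndroid project), here is a small adb-based audit script that checks a connected device against several of the points made in this answer: storage encryption, SELinux in enforcing mode, unknown sources disabled, and no `su` binary (i.e. not rooted). It assumes `adb` is on the PATH, USB debugging is enabled and the host is authorised. The property and setting names (`ro.crypto.state`, `getenforce`, `install_non_market_apps`) are real Android ones; the pass/fail thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a connected Android device
# over adb against several of the recommendations above: storage encryption,
# SELinux enforcing (the SEAndroid point), unknown sources disabled, no root.
# Assumptions: adb is on PATH, USB debugging is enabled and the host is authorised.
# The property and setting names used are real Android ones; the pass/fail
# thresholds are this example's own choices.

# evaluate <check> <observed> <expected>: prints PASS/FAIL, returns 0 on match.
evaluate() {
  if [ "$2" = "$3" ]; then
    printf 'PASS  %s (%s)\n' "$1" "$2"
    return 0
  fi
  printf 'FAIL  %s: got "%s", want "%s"\n' "$1" "${2:-<empty>}" "$3"
  return 1
}

# grade <crypto_state> <selinux_mode> <unknown_sources> <su_binary>:
# a pure function over already-collected values so it can be exercised offline.
# Returns the number of failed checks (0 = everything passed).
grade() {
  fails=0
  evaluate "storage encrypted (ro.crypto.state)"            "$1" "encrypted" || fails=$((fails + 1))
  evaluate "SELinux enforcing (getenforce)"                 "$2" "Enforcing" || fails=$((fails + 1))
  evaluate "unknown sources off (install_non_market_apps)"  "$3" "0"         || fails=$((fails + 1))
  evaluate "no su binary on the device"                     "$4" "absent"    || fails=$((fails + 1))
  return "$fails"
}

# Run a command on the device and strip the CR that older adb versions append.
dev() { adb shell "$@" 2>/dev/null | tr -d '\r'; }

# collect_and_grade: pull the live values from the device and grade them.
# Caveat: on Android 8+ install_non_market_apps is superseded by a per-app
# permission and may read "null"; a FAIL there means "check per-app settings".
collect_and_grade() {
  crypto=$(dev getprop ro.crypto.state)
  selinux=$(dev getenforce)
  unknown=$(dev settings get global install_non_market_apps)
  if [ -n "$(dev which su)" ]; then su_state=present; else su_state=absent; fi
  grade "$crypto" "$selinux" "$unknown" "$su_state"
}

# Only talk to a device when asked, so the functions can be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
  collect_and_grade
fi
```

Run it as `sh audit.sh --live` with the phone plugged in; the exit status is the number of failed checks, so it can be dropped into a script that refuses to proceed until the device is hardened.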