Lawyers have ethical and legal duties to take competent and reasonable measures to safeguard confidential client information; they also may be subject to other requirements to protect that data, including statutes, regulations, and contracts. These obligations extend to the use of smartphones and other mobile devices, which can be lost or stolen, hacked, or infected by malware, and whose communications can be intercepted. This lesson will offer suggestions about apps that can help protect the data on your devices and assure that confidential information remains confidential. While Bouncer (discussed later) will eliminate many concerns, users should still consider additional layers of security.
Basic Device Security
Basic security setup includes:¹
- Reviewing and following the security instructions of the phone manufacturer and carrier (an important step that is often forgotten or ignored).
- Setting the screen lock (password or PIN).
- Setting the screen timeout (how long after the last “touch” before the device automatically locks).
- Encrypting the device. (This applies to the Honeycomb, Ice Cream Sandwich, and Jelly Bean operating systems; earlier Android versions require a third-party app.)
- Maintaining physical control of the device.
- Setting a strong password, passphrase, or PIN.
- Locking the device after a set number of failed login attempts.
- Setting automatic logoff after a defined time.
- Providing for protection of data in transit.
- Disabling interfaces that are not being used (e.g., Bluetooth, Wi-Fi, etc.).
- Enabling remote location, locking, and wiping of a lost phone. (This may require third-party software or services.)
- Using third-party security applications (e.g., antivirus, encryption, remote locating and wiping, etc.).
- Backing up important data.
Do not “jailbreak” or “root” a smartphone. (These unlock a phone, including security controls.)
Although you may not be carrying the recipe for Coca-Cola Classic on your device, you probably have important confidential client information. Here are some apps designed to encrypt that data; in other words, they prevent others from seeing the information without a password or other security key.
BoxCryptor adds a layer of security to Dropbox, Google Drive, or Microsoft SkyDrive by encrypting files while still allowing users to access data easily and from any device. You control the decryption key, so only you or others you give it to can read the data. BoxCryptor is easy to use, and it has a corresponding desktop version that makes it easy to share files between devices (it works with Windows, Mac, and iOS). Moreover, because encryption and decryption are done directly on the device, the app never transmits a password.
Encrypt It (http://bit.ly/UPfkvL)
When you need to encrypt certain text, this app will do the trick, although it’s not the most user-friendly. Once you get the hang of it, it works fine. All you do is select the e-mail, document, or set of notes you want to secure and type or paste it into the app. Then enter a password (called a “seed”) and push the Encrypt button. That’s it. To decrypt, do the reverse.
Rooting Your Device—Don’t Do It
At times, you will see apps that require you to “root” your device. Don’t do it! If you do, you will almost certainly void your warranty and could “brick” the device, i.e., stop it from working and turn it into a “brick.” Rooting your device means hacking it and giving yourself “super-user” rights and permissions. When you root your device, you can load custom software and may be able to enhance battery life and performance. But the flip side is that you could create significant problems. The device may not work properly, and you won’t be able to turn to your phone provider or to the manufacturer for assistance. You’ll end up spending a lot of money on a new device.
Encrypt File Free (http://bit.ly/Ri5oIa)
All mobile lawyers should have this app. It encrypts (password-protects) files of almost any type with either a master password or a file-specific one. Once you encrypt a file, it can only be opened by someone with the password; that way, prying eyes can’t view your privileged materials.
If you need to make secure phone calls, this paid app is very good, but the other caller must also have the program. Once you both do, Kryptos encrypts your conversation against any eavesdroppers.
Antivirus and Other Security Products
Many people believe Androids are more secure than PCs; even so, they still need protection from viruses that can wreak havoc on hardware and data. Fortunately, a wide range of options makes it easy to protect your phone or tablet. Plus, many of the best products are free, and some have enhanced features that transform them into robust security suites. Some perform better on certain devices, however, so you may need to test a few to find one that works. But remember, you only need one antivirus app, not multiples.
As an all-around utility suite, it’s hard to beat ZDbox, which does just about everything, including some things you never even thought of, and does them all well and with an easy-to-use interface (see Figure 3.1). If only it had antivirus protection, it would be alone in its category. ZDbox’s battery use meter is terrific, showing how much battery power each app is using, as well as helpful information such as the battery’s health, temperature, and time until it is empty. A data gauge allows you to monitor your downloads and avoid overage charges.
One helpful feature called “Do Not Disturb” lets you silence your device at preset times to avoid embarrassing interruptions. You can also lock apps so that they only run when you enter a password. It has a task killer, an uninstaller, a file manager that helps you move apps to your SD card, and a system cleaner that gets rid of the clutter. All in all, this is as much of a must-have app as you can get.
Lookout Mobile Security (http://bit.ly/OsPGxR)
Another good mobile security app is Lookout, which includes free data backup and a “find my device” function. The app works quietly in the background and uses very little of your device’s resources. The premium (paid) version also backs up your call history and photos, adds browsing and privacy protections, and will remotely lock and wipe your device. Many users will be happy, however, with the basic version (see Figure 3.2a).
Customize How You Lock Your Phone
Security is important, and you should always set your phone to lock when it boots up and when you haven’t used it for a specified period of time. You can customize the lock screen in many ways. There’s the traditional PIN code, or you can set it up to be unlocked by tracing a pattern on a series of dots. Some versions of the Android operating system have Face Unlock, which only lets you use the phone if the front camera detects that it’s you. Regardless of the way you set up your device, always make sure it locks when you are not using it.
Norton Security (http://bit.ly/OK7Erx)
Norton is one of the most well-known names in security, and its mobile apps are excellent. Norton Security includes basic antivirus and malware protection, with antitheft, call blocking, and web protection available at an additional cost. You can set it to perform daily, weekly, or monthly scans, including scans of your SD card. Plus, you can register your devices online and manage the security settings for all of them in one place.
avast! Mobile Security (http://bit.ly/OK6P1K)
Another suite of security products that can do just about everything is avast! Mobile Security. It not only scans new and installed apps to assure that they are free of viruses but also monitors your network traffic, corrects mis-typed web addresses, verifies that websites are safe, and has a top-notch anti-theft program that allows users to control their devices remotely from the Internet or even by text or short messaging (sometimes referred to as SMS).
Dr. Web (http://bit.ly/ROTLHk)
This app goes beyond the traditional antivirus product, but it’s also not free, so you need to determine whether you need the extras. In addition to virus and malware protection, the app includes an antispam program that allows you to block calls and text messages from contacts and others whom you enter onto a blacklist. Dr. Web also has antitheft features that allow you to remotely delete all of your data. The unique Cloud Checker can block dangerous or potentially dangerous websites, although it only works with the browser set as the default.
Vault-Hide SMS, Pics & Videos (http://bit.ly/J0yING)
This app hides your private photos, videos, text messages, and contacts. The program creates a password-protected space on your device where you can encrypt and store confidential information. The free version provides basic data storage; the premium version lets you store your Vault files in the cloud, hide the fact that you even have the app, and take pictures (if your phone has a front camera) of anyone who tries to use Vault and enters the wrong password.
Norton Mobile Utilities (http://bit.ly/RmYyEJ)
Monitoring basic device information, such as battery life, app status, performance quality, and data usage, is easy with Norton Mobile Utilities. Although most users won’t need it, the paid version includes roaming overage protection, a battery saver, and an automatic task killer. Regardless of which version you choose, the program works well and has no appreciable impact on performance (see Figure 3.3).
AntiVirus FREE (http://bit.ly/Qeys64)
Also called AVG Mobilation, AntiVirus FREE is more than just an antivirus program; it’s a complete protection suite. The app scans your device and notifies you if it has any viruses or malware. In addition, the product uses Google Maps to help you locate your device if it’s lost or stolen and, if necessary, lets you wipe the device so none of your sensitive information goes public. Finally, the app monitors your battery and can tune up your device so it runs even better.
Smart App Protector (http://bit.ly/SIu7v5)
Use Smart App Protector when you have an app that you don’t want anyone else to run. You can use it for document-editing software, a text-messaging program, an e-mail client, or any other app that you want to keep private. All you do is select what you want to secure, set your password (or keyboard pattern), and you’re ready to go. For lawyers, this is an inexpensive way to add a level of security to confidential information.
How to Set and Clear a Default App
When you open files or access certain features, you may be asked whether to use a certain app by default. To do so, check “Use by default for this action” and then tap the app you want to use. Some versions of Android will now ask if you want to use the app “Just Once” or “Always.”
If you want to remove or deselect the default app, go to Settings, then select Apps and choose the app that was selected as the default. You will see a section of the screen called “Launch By Default.” Clear the selections from there, and the app won’t be the default the next time you open the particular type of file.
ESET Mobile Security (http://bit.ly/O1WYIV)
Yet another in a crowded category of quality security apps is ESET, which includes a security audit in addition to antivirus, antispam, and antitheft features. But because none of these are free, other comparable apps may do the trick, unless you really feel the need to have a periodic security analysis.
Kaspersky, one of the better-known names in security, offers a suite that has antivirus and antitheft protection, call and text-messaging filtering, and the ability to restrict access to private contacts, along with your call and text history with them. Like other similar products, this app can also block the use of your device or wipe its data remotely. What’s unclear is why the app asks for permission before it scans new or updated programs, which can be a bit annoying.
It is important to make sure that you use secure methods when adding, removing, or sharing files on smartphones and tablets. There remains substantial concern about the security of services like Dropbox because the terms of service provide limited protection and confirm that the vendor controls the encryption, which means that its employees can get access to customer data. Alternatives such as Bouncer or some of the other services listed in Lesson 2 provide enhanced security because the end user, not the vendor, controls the decryption keys.
App Security: Bouncer
Because Google has exercised limited control over Android apps, numerous malware and security issues have been found. To address this problem, Google announced in early 2012 that its new service, codenamed Bouncer, would automatically scan new and existing apps in Google Play for “known malware, spyware, and trojans” and look for “behaviors that indicate an application might be misbehaving, and [compare] it against previously analyzed apps to detect possible red flags.”
This service protects only apps sold by Google Play. To address this limitation, an app linking to Bouncer is now included with the Jelly Bean version of the Android operating system; if you purchase an app from somewhere other than the Google Play store, your device will prompt you to “verify” it. When you do, data about the app is sent to Google, which will analyze and compare it with known software to confirm that it is safe. This protection is not currently available for earlier versions of Android.
While Bouncer is a major security improvement, it is not foolproof and should be used in conjunction with other security measures to assure the greatest available protection.
¹ “Smartphones and Tablets for Lawyers: Managing and Securing Them,” Sharon D. Nelson, David G. Ries, and John W. Simek. Locked Down: Information Security for Lawyers, Chapter 7 (American Bar Association 2012).
Discover More Android Apps
This post was adapted from the Law Practice Division’s publication Android Apps in One Hour for Lawyers. Daniel Siegel highlights the “best of the best” Android apps that will allow you to practice law from your mobile device.