Top 5 Myths

Myth #1: Use VPN
Myth #2: Use a Password Manager
Myth #3: Use Antivirus
Myth #4: Root a Device
Myth #5: De-Google

Top 3 Pieces of Advice

Advice #1: Don't Trust Anyone
Advice #2: Update Often
Advice #3: Use Strong Authentication

Preface

I love finding conflicting claims inside a single post. Let's see what is going on in the article "11 Android security tips" at bestvpn.com. One tip suggests installing apps from a custom app store (e.g. Android Drawer), which implicitly means turning on the "Settings > Security > Unknown Sources" option. The next tip is to deny applications from unknown sources, which explicitly means turning the "Unknown Sources" option off.

I'm going to walk through "11 Android security tips", "10 Android phone security tips you need to know", these tips, and a few similar ones.

I am against the blanket pitching of the "best" security practices that mislead users.

I encourage critical thinking.

I am going to talk in detail about security basics and about the problem of trust.


Myth #1: Use VPN

📰 "Use VPN to stay secure. Avoid unsecure connections."

There is nothing wrong with advice to secure your connection, but we are talking about Android security, right? There is a small bunch of nuances related to VPN in the context of privacy.

So, what's wrong with that?

1. A VPN collects private data, and that data can be passed on to third parties

There is a gigantic investigation covering free VPN providers; a lot of them are secretive companies with Chinese ownership: "Free VPN Apps: Chinese Ownership, Secretive Companies & Weak Privacy".

Another news item reports data theft from a hacked VPN provider: "VPN Provider Citrix Hacked, Up to 6TB of Data Accessed".

A modern VPN service acts like a souped-up proxy server.

The amount of collected private data, the level of data protection, and the level of misuse depend on the particular VPN that a customer decides to use. Unreliable companies may leak your private statistics; others protect the collected information improperly.

Therefore a customer should be wise when choosing a VPN provider. You cannot just go to the Google Play store and use any randomly selected VPN appearing in the list.

2. Disconnect your device to stay more secure

There is a simple principle:

Device is disconnected | Device is connected
Device is more secure  | Device is less secure

There is a trade-off between being online and being secure.

Security versus availability

Why so? Because once you are in the network, your private data leaks: DNS requests, unencrypted data exchange, hidden application usage statistics, device usage statistics. In return you receive phishing emails, scams, viruses and adware.

The safest system is a vault underneath the ground.

3. VPN is for network security and Internet freedom

A VPN can secure your Internet experience. A VPN extends your Internet freedom, and I like that concept. It allows you to bypass government and ISP restrictions.

Still, VPN is a matter of network security, not really of Android device security. Of course, once you are on the web, you need to balance comfort and safety. VPN is the point where, however, we run into the concept of trust.

4. Shifting a point of trust towards VPN

If you decide to use a VPN, choose a VPN vendor you are going to trust. Think twice. Be careful.

Eventually, once you are connected, private data starts to leak, and now the VPN vendor is the single point of trust that collects all the data from your device. Your Internet service provider doesn't see your steps on the web, but the VPN server does.

Whom would you trust? Are you sure that a VPN vendor doesn't sell the data collected about you to third parties? Who is the owner of a particular VPN?

Check information about the VPN provider you are considering in the article "Free VPN Apps: Chinese Ownership, Secretive Companies & Weak Privacy".

If you cannot tell the relatively reliable VPN providers apart, look up recommendations on the Internet.

If you're still not sure, don't enable a VPN. Don't forget to check for HTTPS in the address bar of the browser and consider basic precautions.


Myth #2: Use a Password Manager

📰 "Password manager is a way to generate and manage strong unique passwords. Therefore password manager improves your security."

1. Brain is the most secure place for a password

A strong unique password is a good deal for sure. Don't confuse it with a strong password manager.

Security starts getting worse at the moment when a third-party application takes care of your secrets and synchronizes them over the Internet.

The longer the way, the higher the risk.

A password manager is custom third-party software. A good password manager encrypts your passwords before transferring them over the network. All passwords are usually encrypted under a single master password. Periodically the passwords are synchronized.

The main question: does a particular password manager deserve trust? Is a particular password manager free from leaks and critical vulnerabilities?

A single vulnerability can lead to compromising the entire set of passwords.

2. A password manager is less about security and more about user experience

It's hard to create a new password for each account, and it's hard to remember them all. A password manager helps you by generating new passwords, encrypting all passwords under a single master password and synchronizing them over the network. A password manager makes the user experience smoother.

Remember: we are talking about security.

Recall the "security versus availability" dilemma.

The brain is secure but not reliable. You can forget a complex password; then your private data turns out to be encrypted forever, your account gets closed, and it's all sad. But everything remains secure. Secure but not available.

A password manager is the opposite case. It reliably controls many passwords, but you have to trust the password manager, giving up all the responsibility.

Password in your head | Password in a password manager
Security is better    | Security is worse
Availability is worse | Availability is better

3. Choose a strong password that you can remember

A strong password is not always one that is hard to remember.

A phrase of a few words can be much stronger than a difficult pseudo-random password. I love that comic at https://xkcd.com/936/.

Note that a password manager generates a password which should be properly randomized but is really hard to remember.
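To make the xkcd point concrete, here is an added example (mine, not part of the original post) that computes the entropy of a randomly chosen word passphrase against a randomly chosen character password, using the same uniform-choice model as the comic. The word-list sizes, character-set size and guess rate are assumptions stated in the code; the one thing the numbers do not show is that a phrase the human picks "because it sounds nice" is far weaker than one drawn from a list by dice or a random generator, so the passphrase column is only valid for randomly chosen words.

```python
import math

# Assumptions for this example (not from the original post):
# - each word of the passphrase is chosen uniformly at random from a word list
# - each character of the password is chosen uniformly from a character set
# - the attacker knows how the secret was generated, so only the random
#   choice counts, not how strange the result looks
DICEWARE_WORDS = 7776                 # 6^5 words, the classic Diceware list
XKCD_WORDS = 2048                     # word-list size assumed in xkcd 936
PRINTABLE_CHARS = 26 + 26 + 10 + 32   # upper, lower, digits, ASCII symbols
GUESSES_PER_SECOND = 1e12             # assumed offline cracking rate


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy in bits of num_words words drawn uniformly from the list."""
    return num_words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from the set."""
    return length * math.log2(charset_size)


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    seconds = (2 ** entropy_bits) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_policies():
    """Rank a few memorable and random policies by entropy, strongest first."""
    policies = {
        "4 random words (xkcd list)": passphrase_entropy_bits(4, XKCD_WORDS),
        "5 random Diceware words": passphrase_entropy_bits(5, DICEWARE_WORDS),
        "8 random printable chars": random_password_entropy_bits(8, PRINTABLE_CHARS),
        "12 random printable chars": random_password_entropy_bits(12, PRINTABLE_CHARS),
    }
    return sorted(policies.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, bits in compare_policies():
        years = expected_crack_years(bits, GUESSES_PER_SECOND)
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.2e} years at 1e12 guesses/s")
```

Five random Diceware words (about 65 bits) beat eight random printable characters (about 52 bits) while being far easier to remember, which is the author's point; twelve random characters win on entropy but are exactly the kind of secret only a password manager can hold.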

4. What password manager would you trust?

Consider a pretty generic situation: you try to log in to a web site.

Before                 | After
You enter the password | The password manager enters the password

Be careful. Choose a password manager carefully. If you're not sure: don't install a password manager and remember strong passwords yourself.


Myth #3: Use Antivirus

- Let's get out of here, the author knows nothing about security.
- Wait, don't go, fellows!
- Of course antivirus is a "must-have", everyone knows!
- Yeah, you may install an antivirus application. However, it doesn't mean you can install everything you wish after that.
- Most antivirus software is bad, but my favorite antivirus is the best. I'm totally secure.
- No.

1. With great power comes great responsibility

Modern antivirus software is more than a file checker; it may contain anti-phishing, anti-theft and other protections. And that's good news.

Modern antivirus software is cloud-based technology with wide access to files and system resources. And that's "so-so" news.

The user installs a custom application, i.e. an antivirus app, and that application gets incredible power, because the user grants every permission that has ever existed.

Long list of permissions needed by "Kaspersky Mobile Antivirus"

You can expect at least two undesirable consequences:

  1. Unreliable antivirus software may collect private information and send it over the Internet.
  2. If the antivirus app itself is hacked, then someone gains access to all the collected information.

Another piece of bad news is that Most Android Anti-Malware Apps Don’t Offer Any Protection.

2. The best antivirus doesn't exist

There is no antivirus/anti-malware application able to catch all viruses and magically solve security issues.

Just as there is no VPN able to magically solve all network security issues.

"Antivirus versus virus" is an endless game. Once a new virus spreads over the web, it does harm until its signatures are added to the antivirus database and distributed to customers.

3. Don't install applications from unknown sources

The current concept of an Android mobile device is that you install applications from a trusted source (e.g. Google Play), where the application has already been scanned for malware.

The antivirus itself is checked in Google Play against viruses and well-known malicious patterns, but verifying all of its internal logic and protocols is a problem.

If you really need more security services, then take care about which antivirus to trust.


Myth #4: Root a Device

📰 "Superuser allows to make device more secure via installing a powerful secure tools and early Android updates. After rooting you can tune up your Android system, remove ads, improve performance and hack the games in a sake of adventures."

1. Superuser is too powerful

Android applications are isolated from each other (basically via a unique UID/GID per app), but an application with root privileges has the power to read from and write into any other one.

Superuser has an access to data of each application

2. Malware + root = love

When superuser is enabled, malware receives a precious gift. Malware can use root to get into each application, obtain secret keys and disclose sensitive personal data.

A lot of good points can be found in Kaspersky's blog: "Rooting your Android: Advantages, disadvantages, and snags".

After gaining superuser access rights, malicious applications enjoy full freedom. In fact, the first thing many Trojans for Android do is attempt to gain root access. Users rooting their own devices offer quite a gift to malware developers.


Myth #5: De-Google

📰 "Remove Google Services because Google spies."

1. De-Googling implies rooting

Root privileges must be gained to remove Google Services, while enabling root is not recommended. See Myth #4: Root a Device for why rooting is the worst security advice ever.

2. "Unknown sources" must be allowed

A third-party app store would be used instead of the removed Google Play. That means enabling the "Unknown sources" option in Android settings, which may harm the security of Android.

3. And about a trust

Getting back to the problem of trust.

Obviously, the advice to remove Google Services derives from a decision not to trust Google, which collects hidden statistics of various granularity.

Advice: rely on the ecosystem, or switch to a different ecosystem if you don't trust it.

Google invests a lot into Android security, as does Apple into its own ecosystem. The Google Play Store is being improved continuously, including malware and malicious behavior detection. Check out Project Treble, which brings modularity and a lot of security hardening into Android starting from Android 8.0.

Rooting and customizing Android without deep expertise is rather harmful.

Talking about Android Drawer, the best security feature there is that almost all apps have been taken from Google Play. Unfortunately, Android Drawer also allows submitting third-party applications that bypass Google Play.

Choose carefully whom you will trust.


Top 3 Pieces of Advice to Keep Android Secure

Keep It Simple Stupid

Let me cut the long story short. You just need to be careful and not overreach with proactive measures.

Let me share my personal chart of the best security tips.

Advice #1: Don't Trust Anyone

  1. Don't install apps from unofficial sources.
  2. Check permissions before app installation.
  3. Be careful on the web.
  4. Check for HTTPS in the address line.
  5. Watch out for phishing emails.

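Item 2 above, and the long permission list in Myth #3, are easier to act on with a script than by eyeballing the install dialog. The following is an added example of my own, not code from the original post: it parses the output of `adb shell dumpsys package <pkg>` and separates the permissions that should get a second look (dangerous runtime permissions that were granted, and the "special" ones that hand an app control over the UI, accessibility or installs). The sample dump is constructed here for a hypothetical package `com.example.av` and only approximates the real dumpsys layout; the permission names are real Android permissions, while the risk score and the lists of which permissions count as dangerous or special are my assumptions.

```python
import re
import sys

# Constructed sample (not captured from a device) approximating
# `adb shell dumpsys package com.example.av` for a hypothetical app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.av] (1a2b3c4):
    userId=10234
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.BIND_ACCESSIBILITY_SERVICE
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

# Assumed review policy: runtime permissions that expose personal data ...
DANGEROUS = {
    "android.permission." + p for p in (
        "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG",
        "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "CAMERA",
        "RECORD_AUDIO", "READ_PHONE_STATE", "READ_EXTERNAL_STORAGE",
    )
}
# ... and permissions that give an app control over the device beyond its sandbox.
SPECIAL = {
    "android.permission." + p for p in (
        "SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE", "BIND_DEVICE_ADMIN",
        "REQUEST_INSTALL_PACKAGES", "PACKAGE_USAGE_STATS",
    )
}

# Matches both a bare "requested permissions" line and a "name: granted=..." line.
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_permissions(dumpsys_text: str) -> dict:
    """Map permission name -> True/False if a grant state is shown, else None."""
    perms = {}
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if not m:
            continue
        name, granted = m.group(1), m.group(2)
        if granted is None:
            perms.setdefault(name, None)   # only requested so far
        else:
            perms[name] = (granted == "true")
    return perms


def audit(perms: dict) -> dict:
    """Split the permission set into what a reviewer should look at first."""
    report = {
        "granted_dangerous": sorted(p for p, g in perms.items() if g and p in DANGEROUS),
        "denied_dangerous": sorted(p for p, g in perms.items() if g is False and p in DANGEROUS),
        "special_requested": sorted(p for p in perms if p in SPECIAL),
        "total_requested": len(perms),
    }
    # Assumed weighting: special permissions count double, since each one alone
    # lets the app draw over, read, or install on behalf of the user.
    report["risk_score"] = len(report["granted_dangerous"]) + 2 * len(report["special_requested"])
    return report


if __name__ == "__main__":
    # Pipe real output in: adb shell dumpsys package com.example.av | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for key, value in audit(parse_permissions(text)).items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports three granted dangerous permissions, one denied, three special ones requested, and a score of 9. The number itself is arbitrary; what matters is that an app asking for accessibility binding, overlay drawing and package installation together is asking for the kind of power Myth #3 describes, and that is worth a deliberate decision rather than tapping "Allow" five times.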
Advice #2: Update Often

System updates contain security patches. Sometimes new bugs, too. But more likely security patches.

  1. Update Android.
  2. Update applications.
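Myth #4 (root), Myth #5 (the "Unknown sources" toggle) and Advice #2 (patch level) can all be checked from a workstation before deciding whether a phone is in a state you want to trust. The following is an added example, my own code rather than anything from the original post: it parses `adb shell getprop` output and the results of two further `adb shell` commands, and reports the indicators of a rooted or debug build, an enabled unknown-sources setting, and a stale security patch. The two property dumps are constructed, not captured from real devices; the property names are real Android system properties, the 90-day threshold is an assumed policy, and the `today` date is passed in explicitly so the result is reproducible.

```python
import re
from datetime import date

# Constructed samples (not captured from a device) approximating `adb shell getprop`.
ROOTED_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-10-05]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""

STOCK_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-02-05]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

PROP_LINE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")
MAX_PATCH_AGE_DAYS = 90   # assumed policy threshold, not an Android constant


def parse_getprop(text: str) -> dict:
    """Turn `[name]: [value]` lines into a dict; ignores anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(props: dict, today: date):
    """Days since ro.build.version.security_patch, or None if missing/malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        patch = date.fromisoformat(raw)
    except ValueError:
        return None
    return (today - patch).days


def assess(props: dict, su_path: str, unknown_sources: str, today: date) -> dict:
    """Collect hygiene findings.

    su_path         : output of `adb shell which su` (empty when absent)
    unknown_sources : output of `adb shell settings get secure install_non_market_apps`
                      (this global toggle is deprecated from Android 8.0, where
                      installs from unknown sources are allowed per app instead)
    """
    findings = []
    if su_path.strip():
        findings.append("su_binary")            # a su binary is the classic rooting artefact
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("test_keys")            # build not signed with release keys
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable")           # userdebug/eng build, adb can run as root
    if props.get("ro.secure") == "0":
        findings.append("insecure_adb_root")    # adbd itself runs as root
    if unknown_sources.strip() == "1":
        findings.append("unknown_sources")
    age = patch_age_days(props, today)
    if age is None or age > MAX_PATCH_AGE_DAYS:
        findings.append("stale_patch")
    return {"findings": findings, "patch_age_days": age}


if __name__ == "__main__":
    today = date(2019, 3, 1)   # fixed reference date for the constructed samples
    print(assess(parse_getprop(ROOTED_GETPROP), "/system/xbin/su", "1", today))
    print(assess(parse_getprop(STOCK_GETPROP), "", "0", today))
```

On the constructed rooted sample every indicator fires and the patch level is 147 days old; the stock sample is clean. The checks only read state that Android already exposes over adb; a phone that trips several of them at once is exactly the "malware + root" situation Myth #4 warns about.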

Advice #3: Use Strong Authentication

  1. Secure your device:
    • lock it down
    • don't use 1234 as your PIN
  2. Secure your accounts:
    • enable 2-factor authentication
    • don't use simple passwords