I recently had to deal with a non-rooted phone for a couple weeks before my new device arrived, and had to rediscover a few simple, easy things that one can do to gain a little privacy back, and not risk messing with critical system files, as with root methods.
Terminology:
Root Access : To fully understand the concept of 'rooting' your phone, you need to understand a couple simple things about the way Linux works. Android phones/tablets runs off the Linux kernel, as do many other types of devices (such as routers, printers, cameras, P.C.'s, web-servers, etc). The kernel is the heart of the os (Operating System), and if all is well, you should never have to think about it or even "see" the kernel. What you see when you turn on your phone are programs. Linux was designed this way intentionally, and that's partially why Android is so user friendly. On every Linux system, there are many users running around performing various tasks in the background to make it all work. By keeping your programs separate from the system's programs, we are able to keep things secure, because each user on a properly configured Linux system can only access what it is supposed to be able to access. The only exception to this is the superuser, or the root account, which can change anything! Unix/Linux based systems were built this way because back in the old days you would have hundreds of people plugged in to the same main frame, and they needed a very secure way to make sure nobody had access to things that could wreck the entire system. This is the way it still works today.
When you purchase a new Android device, the phone ships without a root/admin account present. This is basically to protect you from yourself, because another great thing about Linux systems is that you can do NO permanent harm to the system without root access. This works pretty well for most people, but if you are like me, and know your way around Linux, and know what you are doing, it sucks. It is so much easier to lock down a rooted device, but you can still do quite a bit to keep yourself secure. After all, it is a Linux system, and is secure by nature.
The Problem
The problem is that people allow apps to be installed that require unnecessary permissions, which in turn compromises their privacy. Or in other cases, phone manufactures ship devices with worthless, malicious apps that cannot be uninstalled... (because you don't have root!)
These days there are so many applications running on your Android device, millions more in the Play Store, and most people blindly accept all of the permissions for these apps, not realizing how much of their personal privacy they are giving away for a stupid game, or the disgusting Facebook app (probably the worst app in history, if you are concerned with privacy). For instance, the Facebook app has permission to access:
- Your Camera
- Your Microphone
- Your Course & Fine Location
- Your Personal Files (anything on the SD card(s)
- Probably even your heart&soul, not sure, as I did not read the terms and conditions
- And all this without you even knowing, unless you actually read the terms of service...
Solutions
The first thing you ought to do install an app like No Root Firewall. This program is quite effective at protecting privacy, as it allows you to decide which apps get internet access, and which ones do not. So even if an app succeeds at collecting personal information, you will be safe; i.e. if the program cannot connect to the internet to relay the information it's collected back to the evil entity, it does not matter. It's not unlike getting busted going through customs, smuggling too much caviare, and being detained-- the firewall will prevent that data from ever leaving your device.
How does this work without root? Well, thankfully we are running Linux systems here, and Linux allows Virtual Private Networks (vpn's) to be configured. VPN's are, as the name suggests, virtual networks, and they have many uses. The primary use of a VPN is often to put your device on the same LAN (local area network) as other devices in a remote location. For instance, corporations use them all of the time so that when an employee works from home, they can be on the companies private network and access the necessary corporate resources. Another plus of doing this is that an encrypted tunnel is created between your internet connection and the VPN server, so anybody attempting to eavesdrop on your traffic between those points will not have any luck. But what does this have to do with a firewall?
Well, in this particular case the No Root Firewall will create a virtual network interface (adapter, card, etc) on your phone, and will force the system to route all of your traffic through this interface. Your sensitive data will not be passed to any remote server, rather the app simply creates a local virtual interface that catches all of the internet requests your device makes, at which point you will be prompted to either allow or deny access! It is ingenious, if you ask me. If you are still a little lost, think of like this:
Instead of the data requests blindly passing through your data or wifi connection, the request are halted and denied access until you say otherwise. For instance, when you boot your phone, you may notice that apps like YouTube, Google Hangouts, and other things you may never use automatically start, and then can freely make internet connections without your consent. However, if you have a local VPN based firewall catching all of those request, it puts you in control. So you can choose to allow the apps you need, like your browser, Google Play framework, and MMS messaging, while denying the apps that you do not use, or do not require internet access to run (this also is useful for blocking in-app adds, btw...).
A firewall is the first and most essential part of any devices internet security. While all Linux systems come with the highly effective IPtables firewall, you need root to configure them, so in this case, this method is the next best thing. Be aware that it is possible for evil entities to extract data through other applications, although unlikely because of the way the Android platform keeps each app in it's in own Virtual Machine, or sandbox (as to prevent shared resource data leaks as mentioned above.) Just remember it's possible, and try your best to limit internet access only to programs essential for the features you use. You will be much better off.
Download No Root Firewall from Google Play
Some other simple things you can do is go to your settings, and make sure that you turn off all of the location services, untick 'allow installation of apps from unknown sources', and opt out of all Google's or your OEM's data collection services (for instance, you will often see 'periodically send data to xxx's servers to help improve our whatever...' Unless you really trust the 3rd party with your personal data, I'd recommend you do not do this.)
Another rule of thumb I live by is: If you can do something in a web-browser, why do you need another application to complete the task? For example, it seems every company from your bank, to Dunkin Donuts to even Walmart offers they're own Android 'Apps.' These apps seldom provide any more functionality then you can already get through a web browser, and in fact, quite a few of them run off HTML anyway! You don't need the Dunkin Donuts application to do anything that you cannot already do on Dunkin's website. Since every app on your device is another potential security risk, I recommend not installing unnecessary applications. Which brings me to my next tip:
How to Avoid Being Forced into Using 3rd Party Applications
Last I checked, when I tried to access Pandora from my phone, it would not allow me to use the web browser. Pandora told me I needed their 'official Pandora App' to stream music. ...(f***king why..?) My Firefox browser is perfectly capable of doing this, and there is just no need to install more (potentially) sketchy software.
One way around this is to use a browser like Dolphin Browser, that in addition to being a great, snappy-fast browser, allows you to spoof your user-agent. All that means is that you can set Dolphin to pretend it's a Desktop computer instead of a phone, which allows you to visit the Desktop versions of websites, which allow you to use the browser like you would on your PC.
Back when mobile internet first took off, it was great that web developers started offering mobile-optimised versions of their sites, which make it easier to navigate web pages on smaller screens, and also cut down on data usage and CPU power needed to parse (or load) the web pages. However, nowadays I feel like this feature is being abused, and tricking people into thinking that not only is yet another application necessary to accomplish a task, but that you will somehow get increased functionality out of it. This is generally not true at all, and installing all of these apps does no good for anyone but advertising companies, the NSA, and corporations that want to collect and sell your personal information. When you run something in a web browser, you tend to have more control over the process than if the data is being controlled by another application that does not include any privacy enhancing features (it's quite the contrary, these days.). Be aware of this.
Download Dolphin Browser and/or Dolphin Jetpack (cooler features, recommended) from Google Play.
*I also highly recommend downloading Firefox, and installing the add-ons Adblock Plus, Https-Everywhere, and NoScript. I use Firefox on my phone most of the time, and Dolphin when I need to spoof my user agent (FF can spoof U.A.'s, but it's harder to set up.)
Encryption, and Why You Should Use it
My last tips for increased privacy are to utilize some simple encryption features that also do not require root privileges:
Encrypt Your Phone's Local Data:
All newer Android systems (from Jelly Bean (?) and up) come with native phone encryption support. From the settings menu, you can go to security > encrypt phone, and follow the instructions from that point. This will encrypt your entire phone with a passphrase, so that if it is stolen, your information will be safe. It does not require any more software, and is one of the easiest, most basic things you can do to protect yourself. I believe that it uses the modern AES-256 cipher (the same one that the NSA uses themselves), to encrypt, so you can put your mind at ease.
Note: it is possible, although extremely difficult, to extract your encryption password from your phones RAM if the device is powered on when/if it falls into the wrong hands. This is because the password is cached to RAM while the device is powered on (it has to be so you can access your files). So, if you find yourself getting pulled over and want to ensure the cops cannot go through your phone, simply power off the device and worry no more.
Encrypt Your SMS/MMS Messages & Phone Calls:
Encryption can also be used to ensure your messages and calls cannot be intercepted by an attacker (this is usually called a 'man in the middle attack' and is becoming increasingly prevalent today). Basically, voice calls and SMS are sent in plain text (or voice), with no encryption, by default. However, your Android is perfectly capable of sending these messages in an encrypted format so that only the intended recipient can read the message or understand your voice conversations.
My personal favourite encrypted SMS/MMS application for Android is TextSecure. This nifty program not only allows you to import all of your currently stored text messages into a password protected, encrypted database (rather painlessly, I might add), but if the person you are texting is also using TextSecure, your messages will be secured with end-to-end-encryption. In other words, anyone attempting to intercept the message in transit will see a bunch of random garbage text that can only be decrypted with your intended recipients private key (TextSecure handles the key exchange for you). For more information on end to end (or PGP) encryption, see my article here.
Then, for phone calls, there is RedPhone. It uses the same public-key-cryptography system that text secure uses to encrypt your voice calls. Anyone eavesdropping at any point will hear a bunch of static, and won't be able to understand a word that you say.
Get TextSecure and RedPhone from Google Play
I hope you've found this article informative. Good luck, and remember: Do Not Accept privacy invasion!