The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS benchmark down to the most critical steps for your devices, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.
How to read the checklists
Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in The Center for Internet Security (CIS) benchmarks. The CIS documents outline in much greater detail how to complete each step.
UT Note - The notes at the bottom of the pages provide additional detail about the step for the university computing environment.
Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).
Supported devices include any that can run Android 4.0 and later. Some security settings and options may not be available on older devices.
|Step||√||To Do||CIS||UT Note||Cat I||Cat II/III|
|1||Update operating system to the latest version||1.1.1||§||!||!|
|2||Do not Root the device||§||!|
|3||Do not install applications from third party app stores||1.1.17||§||!|
|4||Enable device encryption||1.1.15||§||!|
|5||Disable 'Developer Actions'||1.1.16||§||!||!|
|6||Use an application/service to provide remote wipe functionality||3.2||§||!|
|7||Enable Android Device Manager||§|
|8||Erase all data before return, repair, or recycle||1.1.11||§||!||!|
|9||Set a PIN and automatically lock the device when it sleeps||1.1.2||§||!||!|
|10||Set an alphanumeric password||1.1.3||§|
|11||Set Auto-Lock Timeout||1.1.4||§||!||!|
|12||Disable 'Make Passwords Visible'||1.1.14||§|
|13||Erase data upon excessive passcode failures||§||!|
|14||Show security warnings for visited sites||1.2.2||§||!||!|
|15||Disable 'Form Auto-Fill'||1.2.3||§|
|16||Do not automatically remember passwords||1.2.7||§|
|17||Disable browser plug-ins||1.2.6||§|
|18||Turn on Do Not Track||§|
|19||Turn off Bluetooth when not in use||1.1.9||§|
|20||Disable network notification||1.1.6||§||!|
|21||Forget Wi-Fi networks to prevent automatic rejoin||1.1.15||§|
|Additional Security Settings1|
|22||Turn off Location Services||1.1.8||§|
|23||Use a third party application to password protect applications with sensitive data||§|
|24||Limit the number of text (SMS) and multimedia messages (MMS) saved||1.1.18 - 1.1.19||§|
|25||Disallow cookies in Chrome browser||1.2.4||§|
|27||Use TextSecure to encrypt SMS messages||§|
1These security settings are proactive in nature but are intended for devices where there exists a very high need for security, as they may negatively impact the user experience and interfere with the functionality and utility of many applications.
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
Please be aware that the exact process for activating security features will vary from device to device and between versions of the operating system. The instructions here are provided for reference only and will not be applicable to all handsets. It is recommended that users follow the instructions contained in the operating manual for their device where possible.
Update operating system to the latest version
Android devices ship with various versions of the operating system, determined by both the selected carrier and handset manufacturer. New versions of the Android operating system frequently address security vulnerabilities in addition to providing bug fixes and adding new features. Not all devices will support the most recent version of Android and not all carriers will make upgrades available for all handsets, even ones that are capable of running the newer software. Upgrade to the latest available and supported version for your device.
For high security environments, plan on replacing devices every 2-3 years in order to stay current on operating system releases. Additionally, consider using only Nexus devices, which are supported by Google directly instead of a mobile carrier, in order to ensure that operating system updates are actually made available to you.
Do not Root the device
Rooting an Android device often takes advantage of known vulnerabilities in the operating system to disable the security controls that prevent users and applications from performing actions such as executing privileged commands, interacting with the hardware at a low level, modifying and deleting necessary system files, and removing carrier and manufacturer installed applications, for example. Once these security controls are bypassed, any application has the ability to break out of its sandbox and act maliciously (perhaps unintentionally). Installers for rooting Android devices typically add a Superuser application which is used to specify the applications that have the ability to elevate their privileges, however this is another security control that must be managed and monitored by the end user. Unlike iOS devices, rooting is not required to sideload applications.
You should understand that by rooting your device, you are taking on increased responsibility for securing your device and protecting yourself from malicious software.Devices used with Category I data should not be rooted.
Do not install applications from third party app stores
Google manages applications distributed through the Google Play store and has the ability to remove malicious applications both from the store when discovered and directly from any devices that have installed the applications from the Google Play store. Installing applications from other sources is riskier since you have no way of knowing how the stores are managed and whether or not the applications available in it can be trusted to not be malicious in nature.
To disable application installation from unknown sources:
Enable device encryption
When enabled, Android uses your passcode or password to generate an encryption key that is then used to encrypt the device. This passcode/password is then required every time the device is powered on. This protects the data stored on the device from unauthorized access in the event that it is lost or stolen. The encryption process may take an extended amount of time, depending upon the amount of storage in the device. The device needs to remain plugged in and the encryption process should not be interrupted.
To encrypt a device:
Disable 'Developer Options'
Android provides a number of features that allow developers to interact with the device through the built-in USB power/data port to change its behavior, read and modify local storage, and issue commands. When enabled, it is possible to completely control a device through this interface. These features should be enabled only as needed and only for the duration required for testing.
To disable developer options:
Use an application/service to provide remote wipe functionality
The intent with this is to ensure that if the device is lost, the data can be erased remotely. There are a couple of ways to accomplish this with Android:
Enable Android Device Manager
Android Device Manager is a free service provided by Google that allows users to track and remotely lock or erase an Android device. A free Google account is required to use this service. If a device is lost or stolen, having this service enabled may allow the owner to find and recover the device with the assistance of the University Police Department (UTPD). Even if recovery of the device isn't possible, the ability to remotely erase may protect any sensitive data that was stored on it.
To enable Android Device Manager:
Erase all data before return, repair, or recycle
In order to prevent an unauthorized person from being able to recover sensitive information from the device, the disk should be erased before it is out of your physical control. Note that for this method of erasing a device to be secure, meaning that the data is not forensically recoverable, encryption may need to be enabled on the device first (see control 4 above). This will vary based upon the specific device.
To erase a device:
Set a PIN and automatically lock the device when it sleeps
Setting a PIN prevents casual unauthorized access to a device. A PIN (or a password) is more secure than a pattern as patterns can be trivially observed by people around you and there have been cases of using the fingerprint smudges on devices to derive lock-screen patterns. While setting a PIN you can also configure the device to immediately require that you enter the PIN after the device sleeps. This will prevent the device from being unlocked after sleeping from inactivity without entering the PIN first. Since a 4 digit PIN only has a maximum of 10,000 possible combinations, we recommend that users select a longer PIN.
To set a PIN:
Set an alphanumeric password
In addition to the PIN and pattern options for authentication, Android also supports the use of alphanumeric password. For high security applications, it is recommended that a complex alphanumeric password be used instead of a PIN or pattern.
To enter an alphanumeric password:
Set Auto-Lock Timeout
This option automatically locks the device after it has been inactive for the specified amount of time.
Disable 'Make Passwords Visible'
This feature controls whether passwords are displayed as they are entered. Disabling this feature increases security by making it harder for people in close physical proximity to learn your passwords by observing you interact with your device.
To hide passwords as they are entered:
Erase data upon excessive passcode failures
Refer to control 6 above. Android does not natively provide this functionality, but there are a number of third party applications, some of which were mentioned earlier, which can. Since excessive passcode failures typically indicate the device is out of your physical control, having the device automatically erase may protect the confidentiality of information stored on the device.
Show security warnings for visited sites
This feature will warn you of common security problems, such as invalid or expired SSL certificates, affecting the web sites you visit. These warnings could indicate that communications between your computer and the site's server are not secure, meaning that data sent to the site could be intercepted. Caution should be exercised when using sites that generate security warnings with this feature.
To show security warnings for sites:
Disable 'Form Auto-Fill'
Date entered into web forms may be stored so that, upon subsequent visits to the page, the form can be auto-completed. While this may be convenient, it also may result in the storage of sensitive information, such as passwords and credit card numbers, locally on the device. Additionally, automatically filling in web forms could result in the unintentional disclosure of sensitive data to unauthorized people.
To disable the 'Form auto-fill' functionality:
Do not automatically remember passwords
Refer to control 14 above. Passwords entered into forms are automatically stored so that they can be auto-filled upon subsequent visits to the site. This not only results in the local storage of user credentials entered via the web browser, but having the browser automatically fill forms using this data may result in the unintentional disclosure of the data to a unauthorized person.
To prevent the browser from remembering passwords:
Disable browser plug-ins
Chrome supports plug-ins that allow developers more control over sites or enable richer user experiences, such as Flash. Historically, the security of such plug-ins has been very poor and they have been and remain a very commonly exploited vector for infection by malware. Plug-ins should only be enabled for trusted sites and disabled when not in use.
To disable plug-ins in Chrome:
Turn on Do Not Track
The Do Not Track option instructs Chrome to send a specific header in web requests that indicates the your preference not to be tracked by the websites you visit. Many sites have opted to honor this preference so there is some small privacy benefit from enabling it. It is important to note, however, that this feature is strictly voluntary and web sites are under no obligation to honor it. There are no guarantees that any specific web site will now, or, in the future, continue to, obey this header.
To turn on Do Not Track:
Turn off Bluetooth when not in use
Disabling Bluetooth reduces the remote attack surface of devices and may also prevent you from unintentionally connecting to unknown Bluetooth services and devices. Bluetooth should be enabled only when it is actively being used.
To turn off Bluetooth:
Disable network notification
By default, Android devices will automatically present a list of detected wireless networks from an icon in the status bar that users may attempt to connect to when no networks that have previously been connected to are available. The issue is that anyone can run a wireless hotspot and, joining a poorly configured or insecure network could allow a malicious user on that same network to intercept, capture, and alter any network traffic sent by a user. In fact, many attackers will intentionally run wireless networks in popular, crowded areas, like airports and coffee shops, hoping to lure unsuspecting users into connecting. If this feature is disabled, you must manually search for and select a wireless network to join. This may reduce the risk of inadvertently joining a similarly named yet untrusted network (e.g. “defualt” instead of “default”).
To disable network notifications:
Forget Wi-Fi networks to prevent automatic rejoin
By default, an Android device will remember and automatically rejoin networks that it has previously associated with. The problem with this is a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined. Additionally, if previously joined network has a common SSID, such as “default” or “linksys”, it is very probable that the device will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.
To forget a remembered or connected Wi-Fi network:
Turn off Location Services
Location Services allows installed applications and visited websites the ability to request your current location. Once access is granted to an application, the application may request the data again at any time with no further notification to users.
To turn off Location Services:
Use a third party application to password protect applications with sensitive data
Some options for this include App Lock, App Protector Pro, and Protector. These applications allow for a separate password to be required to launch specific applications. This may be useful to secure applications that store sensitive data so they cannot be accessed even if the device is found unlocked. If supported by your device, encryption is a much stronger and more secure approach to protecting data however (see control 4 above).
Limit the number of text (SMS) and multimedia messages (MMS) saved
For high security environments, limiting the number of SMS and MMS messages saved per conversation thread may reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.
To limit the number of messages saved:
Disallow cookies in Chrome browser
While this setting does have the beneficial effect of disallowing third party tracking cookies, it is overall not recommended for most users as cookies are heavily utilized by typical modern web applications. Using this feature selectively, though, may provide a sort of limited privacy mode in Chrome.
To disable cookies:
Use TextSecure to encrypt SMS messages
The application TextSecure available in the Google Play store can encrypt SMS and MMS messages in transit and at rest on the device. This helps secure your communications with others from interception and alteration. Also, just like limiting the number of messages saved (from control 24 above), this can reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.