This document has been deprecated.

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS benchmark down to the most critical steps for your devices, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to read the checklists

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in The Center for Internet Security (CIS) benchmarks. The CIS documents outline in much greater detail how to complete each step.
UT Note - The notes at the bottom of the pages provide additional detail about the step for the university computing environment.
Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).

Supported Devices

Supported devices include any that can run Android 4.0 and later. Some security settings and options may not be available on older devices.

Checklist

Checklist
StepTo DoCISUT NoteCat ICat II/III
  Basic Security    
1 Update operating system to the latest version1.1.1§!!
2 Do not Root the device §! 
3 Do not install applications from third party app stores1.1.17§! 
4 Enable device encryption1.1.15§! 
5 Disable 'Developer Actions'1.1.16§!!
6 Use an application/service to provide remote wipe functionality3.2§! 
7 Enable Android Device Manager §  
8 Erase all data before return, repair, or recycle1.1.11§!!
  Authentication Security    
9 Set a PIN and automatically lock the device when it sleeps1.1.2§!!
10 Set an alphanumeric password1.1.3§  
11 Set Auto-Lock Timeout1.1.4§!!
12 Disable 'Make Passwords Visible'1.1.14§  
13 Erase data upon excessive passcode failures §! 
  Browser Security    
14 Show security warnings for visited sites1.2.2§!!
15 Disable 'Form Auto-Fill'1.2.3§  
16 Do not automatically remember passwords1.2.7§  
17 Disable browser plug-ins1.2.6§  
18 Turn on Do Not Track §  
  Network Security    
19 Turn off Bluetooth when not in use1.1.9§  
20 Disable network notification1.1.6§! 
21 Forget Wi-Fi networks to prevent automatic rejoin1.1.15§  
  Additional Security Settings1    
22 Turn off Location Services1.1.8§  
23 Use a third party application to password protect applications with sensitive data §  
24 Limit the number of text (SMS) and multimedia messages (MMS) saved1.1.18 - 1.1.19§  
25 Disallow cookies in Chrome browser1.2.4§  
26 Disable JavaScript in Chrome browser1.2.1§  
27 Use TextSecure to encrypt SMS messages §  

Footnote

1These security settings are proactive in nature but are intended for devices where there exists a very high need for security, as they may negatively impact the user experience and interfere with the functionality and utility of many applications.

UT Note: Addendum

This list provides specific tasks related to the computing environment at The University of Texas at Austin.

Please be aware that the exact process for activating security features will vary from device to device and between versions of the operating system.  The instructions here are provided for reference only and will not be applicable to all handsets.  It is recommended that users follow the instructions contained in the operating manual for their device where possible.

UT Note: Addendum
1

Update operating system to the latest version

Android devices ship with various versions of the operating system, determined by both the selected carrier and handset manufacturer. New versions of the Android operating system frequently address security vulnerabilities in addition to providing bug fixes and adding new features. Not all devices will support the most recent version of Android and not all carriers will make upgrades available for all handsets, even ones that are capable of running the newer software. Upgrade to the latest available and supported version for your device.

For high security environments, plan on replacing devices every 2-3 years in order to stay current on operating system releases. Additionally, consider using only Nexus devices, which are supported by Google directly instead of a mobile carrier, in order to ensure that operating system updates are actually made available to you.

2

Do not Root the device

Rooting an Android device often takes advantage of known vulnerabilities in the operating system to disable the security controls that prevent users and applications from performing actions such as executing privileged commands, interacting with the hardware at a low level, modifying and deleting necessary system files, and removing carrier and manufacturer installed applications, for example. Once these security controls are bypassed, any application has the ability to break out of its sandbox and act maliciously (perhaps unintentionally). Installers for rooting Android devices typically add a Superuser application which is used to specify the  applications that have the ability to elevate their privileges, however this is another security control that must be managed and monitored by the end user. Unlike iOS devices, rooting is not required to sideload applications.

You should understand that by rooting your device, you are taking on increased responsibility for securing your device and protecting yourself from malicious software.Devices used with Category I data should not be rooted.

3

Do not install applications from third party app stores

Google manages applications distributed through the Google Play store and has the ability to remove malicious applications both from the store when discovered and directly from any devices that have installed the applications from the Google Play store. Installing applications from other sources is riskier since you have no way of knowing how the stores are managed and whether or not the applications available in it can be trusted to not be malicious in nature.

To disable application installation from unknown sources:

  1. Press the Menu button
  2. Tap System settings.
  3. Tap Security.
  4. Scroll to Device administration.
  5. Uncheck Unknown sources.
4

Enable device encryption

When enabled, Android uses your passcode or password to generate an encryption key that is then used to encrypt the device. This passcode/password is then required every time the device is powered on. This protects the data stored on the device from unauthorized access in the event that it is lost or stolen. The encryption process may take an extended amount of time, depending upon the amount of storage in the device. The device needs to remain plugged in and the encryption process should not be interrupted.

To encrypt a device:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Scroll to Encryption.
  6. Tap Encrypt |LF||LF|device|RF||RF|.
  7. Tap Encrypt |LF||LF|device|RF||RF| again.
  8. Enter lock screen passcode or password when prompted.
  9. Tap Continue.
  10. Tap Encrypt |LF||LF|device|RF||RF|.
5

Disable 'Developer Options'

Android provides a number of features that allow developers to interact with the device through the built-in USB power/data port to change its behavior, read and modify local storage, and issue commands. When enabled, it is possible to completely control a device through this interface. These features should be enabled only as needed and only for the duration required for testing.

To disable developer options:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to System.
  4. Tap Developer options.
  5. Uncheck USB debugging.
  6. Uncheck Stay awake.
  7. Uncheck Mock locations.
6

Use an application/service to provide remote wipe functionality

The intent with this is to ensure that if the device is lost, the data can be erased remotely.  There are a couple of ways to accomplish this with Android:

  • Austin Exchange Messaging Service provides this functionality to synchronized devices.  Device wipes can be requested by the Exchange server administrator or initiated by the account holder through Outlook Web Access under Options > Mobile Devices.
  • Google Play provides this functionality through the free Android Device Manager service.
  • Many third party applications provide this functionality. Some options include Norton Mobile Security, Wave Secure, Lookout, Security Shield, and Theft Aware. The exact feature set of each application varies; some do much more than just provide remote wipe functionality. At a minimum, users should look for the ability to lock the device remotely, wipe the device remotely, and wipe the device after too many failed unlock attempts when evaluating products for this requirement.
7

Enable Android Device Manager

Android Device Manager is a free service provided by Google that allows users to track and remotely lock or erase an Android device. A free Google account is required to use this service. If a device is lost or stolen, having this service enabled may allow the owner to find and recover the device with the assistance of the University Police Department (UTPD). Even if recovery of the device isn't possible, the ability to remotely erase may protect any sensitive data that was stored on it.

To enable Android Device Manager:

  1. Press the Menu button.
  2. Tap System settings.
  3. Tap Security.
  4. Scroll to Device administration.
  5. Tap Device administrators.
  6. Check Android Device Manager.
  7. Tap Activate.
8

Erase all data before return, repair, or recycle

In order to prevent an unauthorized person from being able to recover sensitive information from the device, the disk should be erased before it is out of your physical control. Note that for this method of erasing a device to be secure, meaning that the data is not forensically recoverable, encryption may need to be enabled on the device first (see control 4 above). This will vary based upon the specific device.

To erase a device:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Backup & reset.
  5. Tap Factory data reset.
  6. Check "Erase SD card" unless the SD card will be disposed of separately from the device.
  7. Tap Reset phone.
  8. Enter the passcode if requested.
  9. Tap Next.
  10. Tap Erase everything.
9

Set a PIN and automatically lock the device when it sleeps

Setting a PIN prevents casual unauthorized access to a device. A PIN (or a password) is more secure than a pattern as patterns can be trivially observed by people around you and there have been cases of using the fingerprint smudges on devices to derive lock-screen patterns. While setting a PIN you can also configure the device to immediately require that you enter the PIN after the device sleeps. This will prevent the device from being unlocked after sleeping from inactivity without entering the PIN first. Since a 4 digit PIN only has a maximum of 10,000 possible combinations, we recommend that users select a longer PIN.

To set a PIN:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Tap Screen lock.
  6. Tap PIN.
  7. Tap in a PIN.
  8. Tap Continue.
  9. Enter the same PIN again.
  10. Tap OK.
  11. Tap Automatically lock.
  12. Tap Immediately.
  13. Check Power button instantly locks if not already checked.
10

Set an alphanumeric password

In addition to the PIN and pattern options for authentication, Android also supports the use of alphanumeric password. For high security applications, it is recommended that a complex alphanumeric password be used instead of a PIN or pattern.

To enter an alphanumeric password:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Tap Screen lock.
  6. Tap Password.
  7. Type in a complex password.
  8. Tap Continue.
  9. Enter the same password again.
  10. Tap OK.
  11. Tap Automatically lock.
  12. Select Immediately.
  13. Check Power button instantly locks if not already checked.
11

Set Auto-Lock Timeout

This option automatically locks the device after it has been inactive for the specified amount of time.

To enable:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Device.
  4. Tap Display.
  5. Tap Sleep.
  6. Tap 2 minutes.
  7. Press the Back button.
  8. Scroll to Personal.
  9. Tap Security.
  10. Confirm that Automatically lock is set to "2 minutes after sleep."
12

Disable 'Make Passwords Visible'

This feature controls whether passwords are displayed as they are entered. Disabling this feature increases security by making it harder for people in close physical proximity to learn your passwords by observing you interact with your device.

To hide passwords as they are entered:

  1. Press the Menu button.
  2. Tap System settings.
  3. Tap Security.
  4. Uncheck Make passwords visible.
13

Erase data upon excessive passcode failures

Refer to control 6 above. Android does not natively provide this functionality, but there are a number of third party applications, some of which were mentioned earlier, which can. Since excessive passcode failures typically indicate the device is out of your physical control, having the device automatically erase may protect the confidentiality of information stored on the device.

14

Show security warnings for visited sites

This feature will warn you of common security problems, such as invalid or expired SSL certificates, affecting the web sites you visit. These warnings could indicate that communications between your computer and the site's server are not secure, meaning that data sent to the site could be intercepted. Caution should be exercised when using sites that generate security warnings with this feature.

To show security warnings for sites:

  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Check Show security warnings.
15

Disable 'Form Auto-Fill'

Date entered into web forms may be stored so that, upon subsequent visits to the page, the form can be auto-completed. While this may be convenient, it also may result in the storage of sensitive information, such as passwords and credit card numbers, locally on the device. Additionally, automatically filling in web forms could result in the unintentional disclosure of sensitive data to unauthorized people.

To disable the 'Form auto-fill' functionality:

  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Form data.
  6. Tap Clear form data.
  7. Tap OK on the confirmation dialog.
  8. Uncheck Remember form data.
  9. Press the Back button.
  10. Tap General.
  11. Uncheck Form auto-fill.
16

Do not automatically remember passwords

Refer to control 14 above. Passwords entered into forms are automatically stored so that they can be auto-filled upon subsequent visits to the site. This not only results in the local storage of user credentials entered via the web browser, but having the browser automatically fill forms using this data may result in the unintentional disclosure of the data to a unauthorized person.

To prevent the browser from remembering passwords:

  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Passwords.
  6. Tap Clear passwords and tap OK on the confirmation dialog.
  7. Uncheck Remember passwords.
17

Disable browser plug-ins

Chrome supports plug-ins that allow developers more control over sites or enable richer user experiences, such as Flash. Historically, the security of such plug-ins has been very poor and they have been and remain a very commonly exploited vector for infection by malware. Plug-ins should only be enabled for trusted sites and disabled when not in use.

To disable plug-ins in Chrome:

  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Advanced.
  5. Tap Enable plug-ins.
  6. Select Off.
18

Turn on Do Not Track

The Do Not Track option instructs Chrome to send a specific header in web requests that indicates the your preference not to be tracked by the websites you visit. Many sites have opted to honor this preference so there is some small privacy benefit from enabling it. It is important to note, however, that this feature is strictly voluntary and web sites are under no obligation to honor it. There are no guarantees that any specific web site will now, or, in the future, continue to, obey this header.

To turn on Do Not Track:

  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy.
  5. Tap Do Not Track.
  6. Select On.
19

Turn off Bluetooth when not in use

Disabling Bluetooth reduces the remote attack surface of devices and may also prevent you from unintentionally connecting to unknown Bluetooth services and devices. Bluetooth should be enabled only when it is actively being used.

To turn off Bluetooth:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Wireless & networks
  4. Slide the Bluetooth switch to Off.
20

Disable network notification

By default, Android devices will automatically present a list of detected wireless networks from an icon in the status bar that users may attempt to connect to when no networks that have previously been connected to are available. The issue is that anyone can run a wireless hotspot and, joining a poorly configured or insecure network could allow a malicious user on that same network to intercept, capture, and alter any network traffic sent by a user. In fact, many attackers will intentionally run wireless networks in popular, crowded areas, like airports and coffee shops, hoping to lure unsuspecting users into connecting. If this feature is disabled, you must manually search for and select a wireless network to join. This may reduce the risk of inadvertently joining a similarly named yet untrusted network (e.g. “defualt” instead of “default”).

To disable network notifications:

  1. Press the Menu button.
  2. Tap System settings.
  3. Tap More... if present.
  4. Tap Wi-Fi settings.
  5. Tap the Menu icon and choose Advanced.
  6. Uncheck Network notification.
21

Forget Wi-Fi networks to prevent automatic rejoin

By default, an Android device will remember and automatically rejoin networks that it has previously associated with. The problem with this is a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined. Additionally, if previously joined network has a common SSID, such as “default” or “linksys”, it is very probable that the device will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.

To forget a remembered or connected Wi-Fi network:

  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Wireless & networks.
  4. Tap More... if present.
  5. Tap Wi-Fi.
  6. In the Wi-Fi settings, locate the Wi-Fi network.
  7. Tap and hold down on the entry for the network you wish to forget.
  8. Tap Forget.
22

Turn off Location Services

Location Services allows installed applications and visited websites the ability to request your current location. Once access is granted to an application, the application may request the data again at any time with no further notification to users.

To turn off Location Services:

  1. Tap globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Location.
  6. Uncheck "Enable location."
  7. Press the Home button.
  8. Press the Menu button.
  9. Tap System settings.
  10. Scroll to Personal.
  11. Tap Location services.
  12. Uncheck Google's location service.
  13. Uncheck GPS satellites.
23

Use a third party application to password protect applications with sensitive data

Some options for this include App Lock, App Protector Pro, and Protector.  These applications allow for a separate password to be required to launch specific applications.  This may be useful to secure applications that store sensitive data so they cannot be accessed even if the device is found unlocked. If supported by your device, encryption is a much stronger and more secure approach to protecting data however (see control 4 above).

24

Limit the number of text (SMS) and multimedia messages (MMS) saved

For high security environments, limiting the number of SMS and MMS messages saved per conversation thread may reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.

To limit the number of messages saved:

  1. Tap Message icon.
  2. Press Menu button.
  3. Tap Settings.
  4. Check Delete old messages.
  5. Tap Text message limit.
  6. Scroll to 100.
  7. Tap Set.
  8. Tap Multimedia message limit.
  9. Scroll to 20 messages.
  10. Tap Set.
25

Disallow cookies in Chrome browser

While this setting does have the beneficial effect of disallowing third party tracking cookies, it is overall not recommended for most users as cookies are heavily utilized by typical modern web applications. Using this feature selectively, though, may provide a sort of limited privacy mode in Chrome.

To disable cookies:

  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Tap Clear all cookie data.
  6. Tap OK.
  7. Uncheck "Accept cookies."
26

Disable JavaScript in Chrome browser

Ideally JavaScript should only be available when browsing trusted websites. In high security environments, it may make sense to disable JavaScript as a method of hardening the browser against malicious web sites. This is not recommended for most users as JavaScript is heavily utilized by typical modern web applications.

To disable JavaScript:

  1. Tap the globe Browser icon.
  2. Press the menu button.
  3. Tap Settings.
  4. Tap Advanced.
  5. Uncheck JavaScript.
27

Use TextSecure to encrypt SMS messages

The application TextSecure available in the Google Play store can encrypt SMS and MMS messages in transit and at rest on the device. This helps secure your communications with others from interception and alteration. Also, just like limiting the number of messages saved (from control 24 above), this can reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.