I think about mobile security a lot. I also talk about it quite a bit. If mobile security wasn't always an issue, I wouldn't have to bother. Unfortunately, it is, and I find myself always pondering the topic.
The other day, a thought popped into my mind that I had to test. I dove into Android settings, hoping I could find the answer to my question. No matter how much I dug, I couldn't find it. The only option that would even remotely pull off what I wanted was by way of a third-party app.
And you know how I feel about them (spoiler alert: if it's not absolutely necessary… don't install it).
I found myself back at the beginning, wondering why it wasn't possible to do what I wanted with the built-in tools and options.
It just made so much sense.
I suppose I should explain myself.
One of the many reasons why I install so few apps on my Android phone is the idea that they could access my home network. With the help of malware, any app attached to my network could (with the right code) capture and read packets traveling in and out of my LAN. If I log into my bank account via my desktop web browser, that app could intercept that traffic, read it, and send it to a malicious third party.
That's a problem. And even though Android makes it possible for you to adjust the permissions of every app, those permissions neglect one very important aspect of security… your network.
Yes, I lean toward the overly paranoid when it comes to security. I use 2FA for every service that offers it, I use a password manager, and I have three different wireless networks in my home (each for a different purpose). So, the idea of any app on my mobile device having access to my LAN doesn't sit well with me. I not only access important accounts from my network but also get information from various clients (some of which are embargoed and sensitive) -- and I sometimes have to send contracts that contain sensitive information. I can't have a mobile app with a hidden payload eavesdropping on my network traffic.
And that leads me to…
Imagine if you could limit a mobile app to only using your cellular network. That would mean the app wouldn't have direct access to your LAN. The app would be isolated to using only cellular data, and the packets moving back and forth on your local area network would be isolated from the app.
With the ability to prevent an app from accessing your wireless network, you would only have to worry about the traffic coming in and out on your cellular network. Such isolation could be a real boon to preventing malicious apps from accessing various devices on your LAN (especially IoT devices, which tend to be far less secure than phones, desktops, and laptops).
I realize there is a big caveat to this idea. If you limit a mobile to only using cellular data, you could wind up with overages on your mobile bill. This could be especially true if the app in question has anything to do with streaming video or audio. But from my perspective, this is a risk worth taking.
Plus, it would be an optional feature. If preventing cellular overages is more important than preventing an app from accessing the devices and traffic on your wireless network, then you could not make use of the network isolation feature.
Although I'm not a developer, this feature seems like it would be a no-brainer. Android already has the built-in feature to limit apps from using cellular data, so why not add the opposite take on this? I realize the idea behind apps not using cellular data is to prevent overages. However, adding the ability to better secure users from malicious apps taking control of their networks and devices should be a top priority for Google.
And I see no reason why this can't be baked into the operating system. It might not be an option for everyone, but those who take their security seriously would see this as a real boon.
Google, consider this option for Android. I understand it would also require work on the part of every app developer to make it work. If you deem this a worthy security feature, and you have developers who refuse to add it to their apps, you can always remove the app from the Play Store.
It's well past time security became the single highest priority for Google, Android, Android app developers, and users. Until then, we'll continue having to worry about data and identity theft.