
Wednesday, 7 February 2018

LYNIS- Open-Source Linux System Auditing Tool

Lynis is an open-source, host-based security auditing tool. It audits systems running UNIX-based operating systems and provides checks that support system hardening and compliance testing.
Running 'lynis' without arguments starts the program and lists the essential parameters. If you are using Lynis for the first time (or obtained it via Git), use "./lynis" to start the program from the local directory.
The most common way to start Lynis is the audit system command, which starts the security scan.
To run Lynis you must meet one requirement: write access to /tmp (for temporary files).

INSTALLATION VIA PACKAGE

Installing Lynis via a package manager is one option to get started with Lynis. For most operating systems and distributions, a port or package is available.
First, add the Lynis (CISOfy) software repository so that the latest version is available to your system.

RED HAT

This applies to systems running YUM, including CentOS, Fedora and Red Hat Enterprise Linux (RHEL).
$ yum install lynis

DEBIAN

This applies to systems running Debian, Linux Mint or Ubuntu, or based on one of these.
$ apt-get install lynis

OPENSUSE

$ zypper install lynis
After the installation, it is time to run Lynis for the first time.

INSTALLATION VIA GIT

Clone project
The first step is cloning the project. Before doing so, select the parent directory. Git will create a ‘lynis’ subdirectory with the full program in it.
$ cd ~/Desktop

$ git clone https://github.com/CISOfy/lynis
Cloning into ‘lynis’…
remote: Counting objects: 1733, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 1733 (delta 3), reused 0 (delta 0), pack-reused 1725
Receiving objects: 100% (1733/1733), 886.18 KiB | 378.00 KiB/s, done.
Resolving deltas: 100% (1204/1204), done.
Checking connectivity... done.
$ cd lynis
That is it. Time to run your first security audit:
$ lynis audit system
Although no configuration is required, there are a few useful commands to learn.

LYNIS COMMANDS

The Lynis tool requires a minimum number of parameters to run. If you are using it for the first time, just run lynis and see what output it provides.
$ ./lynis

AUDIT

The audit command tells Lynis to perform an audit.
Targets include:
  • system - audit the host system
  • dockerfile - audit a Dockerfile

SHOW

The show command informs Lynis to share information, like help or the value of something.
Options:
  • help – show help and tips
  • profiles – show discovered audit profiles
  • settings – show active settings
  • version – show Lynis version
These are the main commands of the Lynis auditing tool. There are further options not covered here, including layout options, miscellaneous options and Enterprise options.
Lynis scans the system and performs its tests, and the results are displayed on the screen while the scan runs. The log is written to /var/log/lynis.log; this file is overwritten on every run, so back it up before running Lynis again. During the audit Lynis also gathers findings and data points, which it stores in /var/log/lynis-report.dat.
Benefits:
  • Perform audits within a few minutes
  • Guidance for system hardening
  • Central management
  • Powerful reporting
  • Compliance checks (e.g. PCI DSS)
  • Additional plugins and more tests
Comparison between Lynis and other tools:
Gaps in the hardening process are exposed more easily than with other auditing tools such as Bastille or TOD (Touch of Death), and a scan takes less time than with those tools.
It helps to track your compliance needs, IT audits and better security defences.
Operating system detection:
Lynis detects the operating system name, operating system version, host name and hardware platform. It runs on almost all UNIX-based systems and versions, including:
  • AIX
  • FreeBSD
  • Linux
  • macOS, Solaris etc.
  • It even runs on devices like the Raspberry Pi or QNAP storage appliances
System tools: Lynis locates the system binaries, checks whether the tools on the system are up to date, and uses plugins for additional tests.
Boot configuration: At the boot configuration level Lynis checks whether the boot loader password is encrypted, which boot method is in use (legacy BIOS or UEFI), the GRUB settings, how many services are running on the system, and the start-up files.
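The report file described above lends itself to automation. The following script is an added example, not code from the blog post or from the Lynis project: it parses a constructed /var/log/lynis-report.dat-style file (the key names follow the Lynis report format, the contents are made up) and extracts the hardening index, warning and suggestion test IDs, and a pass/fail gate on the index.

```shell
#!/bin/sh
# Added example (not from the blog post or the Lynis project): summarise a
# Lynis report file. Lynis writes key=value lines to /var/log/lynis-report.dat;
# warnings and suggestions have the shape
#   warning[]=TEST-ID|Description|Details|Solution|
# The sample below is a constructed report, not output captured from a real host.

SAMPLE_REPORT="${TMPDIR:-/tmp}/lynis-report.sample.dat"
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample)
report_version_major=1
hostname=demo-host
os=Linux
hardening_index=62
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-|
EOF

# Value of a scalar key such as hardening_index or os.
report_value() {
    # $1 = report file, $2 = key
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Number of warning[] or suggestion[] entries (0 when there are none).
report_count() {
    # $1 = report file, $2 = "warning" or "suggestion"
    grep -c "^$2\[\]=" "$1" || true
}

# Test IDs for a category, deduplicated and sorted, one per line.
report_ids() {
    # $1 = report file, $2 = "warning" or "suggestion"
    sed -n "s/^$2\[\]=\([A-Z0-9-]*\)|.*/\1/p" "$1" | sort -u
}

# Returns 0 when the hardening index meets a minimum, 1 otherwise, so the
# function can gate a CI or configuration-management run on the audit result.
hardening_index_ok() {
    # $1 = report file, $2 = minimum acceptable index
    idx=$(report_value "$1" hardening_index)
    if [ -n "$idx" ] && [ "$idx" -ge "$2" ]; then
        return 0
    fi
    return 1
}

# Human-readable summary of one report.
report_summary() {
    r="$1"
    echo "Host: $(report_value "$r" hostname) ($(report_value "$r" os))"
    echo "Hardening index: $(report_value "$r" hardening_index)"
    echo "Warnings: $(report_count "$r" warning)"
    report_ids "$r" warning | sed 's/^/  - /'
    echo "Suggestions: $(report_count "$r" suggestion)"
    report_ids "$r" suggestion | sed 's/^/  - /'
}

report_summary "$SAMPLE_REPORT"
```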
Conclusion:
Security needs to be reliable, and Lynis can help us stay consistent. Lynis scans your system and warns you about security holes. This blog gives an overview of the Lynis server hardening tool and of where to look when hardening a server. BriskInfosec offers end-to-end server hardening solutions wherever the industry requires them; to know more, get in touch with us.

AUTHOR

Aravind
Security Engineer
BriskInfosec Technology and consulting PVT LTD
Find me @https://www.linkedin.com/in/aravindhan-s-90b98787/

Saturday, 16 December 2017

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATIONS

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATION BECOMES SERIOUS THREAT

WHAT IS MAN IN THE MIDDLE ATTACK?

A man-in-the-middle (MITM) attack is one in which the attacker inserts themself between the sender and the receiver and gathers sensitive data. MITM attacks, which are a form of session hijacking, are not new. What might be less well known is that mobile devices are vulnerable to MITM attacks too, although it is more complex for an attacker to mount an MITM attack against a mobile application than against a web application.

HOW DOES A MAN-IN-THE-MIDDLE ATTACK WORK?

A man-in-the-middle attack (MITM) is like eavesdropping. Data is sent from point A (Mobile) to point B (server/website), and an attacker can get in-between these transmissions. They then set up tools programmed to “listen in” on transmissions, intercept data that is specifically targeted as valuable, and capture the data. Sometimes this data can be modified in the process of transmission to try to trick the end user to expose sensitive information, such as login credentials. Once the user has fallen into the trap, the data is collected from the target, and the original data is then forwarded to the planned destination unaltered.

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATIONS

For mobile apps to prevent these types of attacks it is important to look at how the mobile app performs authentication. Using certificate pinning within the mobile app helps ensure that the mobile app is communicating with the device it is expecting to communicate with.

TYPES OF MITM ATTACKS

  • ARP poisoning
  • DNS spoofing
  • Port stealing
  • Invisible proxy
  • Certificate forging
In this blog, we will focus on the main countermeasure against these attacks: SSL pinning.

SSL PINNING

Certificate pinning is hard-coding, in the mobile application, the certificate known to be used by the server. The app can then ignore the device's trust store and rely on its own, allowing SSL connections only to hosts that present the certificates stored inside the application.
Without pinning, the client makes a connection to the server and the server responds with its SSL certificate. If that certificate was issued by a Certificate Authority that is trusted by the OS, the connection is allowed.

CERTIFICATE PINNING FOR ANDROID AND IOS APPS

When we developers work on any kind of software, we cannot forget about security. The minimum security measure we should use is HTTPS as the protocol for exchanging information between a client (in this case, an Android/iOS app) and a server, with an up-to-date cryptographic protocol such as TLS 1.2 (SSL 3.0 is vulnerable!).
You may think that using HTTPS is enough, but in some cases, such as banking applications where sensitive data is sent between our client and our server, it could still be risky.
By default, when making a TLS connection, the client checks two things:
  • The server's certificate matches the requested hostname.
  • The server's certificate has a chain of trust back to a trusted root certificate.
What it does not check is whether the certificate is the specific certificate you know your server is using, and that is a possible security weakness: if the client is compromised and an untrusted certificate is installed (certificate forging), someone could mount a man-in-the-middle attack.
[Figure: Root CA, intermediate CA and Medium certificate]
The solution to this problem is certificate pinning: storing the server's certificate (or a hash of its public key) in our client application to ensure that any SSL request made matches the server's certificate issued by a trusted CA (certificate authority). Let us see how to do it in both Android and iOS apps.

ANDROID

The OkHttp library provides a CertificatePinner class that is added to an OkHttpClient instance. The easiest way to pin a host is to turn on pinning with a deliberately wrong pin and read the expected configuration from the error when the connection fails:
CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add("mydomain.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .build();
OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build();
After a request is executed, you’ll see this message on the console:
javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
    Peer certificate chain:
      sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=mydomain.com, OU=PositiveSSL
      sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA
      sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority
      sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root
    Pinned certificates for mydomain.com:
      sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    at okhttp3.CertificatePinner.check(CertificatePinner.java)
    at okhttp3.Connection.upgradeToTls(Connection.java)
    at okhttp3.Connection.connect(Connection.java)
    at okhttp3.Connection.connectAndSetOwner(Connection.java)
The exception lists the public-key hashes of the server's certificate chain. Paste them into the CertificatePinner and you are done. Once the certificate pinner is enabled in the Android app, it has protection against SSL MITM attacks. Note that OkHttp accepts the connection as soon as any certificate in the presented chain matches any pinned hash, so pinning the root CA hash as well makes the check no stricter than trusting that CA; pin the leaf or intermediate key you control and keep a backup pin so the app keeps working when the key is rotated.
CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add("mydomain.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
    .add("mydomain.com", "sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=")
    .add("mydomain.com", "sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=")
    .add("mydomain.com", "sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=")
    .build();
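The sha256/ values in the exception above are base64-encoded SHA-256 hashes of each certificate's SubjectPublicKeyInfo. The script below is an added example, not code from the blog post, OkHttp or Alamofire: it derives such a pin with the openssl command line and checks a presented chain against a pin list the way a pinning client does (accept if any chain element matches any pin). The certificates are generated locally as a constructed stand-in for mydomain.com.

```shell
#!/bin/sh
# Added example (not from the blog post, OkHttp or Alamofire): compute the
# "sha256/<base64>" pin that OkHttp's CertificatePinner expects and check a
# presented certificate chain against a pin set. Uses only the openssl CLI.
# The certificates are generated on the fly as a constructed example; they are
# not the real mydomain.com certificates shown in the blog post.

WORK="${TMPDIR:-/tmp}/pin-demo.$$"
mkdir -p "$WORK"

# Constructed self-signed certificates: the "server" key pair that the app
# pins, a backup key pair, and an unrelated certificate that stands in for
# one an interception proxy would present.
gen_cert() {
    # $1 = common name, $2 = output prefix (writes $2.key and $2.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}
gen_cert mydomain.com "$WORK/server"
gen_cert mydomain.com "$WORK/backup"
gen_cert mydomain.com "$WORK/other"

# OkHttp pins hash the DER SubjectPublicKeyInfo, not the whole certificate,
# so a pin survives certificate renewal as long as the key pair is kept.
spki_pin() {
    # $1 = PEM certificate; prints sha256/<base64 of SHA-256(SPKI)>
    printf 'sha256/%s\n' "$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64)"
}

# Pin check: $1 = file with one pin per line, remaining args = PEM
# certificates of the presented chain, leaf first. Returns 0 if any
# certificate in the chain matches any pin, which is OkHttp's rule.
chain_matches_pins() {
    pinfile="$1"; shift
    for cert in "$@"; do
        p=$(spki_pin "$cert")
        if grep -qxF "$p" "$pinfile"; then
            return 0
        fi
    done
    return 1
}

# Pin the server key and a backup key so rotation does not break the app.
PINS="$WORK/pins.txt"
spki_pin "$WORK/server.pem" > "$PINS"
spki_pin "$WORK/backup.pem" >> "$PINS"

echo "Pinned:"; sed 's/^/  /' "$PINS"
if chain_matches_pins "$PINS" "$WORK/server.pem"; then
    echo "server.pem: pin match, connection would be allowed"
fi
if ! chain_matches_pins "$PINS" "$WORK/other.pem"; then
    echo "other.pem: no pin match, connection would be rejected"
fi
```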

IOS

The iOS solution is not so straightforward because you need to store the certificate itself inside your app. In my case, I’ve used Alamofire as HTTP client lib for Swift.
First, you need to get the server’s certificate in .der format and add it to your iOS project.
openssl s_client -showcerts -servername mydomain.com -connect mydomain.com:443 </dev/null | openssl x509 -outform DER > mydomainCert.der
And now, let's enable certificate pinning. To do it we need both ServerTrustPolicy and SessionManager objects. The first one defines the hostname and the certificates that will be used in the process:
let serverTrustPolicies: [String: ServerTrustPolicy] = [
    "mydomain.com": .pinCertificates(
        certificates: ServerTrustPolicy.certificates(),
        validateCertificateChain: true,
        validateHost: true
    )
]
ServerTrustPolicy.certificates() returns all certificates bundled in the app, and the two booleans enable validation of the certificate chain and of the hostname.
Lastly, create a SessionManager object using these trust policies:
let sessionManager = SessionManager(serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies))
Done! Just use this sessionManager object to execute requests:
sessionManager.request("https://mydomain.com/api", method: .get, headers: headers)…
Conclusion:
Since MITM attacks are stealthy and do not need any physical access to the victim's device, a robust protection mechanism is required to prevent them. SSL pinning is such a mechanism: it protects the application against MITM attacks by only allowing connections to servers that present the pinned, trusted certificates.

Monday, 20 October 2014

Android Security Hardening Cheats Part-2

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS benchmark down to the most critical steps for your devices, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.


How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective device.
CIS - Reference number in The Center for Internet Security (CIS) benchmark, if applicable.
UT Note - The notes after each checklist provide additional details about the step for the university computing environment.
Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).

Supported devices

Supported devices include any that can run Android 4.0 and later. Some security settings and options may not be available on older devices.

Checklist

All items marked with a ! are mandatory to be considered compliant with the Minimum Standards governing the use of Category I data.
Step | To Do | CIS | UT Note | Cat I | Cat II/III
---- | ----- | --- | ------- | ----- | ----------
Basic Security
1 | Update operating system to the latest version | 1.1.1 | § | ! | !
2 | Do not root the device | | § | ! |
3 | Do not install applications from third party app stores | 1.1.17 | § | ! |
4 | Enable device encryption | 1.1.15 | § | ! |
5 | Disable 'developer options' | 1.1.16 | § | ! | !
6 | Use an application/service to provide remote wipe functionality | 3.2 | § | ! |
7 | Enable Android Device Manager | | § | |
8 | Erase all data before return, repair, or recycle | 1.1.11 | § | ! | !
Authentication Security
9 | Set a PIN and automatically lock the device when it sleeps | 1.1.2 | § | ! | !
10 | Set an alphanumeric password | 1.1.3 | § | |
11 | Set auto-lock timeout | 1.1.4 | § | ! | !
12 | Disable 'make passwords visible' | 1.1.14 | § | |
13 | Erase data upon excessive passcode failures | | § | ! |
Browser Security
14 | Show security warnings for visited sites | 1.2.2 | § | ! | !
15 | Disable 'Form auto-fill' | 1.2.3 | § | |
16 | Do not automatically remember passwords | 1.2.7 | § | |
17 | Disable browser plug-ins | 1.2.6 | § | |
18 | Turn on Do Not Track | | § | |
Network Security
19 | Turn off Bluetooth when not in use | 1.1.9 | § | |
20 | Disable Network Notification | 1.1.6 | § | ! |
21 | Forget Wi-Fi networks to prevent automatic rejoin | 1.1.5 | § | |
Additional Security Settings (see footnote 1)
22 | Turn off Location Services | 1.1.8 | § | |
23 | Use a third party application to password protect applications with sensitive data | | § | |
24 | Limit the number of text (SMS) and multimedia messages (MMS) saved | 1.1.18 - 1.1.19 | § | |
25 | Disallow cookies in Chrome browser | 1.2.4 | § | |
26 | Disable JavaScript in Chrome browser | 1.2.1 | § | |
27 | Use TextSecure to encrypt SMS messages | | § | |

Footnote

1 These security settings are proactive in nature, but are intended for devices where there exists a very high need for security, as they may negatively impact the user experience and interfere with the functionality and utility of many applications.

UT Note: Addendum

This list provides specific tasks related to the computing environment at The University of Texas at Austin.
Please be aware that the exact process for activating security features will vary from device to device and between versions of the operating system.  The instructions here are provided for reference only and will not be applicable to all handsets.  It is recommended that users follow the instructions contained in the operating manual for their device where possible.
1
Update operating system to the latest version
Android devices ship with various versions of the operating system, determined by both the selected carrier and handset manufacturer. New versions of the Android operating system frequently address security vulnerabilities in addition to providing bug fixes and adding new features. Not all devices will support the most recent version of Android and not all carriers will make upgrades available for all handsets, even ones that are capable of running the newer software. Upgrade to the latest available and supported version for your device.
For high security environments, plan on replacing devices every 2-3 years in order to stay current on operating system releases. Additionally, consider using only Nexus devices, which are supported by Google directly instead of a mobile carrier, in order to ensure that operating system updates are actually made available to you.
2
Do not root the device
Rooting an Android device often takes advantage of known vulnerabilities in the operating system to disable the security controls that prevent users and applications from performing actions such as executing privileged commands, interacting with the hardware at a low level, modifying and deleting necessary system files, and removing carrier- and manufacturer-installed applications. Once these security controls are bypassed, any application has the ability to break out of its sandbox and act maliciously (perhaps unintentionally). Installers for rooting Android devices typically add a Superuser application which is used to specify the applications that are allowed to elevate their privileges; however, this is another security control that must be managed and monitored by the end user. Unlike on iOS devices, rooting is not required to sideload applications.
You should understand that by rooting your device, you are taking on increased responsibility for securing your device and protecting yourself from malicious software. Devices used with Category I data should not be rooted.
3
Do not install applications from third party app stores
Google manages applications distributed through the Google Play store and has the ability to remove malicious applications both from the store when discovered and directly from any devices that have installed the applications from the Google Play store. Installing applications from other sources is riskier since you have no way of knowing how the stores are managed and whether or not the applications available in it can be trusted to not be malicious in nature.
To disable application installation from unknown sources:
  1. Press the Menu button
  2. Tap System settings.
  3. Tap Security.
  4. Scroll to Device administration.
  5. Uncheck Unknown sources.
4
Enable device encryption
When enabled, Android uses your passcode or password to generate an encryption key that is then used to encrypt the device. This passcode/password is then required every time the device is powered on. This protects the data stored on the device from unauthorized access in the event that it is lost or stolen. The encryption process may take an extended amount of time, depending upon the amount of storage in the device. The device needs to remain plugged in and the encryption process should not be interrupted.
To encrypt a device:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Scroll to Encryption.
  6. Tap Encrypt [device].
  7. Tap Encrypt [device] again.
  8. Enter lock screen passcode or password when prompted.
  9. Tap Continue.
  10. Tap Encrypt [device].
5
Disable 'developer options'
Android provides a number of features that allow developers to interact with the device through the built-in USB power/data port to change its behavior, read and modify local storage, and issue commands. When enabled, it is possible to completely control a device through this interface. These features should be enabled only as needed and only for the duration required for testing.
To disable developer options:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to System.
  4. Tap Developer options.
  5. Uncheck USB debugging.
  6. Uncheck Stay awake.
  7. Uncheck Mock locations.
6
Use an application/service to provide remote wipe functionality
The intent with this is to ensure that if the device is lost, the data can be erased remotely.  There are a couple of ways to accomplish this with Android:
  • Austin Exchange Messaging Service provides this functionality to synchronized devices.  Device wipes can be requested by the Exchange server administrator or initiated by the account holder through Outlook Web Access under Options > Mobile Devices.
  • Google Play provides this functionality through the free Android Device Manager service.
  • Many third party applications provide this functionality. Some options include Norton Mobile Security, Wave Secure, Lookout, Security Shield, and Theft Aware. The exact feature set of each application varies; some do much more than just provide remote wipe functionality. At a minimum, users should look for the ability to lock the device remotely, wipe the device remotely, and wipe the device after too many failed unlock attempts when evaluating products for this requirement.
7
Enable Android Device Manager
Android Device Manager is a free service provided by Google that allows users to track and remotely lock or erase an Android device. A free Google account is required to use this service. If a device is lost or stolen, having this service enabled may allow the owner to find and recover the device with the assistance of the University Police Department (UTPD). Even if recovery of the device isn't possible, the ability to remotely erase may protect any sensitive data that was stored on it.
To enable Android Device Manager:
  1. Press the Menu button.
  2. Tap System settings.
  3. Tap Security.
  4. Scroll to Device administration.
  5. Tap Device administrators.
  6. Check Android Device Manager.
  7. Tap Activate.
8
Erase all data before return, repair, or recycle
In order to prevent an unauthorized person from being able to recover sensitive information from the device, the disk should be erased before it is out of your physical control. Note that for this method of erasing a device to be secure, meaning that the data is not forensically recoverable, encryption may need to be enabled on the device first (see control 4 above). This will vary based upon the specific device.
To erase a device:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Backup & reset.
  5. Tap Factory data reset.
  6. Check "Erase SD card" unless the SD card will be disposed of separately from the device.
  7. Tap Reset phone.
  8. Enter the passcode if requested.
  9. Tap Next.
  10. Tap Erase everything.
9
Set a PIN and automatically lock the device when it sleeps
Setting a PIN prevents casual unauthorized access to a device. A PIN (or a password) is more secure than a pattern as patterns can be trivially observed by people around you and there have been cases of using the fingerprint smudges on devices to derive lock-screen patterns. While setting a PIN you can also configure the device to immediately require that you enter the PIN after the device sleeps. This will prevent the device from being unlocked after sleeping from inactivity without entering the PIN first. Since a 4 digit PIN only has a maximum of 10,000 possible combinations, we recommend that users select a longer PIN.
To set a PIN:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Tap Screen lock.
  6. Tap PIN.
  7. Tap in a PIN.
  8. Tap Continue.
  9. Enter the same PIN again.
  10. Tap OK.
  11. Tap Automatically lock.
  12. Tap Immediately.
  13. Check Power button instantly locks if not already checked.
10
Set an alphanumeric password
In addition to the PIN and pattern options for authentication, Android also supports the use of alphanumeric password. For high security applications, it is recommended that a complex alphanumeric password be used instead of a PIN or pattern.
To enter an alphanumeric password:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Tap Screen lock.
  6. Tap Password.
  7. Type in a complex password.
  8. Tap Continue.
  9. Enter the same password again.
  10. Tap OK.
  11. Tap Automatically lock.
  12. Select Immediately.
  13. Check Power button instantly locks if not already checked.
11
Set auto-lock timeout
This option automatically locks the device after it has been inactive for the specified amount of time.
To enable:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Device.
  4. Tap Display.
  5. Tap Sleep.
  6. Tap 2 minutes.
  7. Press the Back button.
  8. Scroll to Personal.
  9. Tap Security.
  10. Confirm that Automatically lock is set to "2 minutes after sleep."
12
Disable 'make passwords visible'
This feature controls whether passwords are displayed as they are entered. Disabling this feature increases security by making it harder for people in close physical proximity to learn your passwords by observing you interact with your device.
To hide passwords as they are entered:
  1. Press the Menu button.
  2. Tap System settings.
  3. Tap Security.
  4. Uncheck Make passwords visible.
13
Erase data upon excessive passcode failures
Refer to control 6 above. Android does not natively provide this functionality, but there are a number of third party applications, some of which were mentioned earlier, which can. Since excessive passcode failures typically indicate the device is out of your physical control, having the device automatically erase may protect the confidentiality of information stored on the device.
14
Show security warnings for visited sites
This feature will warn you of common security problems, such as invalid or expired SSL certificates, affecting the web sites you visit. These warnings could indicate that communications between your computer and the site's server are not secure, meaning that data sent to the site could be intercepted. Caution should be exercised when using sites that generate security warnings with this feature.
To show security warnings for sites:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Check Show security warnings.
15
Disable 'Form auto-fill'
Data entered into web forms may be stored so that, upon subsequent visits to the page, the form can be auto-completed. While this may be convenient, it also may result in the storage of sensitive information, such as passwords and credit card numbers, locally on the device. Additionally, automatically filling in web forms could result in the unintentional disclosure of sensitive data to unauthorized people.
To disable the 'Form auto-fill' functionality:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Form data.
  6. Tap Clear form data.
  7. Tap OK on the confirmation dialog.
  8. Uncheck Remember form data.
  9. Press the Back button.
  10. Tap General.
  11. Uncheck Form auto-fill.
16
Do not automatically remember passwords
Refer to control 14 above. Passwords entered into forms are automatically stored so that they can be auto-filled upon subsequent visits to the site. This not only results in the local storage of user credentials entered via the web browser, but having the browser automatically fill forms using this data may result in the unintentional disclosure of the data to an unauthorized person.
To prevent the browser from remembering passwords:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Passwords.
  6. Tap Clear passwords and tap OK on the confirmation dialog.
  7. Uncheck Remember passwords.
17
Disable browser plug-ins
Chrome supports plug-ins that allow developers more control over sites or enable richer user experiences, such as Flash. Historically, the security of such plug-ins has been very poor and they have been and remain a very commonly exploited vector for infection by malware. Plug-ins should only be enabled for trusted sites and disabled when not in use.
To disable plug-ins in Chrome:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Advanced.
  5. Tap Enable plug-ins.
  6. Select Off.
18
Turn on Do Not Track
The Do Not Track option instructs Chrome to send a specific header in web requests that indicates your preference not to be tracked by the websites you visit. Many sites have opted to honor this preference, so there is some small privacy benefit from enabling it. It is important to note, however, that this feature is strictly voluntary and web sites are under no obligation to honor it. There are no guarantees that any specific web site will now, or in the future, continue to obey this header.
To turn on Do Not Track:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy.
  5. Tap Do Not Track.
  6. Select On.
19
Turn off Bluetooth when not in use
Disabling Bluetooth reduces the remote attack surface of devices and may also prevent you from unintentionally connecting to unknown Bluetooth services and devices. Bluetooth should be enabled only when it is actively being used.
To turn off Bluetooth:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Wireless & networks
  4. Slide the Bluetooth switch to Off.
20
Disable Network Notification
By default, Android devices will automatically present a list of detected wireless networks from an icon in the status bar that users may attempt to connect to when no networks that have previously been connected to are available. The issue is that anyone can run a wireless hotspot and, joining a poorly configured or insecure network could allow a malicious user on that same network to intercept, capture, and alter any network traffic sent by a user. In fact, many attackers will intentionally run wireless networks in popular, crowded areas, like airports and coffee shops, hoping to lure unsuspecting users into connecting. If this feature is disabled, you must manually search for and select a wireless network to join. This may reduce the risk of inadvertently joining a similarly named yet untrusted network (e.g. “defualt” instead of “default”).
To disable network notifications:
  1. Press the Menu button.
  2. Tap System settings.
  3. Tap More... if present.
  4. Tap Wi-Fi settings.
  5. Tap the Menu icon and choose Advanced.
  6. Uncheck Network notification.
21
Forget Wi-Fi networks to prevent automatic rejoin
By default, an Android device will remember and automatically rejoin networks that it has previously associated with. The problem with this is that a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined. Additionally, if a previously joined network has a common SSID, such as "default" or "linksys", it is very probable that the device will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.
To forget a remembered or connected Wi-Fi network:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Wireless & networks.
  4. Tap More... if present.
  5. Tap Wi-Fi.
  6. In the Wi-Fi settings, locate the Wi-Fi network.
  7. Tap and hold down on the entry for the network you wish to forget.
  8. Tap Forget.
22
Turn off Location Services
Location Services allows installed applications and visited websites the ability to request your current location. Once access is granted to an application, the application may request the data again at any time with no further notification to users.
To turn off Location Services:
  1. Tap globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Location.
  6. Uncheck "Enable location."
  7. Press the Home button.
  8. Press the Menu button.
  9. Tap System settings.
  10. Scroll to Personal.
  11. Tap Location services.
  12. Uncheck Google's location service.
  13. Uncheck GPS satellites.
23
Use a third party application to password protect applications with sensitive data
Some options for this include App Lock, App Protector Pro, and Protector.  These applications allow for a separate password to be required to launch specific applications.  This may be useful to secure applications that store sensitive data so they cannot be accessed even if the device is found unlocked. If supported by your device, encryption is a much stronger and more secure approach to protecting data however (see control 4 above).
24
Limit the number of text (SMS) and multimedia messages (MMS) saved
For high security environments, limiting the number of SMS and MMS messages saved per conversation thread may reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.
To limit the number of messages saved:
  1. Tap Message icon.
  2. Press Menu button.
  3. Tap Settings.
  4. Check Delete old messages.
  5. Tap Text message limit.
  6. Scroll to 100.
  7. Tap Set.
  8. Tap Multimedia message limit.
  9. Scroll to 20 messages.
  10. Tap Set.
25
Disallow cookies in Chrome browser
While this setting does have the beneficial effect of disallowing third party tracking cookies, it is overall not recommended for most users as cookies are heavily utilized by typical modern web applications. Using this feature selectively, though, may provide a sort of limited privacy mode in Chrome.
To disable cookies:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Tap Clear all cookie data.
  6. Tap OK.
  7. Uncheck "Accept cookies."
26
Disable JavaScript in Chrome browser
Ideally JavaScript should only be available when browsing trusted websites. In high security environments, it may make sense to disable JavaScript as a method of hardening the browser against malicious web sites. This is not recommended for most users as JavaScript is heavily utilized by typical modern web applications.
To disable JavaScript:
  1. Tap the globe Browser icon.
  2. Press the menu button.
  3. Tap Settings.
  4. Tap Advanced.
  5. Uncheck JavaScript.
27
Use TextSecure to encrypt SMS messages
The application TextSecure available in the Google Play store can encrypt SMS and MMS messages in transit and at rest on the device. This helps secure your communications with others from interception and alteration. Also, just like limiting the number of messages saved (from control 24 above), this can reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.