Experience report: A field analysis of user-defined security configurations of Android devices

The wide spreading of mobile devices, such as smart phones and tablets, and their always-advancing capabilities, ranging from taking photos to accessing banking accounts, makes them an attractive target for attackers. This, together with the fact that users frequently store critical personal information in such devices and that many organizations currently allow employees to use their personal devices to access the enterprise information infrastructure and applications, turns assessing the security of mobile devices into a key issue. In order to understand the common misconfiguration problems, this practical experience report presents a held analysis of 41 user-defined security settings of more than 500 Android devices. Findings suggest that most users neglect basic security configurations such as login mechanisms and (bat manufacturers should rethink their policies in terms of the security settings that can be modified by the users. The paper also proposes concrete security countermeasures to mitigate some of the identified misconfigurations.