I should start by explaining my situation; my father-in-law recently bought a generic tablet because he wants to have quick access to the internet while on the couch. He will use it to browse all kinds of sites like most would on a laptop. I know there are some unscrupulous sites that, while not containing viruses per se, can still be very annoying. My question is: If I turn off the ability to accept 3rd party apps, as well as verify the apps he gets from the Play Store, is there any danger in the sites that he visits in terms of putting malicious software on his tablet? He knows about phishing sites and how to avoid those, but could his browsing harm the tablet or access anything it shouldn't? I am especially worried about him accidentally turning the tablet into a packet sniffer or an eavesdropping device. I googled it, and it seems that people will say both yes and no, with no real way to verify who is right.
I have asked a similar question here before, but that was for me and most sites that I go to are safe. But I don't know the sites for him, so I am paranoid. As a secondary question, can an app hide from showing it is installed? If a shady website is (accidentally) visited, is there any chance that it would install something and not display it when I look at a list of all apps?
Unless the tablet is rooted you really have nothing to worry about.
Android by default is a rather secure OS with built-in global policies like sandboxing and a robust user policy that becomes rather difficult to exploit in comparison to a Windows-based system.
It would take a series of repetitive events in order to invoke the installation of 3rd party software on the device between its download, failure to install and acceptance of notice of failure, change of exact settings, then a secondary round of all the initial triggers to get the ball rolling again.
Even then, if the tablet is not rooted any given malware would still be restricted to default Android policy management and not be able to monitor or sniff network traffic. They certainly could just blast the user with ads and track the user's activities.
Apps can hide themselves, but once again without root it would take a series of trigger events to grant the app administrator access to the system. Even then it would show up in the device administrator list of the device, and a flick of the finger disables it. Even with administrator access a malicious app could not poison your network, just wreak a bit more havoc on the local device, like formatting the SD card.
You are probably being a little too sensitive, just create your own local security policy.
Rule #1, as an untrusted device inform your wife or significant other to never log into banking or similar high security sites on said device.
Use a good high quality mobile security app on the device like Avast, AVG, or similar. Yes, they make mobile versions.
If you really are concerned you can protect the father-in-law and everyone who uses the same network he does, Wi-Fi OR connected, by implementing a free OpenDNS account.
OpenDNS - Parental Controls
Look into the free OpenDNS Home.
You obviously have a Wi-Fi router/residential gateway. In that Wi-Fi router/gateway settings you can specify an exact DNS address it has to use.
Every request for named internet traffic has to pass through a DNS server, and by creating a free account at OpenDNS and setting your router to use OpenDNS servers for domain name service, it allows you to apply specific blocks for content like known bad websites that spread malware, spyware, and viruses.
It's not as hard to set up as you think, and OpenDNS provides comprehensive instructions.
Give it a shot, just note that you do have to log into OpenDNS from a computer or device on the network you want to protect as OpenDNS can detect your network's IP address that way.
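A way to confirm that the router change described in the answer above took effect, added here as an example and not part of the original post: it sends a TXT query for OpenDNS's diagnostic name `debug.opendns.com` to a resolver you name (normally the router's LAN address) and checks for the diagnostic records that only OpenDNS returns. The function names are this example's own.

```python
import socket, struct, sys

def build_txt_query(name, txid=0x1234):
    """Encode a recursive DNS query for the TXT records of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates an uncompressed name
            return off + 1
        off += 1 + length

def parse_txt_answers(msg):
    """Return the TXT strings found in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        end = off + rdlen
        while rtype == 16 and off < end:       # TXT rdata: length-prefixed strings
            n = msg[off]
            texts.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        off = end
    return texts

def uses_opendns(texts):
    """OpenDNS answers the diagnostic name with records such as 'server <node>'."""
    return any(t.startswith("server ") for t in texts)

def check(resolver_ip, timeout=3.0):
    """Query `resolver_ip` (e.g. the router's LAN address) and report the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query("debug.opendns.com"), (resolver_ip, 53))
        return uses_opendns(parse_txt_answers(s.recv(4096)))

if __name__ == "__main__":
    print("OpenDNS in use:", check(sys.argv[1]))
```

Run it from any computer on the home network with the router's address as the argument; a result of `False` means queries are still going to the ISP's or another resolver.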