Android is the most popular operating system in the world, and in most instances Google, a privacy-invading company, tracks you. The manufacturer of your device tracks you. And sometimes even your carrier tracks you through pre-installed bloatware. So Android security is kind of a “MUST” for this generation! Privacy on Android may seem impossible, but there are steps to improve it and several ways to make it an extremely private device. Arguably, the most private device you can get your hands on today.
Your data and privacy are vital. We live in a world where everything there is to know about you is discoverable to people you know, companies, governments, and everyone in between. If your data goes into the wrong hands, it may get sold for any purpose for just a few bucks! So, how do you stay secure on Android?
The article is divided into three zones. Zone 1 shouldn’t impact day to day usage. So, I recommend you implement everything within it. Zone 2 will require some small changes that may impact convenience and zone 3 is zone 3. It’s for those looking to go above and beyond. This is mostly a guideline and your specific needs may vary depending on your threat model.
The steps are sorted by zone throughout the article, and there is a checklist PDF that corresponds with all the steps to keep you organized along the way.
A final note before going deep. This article will cover custom ROMs like LineageOS and GrapheneOS in zone 3. But it’ll also cater to a more traditional locked-down Android device that doesn’t allow custom ROMs.
Now, let’s jump into securing our Android device!
Android Security Guide
This article will refer to Android as three different types.
- Type 1 Android is your run-of-the-mill phone from a cell company. These typically involve Google, the manufacturer, and your carrier tracking you, as well as poor security update support and typically locked bootloaders preventing any modification.
- Type 2 Android is stock Android or close to stock. These normally have Google tracking and minimal third-party tracking, which is already a huge improvement. Most close-to-stock devices are open for some ROMs and get much better update support.
- Type 3 Android will be referred to as custom Android ROMs, which essentially means flashing a new operating system on your phone, one that typically has no tracking out of the box.
Most type 2 Android devices can become type 3. And even type 1 can become type 3 depending on your device and whether it’s locked or unlocked.
It’s a big article so let’s get into zone 1.
Set a strong password
Your device’s password is your first form of protection on your device, making it not only an important thing to secure but also easy to implement. Use a strong password. If your device is locked and requires a password, having a strong one will be your first line of defense.
As a side note, make sure notifications, as well as any voice assistant and settings toggles, are not publicly accessible on your lock screen.
Use of Biometrics
Once you set a strong password there are likely some options to utilize biometrics. These typically suffer three major issues. One, they are easy to crack. Two, they fall under different legal jurisdictions in some countries. That means authorities can force you to unlock your phone if it’s utilizing biometrics. In the US specifically, passwords have historically been protected under both the Fourth and Fifth Amendments, but this rarely if ever extends to biometrics. And three, some users have privacy concerns about biometric data stored on their devices.
If you want the convenience of biometrics, feel free to use them. Just remember to disable them in high-risk areas like airports, protests, borders, and other places with heavy law enforcement where you may have to unlock your device. As for Android lock patterns, they have been shown time and time again to be incredibly insecure, so avoid them at all costs.
Lastly, some Android devices have something called screen pinning, which locks the phone to a specific app if you’re letting someone else use your device and want to keep them inside just a single application. It’s just a fun tip.
Passwords on Websites
Passwords that you use on websites are commonly left out of your security. If you use the same or similar password for all of your services, one breach can very easily lead to the others being breached, since they utilize the same or similar credentials. Weak passwords are in general very easy to crack.
Make sure, at least in zone 1, that you are using a strong, unique password. I’ll write an article on what that means and the different methods of doing it.
Zone 2 will go further into this.
Browsers
Your browser has the ability to track everywhere you go on the internet. Ensuring you are only using something with proven security and privacy is paramount to protecting your web traffic.
I suggest you use different browsers for different kinds of activities. The main reason to use multiple browsers is to separate your traffic and add additional features. Having a browser like DuckDuckGo or Firefox Focus for non-personal, disposable searches which auto-delete when you close the browser, away from your normal web browser, is fantastic, not to mention they add tracking and ad protection.
I recommend having at least one disposable browser as discussed in your arsenal, and more is always an option. Bromite is a fantastic browser with an emphasis on security and privacy. And Tor does have an official app for Android to help anonymize your web traffic significantly.
I’ll upload a guide talking about mobile browser compartmentalization and how to do it so make sure to subscribe so that you don’t miss that!
Hopefully, this gets you thinking about separating your searches and web traffic across different browsers based on their main function.
Search Engine
Similar to your browser, your search engine also has the capability of tracking everything you do on the Internet, which major companies like Google do.
Android browsers tend to offer you a lot more customization here than iOS. The two mainstream recommendations are DuckDuckGo and Startpage. So, see if you can implement one of those within your browsers as the default, or use something else with privacy in mind.
VPN
Your IP address uniquely identifies you on the Internet, and different websites use your IP address to track you. A simple way to prevent this is by utilizing a trusted VPN provider, to not only hide your IP address from sites but also gain some additional protection against attackers on public Wi-Fi networks, cell companies and other snoops snooping on your traffic.
Many VPNs include additional protection like private DNS, ad blocking and more. If you’re using trusted and mostly open-source applications, NetGuard (a no-root firewall app) loses some of its use cases, so analyze the apps you have on your phone on AppCensus and Exodus Privacy for insight into their background activities. We recommend VPNs over NetGuard for most users, but just know that NetGuard is an option available to you if you have a specific reason to use it.
DNS
DNS is the Domain Name System; DNS servers are like a phonebook for the internet, directing you to the sites you visit every day. The problem is, most default DNS providers track your browsing. So, try using a DNS provider with privacy in mind.
If you’re using a VPN service, it likely includes its own DNS server, which means you don’t need to worry about this. If you aren’t using a VPN, check out the DNS servers listed on privacytools.io and manually set them on your phone. How to do this will vary depending on what version of Android you’re running.
Minimalism
This is broad, but less is almost always more when it comes to security and privacy. Each additional application and setting you utilize increases the attack surface and the possibility of abuse of your personal information. If you’re a person with pages and pages of apps that you mostly never use, they are likely not just doing harm in the background with your data but also negatively impacting things like battery life and storage space. So, delete them, or for stock apps, disable as many as you can.
Some applications like Twitter have amazing mobile sites. So, if you can utilize the web app within your browser and add it to your home screen that’s a great way to separate the app and keep it within your browser which is typically safer than the application.
There are also apps like Web Apps and Frost for Facebook, and lots of other versions of that, on places like F-Droid, which is an app store we’re going to cover very shortly.
Clear temporary data
Outside of apps, try to frequently clear data you don’t need, like old text messages, phone calls, and especially temporary data like browser cache, history, cookies, and other temp data within your applications.
Settings
Tying into minimalism, there are lots of settings on your phone and within applications that you may never use and that are pointlessly collecting data about you as an individual. We have a Go Incognito lesson covering this more thoroughly.
Also, if you’re looking for more specific settings to disable, do not forget to go through each individual application’s settings as well, to ensure nothing is needlessly tracking you within the application.
Permissions
On a similar note, app and OS permissions should not be taken lightly. Calculator apps don’t need your contacts, and a workout app doesn’t need your location. Dig into the privacy settings and revoke any permissions that seem questionable.
Keep in mind there are workarounds to abuse permissions that you disable. It’s pretty spooky, and shows it’s better to not have the app at all. Where possible, web apps will prevent this kind of abuse, as we talked about in the minimalism section.
SIM Lock
One of the most forgotten things to do is set a password on your SIM card. If it’s storing your contacts, someone can just pop out your SIM card and view the information. Even without contacts, if your phone is stolen, someone can send fraudulent messages using your phone number and no one would know it isn’t you!
You can do this quite easily within your settings.
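As an added example that is not part of the original guide: the permission audit described above can also be done from a computer with adb (Android 6 and later, no root required) instead of tapping through every app’s settings page. The script parses the `runtime permissions:` section of `adb shell dumpsys package <pkg>` and prints the `pm revoke` commands for sensitive permissions that are currently granted, so you can review them before running them. The package name `com.example.calc`, the sample dumpsys excerpt and the sensitive-permission list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Audits the runtime permissions
# an installed app currently holds and prints the `adb shell pm revoke`
# commands that would take the sensitive ones back. Needs only adb and a
# device with USB debugging enabled (no root). Package name, sample output and
# the sensitive-permission list below are constructed for illustration.

# Permissions a calculator or workout app has no business holding.
SENSITIVE='LOCATION|CONTACTS|SMS|CALL_LOG|RECORD_AUDIO|CAMERA|READ_PHONE_STATE'

# Print every permission marked granted=true inside the "runtime permissions:"
# section of `dumpsys package` output read from stdin.
granted_runtime_perms() {
  awk '
    /runtime permissions:/ { inperm = 1; next }   # section starts here
    inperm && !/granted=/  { inperm = 0; next }   # first non-permission line ends it
    inperm && /granted=true/ {
      sub(/^[ \t]+/, ""); sub(/:.*/, ""); print   # keep only the permission name
    }
  '
}

# Keep only permissions that match the sensitive set (an empty result is not an error).
sensitive_only() {
  grep -E "$SENSITIVE" || true
}

# Emit one revoke command per sensitive, currently granted permission.
# $1 = package name; dumpsys text on stdin.
revoke_commands() {
  granted_runtime_perms | sensitive_only | while IFS= read -r perm; do
    printf 'adb shell pm revoke %s %s\n' "$1" "$perm"
  done
}

# Constructed excerpt of what `adb shell dumpsys package com.example.calc` prints.
SAMPLE_DUMPSYS='  Package [com.example.calc] (1a2b3c):
    userId=10123
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
    Dexopt state:'

# With a device attached, audit the package given on the command line;
# otherwise demonstrate on the constructed sample. Nothing is revoked until
# you run the printed commands yourself.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  pkg="${1:-com.example.calc}"
  adb shell dumpsys package "$pkg" | revoke_commands "$pkg"
else
  printf '%s\n' "$SAMPLE_DUMPSYS" | revoke_commands com.example.calc
fi
```

Run it as `sh audit_perms.sh com.example.calc` with the phone connected; storage permissions are deliberately left out of the sensitive set here because many legitimate apps need them, so adjust the list to your own threat model.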
Updates
Most things you read about, like the newest Android exploits, are almost always patched through updates. The best thing to do, as much as they can suck, is to utilize automatic updates for Android as well as your applications. I personally like reading the changes being made; if you are in that boat, or simply prefer the manual route, make sure to at least check for updates frequently, I’d say about once a week.
Keep in mind most type 1 Android devices, like Samsung phones and others, get delayed Android security updates, and stop getting Android security updates at all after normally just a couple of years. It’s a good reason to avoid these types of devices if possible.
Type 2 and type 3 devices tend to have quicker updates with longer update support.
Rooting
Finishing off zone 1 is rooting. You can root to gain additional functionality, and if you really know what you’re doing you may be able to accomplish some things for your privacy you wouldn’t otherwise be able to do on Android.
However, for the overwhelming majority, rooting will only lower security and open your device up, so we recommend almost all readers just avoid rooting unless you know exactly what you’re doing.
FOSS
FOSS stands for “Free and Open Source Software.” This means the software’s code is publicly viewable and theoretically modifiable by the community, which ensures you can verify the security and privacy behind the software.
We have a whole video covering this more thoroughly in general.
I just advise moving from proprietary to FOSS applications as much as possible. Signal is FOSS, as are some VPNs like ProtonVPN and IVPN, and email providers like Tutanota and ProtonMail.
FOSS will typically honor you and your data much better than proprietary solutions. To find FOSS alternatives to apps you use, check out AlternativeTo.net for recommendations. Android is wonderful as it has a fantastic app store called F-Droid, which exclusively hosts open-source applications that you can use on any Android device alongside the Play Store.
Communication
We use our phones predominantly for communication. So, ensuring you’re communicating as securely as possible is quite important. The biggest one is to avoid SMS and standard phone calls at all costs. SMS is unencrypted and messages are stored by your cellular provider indefinitely, meaning government entities, as well as any random person, can likely intercept them. Phone calls are similar. The goal is to move to something that implements proper encryption with the privacy of the user in mind. You can find some messengers on privacytools.io as well as this site; the highlights being Signal, Briar and Riot, with Signal being the simplest and easiest recommendation we have for you, which can even replace your default SMS application on Android.
Outside of texting and phone calls, if you’re looking to implement encrypted email, check out ProtonMail and Tutanota. Both have very generous free plans and offer a fantastic user experience. Tutanota is already on F-Droid and ProtonMail is supposed to be coming soon.
I’ll leave links to both of those in a description
Zone 2
Avoiding Google is a great step for controlling your data, as Google is not a privacy-friendly company whatsoever.
For zone 2, disable as much as possible related to Google in your settings, like cloud backups, device syncing, and ideally other cloud providers as well. This will require manual backups. So, you’ll have to either find ways of backing up your raw data or use a third-party solution to do a device backup to your computer.
Password Managers
Outside of using strong and unique passwords, which we covered in zone 1, where and how they’re stored can be incredibly important as well.
Password managers are a commonly recommended way to go. We have covered which password managers to use in a Go Incognito blog post, so check that out for the long answer.
In short, avoid storing your passwords within your browser. If you want simple cloud syncing between your devices, check out Bitwarden on the Play Store or F-Droid. If you want a more DIY password manager, there’s Keepass2Android from the Play Store with in-house cloud syncing, and KeePassDX on F-Droid, currently geared for more local usage.
I have a whole guide to KeePass on our channel for those who want to learn how it works.
Two Factor Authentication (2FA)
Beyond having a strong password, implementing two-factor authentication is arguably just as important. 2FA combines something you know, like a password, with something you have, ideally a code generated locally on your device.
At the very least, SMS 2FA, which are those texts you receive with a code, is better than nothing, although there are a couple of issues with SMS 2FA, such as the risk of SIM swapping.
The better and more recommended option is a local authenticator app that you set up with a QR code. Not every site supports this, but many do, so look for it and use it instead of SMS when available. Some notable Android apps are andOTP and Aegis, both of which are open-source and available on the Play Store and F-Droid.
Radio and Bluetooth
Radios apply to anything that gives off a signal on your phone. This means predominantly cellular, Wi-Fi, Bluetooth, NFC and GPS. We will cover the more extreme solutions in zone 3, but for zone 2, try disabling Bluetooth and NFC when they are not in use.
Bluetooth, for one, is an insanely insecure protocol, not to mention Bluetooth being an instrumental tool used to track your movements. It’s even being implemented in stores like Target, Walmart and more, where beacons are used to track where you walk throughout the store, which is then fed to advertisers who target you with the products you viewed within the store.
As for Wi-Fi, it’s good practice to disable it when you are using cellular, and vice versa. For GPS, leaving it off when not in use and disabling as many permissions related to it in the settings, for both the operating system and specific applications, is highly advisable.
The general rule of thumb: if it doesn’t need to be on, turn it off.
Multiple User accounts
Most Android devices offer something very neat: multiple user accounts, something Apple has yet to catch up on.
You can use these to compartmentalize or separate different aspects of your life. Maybe you have a business account, a school account, and a dating account, and then your personal account. You can have two or more; the options are limitless. The goal here is to separate aspects of your life that don’t need to be intermixed within the same operating system, for both privacy and security benefits. It’s a spectacular feature currently exclusive to Android for mobile devices.
Camera covers
Most people are aware of this one, but covering your cameras can prevent the theoretical camera hack where someone spies on you through your camera. Cover them up. If you never use your cameras and don’t want to, just use tape. If you are a standard user who uses their cameras frequently, there are some sliding covers you can apply which will block them when not in use but still allow you to use the cameras easily.
I’ll leave some of these options in the description that you can use.
Privacy screen protector
The last step for zone 2 is another physical mod, and it’s a privacy screen protector. These make it very difficult to view your phone screen from side angles, protecting your personal information from snoops and shoulder surfers.
I will leave a link in the description with some privacy screen protectors. I cannot recommend them enough; the peace of mind they give me in public spaces is fantastic.
Zone 3 (Actual Android security)
Finally, here we are, in zone 3! And like I mentioned earlier, this is for the extreme users looking for the utmost Android security and privacy on their devices.
GPS and Location
First disable GPS and location altogether. It is easily abused by your operating system and applications to track everywhere you go throughout the day.
When disabled entirely, you have to manually enter addresses for navigation or rely on a separate device. This will obviously mean any software used to find your phone if it’s lost will not work. So again, zone 3 is for extreme usage, which can oftentimes have negative consequences.
Keep in mind that just because GPS is off, it doesn’t mean apps can’t access a general location of where you are as your IP address can narrow you down pretty well.
Again go to zone 1 for VPNs which combined with disabling GPS will prevent most people from tracking your location.
Faraday pouches and backpacks
If you want a guaranteed method of cutting out all radios from your device, without just using airplane mode, look into Faraday pouches and backpacks. They are designed to fully eliminate the communication your device has with the outside world. They do have to be used properly, and I’d recommend looking at the sources for some tips on doing so.
I’ll also leave some products to check out in the description that seem to be great options.
Disable Google Products
To take things with Google a step further, you can fully log out of your Google account and the phone will still be usable. You will lose Google-specific features and the Play Store, but Android still allows you to use third-party app stores like Aurora Store from F-Droid, which gets you apps straight from the Google Play Store without needing a Google account, not to mention F-Droid itself if you want to stick to 100% open-source software.
The one downside is that even after logging out, Google Play services will still undoubtedly track you and build a shadow profile on an account indirectly tied to you. This is an improvement, but still a concern if you want to fully get away from Google.
Some people may find luck removing Google Play services and/or the stock applications on their phone using ADB, but this is a pretty messy solution that only more advanced users should look into for their specific device.
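An added example, not from the original article, of the ADB approach just mentioned, done the reversible way: rather than uninstalling packages, the script emits `pm disable-user --user 0` commands for packages on your own denylist that are actually present on the device (`adb shell pm enable <pkg>` turns a package back on). The package names in the sample list and denylist are constructed placeholders; which packages are safe to disable depends on your specific device, which is exactly why the script only prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example (not from the original article). Given the output of
# `adb shell pm list packages` on stdin and a space-separated denylist, prints
# the reversible `pm disable-user --user 0` command for each denylisted package
# that is actually installed. `adb shell pm enable <pkg>` turns a package back
# on. All package names below are constructed placeholders: which packages are
# safe to disable depends on your device, so review the output before running it.

# Packages you have decided to switch off; fill in from your own device audit.
DENYLIST='com.example.vendor.weather com.example.carrier.promo com.example.not.installed'

# Print the denylisted packages that appear in the package list on stdin,
# in device order, stripping the "package:" prefix that pm prints.
installed_targets() {   # $1 = denylist
  awk -v deny="$1" '
    BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
    sub(/^package:/, "") && ($0 in want) { print }
  '
}

# One disable command per installed target. Printed, not executed.
disable_commands() {    # $1 = denylist
  installed_targets "$1" | while IFS= read -r pkg; do
    printf 'adb shell pm disable-user --user 0 %s\n' "$pkg"
  done
}

# Matching enable commands, so the change can be rolled back package by package.
enable_commands() {     # $1 = denylist
  installed_targets "$1" | while IFS= read -r pkg; do
    printf 'adb shell pm enable %s\n' "$pkg"
  done
}

# Constructed stand-in for `adb shell pm list packages` output.
SAMPLE_PACKAGES='package:com.example.system.settings
package:com.example.vendor.weather
package:com.example.carrier.promo
package:com.example.messenger'

# With a device attached, list what would be disabled on it; otherwise
# demonstrate on the constructed sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  adb shell pm list packages | disable_commands "$DENYLIST"
else
  printf '%s\n' "$SAMPLE_PACKAGES" | disable_commands "$DENYLIST"
fi
```

Once you have checked the printed list, `sh debloat.sh | sh` applies it, and piping `enable_commands` the same way undoes it. Disabling for user 0 only, rather than uninstalling, keeps the APK on the system partition, so a factory reset or `pm enable` restores the stock state.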
If this is all too extreme, at the very least ensure you’ve handed over as little personal information as possible to Google: disable analytics performed by them in the settings, disable as many features as possible, log in to your Google My Activity page and disable everything there, along with the other steps we covered in zone 2.
Cellular Provider
Similar to SIM cards, your cellular provider is likely something you forgot about. In the US, they are all universally bad for privacy. Your best bet is to at least sign up with as little personal information as possible.
My personal favorite provider is Mint Mobile, which is a prepaid cell plan, meaning you pay upfront for however long you want, with no contracts or recurring payments. All they require is an email, a payment method and an address to send you the SIM card. I was able to use a mail drop, a pseudonymous email and a non-relatable vanilla Visa card paid for in cash to obtain the SIM card I use every day. Mint has no direct information about me, and I’d recommend you go this route, or a similar one, with whatever provider works best for your needs.
Camera and Microphone
There are also those pesky cameras and mics. If you really don’t want them, consider removing the cameras; depending on your phone model this may be extremely simple. You can also snip the microphone and stick to only using the microphone on your earbuds. This is for very extreme threat models, but the option is available. Note that opening up your device may void its warranty.
Custom ROMs
And finally, we saved the best for last. Custom ROMs are what we classify as type 3 Android. These ROMs generally don’t come with Google Play services, making them a fantastic option for privacy, as you get an open-source Android device where you can use open-source stores like F-Droid and Aurora Store to get most of your open-source applications with the utmost privacy.
Probably the most well-known custom ROM to date is LineageOS. It is great if your device is supported. However, be aware that LineageOS requires an unlocked bootloader, which lowers the security of your device against attackers, as well as some other things that decrease security.
Almost all custom ROMs are in this boat of typically being good for privacy, as there’s zero Google, at the cost of a drop in security. But not so fast: there are two options for users who want to de-Google without sacrificing security.
1. Calyx OS
CalyxOS is based on the Android Open Source Project (AOSP) and maintains its strong security model, with microG. microG is an open-source alternative to Google Play services. It will still technically contact Google, but in a much more controlled and open-source fashion: you are able to know exactly what’s being sent over, without needing to be logged in.
CalyxOS is a great ROM for those of you who can’t live without apps that rely on Google Play services, as most apps will work great on CalyxOS because of microG.
We are planning on covering CalyxOS soon on the channel, so make sure to subscribe if you want to see a full review of that ROM.
2. Graphene OS
The second ROM is GrapheneOS, which is similarly based on AOSP and actually improves on its security model. This is one of, if not the most secure operating system you can run on a mobile device, with zero Google out of the box.
We covered GrapheneOS more thoroughly on our channel, which we’d heavily recommend checking out.
Even people like Edward Snowden have endorsed them; both GrapheneOS and CalyxOS are fantastic ROMs. They are mainly geared towards Google Pixels, which are ironically the devices most open to flashing ROMs to de-Google, with some of the strongest security models and open-source hardware and firmware.
That’s all, my friend! I would like to end this article with the quote, “Information is wealth!”
I would really like to know up to which level (zone) you could go. So, let me know your preferred zone in the comments down below, and if you have any suggestions, feel free to comment.
Also, if you found this guide helpful and informative, make sure to share it to reach and educate more people about privacy, and subscribe to our blog so that you don’t miss our newer content.