Android is the most popular operating system in the world. And in most instances, Google, a privacy-invading company, and the manufacturer of your device, like Samsung track you, and sometimes even your carrier through pre-installed bloatware. Privacy on the Android may seem impossible, but there are steps to improve it, and several ways to make it an extremely private device, arguably the most private device, you can get your hands on today. Your data and privacy are vital. We live in a world where everything there is to know about you is discoverable to people, you know, companies, governments, and everyone in between.
Security Zones
So we are going to learn how exactly you can make your Android device as private and secure as you need it to be, from beginner to extreme security. We are going to tackle these in basically three levels of security.
Zone one shouldn’t impact day-to-day usage. So I recommend you implement everything within it.
Zone two will require some small changes that may impact convenience.
Zone three is for those looking to go above and beyond. This is mostly a guideline and your specific needs may vary depending on your threat model. We’ll cover custom ROMs like LineageOS and GrapheneOS in zone three, but it’ll also cater to a more traditional lockdown Android device that doesn’t allow custom ROMs.
Android Types
This tutorial will refer to android as three different types:
Type one android is your run-of-the-mill phone from a cell company. These typically involve Google, the manufacturer, and your cell company tracking you as well as poor security update support and typically locked boot loaders preventing any modification.
Type two android is stock Android or close to stock. These normally have Google tracking and minimal third-party tracking, which is already a huge improvement. Most close-to-stock devices are open to custom ROMs and get much better update support.
Type three android will be referred to as custom Android ROMs, which is essentially flashing a new operating system on your phone, which typically has no tracking out of the box. Most type two Android devices can become type three and even type one can become type three depending on your device and whether it’s locked or unlocked.
ZONE ONE
Passwords
Your device password is your first form of protection on your device, making it not only an important thing to secure, but it’s also easy to implement. Use a strong password. If your device is locked out and requires a password, having a strong one will be your first line of defense. As a side note, Make sure notifications as well as any voice assistants and settings toggles are not publicly accessible on your lock screen.
Once you set a strong password, there are likely some options to utilize biometrics. These typically suffer three major issues. One that can be cracked fairly easily. Two, they fall under different legal jurisdictions in some countries, meaning you can be forced to unlock your phone if it’s utilizing biometrics. In the US specifically, passwords have historically been protected under both the fourth and fifth amendments, but this rarely ever extends to biometrics. Three, some users have privacy concerns behind biometric data stored on their devices. If you want the convenience of biometrics, feel free to use them.
Just remember to disable them in high-risk areas like airports, protests, borders, and other places with heavy law enforcement where you may be forced to unlock your device. As for Android lock patterns, they have been shown time and time again, to be incredibly insecure. So I would not recommend that you use them. Lastly, some Android devices have something called screen pinning, which locks the phone to a specific app. If you’re letting someone else use your device and want to keep them inside just a singular application. Just a fun tip 😉.
Passwords you use on websites are a commonly left-out part of your security. If you use the same or similar password for all of your services, one breach can very easily lead to the other as being breached since they utilize the same or similar credentials, weak passwords are in general, very easy to crack. Make sure that you are using a strong, unique password. You can check more information on passwords here.
Browsers
Your browser can track everywhere you go on the internet! Ensuring that you’re only using something with proven security and privacy is paramount to protecting your web traffic. The main reason to use multiple browsers is to separate your traffic and add additional features. Having a browser like Duckduckgo, or Firefox focus for non-personal disposable searches, which auto-delete when you’re done away from your normal web browser is fantastic. Not to mention they add tracking and ad protection. I recommend having at least one disposable browser, preferably Duckduckgo, and more is always an option.
Bromite is a fantastic browser with an emphasis on security and privacy and Tor does have an official app for android to help anonymize your web traffic significantly. Hopefully, this gets you thinking about separating your searches and web traffic across different browsers that are designed to do different things.
Search Engines
Your search engine also has the capability of tracking everything you do on the internet, which major companies like Google do. The two mainstream recommendations are Duckduckgo and start page, with Brave search joining in recently, and it’s quite promising(I use it regularly). So see if you can implement one of those within your browsers as the default or use something else with privacy in mind.
Virtual Private Networks (VPN)
Your IP address uniquely identifies you on the internet, and it’s used by websites to track you. A simple way to prevent this is by utilizing a trusted VPN provider to not only hide your IP address from these sites but also gain some additional protection on public wifi networks to prevent attackers from snooping on your traffic. As for which VPN you can check this guide about VPNs My current highest rated is proton VPN. It has a free, limited plan for you to try out.
Domain Name Service
DNS is more like a phone book for the internet, directing you to the sites you visit every day. The problem is most default DNS providers track your browsing. So try using a DNS provider with privacy and if you’re using a VPN service, it likely includes its DNS server, meaning you don’t need to worry about this. If you aren’t using a VPN, check out these DNS servers and manually set them on your phone.
Minimalism
Each additional application and setting a utilize increases, the attack surface, and the possibility of abuse with your personal information. If you’re a person with pages and pages of apps that you mostly never use, they are likely not just harming the background with your data, but also negatively impacting things like battery life and storage space. So delete them, or for stock apps, disable as many as you can.
Some applications like Twitter have amazing mobile sites. So if you can utilize the web app within your browser and add it to your home screen, that’s a great way to separate the app and keep it within your browser, which is typically safer than the application. Try to frequently clear data. You don’t need it like old text messages, phone calls and especially temporary data like browser cache is three cookies and other temp data within your app.
Settings and Permissions
There are lots of settings on your phone and within applications, you may never use and are pointlessly collecting data about you as an individual. The go incognito course covers this more thoroughly. If you’re looking for more specific settings to disable, do not forget to go through each application setting as well to ensure nothing is needlessly tracking you within the application.
On a similar note app and OS permissions should not be taken lightly. Calculator apps don’t need your contacts and the FBI workout app doesn’t need your location. Dig into the privacy settings and revoke any permissions that seem questionable. Keep in mind, there are workarounds to abuse, permissions that you disabled. Check out some of the awesome research being done at Berkeley. It’s pretty spooky and shows it better to not have the app at all. If possible web apps will prevent this kind of abuse as we talked about in the minimalism section.
Simcard Passwords
One of the most forgotten things to do is set a password on your SIM card. If it’s storing your contacts someone can just pop out your SIM card and view the information, even without contacts. If your phone is stolen, someone can send fraudulent messages using your phone number and no one wouldn’t know it isn’t you. You can do this quite easily within your settings.
Updates
Most things you read about like the newest Android exploits are almost always patched through updates. The best thing to do as much as they can suck is utilizing automatic updates for Android, as well as your applications. I like reading changes being made. And if you are in that boat or simply prefer the manual route, make sure to at least check for updates frequently. I’d say probably about once a week. Keep in mind in most type one, Android devices like Samsung phones and others get both delayed security updates, as well as lack of security updates after normally just a couple of years, a good reason to avoid these types of devices if possible! Type two and type three devices tend to have quicker and, long time updates support.
Rooting
You can root your phone to gain additional functionality. And if you know what you’re doing, you may be able to accomplish some things for your privacy, you wouldn’t otherwise be able to do on Android. However, for the overwhelming majority, rooting we’ll only lower security and open your device up. So I recommend almost all readers to just avoid rooting unless you know exactly what you’re doing.
ZONE TWO
Free and Open Source Software (FOSS)
FOSS means the software’s code is publicly viewable and theoretically modifiable by the community. This ensures you can verify the security and privacy behind the software. In general, I just advise moving from proprietary to FOSS applications ass much as possible. Signal is FOSS, as well as some VPNs like proton VPN and IVPN and email providers like Tutanota and Proton Mail. FOSS will typically honor you and your data much better than proprietary. To find FOSS alternatives to apps you use check out AlternativeTo for recommendations. FDROID is an app store that exclusively hosts source applications that you can use on any Android device alongside the play store.
Communication.
Your phone is predominantly used for communication. So ensuring you’re communicating as securely as possible is quite important. The biggest no is to avoid SMS and standard phone calls at all costs. SMS can be un-encrypted and they are stored by your cellular provider indefinitely. Meaning government entities as well as any random person can likely intercept them. Phone calls are similar. The goal is to move to something that implements proper encryption with the privacy of the user in mind You can find some messengers on PrivacyTools IO, the highlights being Signal and Briar. Signal is the simplest and easiest recommendation I have for you, which can even replace your default SMS application.
Outside texting, and phone calls, if you’re looking to implement encrypted emails, check out proton mail, and Tutanota. They both have very generous free plans and offer a fantastic user experience. Tutanota is already on F droid and proton mail is supposed to be coming soon.
Google 😬
Avoiding Google is a great step for controlling your data as Google is not a privacy-friendly company whatsoever! For zone two disabled, as much as possible anything related to Google in your settings like cloud backups, device syncing, and ideally other cloud providers as well. This will require manual backups, so you’ll have to either find ways of backing up your raw data or use a third-party solution to do it.
Passwords Part 2
Outside using strong and unique passwords, which we covered in zone one, where and how they’re stored can be incredibly important as well. Password managers are a commonly recommended way to go. Avoid storing your passwords within your browser! If you want simple cloud sinking between your devices, check out Bitwarden on the play store or FDROID. If you want a more DIY(Do it yourself) password manager, there’s keypass2android from the play store with in-house cloud syncing and keypassDX Fdroid geared currently for more local usage.
Two Factor Authentication
Beyond having a strong password implementing two-factor authentication is arguably just as important. 2FA combines something you know, like a password with something you have, ideally a code generated locally on your device. At the very least SMS 2FA, which are those texts you receive with a code is better than nothing. Although there are a couple of issues with SMS 2FA, such as the risk of SIM swapping. The better and more recommended option is a local authenticator app that uses a QR code. Not every site supports this, but many do so. Look for it and use it instead of SMS, when available. The best app for this is Aegis, which is open-source and available on the play store and Fdroid.
Radios
Radios apply to anything that gives off a signal on your phone. This means predominantly cellular wifi, Bluetooth, NFC, and GPS. Try disabling Bluetooth and NFC when they aren’t being used. Bluetooth is an insanely insecure protocol, not to mention, It is an instrumental tool used to track your movements. It’s even been implemented in stores like target Walmart and more where beacons are used to track where you walk throughout the store, which is then fed to advertisers who target you with the products you’ve viewed within the store. Sucks, right?
As for wifi. It’s good practice to disable it when you are using cellular and vice versa. For GPS, leaving it off when not in use and disabling as many permissions related to it in the settings for both the operating system and specific application is highly advisable, the general rule of thumb. If it doesn’t need to be on, turn it off.
User Accounts
Most Android devices offer something very neat, multiple user accounts. You can use these to compartmentalize or separate different aspects of your life. Maybe you have a business account, a school account, a dating account, and then your account. The goal here is to separate aspects of your life that don’t need to be intermixed within the same operating system for both privacy and security benefits. It’s a spectacular feature currently.
Cameras.
Most people are aware of this one, but covering your cameras can prevent the theoretical camera hack, where someone spies on you through your camera, cover them up. If you never use your cameras and don’t want to just use tape. If you are a standard user who uses their cameras, there are some sliding covers you can implement, which will block them when not in use but will allow you to still use the cameras easily. You can find some of the options here.
Privacy Screen Protector
The last step for zone two is the privacy screen protectors. These make it very difficult to view your phone screen from side angles, protecting your personal information from snoops and shoulder attacks. Here are some Privacy Screen Protectors. The peace of mind that gives me in public spaces is fantastic.
ZONE THREE.
Like I said earlier, this is for the extreme users looking for the utmost security and privacy on their devices.
GPS Location and Tracking
First disabled GPS and location altogether. It is easily abused by your operating system and applications to track everywhere you go throughout the day. When disabled entirely, you have to manually enter addresses for navigation and or rely on a separate device. This will mean any software you use to find your phone if it’s lost, will not work. So again, zone three is for extreme usage, which can oftentimes have negative consequences. Keep in mind that just because GPS has turned in doesn’t mean apps, can’t access a general location of where you are, as your IP address can narrow you down pretty well. Go to zone one for VPNs, which combined with disabling GPS will prevent most people from tracking your location. Most people*.
Faraday Cages
If you want a guaranteed method of cutting out all radios from your device without just using airplanes, look into Faraday pouches and backpacks. They are designed to fully eliminate communication your device has with the outside world. They do have to be used properly, and I’d recommend looking at the sources for some tips on doing so. Here are some products to check out.
Google part 2
You can fully log out and it will still be a usable phone. You will lose Google-specific features and the play store, but Android still allows you to use third-party app stores like Aurora App Store from F droid, which gets you apps straight from the Google play store without needing a Google account. Not to mention Fdroid, if you want to stick to just 100% open-source software. You can also check out this guide that discusses the other five alternatives to the google play store which are fantastic. The one downside is that even after logging out, Google play services will still undoubtedly track you and build a shadow profile on an account indirectly tied to you, which is an improvement, but still a concern.
If you want to fully get away from Google, some people may find luck removing both Google play services and or the stock applications on their phones using ADB, but this is a pretty messy solution that only more advanced users should take a look at for their specific device. If this is all too extreme at the very least ensure you’ve handed over as little personal information as possible to Google. Disable the analytics performed by them in the settings, disable as many features as possible. Log into your Google, my activity page, and disable, everything along with the other stuff we covered in zone two.
Cellular Providers.
Similar to sim cards your cellular provider is likely something you forgot about. In the US, they are all universally bad for privacy. Your best bet is to at least sign up with as little personal information as possible. One good cellular provider is mint mobile which is a prepaid cell plan, meaning you pay for however long. Do you want upfront no contracts or payments? All they require is an. Payment method and an address to send you the SIM card. I was able to use a mail drop, a pseudo email, and a non-renewable vanilla visa card paid for in cash to obtain the SIM card I use every day. Mint has no direct information about me and I’d recommend you go this route or a similar one as well with whatever provider works best for your needs.
Snip Snip
There are also these pesky cameras and mics. If you don’t want them, consider removing the cameras. Depending on your phone model, this may be extremely simple. You can also snip the microphone and stick to only using the microphone on your earbuds. This is for very extreme threat models, but the option is available. Note that opening up your device may void its warranty.
Custom Roms
These ROMs, generally don’t come with Google play services, making them a fantastic option for privacy. As you get an open-source Android device where you can use open source apps like afterward in Aurora to get most of your open source applications with the utmost privacy. Probably the most well-known custom ROM to date is lineageOS, which is great if your device is supported.
However, be aware that lineageOS requires an unlocked bootloader, which lowers the security of your device to attack as well as some other things that decrease security. Almost all custom ROMs are in this boat of typically being good for privacy as there’s zero Google at the cost of having drop security.
But not so fast. There are two options for users who want to do Google without sacrificing security. First CarlyxOS is based on the mother Android open source project and maintains its strong security. With microG, an open-source alternative to Google play services. This will still technically contact Google but in a much more controlled and open-source fashion. You can know exactly what’s being sent over without needing to be locked in. CalyxOS is a great ROM for those of you who can’t live without an app reliance on Google play services as most apps will work great on CalyxOS because of microG.
The second ROM is GrapheneOS. Similarly, based on AOSP it improves on its security model. This is one of, if not the most secure operating systems, you can run on a mobile device with zero Google out of the box. It’s even been endorsed by people like Edward Snowden. Both GrapheneOS and CarlyxOS are both fantastic ROMs, mainly geared towards Google pixels, which are ironically the devices most open to flashing ROMs to de google with some of the strongest security models and open-source hardware and firmware 🤷♀️.
Here are some links to pixel phones that you can use.
Pick up a Pixel for a Custom Rom
And that my friends was the end. If you enjoyed this guide make sure to leave a comment below and especially share to reach and educate more people about privacy and stay subscribed to our newsletter for more updates. Thank you for reading, and I hope you’re leaving a little bit more private and secure than when you got here.