Protect your Android device

Updated 21 June 2021


    Security starts with setting your device up to protect your information. Follow the steps in this checklist to make your Android device more secure. Android devices differ by manufacturer, so you may need to look in a few places to find the settings you are looking for.

    Visual guide

    Use this visual guide as you go through the checklists below.

    Use the latest version of your device's operating system (OS)

    • When updating software, do it from a trusted location and internet connection like your home or office, not at an internet cafe or coffee shop.
    • Updating to the latest OS may require you to download software and restart a number of times. You will want to set aside time for this where you do not need to do work on your device. Go through the steps of comparing the latest version to your device's current version below, until your device does not give you additional new updates.
    • If the latest version of the OS will not run on your device, it is best to consider buying a new device.
    • Make sure you restart your device once an update has downloaded, to make sure it is fully installed.
    • See the most updated version available
    • Compare it to the version your device has installed
    • Update your operating system
    Learn why we recommend this

    New vulnerabilities in the code that runs your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. Software developers do regularly release code that fixes those vulnerabilities, which is why it is important to install updates and use the latest version of the operating system for each device you use. On Android there are two things to check: the Android version and the "Android security patch level" date, both shown under Settings > About phone (on some devices under Settings > Security). Many devices stop receiving new Android versions but still receive monthly security patches for a while; a patch level that is many months old means publicly known vulnerabilities remain unfixed on your device. We recommend setting your device to automatically update so you have one less task to remember to do.

    Use apps from trusted sources

    Learn why we recommend this

    The Google Play Store is the official app store for Android. Having apps in one place makes it easy for you to find and install the ones you want, and it also makes it easier for Google to monitor apps for major security violations. Install apps from the Google Play Store whenever you can.

    If an app is not available there, install it only from the website of the developers themselves. "Mirror" download sites may be untrustworthy, unless you know and trust the people who provide those services. If you decide that the benefit of a particular app outweighs the risk, take additional steps to protect yourself, like planning to keep sensitive or personal information off that device.

    Learn why Security in a Box trusts the apps it recommends.

    Some authoritarian governments have demanded tech companies ban certain apps in their countries. When that happens, your contacts may encourage you to "root" your device in order to install banned apps from third-party app stores or websites. Rooting is not needed to install an app from outside the Play Store (see the advanced section on using Android without a Google account below); what rooting does is remove the protections that keep one app from reading another app's data or changing the system.

    We recommend not rooting your device, as it puts you at greater risk from malicious code.

    Remove apps that you do not need and do not use

    Learn why we recommend this

    New vulnerabilities in the code that runs your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. Removing apps you do not use helps limit the number of apps that might be vulnerable. Apps you do not use may also transmit information about you that you may not want to share with others, like your location. If you cannot remove apps, you may at least be able to disable them.

    Apps may share a lot of your data, like the ID of your phone, your phone number, and which wifi you connect to. You may not need an app to access websites and services you use, including social media like Facebook. Where the service offers a web version, use it through the browser on your device instead, to protect your privacy.

    Check your app permissions

    On recent Android versions, Settings > Privacy > Permission manager (on older ones, Settings > Apps > App permissions) lists each permission together with the apps allowed to use it. Review all permissions one by one to make sure only apps you use can use them. The following permissions should be turned off in apps you do not use, and considered suspicious when used by apps you do not recognize:

    • Location
    • Contacts
    • SMS
    • Microphone
    • Voice or speech recognition
    • (Web)camera
    • Screen recording
    • Call logs or call history
    • Phone
    • Calendar
    • Email
    • Pictures
    • Movies or videos, and their libraries
    • Fingerprint reader
    • Near field communications (NFC)
    • Bluetooth
    • Any setting with "disk access," "files," "folders," or "system" in it
    • Any setting with "install" in it
    • Facial recognition
    • Allowed to download other apps


    Learn why we recommend this

    Apps that access sensitive digital details or services, like your location, microphone, camera, or device settings, can also leak that information or be exploited by attackers. So if you do not need an app to use a particular service, turn that permission off. Android 11 and later automatically reset the permissions of apps you have not opened for a few months, and Android 12 and later show an indicator in the status bar whenever the microphone or camera is in use; these help, but they do not replace the review above.
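    For a more exact check than scrolling through the settings app, an added example (not part of the original checklist): with USB debugging enabled and adb on your computer, `adb shell dumpsys package <package>` prints every permission an app holds. The script below filters that output down to the permissions the checklist above calls sensitive. The mapping from checklist items to Android permission names and the sample dumpsys output are constructed for this example.

```shell
# Added example (not from the original page): list which of the permissions
# this checklist calls sensitive an installed app has actually been granted,
# using the output of `adb shell dumpsys package <package>`.
# Assumes adb on the PATH with USB debugging enabled; the permission list and
# the sample dumpsys output are constructed for this example.

# Android permission names behind the checklist items (assumed mapping).
SENSITIVE_PERMS="ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION ACCESS_BACKGROUND_LOCATION"
SENSITIVE_PERMS="$SENSITIVE_PERMS READ_CONTACTS READ_SMS RECEIVE_SMS SEND_SMS RECORD_AUDIO CAMERA"
SENSITIVE_PERMS="$SENSITIVE_PERMS READ_CALL_LOG CALL_PHONE READ_PHONE_STATE READ_CALENDAR"
SENSITIVE_PERMS="$SENSITIVE_PERMS READ_EXTERNAL_STORAGE MANAGE_EXTERNAL_STORAGE BLUETOOTH_CONNECT NFC"
SENSITIVE_PERMS="$SENSITIVE_PERMS REQUEST_INSTALL_PACKAGES"

# granted_sensitive: read dumpsys output on stdin and print, one per line,
# each sensitive permission that shows up as granted=true (install or runtime).
granted_sensitive() {
  awk -v list="$SENSITIVE_PERMS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^ *android\.permission\.[A-Z_]+: granted=true/ {
      split($1, f, /[.:]/)       # "android.permission.CAMERA:" -> f[3] == "CAMERA"
      if (f[3] in want) print f[3]
    }'
}

# Live use (needs a connected device): audit_app com.example.flashlight
audit_app() {
  adb shell dumpsys package "$1" | granted_sensitive
}

# Constructed sample, shaped like the permission sections of dumpsys output.
SAMPLE_DUMPSYS='Package [com.example.flashlight] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: ceDataInode=1234 installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET|USER_FIXED]'

# Run against the sample: a "flashlight" that can install packages, use the
# camera and read your precise location is exactly what the checklist flags.
printf '%s\n' "$SAMPLE_DUMPSYS" | granted_sensitive
```

    The filter deliberately does not distinguish "install permissions" (granted at install time, such as REQUEST_INSTALL_PACKAGES) from "runtime permissions" (the ones you toggle in Settings): both matter, and the first kind is invisible in the Permission manager.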

    Turn off location and wipe history

    • Get in the habit of turning off location services overall, or when you are not using them, for your whole device as well as for individual apps.
    • Regularly check and clear your location history if you have it turned on.
    • Location settings may be in slightly different places on different Android devices, but are probably somewhere in Settings, Privacy, and/or Security as well as your Google account preferences.
    • Location History is stored in your Google account (Google Maps Timeline), not only on the device, so clearing the device alone is not enough. To delete past location history and set it so your devices and Google Maps do not save your location activity, follow the instructions here and here
    Learn why we recommend this

    Many of our devices keep track of where we are, using GPS, cell phone towers, or wifi we use. If your device is keeping a record of your physical location, it makes it possible that someone could find you, or could use that record to demonstrate you have gone to particular places or associated with specific people.

    Make separate user accounts on your devices

    • Make more than one user on your device. On Android the first user is the "Owner", the one that can add and remove other users and change device-wide settings; additional users and the Guest user have fewer rights.
      • Only you should have access to the Owner user.
      • Other users should not be allowed to access every app, file, or setting on your device.
    • Consider using a secondary user for your day-to-day work:
      • Use the Owner user only when you need to make changes that affect your device security, like installing software.
      • Using a secondary user daily can limit how much your device is exposed to security threats from malware.
      • When you cross borders, having a secondary user open could help hide your more sensitive files. Use your judgment: will these border authorities confiscate your device for a thorough search, or will they just open it and give it a quick review? A separate user only hides files from someone looking at the screen; a forensic extraction of the device's storage will find every user's data. If you expect they won't look too deeply into your device, using a secondary user for work that is not sensitive provides you some plausible deniability.
    • How to add users
    Learn why we recommend this

    We strongly recommend not sharing devices you use for sensitive work with anyone else. However, if you must share your devices with co-workers or family, you can better protect sensitive information by setting up separate users on your devices in order to keep your sensitive files protected from other people.

    Remove unneeded users associated with your device

    Learn why we recommend this

    When you don't intend for someone else to access your device, it is better to not leave that additional "door" open on your machine (this is called "reducing your attack surface.") Additionally, checking what users your device has could reveal accounts that have been put on your device without your knowledge.

    Secure the Google accounts connected with your device

    Learn why we recommend this

    Most devices have accounts associated with them, like Google accounts for your Android phone, your Chromebook, and Google TV. More than one device may be logged in at a time (like your phone, laptop, and maybe your TV). If someone else has access to your account who shouldn't, this is one place you might see and be able to stop that: in your Google account, open Security > Your devices and sign out of any device you do not recognize, and review "Third-party apps with account access" while you are there.
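    The two previous checklist items (unneeded users, and the accounts tied to the device) can be inventoried from a computer in one go. This is an added example, not part of the original page: with USB debugging enabled and adb installed, `adb shell pm list users` shows every user on the device and `adb shell dumpsys account` shows every account registered with Android's account manager (Google, e-mail clients, messaging apps). The sample outputs below are constructed to match the shape of those commands' output; the account names are placeholders.

```shell
# Added example (not from the original page): list the users and the
# accounts registered on a connected Android device, so anything you did
# not add yourself stands out. Assumes adb on the PATH with USB debugging
# enabled; the sample outputs below are constructed.

# parse_users: read `pm list users` output on stdin, print "ID NAME" per user.
# Lines look like: UserInfo{10:Work profile:1030} running
parse_users() {
  sed -n 's/.*UserInfo{\([0-9]*\):\([^:}]*\):[0-9a-fA-F]*}.*/\1 \2/p'
}

# parse_accounts: read `dumpsys account` output on stdin, print "TYPE NAME"
# per registered account. Lines look like: Account {name=..., type=...}
parse_accounts() {
  sed -n 's/.*Account {name=\([^,]*\), type=\([^}]*\)}.*/\2 \1/p'
}

# Live use (needs a connected device):
#   adb shell pm list users  | parse_users
#   adb shell dumpsys account | parse_accounts
# A user you did not create can be removed with: adb shell pm remove-user ID

# Constructed samples, shaped like the real commands' output.
SAMPLE_USERS='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Unknown user:410}'
SAMPLE_ACCOUNTS='User UserInfo{0:Owner:c13}:
  Accounts: 2
    Account {name=me@example.org, type=com.google}
    Account {name=+15550100, type=com.example.messenger}'

printf '%s\n' "$SAMPLE_USERS" | parse_users
printf '%s\n' "$SAMPLE_ACCOUNTS" | parse_accounts
```

    A second user or a Google account you do not recognize is worth treating as a sign of tampering rather than a curiosity: either one gives someone a foothold that survives you changing your own passphrase.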

    Set your screen to sleep and lock

    • Set your screen to lock a short time after you stop using it (try setting it to 1 minute or 5 minutes and see which works for you)
    • Use a long passphrase (minimum 10 characters), not a short password or PIN
      • Making it possible to use your fingerprint, face, eyes, or voice to unlock can be used against you by force; do not use these options unless you have a disability which makes typing impossible
        • Remove your fingerprints and face from your device if you have already entered them. Android devices differ, so this could be in a few locations on your device, but try looking where you would normally find your device lock settings.
        • If you must keep biometrics enabled, turn on the "Show lockdown option" setting in your lock-screen settings (Android 9 and later). Holding the power button and choosing Lockdown then disables fingerprint and face unlock and hides notifications until the passphrase is entered. Powering the device off has the same effect: after a restart, Android requires the passphrase before any biometric works.
    • Pattern locks can be guessed; do not use this option
    • Simple "swipe to unlock" options are not secure locks; do not use this option
    • Disable "make password visible" option
    • Set a long password
    • Set your device to sleep after a short period of time and require a password to unlock on waking. The place to do this will be different on different devices, but it may be under "Display," "System," or "Security."
    Learn why we recommend this

    While it may seem like technical attacks are your biggest concern, it is much more likely that your device will be confiscated or stolen and someone will break into it. For this reason, it is smart to set a passphrase screen lock, so that nobody can access your device just by turning it on.

    We do not recommend screen lock options other than passphrases. You might easily be forced to unlock your device with your face, voice, eyes, or fingerprint if you are arrested, detained, or searched. Someone who has your device in their possession may use software to guess short passwords or PINs. It is also possible to guess "pattern" locks by looking at finger tracks on the screen. Someone who has dusted for your fingerprints can make a fake version of your finger to unlock your device if you set a fingerprint lock; similar hacks have been demonstrated for face unlock.

    For these reasons, the safest lock to set is a long passphrase.

    Control what can be seen when your device is locked

    Learn why we recommend this

    A strong screen lock will give you some protection if your device is stolen or seized, but if you don't turn off notifications that show up on your lock screen, whoever has your device can see information that might leak when your contacts send you messages or you get new email. Look under Settings > Notifications for the lock-screen notification setting and choose either to hide their content ("sensitive notifications") or not to show them at all.

    Disable voice controls

    • Disable Google Assistant and/or voice control. Voice and Assistant settings may be in slightly different places on different Android devices, but are probably somewhere in Settings > Google. Review the instructions here.
    • If you have decided the benefits to you outweigh the large risks of using a smart speaker or voice assistant like Alexa, Siri or Google Assistant, follow these instructions to do so more safely.
    Learn why we recommend this

    When a device is set up so you can speak to it to control it (for example Google Assistant, Siri, Cortana, or Alexa on an Echo), its microphone stays open, listening for a wake word. What is said after the wake word, and sometimes what was said when the device merely thought it heard the wake word, is sent to companies like Google, Amazon or Microsoft, and their contractors have been found to save and review those recordings for quality control. It is also possible someone else could install code on your device that captures what your device is listening to.

    If you have a disability that makes it difficult for you to type or use other manual controls, you may find voice controls necessary. See above for instructions on how to set them up more safely. However, if you do not use voice controls for this reason, it is much safer to turn them off.

    Use a physical privacy filter that prevents others from seeing your screen

    Learn why we recommend this

    While we often think of attacks on our digital security as highly technical, you might be surprised to learn that some human rights defenders have had their information stolen or their accounts compromised when someone looked over their shoulder at their screen, or used a security camera to do so. A privacy filter makes it less likely someone doing this will succeed. You should be able to find this wherever you find device accessories.

    Use a camera cover

    • First of all, figure out whether and where your device has cameras. Your smartphone might have more than one.
    • Low-tech camera cover: use a small adhesive bandage over your camera, and peel it off when you need to use the camera. A bandage works better than a sticker because the middle part has no adhesive, so it does not get sticky stuff on your camera lens.
    • Or search your preferred store for "webcam cover thin slide." "Thin" is important because some covers are too thick, and your laptop may not close.
    Learn why we recommend this

    Some malicious software will turn on the camera on your device in order to see you, the people around you, or where you are without you knowing it.

    Turn off connectivity you're not using

    • Completely power off your devices at night.
    • Get into habit of turning wifi, Bluetooth, and/or network sharing off when you are not using them.
    • Airplane mode can be a quick way to turn off connectivity on your mobile. Learn how to selectively turn on wifi and Bluetooth once your device is in airplane mode, to use only services you want.
    • Turn off Personal Hotspot (tethering) when you are not using it.
    • Turn airplane mode on and make sure wifi and bluetooth are off
    Learn why we recommend this

    Wifi is a data connection that lets our devices reach other devices on the internet, using radio waves to connect to a router which usually has a wired connection to the broader internet. Cell phone connections also help us access other computers and phones around the world, via a cellular network of towers and repeaters. NFC and Bluetooth connect our devices to other devices near them, also using radio waves. All these connections are vital to communicating with others. But because our devices are connecting to other devices, there is a chance that someone will use this connection maliciously to get to our devices and sensitive information.

    For this reason, it is a good idea to turn off these connections when you are not using them, particularly wifi and Bluetooth. This limits the time an attacker might have to access your valuables without you noticing that something strange is happening on your device (like it running slowly or overheating when you are not using it heavily).

    Clear your remembered wifi networks

    Learn why we recommend this

    When you turn your device's wifi connectivity on, it tries to look for any wifi network it remembers you have connected to before. Essentially, it "shouts" the names of every network on its list to see if they are available to connect to. Someone snooping nearby can use this "shout" to identify your device, because your list is usually unique: you have probably at least connected to your home network and your office network, not to mention networks at friends' houses, favorite cafes, etcetera. This fingerprint-like identification makes it easy for someone snooping in your area to target your device or identify where you have been. Android 10 and later use a randomized Wi-Fi hardware (MAC) address for each network by default, which makes linking those "shouts" to your device harder, but the saved list itself is still a record of where you have been, readable by anyone who gets into the device.

    To protect yourself from this identification, erase wifi networks your device has saved. Android has no single "never remember networks" switch: open Settings > Network & internet > Wi-Fi > Saved networks and forget each network you no longer need. This will make it harder to connect quickly, but saving that information in your password manager instead will keep it available to you when you need it.

    Turn off sharing you're not using

    • Android devices differ, but look for a "connected devices," "device connections," or similar option in Settings, and turn off or remove all devices there.
    • Turn off Nearby Share
    Learn why we recommend this

    Many devices give us the option to easily share files or services with others around us - a useful feature. However, if this feature is left on when we are not using it, malicious people may exploit it to get at files on your device.

    Advanced: figure out whether someone has accessed your device without your permission (basic forensics)

    Follow the steps on the following checklists:

    Learn why we recommend this

    It may not always be obvious when someone has accessed your devices, files, or communications. These additional checklists may give you more insight into whether your devices have been tampered with.

    Advanced: Use Android without a google account

    If you are concerned about Google tracking your every move, you can remove your Google account from your device by following the steps in the Android documentation on how to Add or remove an account on Android. Better yet, the first time you configure your phone you can skip the "Sign in" screen. This way your phone will not be tied to any Google account, and information regarding location, searches, installed apps and such will not be added to its profile. Be aware of the trade-off: without Google Play Services, Google Play Protect does not scan your apps, and apps that rely on Google's push notification service may not notify you in the background.

    When there are no Google accounts on your device, you will have to install applications from outside the Google Play Store.

    Use alternative stores like F-Droid and Aurora Store.

    • F-Droid offers only free and open source (FOSS) applications. To install it, download the F-Droid APK from f-droid.org and compare the APK's signing certificate fingerprint with the one published on that site before installing it. On Android 8 and later the old "unknown sources" setting is per app: you will have to allow "Install unknown apps" for the browser or file manager you used to open the APK. Revoke that permission again once F-Droid is installed, and grant it to F-Droid (and later Aurora Store) instead, so that they can install and update apps.
    • Aurora Store is an unofficial client for the Google Play catalogue, so the apps that are in the Google Play Store are available through it. You can install Aurora Store from inside F-Droid.
    • Regularly update installed apps by opening F-Droid and Aurora Store and checking for updates. Automatic updates may not work, and with time you may end up using outdated and insecure apps.
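    Sideloading means you, not an app store, are the one checking that an APK really comes from its developer. The check that matters is the signing certificate: an added example (not from the page or from the F-Droid project), it runs `apksigner verify --print-certs` from the Android build-tools on the downloaded file and compares the certificate's SHA-256 digest with the fingerprint the developer publishes. The sample apksigner output and the digest in it are constructed placeholders, not any real project's key.

```shell
# Added example (not from the page or from F-Droid): before sideloading an
# APK, compare its signing certificate's SHA-256 fingerprint with the value
# the developer publishes. Assumes apksigner (Android build-tools) on the
# PATH; the sample output and digest below are constructed placeholders.

# cert_sha256: read `apksigner verify --print-certs` output on stdin and print
# signer #1's certificate SHA-256 digest, lower-case, without colons.
cert_sha256() {
  awk '/^Signer #1 certificate SHA-256 digest:/ { print tolower($NF); exit }'
}

# fingerprint_matches EXPECTED: read apksigner output on stdin; succeed only
# if the certificate digest equals EXPECTED. Published fingerprints usually
# come as "AB:CD:..." while apksigner prints bare hex, so both are normalized.
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
  actual=$(cert_sha256)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# check_apk FILE EXPECTED: the live check, e.g.
#   check_apk F-Droid.apk "$FINGERPRINT_FROM_THE_WEBSITE" && adb install F-Droid.apk
check_apk() {
  apksigner verify --print-certs "$1" | fingerprint_matches "$2"
}

# Constructed sample of apksigner's output (placeholder digests, not a real key).
SAMPLE_APKSIGNER='Signer #1 certificate DN: CN=Example Developer, O=Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'

# Demonstration against the sample: the colon-separated form matches, a
# different digest does not.
if printf '%s\n' "$SAMPLE_APKSIGNER" | fingerprint_matches \
  '01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'
then echo "fingerprint matches: safe to install"
else echo "fingerprint MISMATCH: do not install"
fi
```

    Note what this does and does not prove: `apksigner verify` itself checks that the APK's contents are intact and signed by the certificate it prints, and the comparison checks that the certificate is the developer's. It does not tell you whether the app is trustworthy; that is what the "trusted sources" section above is for.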

    Advanced: Change your Android device's operating system

    Android is made by Google, so it is loaded with Google apps that track you and gather a lot of information about what you do and where you are. In some cases you can install a more private alternative Android operating system such as LineageOS, CalyxOS or GrapheneOS. This is an advanced solution; if you decide to do this, make sure your device is compatible (CalyxOS and GrapheneOS support only a short list of devices). Installing requires unlocking the bootloader, which wipes the device, and several further steps; if something goes wrong you can make your device unusable. Afterwards, check whether the bootloader can be locked again with the new system's keys: GrapheneOS and CalyxOS support this on their supported devices, which keeps verified boot working, while many LineageOS installs leave the bootloader unlocked, so anyone with physical access can flash the device.
