Protect your Android device
Cập nhật16 May 2024
Mục lục
...Đang tải mục lục...Security starts with setting up your device to protect your information. Follow the steps in this guide to make your Android device more secure. Android devices differ by manufacturer, so you may need to look in a few places to find the settings you are looking for.
Use the latest version of your device's operating system (OS)
- When updating software, do it from a trusted location and internet connection, like your home or office, not at an internet cafe or coffee shop.
- Updating to the latest version of your operating system may require you to download software and restart a number of times. You will want to set aside time for this where you do not need to do work on your device.
- After updating, check again if there are any further updates available until you do not see any additional new updates.
- If the Android version that runs on your device is unmaintained, it is best to consider buying a new device. Check which Android versions are still maintained in the Wikipedia Android version history or in the page on the end of life dates for Android versions.
- Find out which is the most updated version available.
- Compare it to the version your device has installed and update your operating system.
- To make sure an update is fully installed, always restart your device when prompted to do so after downloading the update.
- Most system updates and security patches happen automatically. To check if an update is available, follow the instructions in Check & update your Android version — Get security updates & Google Play system updates.
- Additionally, check the "Android security update" date on your device. Security updates are released at least once each month.
- Be aware that some phone manufacturers can be one month to a year behind in implementing the latest security updates on their devices.
- If you find this date on your device consistently lags behind the latest security update date, consider buying a phone from a manufacturer which implements security updates faster, for example a recent Google Pixel model. Be aware that this may be rather expensive.
- Also consider that security updates are only guaranteed until a certain date depending on the model of your device.
- If you have a Google Pixel phone, you can check until when you will receive security updates in the official Google documentation.
- If you have a Samsung mobile device, see the page on Samsung security updates.
- If you have a Fairphone, see the page on end of life dates for Fairphone updates.
- If you have a Motorola device, see the Motorola support page on security updates.
- If you have a Nokia device, see the Security and Maintenance Release Summary on Nokia's website.
- For other models, see C. Scott Brown's article on the phone update policies from every major Android manufacturer.
- If you find your security patches consistently lag behind the latest level, consider buying a newer phone from a manufacturer which implements security updates faster, for example a recent Google Pixel model. Be aware that this may be rather expensive.
Learn why we recommend this
New vulnerabilities in the code that runs in your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. But software developers do regularly release code that fixes those vulnerabilities. That is why it is very important to install updates and use the latest version of the operating system for each device you use. We recommend setting your device to automatically update so you have one less task to remember to do.
Regularly update all installed apps
- Check that the Google Play Store app is updated by following the instructions in the official guide on how to update the Google Play Store.
- Follow the instructions in the official documentation to learn how to update all Android apps automatically.
Use apps from trusted sources
- Avoid "rooting" your device.
- Install apps from the Google Play Store.
- Check if your apps were installed from the store and disable installation from unknown sources by using Google Play Protect.
Learn why we recommend this
The Google Play Store is the official app store for Android. Having apps in one place makes it easy for you to find and install the ones you want, and it also makes it easier for Google to monitor apps for major security violations. Only install apps from the Google Play Store.
If you decide that the benefit of a particular app that cannot be installed through the Google Play Store outweighs the risk, take additional steps to protect yourself, like planning to keep sensitive or personal information off that device. Even in this case, only install apps from trusted alternative app stores like F-Droid or Aurora Store or from the websites of the developers themselves. "Mirror" download sites may be untrustworthy unless you know and trust the people who provide those services.
To learn how to decide whether you should use a certain app, see how Security in a Box chooses the tools and services we recommend.
Some authoritarian governments have demanded tech companies ban certain apps in their countries. When that happens, your contacts may encourage you to "root" your device in order to install banned apps by going to third-party app stores or websites. In fact, "rooting" your device is not necessary if you use techniques to circumvent your country's censorship when setting up your phone.
We recommend not rooting your device, as it puts you at greater risk from infection with malicious code.
Remove apps that you do not need and do not use
- Learn how to delete apps.
- It may not be possible to uninstall the apps the manufacturer put on your phone, but see these instructions on how to try to remove or disable them.
Learn why we recommend this
New vulnerabilities in the code that runs in your devices and apps are found every day. The developers who write that code cannot predict where they will be found, because the code is so complex. Malicious attackers may exploit these vulnerabilities to get into your devices. Removing apps you do not use helps limit the number of apps that might be vulnerable. Apps you do not use may also transmit information about you that you may not want to share with others, like your location. If you cannot remove apps, you may at least try to disable them.
If possible, avoid using social media apps
- Access social media and other sites by logging in through your browser instead.
Learn why we recommend this
Apps may share a lot of your data, like the ID of your phone, your phone number and which wifi you connect to. Some social media apps collect more information than they should. This includes apps like Facebook or Instagram. Use those services through the secure browser on your device (like Firefox) to protect your privacy a bit more.
Use privacy-friendly apps
- You can browse the web with Firefox.
- You can read your email with K-9 Mail.
- You can use F-Droid or Aurora Store to find free and open-source apps that offer an alternative to proprietary apps installed in your device.
Learn why we recommend this
Android devices come with built-in apps that by default ask you to log into your Google accounts, like for example Chrome or GMail. Instead, you can use more privacy-friendly apps to browse the web, read your email and much more. In many cases you can also choose to install these apps from alternative app stores focused on free and open-source software like F-Droid or Aurora Store.
Once you have installed and set up these privacy-friendly apps, you can also uninstall or disable the apps that were installed by default in your device and that you aren't planning to use.
Check your app permissions
Review all permissions one by one to make sure they are enabled only for apps you use. The following permissions should be turned off in apps you do not use, and considered suspicious when used by apps you do not recognize:
- Location
- Contacts
- SMS
- Microphone
- Voice or speech recognition
- (Web) camera
- Screen recording
- Call logs or call history
- Phone
- Calendar
- Pictures
- Movies or videos, and their libraries
- Fingerprint reader
- Near field communications (NFC)
- Bluetooth
- Any setting mentioning "disk access," "files," "folders," or "system"
- Any setting mentioning "install"
- Facial recognition
- Physical activity
- Health Connect
- Allowed to download other apps
To learn how to change app permissions on Android, see Google's support page, with details on how to change and remove app permissions, what each app permission implies and how to disable camera or microphone access on your device.
Learn why we recommend this
Apps that access sensitive digital details or services — like your location, microphone, camera or device settings — can also leak that information or be exploited by attackers. So if you do not need an app to use a particular service, turn that permission off.
Turn off location and wipe history
- Get in the habit of turning off location services overall, or when you are not using them, for your whole device as well as for individual apps.
- Location settings may be in slightly different places on different Android devices, but are probably somewhere in Settings, Privacy and/or Security as well as in your Google account preferences.
- Regularly check and clear your location history if you keep it turned on. To delete past location history and set it so your devices and Google Maps do not save your location activity, follow the instructions for your Google Maps Timeline and your Maps activity.
Learn why we recommend this
Many of our devices keep track of where we are using GPS, cell phone towers and the wifi networks we connect to. If your device is keeping a record of your physical location, it makes it possible for someone to find you or use that record to prove that you have been in certain places or associated with specific people who were somewhere at the same time as you.
Create separate user accounts on your devices
- Create more than one user account on your device, with one having "admin" (administrative) privileges and the others "standard" (non-admin) privileges.
- Only you should have access to the admin user.
- Standard users should not be allowed to access every app, file or setting on your device.
- Consider using a standard user for your day-to-day work.
- Use the admin user only when you need to make changes that affect your device security, like installing software.
- Using a standard user daily can limit how much your device is exposed to security threats from malware.
- When you cross borders, having a standard user open could help hide your more sensitive files. Use your judgment: will these border authorities confiscate your device for a thorough search, or will they just open it and give it a quick review? If you expect they won't look too deeply into your device, being logged in as a standard user for work that is not sensitive provides you some plausible deniability.
- Learn how to add users in Google's support page on adding and deleting users.
Learn why we recommend this
We strongly recommend not sharing devices you use for sensitive work with anyone else. However, if you must share your devices with co-workers or family, you can better protect your device and sensitive information by setting up separate users on your devices in order to keep your administrative permissions and sensitive files protected from other people.
Remove unneeded users associated with your device
- Learn how to remove unwanted users in Google's support page on how to delete users.
Learn why we recommend this
If you don't intend for someone else to access your device, it is better to not leave that additional "door" open (this is called "reducing your attack surface"). Additionally, checking what users can access your device could reveal accounts that have been created on your device without your knowledge.
Secure the Google accounts connected with your device
- Log into each Google account associated with your device.
- Check which devices use your account.
- Secure the Google accounts connected with your device following the steps for account protection in our guide on how to use Google.
- Also see our guide on social media accounts to check other accounts connected with your device.
- Take a picture or screenshot of your account activity if you see anything suspicious, like devices you have disposed of, don't have control of or don't recognize.
- Also see the section on suspicious access in the guide on Google.
- Go to the security checkup page and check whether there is any warning.
- Complete the following steps:
- Check the last activity in your account settings. To do this, you can also click on "Details" in the bottom right corner of your GMail inbox.
- Check if there has been any recent security-related activity on your Google account.
- Check if your Google account is connected to any third-party apps or services.
- Check if you have enabled any application passwords.
- Check that you have set a recovery email and phone number to recover access in case you are locked out of your account.
- Check whether your mail is being automatically forwarded to another address.
- Consider enrolling in Google's Advanced Protection program.
Learn why we recommend this
Most devices have accounts associated with them, like Google accounts for your Android phone, your Chromebook laptop, and Google TV. More than one device may be logged into your Google account (like your phone, your laptop and maybe your TV). If someone else has access to your account without your authorization, the checks included in this section will help you see and stop this.
Set your screen to sleep and lock
- Set a longer passphrase (minimum 10 characters), not a short password or PIN.
- To learn how to set or change your passphrase, see the Google support page on how to set a screen lock on an Android device.
- Making it possible to use your fingerprint, face, eyes or voice to unlock your device can be used against you by force; do not use these options unless you have a disability which makes typing impossible.
- Remove your fingerprints and face from your device if you have already entered them. Android devices differ, so this could be in a few locations on your device, but try following the instructions to remove a fingerprint or delete Face Unlock. In alternative, try looking where you would normally find your device lock settings.
- Pattern locks can be guessed; do not use this option.
- Simple "swipe to unlock" options are not secure locks; do not use this option.
- Disable the "make password visible" option.
- Remove your fingerprints and face from your device if you have already entered them. Android devices differ, so this could be in a few locations on your device, but try following the instructions to remove a fingerprint or delete Face Unlock. In alternative, try looking where you would normally find your device lock settings.
- Set your screen to lock a short time after you stop using it (try setting it to 1 minute or 5 minutes and see which works for you). The place to do this will be different on different devices, but look for "Screen timeout" under the "Display," "System" or "Security" settings.
Learn why we recommend this
While technical attacks can be particularly worrying, your device may as well be confiscated or stolen, which may allow someone to break into it. For this reason, it is smart to set a passphrase screen lock, so that nobody can access your device just by turning it on and guessing a short PIN or password.
We do not recommend screen lock options other than passphrases. If you are arrested, detained or searched, you might easily be forced to unlock your device with your face, voice, eyes or fingerprint. Someone who has your device in their possession may use software to guess short passwords or PINs. It is also possible to guess "pattern" locks by looking at finger tracks on the screen. Someone who has dusted for your fingerprints can make a fake version of your finger to unlock your device if you set a fingerprint lock and similar hacks have been demonstrated for face unlock.
For these reasons, the safest lock you can set is a longer passphrase.
Control what can be seen when your device is locked
- In the guide on how to control how notifications show on your phone's lock screen, follow the instructions to not show any notification.
- If you really need to be notified about incoming messages, you can choose to Hide sensitive content from notifications on your lock screen, which will show only incoming messages without mentioning anything on the sender or the content.
- If you have enabled multiple users in your device, make sure that the option "Add users from lock screen" is off. To learn how to do this, see Google's support page on changing guest and user settings. These instructions can vary, and you could also find them in Security > Lock Screen or in System > Advanced > Multiple users.
Learn why we recommend this
A strong screen lock will give you some protection if your device is stolen or seized — but if you don't turn off notifications that show up on your lock screen, whoever has your device can see information that might leak when your contacts send you messages or you get new email.
Disable voice controls
Disable Google Assistant and/or voice control. Voice and Assistant settings may be in slightly different places depending on your Android device, but are probably somewhere in Settings > Google.
Review the instructions in the Google Assistant support page.
If you have decided the benefits to you outweigh the large risks of using voice control, follow the Security Planner instructions to do so more safely and read Keeping your information private and secure in the official Google Assistant guide.
Also consider disabling altogether microphone access on your device and only enabling it when you really need it.
Learn why we recommend this
If you set up a device so you can speak to it to control it, it becomes possible for someone else to install code on your device that could capture what your device is listening to.
It is also important to consider the risk of voice impersonation: someone could record your voice and use it to control your phone without your permission.
If you have a disability that makes it difficult for you to type or use other manual controls, you may find voice controls necessary. This section provides instructions on how to set them up more safely. However, if you do not use voice controls for this reason, it is much safer to turn them off.
Use a physical privacy filter that prevents others from seeing your screen
- For more information on this topic, see the Security Planner guide on privacy filters.
Learn why we recommend this
While we often think of attacks on our digital security as highly technical, you might be surprised to learn that some human rights defenders have had their information stolen or their accounts compromised when someone looked over their shoulder at their screen or used a security camera to do so. A privacy filter makes this kind of attack, often called shoulder surfing, less likely to succeed. You should be able to find privacy filters in the same shops where you find other accessories for your devices.
Use a camera cover
- First of all, figure out whether and where your device has cameras. Your smartphone might have more than one.
- You can create a low-tech camera cover: apply a small adhesive bandage on your camera and peel it off when you need to use the camera. A bandage works better than a sticker because the middle part has no adhesive, so your lens won't get sticky.
- In alternative, search your preferred store for the model of your device and "webcam privacy cover thin slide" to find the most suitable sliding cover for your phone or tablet.
- Also consider disabling altogether camera access on your device.
Learn why we recommend this
Malicious software may turn on the camera on your device in order to spy on you and the people around you, or to find out where you are, without you knowing it.
Turn off connectivity you're not using
- Completely power off your devices at night.
- Get into the habit of keeping wifi, Bluetooth and/or network sharing off and only enable them when you need to use them.
- Airplane mode can be a quick way to turn off connectivity on your mobile. Learn how to selectively turn on wifi and Bluetooth once your device is in Airplane mode, to use only the services you want.
- Turn Airplane mode on and make sure wifi and Bluetooth are off.
- To learn how to selectively turn on wifi and Bluetooth while your phone is in Airplane mode, see Google's support page on keeping your Android’s wireless connections on in Airplane mode.
- Check the "Change more Wi-Fi settings" instructions in Google's support page on managing advanced network settings on Android and make sure "Turn on Wi-Fi automatically" and "Notify for public networks" are turned OFF.
- Turn off the hotspot when you are not using it.
- Make sure your device is not providing an internet connection to someone else using the hotspot. To learn how to turn off the hotspot, see the Android support page or the Pixel support page on sharing mobile connection by hotspot.
Learn why we recommend this
All wireless communication channels (like wifi, NFC or Bluetooth) could be abused by attackers around us who may try to get to our devices and sensitive information by exploiting weak spots in these networks.
When you turn Bluetooth or wifi connectivity on, your device tries to look for any Bluetooth device or wifi network it remembers you have connected to before. Essentially, it "shouts" the names of every device or network on its list to see if they are available to connect to. Someone snooping nearby can use this "shout" to identify your device, because your list of devices or networks is usually unique. This fingerprint-like identification makes it easy for someone snooping close to you to target your device.
For these reasons, it is a good idea to turn off these connections when you are not using them, particularly wifi and Bluetooth. This limits the time an attacker might have to access your valuables without you noticing that something strange is happening on your device.
Clear your saved wifi networks
- Save network names and passwords in your password manager instead of your device's list of networks.
- If you do save network names and passwords in your list of saved wifi networks, get in the habit of regularly erasing them when you aren't using them anymore. To learn how to do this, see Google's documentation on how to remove saved networks.
- Make sure "Turn on Wi-Fi automatically" and "Notify for public networks" are turned off in your Network preferences.
Learn why we recommend this
When you turn wifi connectivity on, your device tries to look for any wifi network it remembers you have connected to before. Essentially, it "shouts" the names of every network on its list to see if they are available to connect to. Someone snooping nearby can use this "shout" to identify your device, because your list is usually unique: you have probably at least connected to your home network and your office network, not to mention networks at friends' houses, favorite cafes, etc. This fingerprint-like identification makes it easy for someone snooping in your area to target your device or identify where you have been.
To protect yourself from this identification, erase wifi networks your device has saved and tell your device not to look for networks all the time. This will make it harder to connect quickly, but saving that information in your password manager instead will keep it available to you when you need it.
Turn off sharing you're not using
- Android devices differ, but look for a "connected devices," "device connections" or similar option in Settings and turn off or remove all devices there.
- Turn off Quick Share (also called Nearby Share on some devices). Only enable it if you really need to share data with nearby devices that you trust.
- If you really must share data with someone near you and they are not your Google contact, choose to share with "everyone" but check the "Use everyone mode temporarily" option so that you stop being visible to nearby devices after few minutes. Once you're done sharing, turn off Quick Share again.
Learn why we recommend this
Many devices give us the option to easily share files or services with others around us — a useful feature. However, if you leave this feature on when you are not using it, malicious people may exploit it to get at files on your device.
Advanced: figure out whether someone has accessed your device without your permission (basic forensics)
Follow the steps on the following checklists:
- Check devices linked to chat applications.
- Review installed applications.
- Check if the phone is rooted.
- Check for indicators of stalkerware installation.
- If you suspect your device may be compromised, follow the steps in the Digital First Aid Kit troubleshooter My device is acting suspiciously.
Learn why we recommend this
It may not always be obvious when someone has accessed your devices, files or communications. These additional checklists may give you more insight into whether your devices have been tampered with.
Advanced: Use Android without a Google account
If you are concerned with Google tracking your every move, you can remove your Google account from your device by following the steps in the Android documentation on how to Add or remove an account on Android. Better yet, the first time you configure your phone you can skip the "Sign in" screen. This way your device will not be tied to any Google account and information regarding location, searches, installed apps and so on will not be added to its profile.
With no Google account connected to your device, you will not be able to use the Google Play Store to install apps. Use alternative app stores like F-Droid and Aurora Store instead.
- The F-Droid store offers only free and open-source (FOSS) applications. To install it download the F-Droid APK from the official website and click the downloaded file to proceed with the installation. You may need to temporarily allow installing unknown apps. Make sure to revoke the installation permissions when the installation is completed!
- In the Aurora Store you will find the same apps that are in the Google Play Store. You can install Aurora Store from F-Droid.
- Regularly update installed apps by opening F-Droid and Aurora Store and manually verifying upgrades. Note that automatic updates may not work and with time you may be using outdated and insecure apps if you don't update them manually.
Advanced: Change the operating system of your Android device
Android is made by Google so it is loaded with Google apps that track you and gather a lot of information about what you do and where you are. In some cases you can install a more secure and private alternative Android operating system such as security- and privacy-focused GrapheneOS and DivestOS. This is an advanced solution: if you decide to do this, make sure your device is compatible. There are several steps you must take to install and if something goes wrong you could make your device unusable.