ANDROID
It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason is that you do not find pre-installed spyware or malware on iPhones (more below). Also, there is no consistency with Android: no expert can tell someone how to configure an Android device because they all have a different set of options. This is illustrated below in the item about factory resets after too many bad passwords.
- Medical Emergency: First responders are trained to look at our phones for emergency contacts and medical information. In general, search Settings for "Emergency information". On Samsung: Phone app -> Contacts tab -> My Profile -> bottom of the page. On Pixel with Android 10: Settings -> About phone -> Emergency information. There is one section for Medical information and another for Emergency contacts. To see the emergency information: When prompted to enter the passcode to unlock a phone, tap on the word Emergency, then you are on your own as each Android phone is different. On a Pixel with Android 10 there is an Emergency Information button at the top of the screen. More here: Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
- Set a lock screen message in the hope that a lost device is found by an honest person. Something like: If found please call 111-222-3333 or email me@somedomain.com. I use an email address that is auto-forwarded to multiple email addresses.
Android 8: Settings -> Security and Location -> Lock screen preferences -> Lock screen message
Android 9: Settings -> Lock screen -> Contact information
Android 10: Settings -> Display -> Advanced -> Lock screen display -> Lock screen message
Android 11: Settings -> Display -> Advanced -> Lock screen -> Add text on lock screen
Android 12: Settings -> Display -> Lock screen -> Add text on lock screen
- The safest Android phones are the Pixel line from Google, which are updated at the start of every month with bug fixes. Pixel phones are also less likely to come with pre-installed bugs, malware and/or spyware. My guess is that Pixel phones purchased from Google will be safer than those from a cell company. That said, phones running the "Android One" version of the operating system should also be safe, and cheaper.
- The Google Photos app has a Locked Folder. Files in the folder are not backed up to the cloud. They are not accessible at all without the PIN code that unlocks the phone. To create it, in the Photos app, go to Library, then Utilities, then Locked Folder.
- SAFE APPS
- The developers of GrapheneOS have two open source, privacy focused apps: Secure Camera and Secure PDF Viewer. The PDF viewer does not require any permissions at all. See: GrapheneOS brings its privacy-conscious camera and PDF viewer apps to the Play Store from xda-developers.com (March 2022).
- For not spying on you or phoning home to Google or Facebook, Michael Bazzell recommends the Simple Apps at simplemobiletools.com. Also, no ads. Their apps include: Picture Gallery, file manager, notes, calculator, app launcher, music player, draw, dialer, voice recorder, flashlight and SMS messenger. They are available both in the Play Store and F-Droid.
- Another organization with privacy friendly apps is the SECUSO Research Group. They offer over 30 apps including Notes which does both text and audio. The notes are on just one device, there is no synching over a network to other devices. Their WiFi manager turns Wi-Fi off when you are not at home.
- Exodus Privacy is an excellent resource to learn about the trackers and permissions in Android apps (both how many, and which ones). It is available both as a website and as an Android app. As an app, it will scan all the other apps installed on the Android device. If you like baseball, beware that the MLB app is a cesspool of spying with 16 trackers. The CNN app has 14.
- The F-Droid app store is free and open source. Likewise, all the apps there are also free and open-source. Apps with ads or tracking are clearly labeled as such. No account is needed to use F-Droid.
- appcensus.io evaluated Android apps and reported on the data they phoned home with. When I looked at the site in Feb. 2020, it seemed to have been abandoned. I checked again in January 2022 and they were transitioning from an academic research project to a commercial service. So, still not available.
- In the Android Google app, click on the circle in the top right corner (with either your initial or picture), then click on Your data in Search. This brings up a number of Google search configuration options, such as saving web and app activity, personalized search results, app info from your devices and more. Customize to your liking.
- SAMSUNG
- Anyone with a Samsung phone should go into the settings for the Samsung Pay app and turn on the "Do not sell" option. Samsung users also need to be aware that Samsung has their own spying and tracking as per: Galaxy users, take note: Samsung's probably selling your data (JR Raphael Jan. 2020).
- Samsung Galaxy phones have an 'SOS Messages' feature that will send texts to your emergency contacts, make phone calls and more, all at the touch of a button. Takes a bit of setup. See How to Send SOS Messages from a Samsung Galaxy Phone by Joe Fedewa (Aug 2021).
- SYSTEM WIDE AD AND/OR TRACKER BLOCKING
- Private DNS: on Android 10, 11 and 12, Private DNS is a single OS setting that changes the DNS server system-wide, for all Wi-Fi and 4G/LTE networks. It uses DNS over TLS (DoT) for encrypted DNS. You can combine this with DNS based ad and tracker blocking to get blocking without having to install an app or define a VPN. The really amazing aspect of this is that it works even in combination with a VPN (I tested four VPNs). My preferred DNS blocker is nextdns.io (more below). You can also use AdGuard by specifying dns.adguard.com or dns-family.adguard.com.
-- Note that Private DNS on Android 9 works a bit differently from Android 12, 11 and 10, when it comes to VPNs. By default, an active VPN on Android 9 will impose its DNS servers and the Private DNS setting will be ignored.
-- Private DNS does not exist on Android 8 or earlier. These older versions require changing DNS settings for each Wi-Fi network and again for 4G/LTE. You will need to install an app that, no doubt, will create a phony VPN just to get control over DNS.
- For DNS based blocking, I suggest nextdns.io. The number of features is extensive, but the documentation is poor, so expect it to take some time to get up to speed. Sign up for a free account. Tweaking of the block rules can be done at any time. Make a note of the DNS over TLS hostname, it will be something like abc123.dns.nextdns.io. Turn on Private DNS in Android and set the DNS over TLS hostname as the "Private DNS provider hostname". Extra credit: identify the device in the (optional) logs by using a name like harveyphone-abc123.dns.nextdns.io as the hostname.
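To show what the Private DNS setting does on the wire, and to let you check a NextDNS (or any other DoT) hostname from a computer before typing it into the phone, here is an added example in Python. It is not code from this page or from NextDNS: it builds a DNS A query, sends it over TLS to port 853 with the Private DNS hostname as the server name (which is how DNS over TLS, RFC 7858, works), and parses the answer. The nextdns_hostname helper only follows the hostname pattern described above; the config ID "abc123" and device label "harveyphone" are placeholders, and the sample response bytes used to check the parser are constructed.

```python
import socket
import ssl
import struct


def nextdns_hostname(config_id, device_label=None):
    """Build a NextDNS DNS-over-TLS hostname following the pattern on this
    page: abc123.dns.nextdns.io, or harveyphone-abc123.dns.nextdns.io to
    label the device in the logs. Both arguments are placeholders you
    replace with your own values."""
    if device_label:
        return f"{device_label}-{config_id}.dns.nextdns.io"
    return f"{config_id}.dns.nextdns.io"


def build_query(name, qtype=1, txid=0x1234):
    """Encode a single-question DNS query in wire format (qtype 1 = A,
    28 = AAAA) with only the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed domain name at msg[off].
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse a DNS response; return its id, rcode and A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4                                 # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, socket.inet_ntoa(rdata)))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", ttl, socket.inet_ntop(socket.AF_INET6, rdata)))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed before the DNS message was complete")
        buf += chunk
    return buf


def query_dot(dns_hostname, name, qtype=1, port=853, timeout=5.0):
    """Resolve `name` over DNS-over-TLS: a TLS session to port 853, the
    Private DNS hostname used as SNI and for certificate validation, and
    every DNS message prefixed with a 2-byte length."""
    ctx = ssl.create_default_context()           # verifies the resolver's certificate
    with socket.create_connection((dns_hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dns_hostname) as tls:
            query = build_query(name, qtype)
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


if __name__ == "__main__":
    # Placeholder config ID and device label; replace with your own NextDNS values.
    host = nextdns_hostname("abc123", "harveyphone")
    print(host, query_dot(host, "example.com"))
```

If the TLS handshake fails with a certificate error, the hostname is wrong or is being intercepted; if it succeeds but a domain on your block list still resolves to a normal address, the blocking rules on the NextDNS side need attention rather than the phone setting.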
- TrackerControl is an Android app that allows you to monitor and, maybe, control the hidden data collection in Android apps. It is free and open source and from the University of Oxford in the UK. It installs as a VPN so you cannot use it while a real VPN is active. All the processing takes place on your Android device, the creators of the app know nothing about your activities. The version of the app in the Play store is a lite version that only reports on trackers. Google will not let them put an actual blocker in the Play store. The full version, that does block trackers, has to be sideloaded. More: How to Monitor and Block Ad Trackers on Android by Jordan Gloor of How To Geek (Dec 2021).
- The Blokada ad blocker is free, open source and not allowed in the Play Store. Google profits off ads, so they do not like ad blockers in the Play Store. Thus, you have to side load the app. It installs a VPN, but only to enable the intercepting of all DNS requests. It is not a real VPN and it cannot run alongside a real VPN. It may also block some trackers. Great feature: customized white and black lists. Blokada also offers a paid VPN in the Play Store, see the VPN topic for details. More: How Blokada works and Blokada Help.
- The Lumen Privacy Monitor spies on the apps that spy on you. It seems to have been abandoned, but I found it functional on Android 9 and 10. It was/is from the International Computer Science Institute at UC Berkeley. It is not a VPN, but it installs as a VPN and thus cannot run alongside a real VPN. It shows all the domains an app calls out to and lets you block them just for the one app or system-wide. It also shows how often an app uses HTTPS vs. HTTP. Although it identifies ad/tracker domains, it does not block anything by default. It reports on data leaks, showing both the type of data that was leaked and which app leaked it. It intercepts TLS, a feature that requires you to install their certificate. There is no one list of blocked domains, so when a blocked domain stops an app from working, ugh. It does not replace or encrypt DNS. It phones home as part of the research project. Website: haystack.mobi.
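The three tools above (TrackerControl, Blokada, Lumen) all do the same basic analysis: record which hosts each app talks to, note whether the traffic is cleartext HTTP or HTTPS, match the hosts against a tracker list, and then decide whether to block a host for one app or system-wide. The following added example in Python, which is not code from any of those projects or from this page, runs that analysis over a constructed connection log. The package names, hosts and the two-entry tracker blocklist are all made up for the example.

```python
from collections import defaultdict

# Constructed sample log: one line per outbound connection, in the shape a
# VPN-based monitor might record it: package, scheme, destination host, port.
SAMPLE_LOG = """\
com.example.weather,https,api.example-weather.test,443
com.example.weather,http,ads.tracker-one.test,80
com.example.weather,https,metrics.tracker-two.test,443
com.example.weather,https,api.example-weather.test,443
com.example.news,https,cdn.example-news.test,443
com.example.news,http,cdn.example-news.test,80
com.example.news,https,ads.tracker-one.test,443
com.example.notes,https,sync.example-notes.test,443
"""

# Constructed blocklist of tracker domains; matched as suffixes, like a DNS blocklist.
TRACKER_DOMAINS = {"tracker-one.test", "tracker-two.test"}


def parse_log(text):
    """Turn the CSV lines into (app, scheme, host, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, scheme, host, port = line.split(",")
        records.append((app, scheme.lower(), host.lower().rstrip("."), int(port)))
    return records


def is_tracker(host, blocklist=TRACKER_DOMAINS):
    """True if host is a blocklisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def summarize(records, blocklist=TRACKER_DOMAINS):
    """Per app: distinct destinations, cleartext vs TLS counts, tracker hits."""
    summary = {}
    for app, scheme, host, _port in records:
        entry = summary.setdefault(app, {"domains": set(), "http": 0,
                                         "https": 0, "trackers": set()})
        entry["domains"].add(host)
        if scheme == "http":
            entry["http"] += 1
        elif scheme == "https":
            entry["https"] += 1
        if is_tracker(host, blocklist):
            entry["trackers"].add(host)
    return summary


def cleartext_ratio(entry):
    """Fraction of an app's connections that were plain HTTP (Lumen's HTTPS vs HTTP view)."""
    total = entry["http"] + entry["https"]
    return entry["http"] / total if total else 0.0


def block_recommendations(summary):
    """A tracker host contacted by several apps is a candidate for a
    system-wide block; one contacted by a single app for a per-app block,
    which limits the damage if the block turns out to break that app."""
    apps_by_host = defaultdict(set)
    for app, entry in summary.items():
        for host in entry["trackers"]:
            apps_by_host[host].add(app)
    return {host: ("system-wide" if len(apps) > 1 else f"per-app:{next(iter(apps))}")
            for host, apps in apps_by_host.items()}


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for app, e in sorted(stats.items()):
        print(f"{app}: {len(e['domains'])} hosts, cleartext {cleartext_ratio(e):.0%}, "
              f"trackers {sorted(e['trackers'])}")
    print(block_recommendations(stats))
```

The per-app versus system-wide split is the point the Lumen bullet makes about blocked domains silently breaking apps: start with per-app blocks, and only promote a host to a system-wide block once more than one app is seen contacting it.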
- A big reason for Android's security problems is the lack of bug fixes. Most Android devices are shamefully vulnerable both because fixes are late in being issued (if they are ever issued) and then late in being installed. Here's an idea: before buying an Android phone try to find out when bug fixes for it will be released. Lotsa luck. The correct answer is once a month. Better still, try to find out when the last bug fixes for the phone will be issued, that is, when the software will be abandoned. You will not get an answer to either question.
- Annoyance: There is no solution to this problem. Press the power button to put the device to sleep. A couple seconds later press the power button again and you have to re-enter the PIN code despite the very short sleep time. As of Android 12, there is no configuration option that controls this. Smart Lock comes close, but it is not a real solution.
- SETTINGS
- Turn off Allow Scanning. This allows apps and services to scan for WiFi networks and nearby devices at any time, even when Wi-Fi or Bluetooth is off.
- Turn off the option to send usage and diagnostic data to Google. On Android 12: Settings -> Privacy -> Usage & diagnostics.
- DEFENSE
- Only install apps from the Play store (miserable name for the app store). Do not use side loading (aka sideloading) to install apps from outside the Play store. Side loading is OFF by default. Also, do not install apps that come to you via Telegram or WhatsApp messages. If you must sideload, APK Mirror is a trustworthy source.
Android 8 and 9: Settings -> Apps & Notifications -> Advanced -> Special App Access -> Install Unknown Apps. For each app capable of sideloading, it will say "Not allowed" by default. Again, this is the safe setting.
- Every now and then turn the phone/tablet off and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. It is not a perfect defense, but the NSA recommends rebooting/restarting a phone every week. Reboots to install bug fixes count. More: Turn off, turn on: Simple step can thwart top phone hackers by AP News (July 2021).
- Disable some pre-installed certificates. I have never seen this advice suggested anywhere, perhaps because it is hard to understand. I will skip the explanation, other than to say that pre-installed certificates are used to trust software and websites. But these certificates come from hundreds of companies that no one has ever heard of. So, maybe disable some certificates from China. Just do these one at a time in case it breaks something. Search Settings for "Encryption and credentials" or "Trusted credentials." Among the companies that created these certificates/credentials you may find the Hong Kong Post Office (Hongkong Post), China Financial Certification Authority, Chunghwa Telecom Co., Ltd. and GUANG DONG CERTIFICATE AUTHORITY CO., LTD. Which of the hundreds to disable? Dunno. I have never seen an article about this.
- ANDROID 13
- There is a new Active apps button in the Quick Settings menu (at the bottom) which shows currently running apps and makes it easy to stop them.
- Android 13: 6 settings to update immediately by Jon Gilbert of Android Police (Aug 2022). Bilingual Android users can now set the language on a per-app basis, if the app supports it. Shrink the huge clock on the lock screen.
- ANDROID 12
- When first setting up a new copy of Android 12, you may be asked to improve the messaging app. Say no.
- Android apps can auto-update but on every Android device I have used that option defaulted to off. To enable it: Play Store -> click on your picture or initial in the top right corner -> Settings -> Network Preferences -> Auto-update apps. While there, you may also want to change the Auto-play videos setting.
- Also in the Play Store Settings, in the General section, is an option, App install optimization, that sends data to Google. Maybe turn that off.
- A new feature lets you quickly cut off access to the camera and/or microphone system-wide. However, the buttons for this are not in the Quick Settings by default. To add them: swipe down from the top of the screen with two fingers to bring up Quick Settings. Then click on the pencil (bottom left) and tap and hold and drag up the buttons for Mic access and Camera access.
- There is a new Privacy Dashboard screen that shows which apps are using assorted permissions and how often they use them. See it at Settings -> Privacy -> Privacy dashboard.
I suggest checking this periodically. Unfortunately the report only covers the last 24 hours. And, it's pretty lame. Still, it does let you revoke permissions that you find apps were using. It just doesn't tell you this - long press on an app in the report that used a permission.
- Settings -> Privacy -> turn on Show clipboard access to see when apps access copied data. Maybe turn off "Personalize using app data" which allows apps to send data to the Android system. Exactly what this means is not clear to me, but any personalization implies spying. Turn off "Usage and diagnostics" which is definitely spying.
- Settings -> Display -> Lock screen -> Turn off the Show wallet option.
- There are six different Location services. Review them and adjust as you see fit. They are at Settings -> Location -> Location services. The Google location accuracy is sneaky, as it lets the phone use WiFi even when WiFi is off.
- Turn off the option to send usage and diagnostic data to Google at: Settings -> Privacy -> Usage and Diagnostics
- Multiple Users: Android 10, 11 and 12 devices (not sure about v9) support multiple userids, including a Guest user. The feature is off by default. Google says: "Each user has a personal space on the phone for custom Home screens, accounts, apps, Settings and more." The Guest user can be blocked from making phone calls. On a Pixel phone running v11: Settings -> System -> Advanced -> Multiple users. DO NOT USE THIS. The messaging app is buggy when logged on as a secondary user and Google is not prepared to accept bug reports from normal people (me). This feature is clearly not a priority as the bugs I found were very obvious. Google says text messages are not shared between users, this is not true, they are shared.
- Android 10 (aka Q): When an app asks for access to location data, there is a new option to only allow this while the app is in use. Also, there is a new Privacy section in system Settings.
- Chrome browser: Configure by pressing the three vertical dots in the top right corner -> Settings.
- Site Settings -> Motion sensors -> Off. By default the Chrome browser has access to the accelerometer (aka motion sensors). This can be used to spy on you and offers no benefit. Verified Nov. 2021 on Android 10 and 11.
- Privacy & Security. Turn on Always use secure connections and Secure DNS. For a DNS provider use NextDNS or Quad9. Turn off Access payment methods and Preloading pages. Turn off Privacy Sandbox trial features.
- Downloads -> Turn on Ask where to save files
- Site settings -> Cookies. Either Block third-party cookies all the time (will break some websites) or only in Incognito mode.
- Browsers: There are many available web browsers for Android, such as Firefox and Brave. The Kiwi Browser supports most Chrome desktop extensions. It also blocks ads and trackers.
- Control the usage of 4G/LTE/5G data
You can ask to be warned about mobile data usage after a MB or GB amount you specify. You can also prevent any Mobile data over a certain amount which is probably a good idea for a child but not for an adult.
- Android 12: Settings -> Network & internet -> Internet -> Gear icon next to your 4G or 5G data provider -> Data warning & limit
- Android 11: Settings -> Network & internet -> Mobile network -> Data warning & limit
You can see the apps using the most mobile data. If you click on an app, there will be an option to turn off "Background data" that prevents the app from using mobile data when it is running in the background.
- Android 12: Settings - Network & internet -> Internet -> Gear icon next to your 4G or 5G data provider -> App data usage. Or, maybe search settings for "Mobile data usage"
- Android 11: Settings - Network & internet -> Mobile network -> App data usage
- One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. Android 10 reports Wi-Fi usage separately from 4G/LTE usage. Both are in the Network and Internet section. Then Wi-Fi -> Wi-Fi data usage -> see example. And, Mobile network -> App data usage -> see example.
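The advice above is to periodically look at per-app data usage and notice when an app's background use changes. The trouble with eyeballing the "App data usage" screen is that a podcast or cloud-backup app legitimately moves a lot of data every day, so an absolute number is a poor alarm. This added example in Python, not code from this page or from Android, records daily per-app snapshots and flags only a day where an app's background mobile use jumps well above that app's own earlier median. The package names and byte counts are constructed; the steady heavy user (the podcast app) is there to show it is not flagged.

```python
from statistics import median

# Constructed daily snapshots of per-app mobile data, in bytes, split into
# foreground and background the way the "App data usage" screen shows them.
SAMPLE_DAYS = [
    # (day, app, foreground_bytes, background_bytes)
    (1, "com.example.photos", 12_000_000, 400_000),
    (2, "com.example.photos", 9_000_000, 350_000),
    (3, "com.example.photos", 15_000_000, 500_000),
    (4, "com.example.photos", 11_000_000, 420_000),
    (5, "com.example.photos", 13_000_000, 380_000),
    (6, "com.example.photos", 10_000_000, 450_000),
    (7, "com.example.photos", 12_000_000, 48_000_000),   # sudden background spike
    (1, "com.example.podcasts", 0, 80_000_000),
    (2, "com.example.podcasts", 0, 75_000_000),
    (3, "com.example.podcasts", 0, 90_000_000),
    (4, "com.example.podcasts", 0, 85_000_000),
    (5, "com.example.podcasts", 0, 70_000_000),
    (6, "com.example.podcasts", 0, 95_000_000),
    (7, "com.example.podcasts", 0, 88_000_000),           # heavy but steady: normal
]


def background_series(rows):
    """Group background bytes per app, ordered by day."""
    series = {}
    for day, app, _fg, bg in sorted(rows):
        series.setdefault(app, []).append((day, bg))
    return series


def flag_spikes(series, factor=5.0, min_bytes=5_000_000, min_history=3):
    """Flag days where an app's background mobile use exceeds `factor` times
    the median of its own earlier days and also exceeds an absolute floor.
    Comparing against the app's own history keeps a steady heavy user from
    being flagged, while the floor ignores tiny apps doubling from nothing.
    Returns {app: [(day, bytes, baseline_median), ...]}."""
    flagged = {}
    for app, points in series.items():
        history = []
        for day, bg in points:
            if len(history) >= min_history:
                baseline = median(history)
                if bg > min_bytes and bg > factor * max(baseline, 1):
                    flagged.setdefault(app, []).append((day, bg, baseline))
            history.append(bg)
    return flagged


if __name__ == "__main__":
    for app, hits in flag_spikes(background_series(SAMPLE_DAYS)).items():
        for day, bg, baseline in hits:
            print(f"{app}: day {day} used {bg / 1e6:.1f} MB in the background, "
                  f"baseline {baseline / 1e6:.2f} MB")
```

An app that trips this check is a candidate for the "Background data" switch described above; it is a prompt to look, not proof of anything, since an app update or a large sync can produce the same jump.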
- Gboard is the Google Keyboard app. If it is installed, go to Settings and search for Gboard. Turn off the "Share usage statistics" option. This sends keyboard usage statistics to Google. Maybe also disable the "Improve Gboard" option.
- Stop the phone from listening to you:
Disable the Hey Google command, which invokes Google Assistant. You have to be online when you do this.
- Android 12: search Settings for "Hey Google"
- Android 10 and 11: Settings -> Google -> Account Services -> Search, Assistant and Voice -> Voice -> Voice match -> Hey Google -> turn off
- To see what else is allowed to listen to you, search in the Settings app for "Microphone". Some apps are allowed all the time, some only when in use and others are always denied. Review each list to see that it makes sense to you.
- ADS
- Android 12: Settings -> Privacy -> Ads -> Delete advertising ID
- Android 10 and 11: Settings -> Privacy -> Advanced > Ads. Turn on "Opt out of Ads Personalization". Or, it might be at: Settings -> Google -> Ads. While there, also click on "Reset advertising ID".
- Android 8 or 9: The Ads Personalization option may not exist, so try searching in Settings for "ads".
- A January 2020 report from the Norwegian Consumer Council points out that there is no OS enforcement of your opting out of personalized ads, it is up to each app to honor this request. So, a scam.
- Usage & diagnostics:
- Android 12: Settings -> Privacy -> Usage & diagnostics -> turn it off
- Android 10 and 11: Settings -> Privacy -> Advanced -> Usage & diagnostics -> turn it off
- Autofill:
This ease-of-use feature lets Google save still more information about you. Turn it off.
- Android 10, 11 and 12: Settings -> Privacy -> Autofill service from Google.
- You may be able to set an Android device to erase all data after too many failed attempts to enter the PIN/passcode. On one Android 10 device: Settings -> Lock screen -> Secure lock settings -> Auto factory reset (after 15 bad passcodes). However, other Android devices I checked (an Android 11 phone, two Android 10 tablets and an Android 8 tablet) had no option for this at all. I have read that it might be at Settings -> Security & Location -> Screen lock.
- Backup: How to back up Android devices: The complete guide by JR Raphael for Computerworld (Jan 2020)
- The Android Play Store allows many apps to share the same name. Before installing an app, check who created it, to ensure it is really the app you think it is.
- The Jumbo Privacy + Security app increases your privacy on Facebook, Twitter, Amazon, Google and Alexa. It adjusts Facebook privacy settings, deletes old tweets, erases Google Search history, deletes voice recordings stored by Alexa and more. As of Jan 2, 2020 it was rated 687 times in the app store with an average rating of 4.8 (very high). More here and here.
- I have not used it but Malwarebytes Security: Virus Cleaner, Anti-Malware has 55,000 reviews and is rated 4.6 (as of March 2021).
- As bad as it gets: Millions of Android phones can be hacked. Original source: Over 400 vulnerabilities on Qualcomm's Snapdragon chip threaten mobile phones' usability worldwide from Checkpoint (August 2020). This research was dubbed "Achilles" no doubt because it is an Achilles Heel for Android. Checkpoint found about 400 bugs in a DSP chip from Qualcomm that is used in phones from Google, Samsung, LG, Xiaomi, OnePlus and others. iPhones are not affected by these flaws. If the bugs are exploited, you can be spied on or lose all your data. More here.
- PRE-INSTALLED CRAP
Cheaper Android phones are the worst when it comes to pre-installed crap and none of this happens on iOS.
- Chinese-Made Smartphones Are Secretly Stealing Money From People Around The World by Craig Silverman for Buzzfeed (Aug. 2020). Preinstalled malware on low-cost Chinese phones has stolen data and money. The malware, xHelper and Triada, secretly downloads apps and attempts to subscribe the victim to paid services. A factory reset does not remove the malware. The phone cited was a Tecno, made by Transsion, which is the fourth-biggest handset maker in the world, behind Apple, Samsung, and Huawei. The article cites other cases of pre-installed malware on Android phones.
- We found yet another phone with pre-installed malware via the Lifeline Assistance program by Nathan Collier of Malwarebytes (July 2020). The phone was from ANS (American Network Solutions).
- US Funds Free Android Phones For The Poor - But With Permanent Chinese Malware by Thomas Brewster (Jan 2020). Malware discovered by MalwareBytes. No comment from the FCC or Assurance Wireless, which made the phones.
- In An open letter to Google, over 50 organizations plead with Google to do something about exploitative pre-installed software. (Jan 2020) The letter references this research paper: An Analysis of Pre-installed Android Software (2019).
- A Nov. 2019 report from Kryptowire looked at pre-installed threats (bugs and vulnerabilities) on phones sold by US carriers. They looked at a range of Android devices, from low-end to flagship. See also their Mobile Vulnerability Analysis (PDF).
- Backdoor found in four smartphone models (Catalin Cimpanu June 2019). An un-removable backdoor Trojan was found in four low end Android phones.
- ANDROID ARTICLES
- How to enhance privacy on your Android phone by Manuel Vonau for Android Police (December 2021). Long article with many suggestions.
- How to stay private when using Android by Ludovic Rembert for ProtonMail (Dec 2019). 14 suggestions.
- 9 Apps to Boost Your Phone's Security and Privacy by David Nield in Wired (Aug 2016).
Access Dots shows if an app has secretly enabled the camera or the microphone. Norton App Lock password protects apps. Authy for 2FA. Firefox Focus for private browsing.
Re-purpose an old phone or tablet into a security camera with Alfred Home Security Camera. And more.
- LOCKING
- To lock an Android device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
- A different type of locking is to lend a device to someone but limit them to only run one app. See How to Safely Lend Someone Else Your Phone by David Nield for Wired (July 2022). The article does not refer to a version of Android, but 12 was current when it was written. The feature the article describes is App Pinning. On older versions of Android this was called Screen Pinning.
- Block the camera from having access to location information. Android 10: Settings -> Privacy -> Permissions manager -> Location -> Camera app -> choose Deny. On some Android devices, camera apps have their own GPS setting. To see if a photo has location info, view it in the Google Photos app and swipe up. The Google Photos app can strip location info from a photo before you share it: Open the Google Photos app, click the hamburger menu in top left -> Settings -> turn on Remove geo location. This only works in the Google Photos app.
- Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.
- Take Google out of Android: The January 14, 2022 episode of the Privacy Security and OSINT podcast, by Michael Bazzell, was on Android Sanitation, which means removing Google apps and services from Android without having to resort to custom ROMs, unlocked boot-loaders, or rooted devices. The technique uses Android Debug Software running on a computer, not on the phone.
- REPLACING ANDROID:
- In May 2022, Brad Linder wrote about Simple Phone: Open source, privacy-focused smartphone coming soon from Android app maker Simple Mobile Tools. The goal of the phone and its new OS is to provide a privacy-focused phone with support for Android apps at a budget price. It will ship with only open source apps pre-installed. It will be released in Europe first, no time estimate yet for a US release. More.
- GrapheneOS is a version of Android focused on privacy and security. It is built from a minimal version of Android (AOSP) and it has no Google apps or services. Being Android, it preserves all the standard software and hardware security features. Development seems pretty rapid. There were six releases in February 2021, two in January 2021 and two in December 2020. It only runs on Google Pixel phones. As of March 2021, it is supported on: Pixel 5, Pixel 4a (5G), Pixel 4a, Pixel 4 XL, Pixel 4, Pixel 3a XL, Pixel 3a, Pixel 3 XL and Pixel 3. More: What Is GrapheneOS, and How Does It Make Android More Private? by Joe Fedewa (March 2022).
- GrapheneOS is preferred by Michael Bazzell of The Privacy, Security, & OSINT podcast. He discussed it on his podcast in June 2021, August 2021 and September 2021. He also wrote a GrapheneOS Installation Guide (undated) and a GrapheneOS VOIP Calls Guide (also undated)
- A company called /e/ sells smartphones running /e/ OS, which is Android with Google stripped out of it. Initially they were only available in Europe, but as of Feb. 2021, they are sold in the US and Canada. They offer two refurbished Samsung Galaxy S9 models for $380 and $430. There is no Google Play Store, instead there is a variety of free and/or open source applications. Techies can try installing the software themselves on a short list of compatible phones. Brad Linder has more (Feb 2021).
- In Dec. 2019, Ludovic Rembert of ProtonMail wrote that LineageOS was the most developed (and stable) alternative version of Android but he warned that installing it requires technical knowledge. Max Eddy of PC Magazine wrote about installing LineageOS on an old Android phone (May 2019).
- Also see the Location Tracking topic
- Also see the Mobile OS Spying section which has some privacy focused Android alternatives.
- And see the Mobile Scanning and Sharing topic
- Also see the WhatsApp section.
- The simple question, does an Android device have the latest available bug fixes, is far too hard to answer. iOS does this much better.
- Finding the right place in the Settings to check for OS updates has always been like navigating a rat maze.
- For years the initial screen has lied to us and said that the device is up to date on patches/bug fixes. Many times, it said it last checked hours ago, yet when I clicked on the CheckForUpdates button, it found a missing update (last verified Feb. 2020 with a Pixel 3A running Android 10).
- Android is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Like iOS, Android lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.