A Defensive Computing Checklist    by Michael Horowitz
HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

ANDROID

SOME TOPICS BELOW
Theft Protection, Android 15, Find My Device Network, Scam Call Detection, Photos Locked folder, Messages, Safe Apps, UnSafe Apps, SIM PIN, Pixel Phones, Samsung, System Wide Ad/Tracker Blocking, Assorted Tidbits, Defense, Nearby Share, Android 13, Android 12, Android 10, Multiple Users, Chrome Browser, Control Usage of 4G/LTE Data, Ads, Usage & Diagnostics, NFC, Permissions, Pre-Installed Crap, See Also

It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason, is that you do not find pre-installed spyware or malware on iPhones (more below). Also, there is no consistency with Android. No expert can tell someone how to configure an Android device because they all have a different set of options. This is illustrated below in the item about factory resets after too many bad passwords.

START HERE

THEFT PROTECTION  top

In October 2024, Google started rolling out three Theft Protection features for Android phones. Despite the name, they do not protect against a bad guy stealing a phone. Rather, the features do two things: lessen the monetary value of a stolen phone and protect your data on the phone. The features are part of Android 15 and they are expected to eventually make their way to Android 10, 11, 12, 13 and 14. I personally used them on Android 14 in October 2024. They should be available on phones from all manufacturers. All three options are off by default. One article said these features will also appear on a tablet, but they were not available on the Samsung Android tablet I tested.

To see if a phone has the new Theft Protection features, search the Settings for "Theft protection" or just "theft". If its there, it should be at
Settings -> Google -> All services -> Personal & device safety

1) The first feature, known as Theft Detection Lock, defends against a bad guy stealing your phone while it is unlocked. The accelerometer should detect the quick movement of the theft and fast movement away from the original location. If it does, the phone locks itself. If it makes a mistake, no big woop, just unlock it.

2) After a theft, a new Remote Lock feature is designed to let you very quickly lock the phone. Of course, the phone must be online for this to work. If the stolen phone is off-lne when this command is issued, it will be locked when it next goes back online. After the theft, you can use any Internet connected device to go to android.com/lock and give Google your phone number to lock the phone. This can be used no more than twice a day, probably to prevent some asshole friend from locking your phone all day long. After locking the phone, it unlocks as usual, so if the bad guy has the unlock PIN code, this is useless.

However ....

Articles have said that you will also need a security question to register the phone number. In my experience, on two Pixel phones in October 2024, that was not the case. Each phone required "Automatic phone verification". WTF? Google's explanation of this was useless. There was no security challenge or question. The phone number as Google stores it has no dashes and starts with a 1. I tested it and the target phone locked itself in a matter of seconds. First, however, I had to pass a CAPTCHA.

3) There is also an Offline Device Lock that should lock your phone when it is taken offline for an extended period.

October 18, 2024: Excellent article. I tested Android's new Theft Detection and learned how to properly steal a phone by Nick Fernandez for Android Authority. The author stole his wife's phone a few times, but the Theft Detection feature never kicked in and never locked the phone. In addition, he could not get the feature to trigger with the phone idle on the home screen. So, don't leave a phone unlocked on a table. And he points out a design flaw: after a detected theft, the next unlock should require both the PIN code and a biometric unlock. Excellent point. If your phone is stolen, it is suggested here to call your carrier and have them blacklist the phone's IMEI. Great idea, if you know the IMEI. Maybe keep it on paper in a wallet. Maybe keep it on your spouse's phone.

October 8, 2024: How to activate Google's newest Android security enhancements by JR Raphael for Computerworld. If the features are not on your phone, the article suggests searching system settings for "Play system update" to see if there is update available. This worked for me on a somewhat older, Pixel phone. It required a reboot. The article notes that the Remote Lock feature seems to be rolled out separately and slightly later than the other two features.

May 15, 2024: Android's theft protection features keep your device and data safe by Suzanne Frey of Google. A brief overview of many anti-theft features. Too brief to be informative. One feature prevents a stolen phone that has been factory reset from being usable by anyone but you. In theory this makes the stolen phone unsellable.

ANDROID 16  top

April 2025: It is expected that Android will add a new feature called Advanced Protection Mode that will be a poor man's version of Lockdown Mode in iOS.

ANDROID 15  top

Android 15 was released in the middle of October 2024.

February 8, 2025: I don't know him but @jack@mastodon.sdf.org said: "If you have an Android phone, a new app that doesn't appear in your menu has been automatically and silently installed (or soon will be) by Google. It is called AndroidSystemSafetyCore and ... [it] scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so 'to protect your privacy'. You can uninstall this app safely via System -> Apps." The AndroidSystemSafetyCore app was installed on the first Android 15 device that I checked and it did uninstall as Jack suggested. Jack linked to this Google writeup: Google System APK Transparency. In the Play Store, the full description of Android System SafetyCore is: "Android System SafetyCore is a system service that provides safety features for Android devices." The comments/reviews are an interesting read.

No more WEP: WEP is a very old security scheme for Wi-Fi networks. It was replaced by WPA, then came WPA version 2, then WPA version 3. The use of WEP should have been flagged as bad long ago. Finally it is, there is a new "allow WEP networks" toggle at
Settings -> Network & Internet -> Internet -> Network preferences
You should disable connections to WEP networks. On the two Android 15 devices I checked, this was ON by default. That's bad. It would have been even better if Android also let you block WPA version 1. This does not exist, probably, because it might cause too many tech support requests. Maybe in Android 16? No one has used WEP for years and years, but there might still be some networks using WPA version 1 (aka WPA). More: Android 15 wants to help you move on from this outdated Wi-Fi protocol by Chethan Rao for Android Police (April 2024).

If you look at the list of all installed apps, you may find Google TV. I did. While it can not be un-installed, you can Force Stop it and then Disable it.

At Settings -> Security & privacy -> More security & privacy
There are new "cellular network security" options: "security notifications" and "require encryption". You do want to require encryption for cellular connections.
set Personalize using app data to OFF
set Usage and diagnostics to OFF
In the Android System Intelligence section, set Customize the experience using your Google Account data to OFF. Maybe also Clear the data and look at the Keyboard suggestions to decide if you want them or not.

PRIVATE SPACE: Undated documentation from Google: Hide sensitive apps with private space

PRIVATE SPACE: From a Defensive Computing standpoint, this is the biggest feature in Android 15. From: Here's what's new in the Android 15 update for Pixel devices by Mishaal Rahman for Android Faithful. October 15, 2024. "Private Space essentially creates another profile on your phone, complete with its own apps and data that's siloed from the main profile. Apps and data in this secondary, or 'private', profile are hidden when the profile is locked - not just in the app drawer but also in Settings, the recents screen, and the notifications panel." Needless to say, the private space is opened with a password and this does NOT have to be same PIN, pattern or biometric that unlocks the phone itself. Better still, you can hide the fact that a Private Space even exists. This reminds me of a feature in TrueCrypt/VeraCrypt which hides a volume inside a volume. Excellent Defensive Computing.
Set it up: Settings -> Security & privacy -> Private space

PRIVATE SPACE: Android 15 will include a new security feature called "Private Space". It will be a place where we can store sensitive apps. This seems, to me, like great protection from a bad guy who has stolen your phone and can unlock it. Also good for lending an Android device to someone while keeping some apps away from prying eyes. The apps are in a new hidden-by-default portion of the app drawer that requires a second lock-screen authentication to reveal. The hidden/sensitive apps are further isolated by running on a separate profile, in effect, another Android user. Regular apps will not be able to see the hidden apps or their data. When the Private Space is hidden, private apps will not even be able to show notifications. This summary was taken from: Android 15 gets Private Space, theft detection, and AV1 support by Ron Amadeo for Ars Technica (May 15, 2024).

PRIVATE SPACE: Quoting Google: "Private space uses a separate user profile. When private space is locked by the user, the profile is paused, i.e. the apps are no longer active. The user can choose to use the device lock or a separate lock factor for private space." From The Second Beta of Android 15 May 15, 2024. The article also has a video showing the Private Space in the list of Apps.

PRIVATE SPACE: April 9, 2024: According to Lance Whitney: "The main goal behind Private Space is to prevent a thief, a hacker, or another unauthorized user who gains access to your phone from viewing certain data.". This is great and way overdue. He says it works similarly to the Secure Folder option on Samsung Galaxy phones. While you can set up a separate account for the protected apps, this is not required. He also notes that the Google Files app already has a Safe Folder feature but it only works with files, not with apps.

SCAM CALL DETECTION  top
   Section added November 2024.

Coming (not so) soon to a phone near you :-)

In November 2024 Google starting rolling out a new feature - the ability to detect a scam phone call in real time, based on the conversation, and warn the potential victim. This is their writeup: Safer with Google: New intelligent, real-time protections on Android to keep you safe (November 13, 2024).

The feature is coming first to the Pixel, then later to other Android phones. Initially, only people that signed up to be Beta-testers will get it. The first version only works in English. By default, Scam Detection will be OFF. They did not say which versions of Android would support it.

The elephant in the room is whether Google is listening to your phone calls. They claim not to be. All the computing is done on your phone. Google says it is not sending anything to them, not a transcript, not an audio recording. Further they claim that nothing is stored on your phone, not the audio, not a transcript.

The feature will use the latest AI in the Pixel 9. However, it will eventually be available on the Pixel 6, 7 and 8 where it will use a different technology. Google says that Scam Detection looks for "conversation patterns commonly associated with scams." So, bad guys can not switch accents to avoid this.

When a call is considered a scam, there will be an audio alert, a haptic alert and a visual warning.

Scam Detection will be configured in the Phone app settings, but Google did not say what the option is called or exactly where it will be.

FIND MY DEVICE NETWORK  top
Section added May 2024. Some updates July 2024.

Google made an expansion push to their Find My Device network in May 2024. The early versions of the network/app let you find devices that were connected to the Internet. The new version also lets you find off-line devices. It also lets you find disconnected earbuds, headphones and trackers that are compatible with something called "Fast Pair". Yes, there are Android compatible trackers that do what Apple Air Tags do. Of course, it finds phones and tablets.

Off-line devices are found by tracking them all the time and reporting their recent locations when requested. Android devices use Bluetooth to scan for nearby trackable thingies. Apparently, they do this ALL the time. They send the location of any found thingies back to Google which claims the location is encrypted such that you can read it but they can not read it.

As part of finding, the Google network can also cause a lost device to play a sound. It will play the sound at full volume, even if a device is set to silent. If the current location is not available, Google shows you the last online location. In addition to finding, the network can also be used to lock or erase a device. It can even add a custom message and contact info on the lock screen. And, like the Google Maps tracking feature, it shows the battery status of the lost device.

PHOTOS LOCKED FOLDER  top

MESSAGES  top
For the default Messaging app on a Pixel phone running Android 12 or 13 or 14.

  1. In the app: click on the Google account icon in the top right corner of the screen -> Messages settings -> Help improve messages OFF
  2. In the app: click on the Google account icon in the top right corner of the screen -> Messages settings -> Spam protection ON
  3. To have a different notification sound for Text Messages:
    Settings -> Apps -> Pick the Messages app to see its App info -> Notifications -> All default settings notifications ON -> Incoming messages -> Show notifications ON -> set to Default rather than Silent -> Sound -> pick a sound.
  4. Another click stream for configuring a different notification sound for Text Messages:
    Open the Messages app -> Click on the Google account icon in top right corner -> Messages settings -> Notifications -> All Messages notifications ON -> Incoming messages -> Show notifications ON -> verify its set to Default rather than Silent -> Sound.
  5. If you want to insure that you never miss an incoming text you can configure the notification sound to be one that plays longer than a couple seconds. Or, you might want to chose a particularly loud sound. To use your own notification sound after doing the above: My sounds -> plus sign in bottom right corner -> browse either Google drive or local files using File Manager. Once you select a sound file this way, it will remain in the My Sounds section.
  6. NOTE: If you reply to a text and then receive a reply to your reply, the reply to your reply makes no sound at all. Bug? Feature?

SAFE APPS  top

  1. The developers of GrapheneOS have two open source, privacy focused apps: Secure Camera and Secure PDF Viewer. The PDF viewer does not require any permissions at all. See: GrapheneOS brings its privacy-conscious camera and PDF viewer apps to the Play Store from xda-developers.com (March 2022).
  2. An organization with privacy friendly apps is the SECUSO Research Group. They offer over 30 apps including Notes which does both text and audio. The notes are on just one device, there is no synching over a network to other devices. Their WiFi manager turns Wi-Fi off when you are not at home.
  3. Exodus Privacy is an excellent resource to learn about the trackers and permissions in Android apps (both how many, and which ones). It is available both as a website and as an Android app. As an app, it will scan all the other apps installed on the Android device. If you like baseball, beware that the MLB app is a cesspool of spying with 16 trackers. The CNN app has 14.
  4. The F-Droid app store is free and open source. Likewise, all the apps there are also free and open-source. Apps with ads or tracking are clearly labeled as such. No account is needed to use F-Droid.
  5. For not spying on you or phoning home to Google or Facebook, Michael Bazzell at one time recommend the Simple Apps at simplemobiletools.com. Also, no ads. Their apps include: Picture Gallery, file manager, notes, calculator, app launcher music player, draw, dialer, voice recorder, flashlight and SMS messenger. But, in December 2023, the apps were sold to a company that specializes in monitization. They now have both ads and subscriptions. Brutally expensive subscriptions. See Android app maker Simple Mobile Tools acquired by ZipoApps by Brad Linder (December 3, 2023). Linder notes that you can still get pre-acquisition versions of the Simple apps. Also, the F-Droid versions may remain clean. See also the REDDIT posting: SimpleMobileTools was Sold - Alternatives from December 2023.
  6. appcensus.io evaluated Android apps and reported on the data they phoned home with. When I looked at the site in Feb. 2020, it seemed to have been abandoned. I checked again in January 2022 and they were transitioning from an academic research project to a commercial service. So, still not available.

UNSAFE APPS  top

There are many reasons, shown below, to access a service, when possible, using its website rather than its mobile app.
If you use a website often, you can make an icon for it that looks just like an app icon.

  1. As a rule, a website can not spy on you as much a mobile app. This is especially true when apps have their own in-app web browsers. Some apps, like Instagram and Facebook, use their in-app browser to inject JavaScript code into third party websites. This JavaScript comes with potential security and privacy risks. For more on this see iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser by Felix Krause (Aug 2022) and iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser also by Felix Krause (Aug 2022).
  2. In addition, there is a Private Mode in all web browsers that apps do not have. Private mode can insure that a website does not save anything locally on the phone/tablet. If you have a Chromebook, then there is also Guest Mode which is even more private than Private Mode in its guarantee that no data is saved locally. The downside of Private Mode is having to enter the userid/password every time.
  3. Websites do not take up any storage space, especially when using Private Mode.
  4. With apps, you never know if data is being encrypted or not, with a browser you do know.
  5. Apps can run constantly in the background a condition that can be hard/impossible to audit. With websites, when you close the tab/browser they are gone (some browsers have options about this).
  6. Some apps that might be best used as a website are Facebook, Instagram and TikTok

SIM PIN  top

If your phone is lost or stolen, bad guys in possession of the phone can remove the SIM card, put it in another phone and make calls with your phone number. A SIM PIN is designed to prevent this. It is, basically, a password to access the SIM card. The fist time a protected SIM card is put into a phone, you must enter the PIN to get access to the SIM card. The PIN code is also required when your phone reboots, perhaps after installing firmware updates. You can also PIN protect an eSIM. You may need to contact your cellular provider to set it up.

PIXEL PHONES  top

  1. The safest Android phones are the Pixel line from Google which is updated at the start of every month with bug fixes. This was already my opinion, when famous security expert Alex Stamos said the same thing on the This Week in Google podcast (Nov 30, 2022 episode). Pixel phones are also less likely to come with pre-installed bugs, malware and/or spyware. My guess is that Pixel phones purchased from Google will be safer than those from a cell company.
  2. TLDR: the most important Defensive Computing lesson from this story is to only buy Pixel phones.
    March 17, 2023: A huge security vulnerability affects Android phones with an Exynos modem made by Samsung. Does your phone have a vulnerable modem? Not easy to find out, but surely a lot of Samsung phones. Also the Google Pixel 6 and 7. Google top techies found 18 bugs in the modems, 4 of which are considered critical. To hack your phone, a bad guy just needs to know your phone number. Period. Google told Samsung and waited their usual 90 days before telling the public. The Samsung response has been poor. They fixed one or two of the bugs, but that is very different from owners of Samsung phones having the fixes actually installed. Very different.That said, some reports say a fix for the Pixel 6 has been released, some say no. The Pixel 7 has been fixed. More: Google tells users of some Android phones: Nuke voice calling to avoid infection by Dan Goodin for Ars Technica. And, Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems by Google Project Zero. Oh, and the temporary work-around may disable a phone's ability to make calls.
  3. Starting with the 8 series (8, 8A, 8 Pro) Google offers 7 years of bug fixes. No phone (as of mid-2024) offers longer software support. Below is the software lifespan of assorted Pixel models.
    The Pixel 9A gets 7 years of security bug fixes - until April 2032
    The Pixel 9 (all models) gets 7 years of security bug fixes - until August 2031
    The Pixel 8a gets 7 years of security bug fixes - until May 2031
    The Pixel 8 and 8 Pro get 7 years of security bug fixes - until October 2030
    In December 2024, Google extended support for the Pixel 6, 7 and Fold from 3 to 5 years
       The Pixel Fold gets security bug fixes until June 2028
       The Pixel 7a gets security bug fixes until May 2028
       The Pixel 7 and 7 Pro get security bug fixes until October 2027
       The Pixel 6a gets security bug fixes until July 2027
       The Pixel 6 and 6 Pro get security bug fixes until October 2026
    The Pixel 5a reached End-of-Life in August 2024
    The Pixel 5 reached End-of-Life in October 2023
    Sources:
       Learn when you'll get software updates on Google Pixel phones from Google
       Google is being slightly less explicit with Pixel end-of-life dates by Damien Wilde for 9to5Google April 16, 2025
       endoflife.date/pixel
  4. To use satellite messaging requires a Pixel 9. The 9A does not allow for satellite messaging. For more, see the Satellite Communication topic.
  5. Fix a Pixel phone that won't charge or turn on from Google
  6. Repairs: Clearly, information is scattered all over the place. Typical Google. Get your Pixel phone repaired (at support.google.com), Get your Pixel repaired (at store.google.com), Learn more about the repair process, Hardware Warranty Center and finally Repairs, replacements & warranties
  7. FYI: Pixel Phones home page at store.google.com
  8. FYI: using a Pixel phone: illustrated Pixel Guidebook from Google.
  9. FYI: Compare specs of different Pixel models: Which Pixel phone is right for you? from Google
  10. FYI: Pixel phone hardware tech specs from Google
  11. FYI: The main Pixel Phone Support page from Google

SAMSUNG  top

  1. May 23, 2024: A warning to anyone with (or thinking of buying) a Samsung phone: Samsung Requires Independent Repair Shops to Share Customer Data, Snitch on People Who Use Aftermarket Parts, Leaked Contract Shows by Jason Koebler for 404 Media. The first paragraph: "In exchange for selling them repair parts, Samsung requires independent repair shops to give Samsung the name, contact information, phone identifier, and customer complaint details of everyone who gets their phone repaired at these shops, according to a contract obtained by 404 Media. Stunningly, it also requires these nominally independent shops to 'immediately disassemble' any phones that customers have brought them that have been previously repaired with aftermarket or third-party parts and to 'immediately notify' Samsung that the customer has used third-party parts."
  2. Samsung has a Secure Folder feature that lets you store apps, photos, videos, documents, etc in a password protected area. You lock the files/apps with either a fingerprint, PIN, or password. It should NOT be the same thing that unlocks the phone itself. A Samsung account is required. If the app is not pre-installed, you have to get it from the Samsung Galaxy Store. It is not available from the Google Play Store. The app is available for Android 12 and later (maybe earlier too?). By default the apps/files are stored on-device only, they can be backed up, but only to Samsung. For more see What is Samsung Secure Folder and how can you make the most of it? by Mitja Rutnik for Android Authority. May 15, 2024. Sections of the article: How to add files and apps to the Samsung Secure Folder, How to back up Samsung Secure Folder data, How to hide Samsung Secure Folder on your device and change the icon and How to customize the Secure Folder icon.
  3. August 2021: Samsung Galaxy phones have an 'SOS Messages' feature that will sent texts to your emergency contacts, make phone calls and more, all at the touch of a button. Takes a bit of setup. See How to Send SOS Messages from a Samsung Galaxy Phone by Joe Fedewa for How To Geek.
  4. January 2020: Anyone with a Samsung phone, should go into the settings for the Samsung Pay app and turn on the "Do not sell" option. Samsung users also need to be aware that Samsung has their own spying and tracking as per: Galaxy users, take note: Samsung's probably selling your data by JR Raphael for Computerworld.

SYSTEM WIDE AD and/or TRACKER BLOCKING  top

  1. Private DNS on Android 10, 11 and 12, Private DNS is a single OS setting that changes the DNS server system-wide, for all Wi-Fi and 4G/LTE networks. It uses DoT for encrypted DNS. You can combine this with DNS based ad and tracker blocking to get blocking without having to install an app or define a VPN. The really amazing aspect of this is that it works even in combination with a VPN (I tested four VPNs). My preferred DNS blocker is nextdns.io (more below). You can also use AdGuard by specifying dns.adguard.com or dns-family.adguard.com.
    -- Note that Private DNS on Android 9 works a bit differently from Android 12, 11 and 10, when it comes to VPNs. By default, an active VPN on Android 9 will impose its DNS servers and the Private DNS setting will be ignored.
    -- Private DNS does not exist on Android 8 or earlier. These older versions require changing DNS settings for each Wi-Fi network and again for 4G/LTE. You will need to install an app that, no doubt, will create a phony VPN just to get control over DNS.
  2. For DNS based blocking, I suggest nextdns.io. The number of features is extensive, but the documentation is poor, so expect it to take some time to get up to speed. Sign up for a free account. Tweaking of the block rules can be done at any time. Make a note of the DNS over TLS hostname, it will be something like abc123.dns.nextdns.io. Turn on Private DNS in Android and set the DNS over TLS hostname as the "Private DNS provider hostname". Extra credit: identify the device in the (optional) logs by using a name like harveyphone-abc123.dns.nextdns.io as the hostname.
  3. As of November 2022, the DuckDuckGo Privacy browser is more than just a web browser. The app also offers free system-wide tracker blocking. It is currently in Beta testing. They refer to this as "App Tracking Protection" and it uses a local VPN connection, which means that it works entirely on your device without sending data to DuckDuckGo. The flip side of this is that this feature can not be used when a VPN is connected. VPN apps can be installed, but they can not have an active VPN connection when using the DuckDuckGo tracker blocking feature. See App Tracking Protection Beta is Now Available to All Android Users.
    As of May 2023, the tracker blocking feature is still in Beta. I gave it a try and was very impressed. It even tells you the type of data that each app was trying to collect. I was also impressed with the web browser itself. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).
    As of December 2023, App Tracking Protection is out of beta.
  4. TrackerControl is an Android app that allows you to monitor and, maybe, control the hidden data collection in Android apps. It is free and open source and from the University of Oxford in the UK. It installs as a VPN so you can not use it while a real VPN is active. All the processing takes place on your Android device, the creators of the app know nothing about your activities. The version of the app in the Play store is a lite version that only reports on trackers. Google will not let them put an actual blocker in the Play store. The full version, that does block trackers has to be sideloaded. More: How to Monitor and Block Ad Trackers on Android by Jordan Gloor of How To Geek (Dec 2021)
  5. The Blokada ad blocker is free, open source and not allowed in the Play Store. Google profits off ads, so they do no like ad blockers in the Play Store. Thus, you have to side load the app. It installs a VPN, but only to enable the intercepting of all DNS requests. It is not a real VPN and it can not run alongside a real VPN. It may also block some trackers. Great feature: customized white and black lists. Blokada also offers a paid VPN in the Play Store, see the VPN topic for details. More: How Blokada works and Blokada Help.
  6. The Lumen Privacy Monitor spies on the apps that spy on you. It seems to have been abandoned, but I found it functional on Android 9 and10. It was/is from the International Computer Science Institute at UC Berkeley. It is not a VPN, but it installs as a VPN and thus can not run alongside a real VPN. It shows all the domains an app calls out to and lets you block them just for the one app or system-wide. It also shows how often an app uses HTTPS vs. HTTP. Although it identifies ad/tracker domains, it does not block anything by default. It reports on data leaks, showing both the type of data that was leaked and which app leaked it. It intercepts TLS, a feature that requires you to install their certificate. There is no one list of blocked domains, so when a blocked domain stops an app from working, ugh. It does not replace or encrypt DNS. It phones home as part of the research project. Website haystack.mobi.

ASSORTED TIDBITS

DEFENSE  top

NEARBY SHARE  top

This is Google's version of AirDrop. It transfers files and/or apps. It started rolling out in August 2020. Originally called Fast Share, then called Nearby Sharing and finally Nearby Share. Nearby Share works with Android devices running version 6 and later, and with Chromebooks. When it was first released, Google blogged about it.

To turn Nearby Share off: Settings -> Google -> Devices & Sharing -> Nearby Share. I verified this on Android 10 and 12.

After reading this August 2020 article, it seems too complicated to setup, too complicated to use and miserably documented. My guess is that it will be ignored.

Technologies: It requires Location Services and Bluetooth to be enabled. It can make transfers even when devices are not on-line. It automatically chooses one of these protocols: Bluetooth, Bluetooth Low Energy, NFC, WebRTC, UWB or peer-to-peer WiFi. It is said to use Bluetooth for device discovery. I found conflicting information on how data is transferred. One source said it uses Wi-Fi Direct. Another source said it will only work when devices are very close together, perhaps just one foot, which is not true of Wi-Fi direct.

Configure: You can configure Nearby Sharing so that a device is either hidden, visible to some contacts, visible to all contacts , visible to just your own devices or visible to everyone in the world. Visible to everyone can be enabled on a temporary basis. Originally, the recipient had to approve any transfer before it happens. As of September 2022, if you are transferring something between devices that are logged into the same Google account, then the recipient does not have to approve it.

Google seems to be spying on your sharing activity. In this September 2022 article, How we're making it easier to share files with nearby devices someone from Google was asked about sharing between devices using the same Google account. The response: "... this is one of the most common ways people use Nearby Share."

ANDROID 13 (released August 2022)  top

  1. There is a new Active apps button in the Quick Settings menu (at the bottom) which shows currently running apps and makes it easy to stop them.
  2. Android 13: 6 settings to update immediately by Jon Gilbert of Android Police (Aug 2022). Bilingual Android users can now set the language on a per-app basis, if the app supports it. Shrink the huge clock on the lock screen.
  3. There are little to no improvements in version 13 when it comes to privacy or security or defense against anything.
  4. The Privacy Dashboard, introduced in Android 12 covered only 1 day. In Android 13 it covers a week
  5. See the main Google page for more on Android 13
  • ANDROID 12  top
    1. When first setting up a new copy of Android 12, you may be asked to improve the messaging app. Say no.
    2. Android apps can auto-update but on every Android device I have used that option defaulted to off. To enable it: Play Store -> click on your picture or initial in the top right corner -> Settings -> Network Preferences -> Auto-update apps. While there, you may also want to change the Auto-play videos setting.
    3. Also in the Play Store Settings, in the General section, is an option, App install optimization, that sends data to Google. Maybe turn that off.
    4. A new feature lets you quickly cutting off access to the camera and/or microphone system-wide. However, the buttons for this are not in the Quick Settings by default. To add them: swipe down from the top of the screen with two fingers to bring up Quick Settings. Then click on the pencil (bottom left) and tap and hold and drag up the buttons for Mic access and Camera access.
    5. There is a new Privacy Dashboard screen that shows which apps are using assorted permissions and how often they use them. See it at Settings -> Privacy -> Privacy dashboard. I suggest checking this periodically. Unfortunately the report only covers the last 24 hours. And, its pretty lame. Still, it does let you revoke permissions that you find apps were using. It just doesn't tell you this - long press on an app in the report that used a permission.
    6. Settings -> Privacy -> turn on Show clipboard access to see when apps access copied data. Maybe turn off "Personalize using app data" which allows apps to send data to the Android system. Exactly what this means is not clear to me, but any personalization infers spying. Turn off "Usage and diagnostics" which is definitely spying.
    7. Settings -> Display -> Lock screen -> Turn off the Show wallet option.
    8. There are six different Location services. Review them and adjust as you see fit. They are at Settings -> Location -> Location services. The Google location accuracy is sneaky, as it lets the phone use WiFi even when WiFi is off.
    9. Turn off the option to send usage and diagnostic data to Google at: Settings -> Privacy -> Usage and Diagnostics
  • ANDROID 10 (AKA Q)  top
  • MULTIPLE USERS  top

    Android 10, 11 and 12 devices (not sure about v9) support multiple userids, including a Guest user. The feature is off by default. Google says: "Each user has a personal space on the phone for custom Home screens, accounts, apps, Settings and more." The Guest user can be blocked from making phone calls. On a Pixel phone running v11: Settings -> System -> Advanced -> Multiple users. DO NOT USE THIS. The messaging app is buggy when logged on as a secondary user and Google is not prepared to accept bug reports from normal people (me). This feature is clearly not a priority as the bugs I found were very obvious. Google says text messages are not shared between users, this is not true, they are shared.
  • CHROME BROWSER  top
    Configure by pressing the three vertical dots in the top right corner -> Settings

  • Browsers: There are many available web browsers for Android, such as Firefox and Brave. The Kiwi Browser supports most chrome desktop extensions. It also blocks ads and trackers.
  • CONTROL THE USAGE OF 4G/LTE/5G DATA  top

    STEP 1: You can ask to be warned about mobile data usage after a megabyte (MB) or gigabyte (GB) amount you specify. You can also prevent any Mobile data over a certain amount which is probably a good idea for a child but not for an adult. What is not at all obvious is how you set the end date of your monthly cycle. On the Data warning & limit screen click/press on "Mobile data usage cycle" (as of Android 14). If your monthly billing cycle ends on the 7th day of the month, set this value to 8. To get there on a Pixel device:

    STEP 2: You can see the apps using the most mobile data with the click streams below. On a Pixel phone the section is App data usage. On another Android phone, try searching the Settings for "Mobile data usage". Better yet: there is a widget for this. To add it: Long press a home screen -> Widgets -> Settings -> drag the widget to a home page -> Data usage. Last verified on Android 14.

    STEP 3: Finally, you can prevent a data hogging app from using mobile data while it is running in the background. In the list of apps generated above in Step 2, click on an app and there will be an option to turn off "Background data".
  • One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. Android reports Wi-Fi usage separately from 4G/LTE usage. Below are from Pixel phones. Another option is to search the Settings for "data usage".
    Android 13: Settings -> Network and Internet -> Internet -> Non-carrier data usage
    Android 10: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi data usage -> see example. And, Mobile network -> App data usage -> see example.
  • Gboard is the Google Keyboard app. If it is installed, go to Settings and search for Gboard. Turn off the "Share usage statistics" option. This sends keyboard usage statistics to Google. Maybe also disable the "Improve Gboard" option.
  • Stop the phone from listening to you:
    Disable the Hey Google command, which invokes Google Assistant. You have to be online when you do this.
  • ADS  top
    Note: These click trails are from Pixel phones.

  • USAGE & DIAGNOSTICS  top
    Turn off the option to send usage and diagnostic data to Google.

  • AUTOFILL
    This ease-of-use feature lets Google save still more information about you. Turn it off.
  • NFC  top
    Near Field Communication is used by Google Pay. Maybe you need it, maybe not. Turning it off is the safer default. If you do need it, the option below makes it safer.
  • To change the default app for a function: Settings -> Apps -> Default Apps (as of Android 12)
  • PERMISSIONS  top
    1. By app: If you have nothing to do for a month, you can check and change app permissions. Android 12: Settings -> Apps -> See all apps -> click on an app to see/change its permissions
    2. By permission: Settings -> Privacy -> Permissions manager
    3. One common permission to block is to not give the Camera app access to your Location. On some Android devices, camera apps have their own GPS setting. To see if a photo has location info, view it in the Google Photos app and swipe up. The Google Photos app can strip location info from a photo before you share it: Open the Google Photos app, click the hamburger menu in top left -> Settings -> turn on Remove geo location. This only works in the Google Photos app.
  • Notification History: Just an FYI. Android 12 (and earlier?) can store old notifications. See: Settings -> Notifications -> Notification History. From here you can turn the feature on/off, and, if its on, see old notifications.
  • Hard of hearing? In a noisy place? Some Android phones can do live captioning of detected audio. Android 12: Settings -> Sound and Vibration -> Live Caption. As of September 2022, this only works in English.
  • Poor eyesight? You can make text larger. Android 12: Settings -> Display. The Font Size option applies to text. The Display Size option applies to everything, including icons and menus.
  • Storage: To see the apps using the most storage on a Pixel running Android 14 (and also Android 12): Settings -> Storage -> Apps.
  • You may be able to set an Android device to erase all data after too many failed attempts to enter the PIN/passcode. On one Android 10 device: Settings -> Lock screen -> Secure lock settings -> Auto factory reset (after 15 bad passcodes). However, other Android devices I checked (an Android 11 phone, two Android 10 tablets and an Android 8 tablet) had no option for this at all. I have read that it might be at Settings -> Security & Location -> Screen lock.
  • BACKUP
  • The Android Play Store allows many apps to share the same name. Before installing an app, check who created it, to insure it is really the app you think it is.
  • The Jumbo Privacy + Security app increases your privacy on Facebook, Twitter, Amazon, Google and Alexa. It adjusts Facebook privacy settings, deletes old tweets, erases Google Search history, deletes voice recordings stored by Alexa and more. As of Jan 2, 2020 it was rated 687 times in the app store with an average rating of 4.8 (very high). More here and here.
  • As bad as it gets: Millions of Android phones can be hacked. Original source: Over 400 vulnerabilities on Qualcomms Snapdragon chip threaten mobile phones' usability worldwide from Checkpoint (August 2020). This research was dubbed "Achilles" no doubt because it is an Achilles Heel for Android. Checkpoint found about 400 bugs in a DSP chip from Qualcomm that is used in phones from Google, Samsung, LG, Xiaomi, OnePlus and others. iPhones are not affected by these flaws. If the bugs are exploited, you can be spied on or lose all your data. More here.
  • PRE-INSTALLED CRAP  top

    Cheaper Android phones are the worst when it comes to pre-installed crap. None of this happens on iOS, a big advantage to the way Apple does business.

    1. Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices by Fyodor Yarochkin, Zhengyu Dong, Paul Pajares of Trend Micro. May 17, 2023. An overview of the Lemon Group’s use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023. Sadly, the researchers do not name names, so there is nothing useful here for Defensive Computing. Other than avoiding cheap Android phones. Even the Indicators of Compromise are useless.
    2. Chinese-Made Smartphones Are Secretly Stealing Money From People Around The World by Craig Silverman for Buzzfeed (Aug. 2020). Preinstalled malware on low-cost Chinese phones has stolen data and money. The malware, xHelper and Triada, secretly downloads apps and attempts to subscribe the victim to paid services. A factory reset does not remove the malware. The phone cited was a Tecno, made by Transsion, which is the fourth-biggest handset maker in the world, behind Apple, Samsung, and Huawei. The article cites other cases of pre-installed malware on Android phones.
    3. We found yet another phone with pre-installed malware via the Lifeline Assistance program by Nathan Collier of Malwarebytes (July 2020). The phone was from ANS (American Network Solutions).
    4. US Funds Free Android Phones For The Poor - But With Permanent Chinese Malware by Thomas Brewster (Jan 2020). Malware discovered by MalwareBytes. No comment from the FCC or Assurance Wireless, which made the phones.
    5. In An open letter to Google, over 50 organizations plead with Google to do something about exploitative pre-installed software. (Jan 2020) The letter references this research paper: An Analysis of Pre-installed Android Software (2019).
    6. A Nov. 2019 report from Kryptowire looked at pre-installed threats (bugs and vulnerabilities) on phones sold by US carriers. They looked at a range of Android devices, from low-end to flagship. See also their Mobile Vulnerability Analysis) (PDF).
    7. Backdoor found in four smartphone models (Catalin Cimpanu June 2019). An un-removable backdoor Trojan was found in four low end Android phones.
  • LOCKING
    1. To lock an Android device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
    2. A different type of locking is to lend a device to someone but limit them to only run one app. See How to Safely Lend Someone Else Your Phone by David Nield for Wired (July 2022). The article does not refer to a version of Android, but 12 was current when it was written. The feature the article describes is App Pinning. On older versions of Android this was called Screen Pinning.
  • Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.
  • FYI: The Settings That Make Smartphones Easier for Everyone to Use by J. D. Biersdorfer (September 2022). The accessibility features Apple and Google include in their mobile software can help people of all abilities get more from their devices.
  • GETTING RID OF OLD ANDROID DEVICE
    Note that you can not restore a backup from a higher Android version to a device running a lower Android version.
  • If your phone needs fixing, make sure your secrets are safe first by Chris Velazco in the Washington Post (October 2022). To maintain control of your phone number, remove the SIM card and put in another phone. If the phone has an embedded SIM, call your wireless carrier to discuss the options. As for a repair person having access to your files, the only way to be sure to block them is to delete all the files before you hand your phone over.
  • Take Google out of Android: The January 14, 2022 episode of the Privacy Security and OSINT podcast, by Michael Bazzell, was on Android Sanitation, which means removing Google apps and services from Android without having to resort to custom ROMs, unlocked boot-loaders, or rooted devices. The technique uses Android Debug Software running on a computer, not on the phone.
  • ANDROID ARTICLES
    1. Android privacy settings to change now by Chris Velazco and Tatum Hunter. Last Updated October 2022.
    2. How to enhance privacy on your Android phone by Manuel Vonau for Android Police (December 2021). Long article with many suggestions.
    3. How to stay private when using Android by Ludovic Rembert for ProtonMail (Dec 2019). 14 suggestions.
    4. 9 Apps to Boost Your Phone's Security and Privacy by David Nield in Wired (Aug 2016). Access Dots shows if an app has secretly enabled the camera or the microphone. Norton App Lock password protects apps. Authy for 2FA. Firefox Focus for private browsing. Re-purpose an old phone or tablet into a security camera with Alfred Home Security Camera. And more.
  • The simple question, does an Android device have the latest available bug fixes, is far too hard to answer. iOS does this much better.

    1. Finding the right place in the Settings to check for OS updates has always been like navigating a rat maze
    2. For years the initial screen has lied to us and said that the device is up to date on patches/bug fixes. Many times, it said it last checked hours ago, yet when I clicked on the CheckForUpdates button, it found a missing update (last verified Feb. 2020 with a Pixel 3A running Android 10).
    3. Android is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Like iOS, Android lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.

    • SEE ALSO  top

    1. Also see the Satellite Communication topic for the various options for communicating when there is no cell service and no Internet access.
    2. Also see the Android Alternatives topic
    3. Also see the Batteries topic
    4. Also see the Stalkerware topic
    5. Also see the Bluetooth topic to change the default public Bluetooth device name
    6. Also see the Location Tracking topic
    7. Also see the Mobile OS Spying section which has some privacy focused Android alternatives.
    8. Also see the Mobile Scanning and Sharing topic
     This page: 9 views per day (over 1,014 days)   Total views: 9,525   Created: August 3, 2022
    This Page
    Last Updated
    April 17, 2025    		Site Page
    Views TOTAL
     1,191,141    		Site Page
    Views TODAY
      633    		 Website by
    Michael Horowitz    		 top
    Copyright 2019 - 2025