ANDROID

It is common knowledge that Apple iOS devices are safer than Android and I agree with that. One reason, is that you do not find pre-installed spyware or malware on iPhones (more below). Also, there is no consistency with Android. No expert can tell someone how to configure an Android device because they all have a different set of options. This is illustrated below in the item about factory resets after too many bad passwords.

• Block spam calls: In the Android phone app, click/press on the three dots in the upper right corner (it is called the menu button) -> Settings. Most Android phones will have options for blocking numbers and caller ID/spam protection here, although they often go by different names.
• March 17, 2023: A huge security vulnerability affects Android phones with an Exynos modem made by Samsung. Does your phone have a vulnerable modem? Not easy to find out, but surely a lot of Samsung phones. Also the Google Pixel 6 and 7. Google top techies found 18 bugs in the modems, 4 of which are considered critical. To hack your phone, a bad guy just needs to know your phone number. Period. Google told Samsung and waited their usual 90 days before telling the public. The Samsung response has been poor. They fixed one or two of the bugs, but that is very different from owners of Samsung phones having the fixes actually installed. Very different. To me, the most important Defensive Computing lesson from this is to only buy Pixel phones. That said, some reports say a fix for the Pixel 6 has been released, some say no. The Pixel 7 has been fixed. More: Google tells users of some Android phones: Nuke voice calling to avoid infection by Dan Goodin for Ars Technica. And, Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems by Google Project Zero. Oh, and the temporary work-around may disable a phone's ability to make calls.
• November 2022: A huge security vulnerability affects Android 10, 11, 12, and 13. A fix was released in the monthly updates issued on Nov. 7, 2022. If a bad guy (abusive spouse, thief who stole the phone) has physical access to the phone they can unlock it using this flaw. The bad guy uses their own SIM card, enters the wrong PIN three times, provides the PUK number and they are in. See Android phone owner accidentally finds a way to bypass lock screen by Bill Toulas for Bleeping Computer. November 12, 2022
• Medical Emergency: First responders are trained to look at our phones for emergency contacts and medical information. You can make information such as your blood type, medications and allergies available from the lock screen without the need for a pin or password.
  • In general, search Settings for "Emergency information". There will probably be one section for Medical information and another for Emergency contacts.
  • Android 12 and 13: Settings -> Safety & Emergency
  • On Samsung: Phone app -> Contacts tab -> My Profile -> bottom of the page
  • On Pixel with Android 10: Settings -> About phone -> Emergency information
  • The steps to see this information on a locked phone will, of course, vary, as each Android phone is a snowflake. Maybe tap on the word Emergency. On a Pixel with Android 12, swipe up to enter the pin, then click on the Emergency Call button, then View Emergency info. A Pixel with Android 10 had an Emergency Information button at the top of the screen.
  • More here: Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).
• Set a lock screen message in the hope that a lost device is found by an honest person. Something like: If found please call 111-222-3333 or email me@somedomain.com. I use an email address that is auto-forwarded to multiple email addresses.
  Android 8: Settings -> Security and Location -> Lock screen preferences -> Lock screen message
  Android 9: Settings -> Lock screen -> Contact information
  Android 10: Settings -> Display -> Advanced -> Lock screen display -> Lock screen message
  Android 11: Settings -> Display -> Advanced -> Lock screen -> Add text on lock screen
  Android 12: Settings -> Display -> Lock screen -> Add text on lock screen
  Android 13: Settings -> Display -> Lock screen -> Add text on lock screen
• The Google app has a new option (added October 2022) that should help you remove your personal data from Google searches. Open the app, click your profile and look for the new "Results about you" option. As of February 2023 and Android 13, it is labeled Beta. You start off doing a Google search on yourself and then it explains how to remove a result with any of your personal information.
• As of Android 13 (at least on a Pixel) you can see which apps, if any, are running quietly in the background. Swipe down twice from the top of the screen. At the bottom of the screen will be a very short description of one of the apps and the number of running apps in a circle. See a screen shot of what it looks like. The example had only one background app, the Mullvad VPN. If you click on this information you get a more detailed explanation. See a screen shot of that.
• SIM PIN
  
  If your phone is lost or stolen, bad guys in possession of the phone can remove the SIM card, put it in another phone and make calls with your phone number. A SIM PIN is designed to prevent this. It is, basically, a password to access the SIM card. The fist time a protected SIM card is put into a phone, you must enter the PIN to get access to the SIM card. The PIN code is also required when your phone reboots, perhaps after installing firmware updates. You can also PIN protect an eSIM. You may need to contact your cellular provider to set it up.
  
  • How to enable SIM lock on your Android phone by Abubakar Mohammed for Android Police. Updated Jan 5, 2023. The SIM card lock has been on Android phones for years, but many people are unaware of the feature. Setting up a SIM card lock requires you to enter the default passcode set by your operator. The default number should be on your SIM card packaging. Use the search box in the Settings app to search for "SIM lock" to enable it. You can also enable SIM lock if you have an eSIM.
  • What is a SIM PIN code and how to unlock a SIM card with a PIN? by Jerry Hildenbrand for Android Central. November 2020.
• PHOTOS LOCKED FOLDER
  
  
  • The Google Photos app has a Locked Folder feature. You unlock the folder the same way the phone/tablet is unlocked, either with a PIN, fingerprint or face. Allowing a distinct password would have been a more secure design.
  • The Locked Folder is locked to the phone. Photos are not backed up to the cloud. If you transfer to a new Android device, the Locked Folder is not copied. If you un-install Google Photos, the Locked Folder is deleted. Photos in the Locked Folder do not appear anywhere else in the Android system.
  • The Locked Folder is only for pictures and videos. No spreadhseets allowed.
  • There is only one Locked Folder
  • Create the Locked Folder: Open the Google Photos app -> Library -> Utilities -> Set Up Locked Folder. After it has been created, it will be listed in the Utilities section of the Photos app.
  • You can add a photo to the Locked Folder in two ways. (1) Open the locked folder and click on the plus sign icon near the top. (2) Open a picture/video in the Google Photos app and click on the three vertical dots in the top right corner. One option will be "Move to Locked Folder".
  • How to Lock Down Sensitive Photos on iPhone and Android by Thorin Klosowski for Wirecutter. November 2022. Article says Locked Folders were added in Android 12, I found it available on Android 10.
  • From W-2s to nudes, here's how to hide sensitive photos By Tatum Hunter for the Washington Post. August 2022. Some phones (a Pixel 3 or a later) can save photos directly to the locked folder. In the camera app, click Photo Gallery -> Locked Folder.
  • Samsung: The article above says that some Samsung models include Secure Folder. Turn it on at Settings -> Biometrics and security -> Secure folder. You can even hide the secure folder using: Settings -> Biometrics and security -> Secure folder -> Show secure folder.
  • There are also apps that do this. The article above mentioned Secret Photo Vault from Keepsafe and Private Photo Vault from Legendary Software Labs
• MESSAGES
  For the default Messaging app on a Pixel phone running Android 12 or 13.
  
  1. In the app: click on the Google account icon in the top right corner of the screen -> Messages settings -> Help improve messages OFF
  2. In the app: click on the Google account icon in the top right corner of the screen -> Messages settings -> Spam protection ON
  3. To have a different notification sound for Text Messages:
     Settings -> Apps -> Pick the Messages app to see its App info -> Notifications -> All default settings notifications ON -> Incoming messages -> Show notifications ON -> set to Default rather than Silent -> Sound -> pick a sound.
  4. Another click stream for configuring a different notification sound for Text Messages:
     Open the Messages app -> Click on the Google account icon in top right corner -> Messages settings -> Notifications -> All Messages notifications ON -> Incoming messages -> Show notifications ON -> verify its set to Default rather than Silent -> Sound.
  5. If you want to insure that you never miss an incoming text you can configure the notification sound to be one that plays longer than a couple seconds. Or, you might want to chose a particularly loud sound. To use your own notification sound after doing the above: My sounds -> plus sign in bottom right corner -> browse either Google drive or local files using File Manager. Once you select a sound file this way, it will remain in the My Sounds section.
  6. NOTE: There seems to be a bug here. If you reply to a text and then receive a reply to your reply, the reply to your reply makes no sound at all. As of Dec 15, 2022, I am investigating this ...
• SAFE APPS
  
  
  1. The developers of GrapheneOS have two open source, privacy focused apps: Secure Camera and Secure PDF Viewer. The PDF viewer does not require any permissions at all. See: GrapheneOS brings its privacy-conscious camera and PDF viewer apps to the Play Store from xda-developers.com (March 2022).
  2. For not spying on you or phoning home to Google or Facebook, Michael Bazzell recommends the Simple Apps at simplemobiletools.com. Also, no ads. Their apps include: Picture Gallery, file manager, notes, calculator, app launcher music player, draw, dialer, voice recorder, flashlight and SMS messenger. They are available both in the Play Store and F-Droid.
  3. Another organization with privacy friendly apps is the SECUSO Research Group. They offer over 30 apps including Notes which does both text and audio. The notes are on just one device, there is no synching over a network to other devices. Their WiFi manager turns Wi-Fi off when you are not at home.
  4. Exodus Privacy is an excellent resource to learn about the trackers and permissions in Android apps (both how many, and which ones). It is available both as a website and as an Android app. As an app, it will scan all the other apps installed on the Android device. If you like baseball, beware that the MLB app is a cesspool of spying with 16 trackers. The CNN app has 14.
  5. The F-Droid app store is free and open source. Likewise, all the apps there are also free and open-source. Apps with ads or tracking are clearly labeled as such. No account is needed to use F-Droid.
  6. appcensus.io evaluated Android apps and reported on the data they phoned home with. When I looked at the site in Feb. 2020, it seemed to have been abandoned. I checked again in January 2022 and they were transitioning from an academic research project to a commercial service. So, still not available.
• UNSAFE APPS
  There are many reasons, shown below, to access a service, when possible, using its website rather than its mobile app.
  If you use a website often, you can make an icon for it that looks just like an app icon.
  
  
  1. As a rule, a website can not spy on you as much a mobile app. This is especially true when apps have their own in-app web browsers. Some apps, like Instagram and Facebook, use their in-app browser to inject JavaScript code into third party websites. This JavaScript comes with potential security and privacy risks. For more on this see iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser by Felix Krause (Aug 2022) and iOS Privacy: Announcing InAppBrowser.com - see what JavaScript commands get injected through an in-app browser also by Felix Krause (Aug 2022).
  2. In addition, there is a Private Mode in all web browsers that apps do not have. Private mode can insure that a website does not save anything locally on the phone/tablet. If you have a Chromebook, then there is also Guest Mode which is even more private than Private Mode in its guarantee that no data is saved locally. The downside of Private Mode is having to enter the userid/password every time.
  3. Websites do not take up any storage space, especially when using Private Mode.
  4. With apps, you never know if data is being encrypted or not, with a browser you do know.
  5. Apps can run constantly in the background a condition that can be hard/impossible to audit. With websites, when you close the tab/browser they are gone (some browsers have options about this).
  6. Some apps that might be best used as a website are Facebook, Instagram and TikTok
• In the Android Google app, click on the circle in the top right corner (with either your initial or picture), then click on Your data in Search. This brings up a number of Google search configuration options, such as saving web and app activity, personalized search results, app info from your devices and more. Customize to your liking.
• With any cellphone, it is good to save the assorted identifying numbers which include: IMEI, IMEI SV, ICCID and EID. For Android see Find your IMEI and other Pixel phone ID numbers.
• PIXEL PHONES
  
  
  1. The safest Android phones are the Pixel line from Google which is updated at the start of every month with bug fixes. This was already my opinion, when famous security expert Alex Stamos said the same thing on the This Week in Google podcast (Nov 30, 2022 episode). Pixel phones are also less likely to come with pre-installed bugs, malware and/or spyware. My guess is that Pixel phones purchased from Google will be safer than those from a cell company. That said, phones running the "Android One" version of the operating system should also be safe, and cheaper.
  2. Get to know Google Pixel from Google
  3. The software life span of Pixel phones: Learn when you'll get software updates on Google Pixel phones from Google
  4. Pixel phone hardware tech specs from Google
  5. Fix a Pixel phone that won't charge or turn on from Google
  6. Repairs: Clearly, information is scattered all over the place. Typical Google. Get your Pixel phone repaired (at support.google.com), Get your Pixel repaired (at store.google.com), Learn more about the repair process, Hardware Warranty Center and finally Repairs, replacements & warranties
• SAMSUNG
  
  
  1. Anyone with a Samsung phone, should go into the settings for the Samsung Pay app and turn on the "Do not sell" option. Samsung users also need to be aware that Samsung has their own spying and tracking as per: Galaxy users, take note: Samsung's probably selling your data (JR Raphael Jan. 2020).
  2. Samsung Galaxy phones have an 'SOS Messages' feature that will sent texts to your emergency contacts, make phone calls and more, all at the touch of a button. Takes a bit of setup. See How to Send SOS Messages from a Samsung Galaxy Phone by Joe Fedewa (Aug 2021)
• SYSTEM WIDE AD AND/OR TRACKER BLOCKING
  
  
  1. Private DNS on Android 10, 11 and 12, Private DNS is a single OS setting that changes the DNS server system-wide, for all Wi-Fi and 4G/LTE networks. It uses DoT for encrypted DNS. You can combine this with DNS based ad and tracker blocking to get blocking without having to install an app or define a VPN. The really amazing aspect of this is that it works even in combination with a VPN (I tested four VPNs). My preferred DNS blocker is nextdns.io (more below). You can also use AdGuard by specifying dns.adguard.com or dns-family.adguard.com.
     -- Note that Private DNS on Android 9 works a bit differently from Android 12, 11 and 10, when it comes to VPNs. By default, an active VPN on Android 9 will impose its DNS servers and the Private DNS setting will be ignored.
     -- Private DNS does not exist on Android 8 or earlier. These older versions require changing DNS settings for each Wi-Fi network and again for 4G/LTE. You will need to install an app that, no doubt, will create a phony VPN just to get control over DNS.
  2. For DNS based blocking, I suggest nextdns.io. The number of features is extensive, but the documentation is poor, so expect it to take some time to get up to speed. Sign up for a free account. Tweaking of the block rules can be done at any time. Make a note of the DNS over TLS hostname, it will be something like abc123.dns.nextdns.io. Turn on Private DNS in Android and set the DNS over TLS hostname as the "Private DNS provider hostname". Extra credit: identify the device in the (optional) logs by using a name like harveyphone-abc123.dns.nextdns.io as the hostname.
  3. As of November 2022, the DuckDuckGo Privacy browser is more than just a web browser. The app also offers free tracker blocking. It is currently in Beta testing. When enabled, it blocks 3rd-party trackers system wide. The App Tracking Protection feature uses a local VPN connection, which means that it works entirely on your device without sending data to DuckDuckGo. The flip side of this is that this feature can not be used when a VPN is connected. VPN apps can be installed, but they can not have an active VPN connection when using the DuckDuckGo tracker blocking feature. See App Tracking Protection Beta is Now Available to All Android Users.
     As of May 2023, the tracker blocking feature is still in Beta. I gave it a try and was very impressed. It even tells you the type of data that each app was trying to collect. I was also impressed with the web browser itself. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).
  4. TrackerControl is an Android app that allows you to monitor and, maybe, control the hidden data collection in Android apps. It is free and open source and from the University of Oxford in the UK. It installs as a VPN so you can not use it while a real VPN is active. All the processing takes place on your Android device, the creators of the app know nothing about your activities. The version of the app in the Play store is a lite version that only reports on trackers. Google will not let them put an actual blocker in the Play store. The full version, that does block trackers has to be sideloaded. More: How to Monitor and Block Ad Trackers on Android by Jordan Gloor of How To Geek (Dec 2021)
  5. The Blokada ad blocker is free, open source and not allowed in the Play Store. Google profits off ads, so they do no like ad blockers in the Play Store. Thus, you have to side load the app. It installs a VPN, but only to enable the intercepting of all DNS requests. It is not a real VPN and it can not run alongside a real VPN. It may also block some trackers. Great feature: customized white and black lists. Blokada also offers a paid VPN in the Play Store, see the VPN topic for details. More: How Blokada works and Blokada Help.
  6. The Lumen Privacy Monitor spies on the apps that spy on you. It seems to have been abandoned, but I found it functional on Android 9 and10. It was/is from the International Computer Science Institute at UC Berkeley. It is not a VPN, but it installs as a VPN and thus can not run alongside a real VPN. It shows all the domains an app calls out to and lets you block them just for the one app or system-wide. It also shows how often an app uses HTTPS vs. HTTP. Although it identifies ad/tracker domains, it does not block anything by default. It reports on data leaks, showing both the type of data that was leaked and which app leaked it. It intercepts TLS, a feature that requires you to install their certificate. There is no one list of blocked domains, so when a blocked domain stops an app from working, ugh. It does not replace or encrypt DNS. It phones home as part of the research project. Website haystack.mobi.
• A big reason for Android's security problems are the lack of bug fixes. Most Android devices are shamefully vulnerable both because fixes are late in being issued (if they are ever issued) and then late in being installed. Here's an idea: before buying an Android phone try to find out when bug fixes for it will be released. Lotsa luck. The correct answer is once a month. Better still, try to find out when the last bug fixes for the phone will be issued, that is, when the software will be abandoned. You will not get an answer to either question.
• Annoyance: There is no solution to this problem. Press the power button to put the device to sleep. A couple seconds later press the power button again and you have to re-enter the PIN code despite the very short sleep time. As of Android 12, there is no configuration option that controls this. Smart Lock comes close, but it is not a real solution.
• WHEN OFF DOES NOT MEAN OFF
  There are options for both Wi-Fi and Bluetooth that let apps turn them on even when you have turned them off. Why? The better to locate you, my dear. If you don't want to be spied on, then turn these off. If you are a parent, wanting to track to location your child, turn them on in the child's phone.
  • On Android 10 the option for "Wi-Fi scanning" allows apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is of. The Android 10 "Bluetooth scanning" option also allows apps and service to scan for nearby devices at any time, even when Bluetooth is off. Find both settings at: Settings -> Location.
  • Android 12: the settings are at: Settings -> Location -> Location services
• DEFENSE
  • Only install apps from the Play store (miserable name for the app store). Do not use side loading (aka sideloading) to install apps from outside the Play store. Side loading is OFF by default. Also, do not install apps that come to you via Telegram or WhatsApp messages. If you must sideload, APK Mirror is a trustworthy source.
    Android 8 and 9: Settings -> Apps & Notifications -> Advanced -> Special App Access -> Install Unknown Apps. For each app capable of sideloading, it will say "Not allowed" by default. Again, this is the safe setting.
  • Every now and then turn the phone/tablet off and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. It is not a perfect defense, but the NSA recommends rebooting/restarting a phone every week. Reboots to install bug fixes count. More: Turn off, turn on: Simple step can thwart top phone hackers by AP News (July 2021)
  • Disable some pre-installed certificates. I have never seen this advice suggested anywhere, perhaps because it is hard to understand. I will skip the explanation, other than to say that pre-installed certificates are used to trust software and websites. But these certificates come from hundreds of companies that no one knows who they are. So, maybe disable some certificates from China. Just do these one a time in case it breaks something. Search Settings for "Encryption and credentials", then "Trusted credentials". Among the companies that created these certificates/credentials you may find the Hong Kong Post Office (Hongkong Post), China Financial Certification Authority, Chunghwa Telecom Co., Ltd. and GUANG DONG CERTIFICATE AUTHORITY CO., LTD. Which of the hundreds to disable? Dunno. I have never seen an article about this.
    As per this November 2022 article in the Washington Post, I also disabled three entries for TrustCor Systems S. de R.L. See screen shot.
• NEARBY SHARE

  This is Google's version of AirDrop. It transfers files and/or apps. It started rolling out in August 2020. Originally called Fast Share, then called Nearby Sharing and finally Nearby Share. Nearby Share works with Android devices running version 6 and later, and with Chromebooks. When it was first released, Google blogged about it.

  To turn Nearby Share off: Settings -> Google -> Devices & Sharing -> Nearby Share. I verified this on Android 10 and 12.

  After reading this August 2020 article, it seems too complicated to setup, too complicated to use and miserably documented. My guess is that it will be ignored.

  Technologies: It requires Location Services and Bluetooth to be enabled. It can make transfers even when devices are not on-line. It automatically chooses one of these protocols: Bluetooth, Bluetooth Low Energy, NFC, WebRTC, UWB or peer-to-peer WiFi. It is said to use Bluetooth for device discovery. I found conflicting information on how data is transferred. One source said it uses Wi-Fi Direct. Another source said it will only work when devices are very close together, perhaps just one foot, which is not true of Wi-Fi direct.

  Configure: You can configure Nearby Sharing so that a device is either hidden, visible to some contacts, visible to all contacts , visible to just your own devices or visible to everyone in the world. Visible to everyone can be enabled on a temporary basis. Originally, the recipient had to approve any transfer before it happens. As of September 2022, if you are transferring something between devices that are logged into the same Google account, then the recipient does not have to approve it.

  Google seems to be spying on your sharing activity. In this September 2022 article, How we're making it easier to share files with nearby devices someone from Google was asked about sharing between devices using the same Google account. The response: "... this is one of the most common ways people use Nearby Share."

• ANDROID 13 (released August 2022)
  1. There is a new Active apps button in the Quick Settings menu (at the bottom) which shows currently running apps and makes it easy to stop them.
  2. Android 13: 6 settings to update immediately by Jon Gilbert of Android Police (Aug 2022). Bilingual Android users can now set the language on a per-app basis, if the app supports it. Shrink the huge clock on the lock screen.
  3. There are little to no improvements in version 13 when it comes to privacy or security or defense against anything.
  4. The Privacy Dashboard, introduced in Android 12 covered only 1 day. In Android 13 it covers a week
  5. See the main Google page for Android 13
• ANDROID 12
  1. When first setting up a new copy of Android 12, you may be asked to improve the messaging app. Say no.
  2. Android apps can auto-update but on every Android device I have used that option defaulted to off. To enable it: Play Store -> click on your picture or initial in the top right corner -> Settings -> Network Preferences -> Auto-update apps. While there, you may also want to change the Auto-play videos setting.
  3. Also in the Play Store Settings, in the General section, is an option, App install optimization, that sends data to Google. Maybe turn that off.
  4. A new feature lets you quickly cutting off access to the camera and/or microphone system-wide. However, the buttons for this are not in the Quick Settings by default. To add them: swipe down from the top of the screen with two fingers to bring up Quick Settings. Then click on the pencil (bottom left) and tap and hold and drag up the buttons for Mic access and Camera access.
  5. There is a new Privacy Dashboard screen that shows which apps are using assorted permissions and how often they use them. See it at Settings -> Privacy -> Privacy dashboard. I suggest checking this periodically. Unfortunately the report only covers the last 24 hours. And, its pretty lame. Still, it does let you revoke permissions that you find apps were using. It just doesn't tell you this - long press on an app in the report that used a permission.
  6. Settings -> Privacy -> turn on Show clipboard access to see when apps access copied data. Maybe turn off "Personalize using app data" which allows apps to send data to the Android system. Exactly what this means is not clear to me, but any personalization infers spying. Turn off "Usage and diagnostics" which is definitely spying.
  7. Settings -> Display -> Lock screen -> Turn off the Show wallet option.
  8. There are six different Location services. Review them and adjust as you see fit. They are at Settings -> Location -> Location services. The Google location accuracy is sneaky, as it lets the phone use WiFi even when WiFi is off.
  9. Turn off the option to send usage and diagnostic data to Google at: Settings -> Privacy -> Usage and Diagnostics
• ANDROID 10 (AKA Q)
  
  • When an app asks for access to location data, there is a new option to only allow this while the app is in use
  • There is a new Privacy section in system Settings
• MULTIPLE USERS
  Android 10, 11 and 12 devices (not sure about v9) support multiple userids, including a Guest user. The feature is off by default. Google says: "Each user has a personal space on the phone for custom Home screens, accounts, apps, Settings and more." The Guest user can be blocked from making phone calls. On a Pixel phone running v11: Settings -> System -> Advanced -> Multiple users. DO NOT USE THIS. The messaging app is buggy when logged on as a secondary user and Google is not prepared to accept bug reports from normal people (me). This feature is clearly not a priority as the bugs I found were very obvious. Google says text messages are not shared between users, this is not true, they are shared.
• CHROME BROWSER
  Configure by pressing the three vertical dots in the top right corner -> Settings
  
  
  • Site Settings -> Motion sensors -> Off. By default the Chrome browser has access to the accelerometer (aka motion sensors). This can be used to spy on you and offers no benefit. Verified Nov. 2021 on Android 10 and 11.
  • Privacy & Security. Turn on Always use secure connections and Secure DNS. For a DNS provider use NextDNS or Quad9. Turn off Access payment methods and Preloading pages. Turn off Privacy Sandbox trial features.
  • Downloads -> Turn on Ask where to save files
  • Site settings -> Cookies. Either Block third-party cookies all the time (will break some websites) or only in Incognito mode.
• Browsers: There are many available web browsers for Android, such as Firefox and Brave. The Kiwi Browser supports most chrome desktop extensions. It also blocks ads and trackers.
• CONTROL THE USAGE OF 4G/LTE/5G DATA
  
  STEP 1: You can ask to be warned about mobile data usage after a megabyte (MB) or gigabyte (GB) amount you specify. You can also prevent any Mobile data over a certain amount which is probably a good idea for a child but not for an adult. What is not at all obvious is how you set the end date of your monthly cycle. On the Data warning & limit screen click/press on "Mobile data usage cycle" (as of Android 13). If your monthly billing cycle ends on the 7th day of the month, set this value to 8.
  • Android 12 and 13: Settings -> Network & internet -> Internet -> Gear icon next to your 4G or 5G data provider -> Data warning & limit
  • Android 11: Settings -> Network & internet -> Mobile network -> Data warning & limit
  • Android 10: Settings -> Network & internet -> Mobile network ...
  STEP 2: You can see the apps using the most mobile data with the click streams below.
  • Android 12 and 13: Settings -> Network & Internet -> Internet -> Gear icon next to your 4G or 5G data provider -> App data usage
    Or, maybe search settings for "Mobile data usage"
    Best: there is a widget for this. Long press a home screen -> Widgets -> Settings -> Data usage
  • Android 11: Settings -> Network & internet -> Mobile network -> App data usage
  STEP 3: Finally, you can prevent a data hogging app from using mobile data while it is running in the background. In the list of apps generated above in Step 2, click on an app and there will be an option to turn off "Background data".
• One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. Android reports Wi-Fi usage separately from 4G/LTE usage. Below are from Pixel phones. Another option is to search the Settings for "data usage".
  Android 13: Settings -> Network and Internet -> Internet -> Non-carrier data usage
  Android 10: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi data usage -> see example. And, Mobile network -> App data usage -> see example.
• Gboard is the Google Keyboard app. If it is installed, go to Settings and search for Gboard. Turn off the "Share usage statistics" option. This sends keyboard usage statistics to Google. Maybe also disable the "Improve Gboard" option.
• Stop the phone from listening to you:
  Disable the Hey Google command, which invokes Google Assistant. You have to be online when you do this.
  • Android 12: search Settings for "Hey Google"
  • Android 10 and 11: Settings -> Google -> Account Services -> Search, Assistant and Voice -> Voice -> Voice match -> Hey Google -> turn off
  • To see what else is allowed to listen to you, search in the Settings app for "Microphone". Some apps are allowed all the time, some only when in use and others are always denied. Review each list to see that it makes sense to you.
• ADS
  • Android 12: Settings -> Privacy -> Ads -> Delete advertising ID
  • Android 10 and 11: Settings -> Privacy -> Advanced > Ads. Turn on "Opt out of Ads Personalization". Or, it might be at: Settings -> Google -> Ads. While there, also click on "Reset advertising ID".
  • Android 8 or 9: The Ads Personalization option may not exist, so try searching in Settings for "ads".
  • A January 2020 report from the Norwegian Consumer Council points out that there is no OS enforcement of your opting out of personalized ads, it is up to each app to honor this request. So, a scam.
• USAGE & DIAGNOSTICS
  Turn off the option to send usage and diagnostic data to Google.
  • Android 12: Settings -> Privacy -> Usage & diagnostics -> turn it off
  • Android 10 and 11: Settings -> Privacy -> Advanced -> Usage & diagnostics -> turn it off
• AUTOFILL
  This ease-of-use feature lets Google save still more information about you. Turn it off.
  • Android 10, 11 and 12: Settings -> Privacy -> Autofill service from Google.
• NFC
  Near Field Communication is used by Google Pay. Maybe you need it, maybe not. Turning it off is the safer default. If you do need it, the option below makes it safer.
  • Android 12: Settings -> Connected Devices -> Connection Preferences -> NFC -> turn it off
  • Android 12: If you want to use NFC, turn on the option "Require device unlock for NFC" which only allows NFC when the screen is unlocked. It is at Settings -> Connected Devices -> Connection Preferences -> NFC
• To change the default app for a function: Settings -> Apps -> Default Apps (as of Android 12)
• PERMISSIONS:
  1. By app: If you have nothing to do for a month, you can check and change app permissions. Android 12: Settings -> Apps -> See all apps -> click on an app to see/change its permissions
  2. By permission: Settings -> Privacy -> Permissions manager
  3. One common permission to block is to not give the Camera app access to your Location. On some Android devices, camera apps have their own GPS setting. To see if a photo has location info, view it in the Google Photos app and swipe up. The Google Photos app can strip location info from a photo before you share it: Open the Google Photos app, click the hamburger menu in top left -> Settings -> turn on Remove geo location. This only works in the Google Photos app.
• Notification History: Just an FYI. Android 12 (and earlier?) can store old notifications. See: Settings -> Notifications -> Notification History. From here you can turn the feature on/off, and, if its on, see old notifications.
• Hard of hearing? In a noisy place? Some Android phones can do live captioning of detected audio. Android 12: Settings -> Sound and Vibration -> Live Caption. As of September 2022, this only works in English.
• Poor eyesight? You can make text larger. Android 12: Settings -> Display. The Font Size option applies to text. The Display Size option applies to everything, including icons and menus.
• BATTERIES
  • Repeatedly charging a Lithium Ion battery to 100 percent reduces the life span of the battery.
  • I find it very useful to see the battery percentage in the Status Bar. To enable this (in Android 12 and 13) search Settings for "Battery Percentage"
  • Battery info apps: Accu​Battery from Digibites and Battery by MacroPinch.
  • Search settings for "Battery" and you may find these options (from Android 10, 12 and 13)
    1. Battery Saver: turns on Dark theme and limits or turns off background activity, some visual effects, certain features, and some network connections. Note that the option to set a schedule is misleading. It can also turn on Battery Saver based on a battery percentage. The default is 5%. The Battery Saver on/off option in v12 is also misleading. "On" means always on, no matter what, it does not mean enable the Schedule. In v10 there is a clear and obvious blue button that turns on Battery Saver. More: Use Battery Saver on a Pixel phone from Google.
    2. Adaptive Battery:
       v12: "Extend battery life based on your phone usage" and "Adaptive Battery may reduce performance and background activity. Some notifications may be delayed."
       V10: "Limit battery for apps that you don't use often" and "To extend battery life, Adaptive Battery limits battery for infrequently used apps. Your phone will learn how you use apps over time. Notifications may be delayed for these apps".
    3. Adaptive Charging: Charge steadily overnight to preserve long-time batter life. Uses alarm to completely charge by wakeup. This option does not exist in Android 10.
• Storage: If to see the apps using the most storage on Android 12: Settings -> Storage -> Apps
• You may be able to set an Android device to erase all data after too many failed attempts to enter the PIN/passcode. On one Android 10 device: Settings -> Lock screen -> Secure lock settings -> Auto factory reset (after 15 bad passcodes). However, other Android devices I checked (an Android 11 phone, two Android 10 tablets and an Android 8 tablet) had no option for this at all. I have read that it might be at Settings -> Security & Location -> Screen lock.
• Backup: How to back up Android devices: The complete guide by JR Raphael for Computerworld (Jan 2020)
• The Fairphone is only sold in Europe. It runs Android, and the reason to consider it, is that the hardware is designed to be easily replaceable. This September 2023 article on the new Fairphone 5 Fairphone 5 review: could this be the first phone to last 10 years? (by Samuel Gibbs in The Guardian) says that is thinner, lighter and more refined compared to older models. It is also a big step up in terms of longevity, repairability and quality. It costs about $750 US, more than older models but offers up to 10 years of software support. It runs Fairphone OS which is based on Android 13 and includes the Play Store. You can install another OS such as Linux or other versions of Android. This older article (NY Times, Sept 2022) says the battery and camera can both be easily replaced and it implies the screen can too. As for bug fixes, the Fairphone model that came out six years ago (as of Sept 2022) is still getting Android updates.
• The Android Play Store allows many apps to share the same name. Before installing an app, check who created it, to insure it is really the app you think it is.
• The Jumbo Privacy + Security app increases your privacy on Facebook, Twitter, Amazon, Google and Alexa. It adjusts Facebook privacy settings, deletes old tweets, erases Google Search history, deletes voice recordings stored by Alexa and more. As of Jan 2, 2020 it was rated 687 times in the app store with an average rating of 4.8 (very high). More here and here.
• As bad as it gets: Millions of Android phones can be hacked. Original source: Over 400 vulnerabilities on Qualcomms Snapdragon chip threaten mobile phones' usability worldwide from Checkpoint (August 2020). This research was dubbed "Achilles" no doubt because it is an Achilles Heel for Android. Checkpoint found about 400 bugs in a DSP chip from Qualcomm that is used in phones from Google, Samsung, LG, Xiaomi, OnePlus and others. iPhones are not affected by these flaws. If the bugs are exploited, you can be spied on or lose all your data. More here.
• PRE-INSTALLED CRAP
  Cheaper Android phones are the worst when it comes to pre-installed crap and none of this happens on iOS.
  
  
  1. Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices by Fyodor Yarochkin, Zhengyu Dong, Paul Pajares of Trend Micro. May 17, 2023. An overview of the Lemon Group’s use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023. Sadly, the researchers do not name names, so there is nothing useful here for Defensive Computing. Other than avoiding cheap Android phones. Even the Indicators of Compromise are useless.
  2. Chinese-Made Smartphones Are Secretly Stealing Money From People Around The World by Craig Silverman for Buzzfeed (Aug. 2020). Preinstalled malware on low-cost Chinese phones has stolen data and money. The malware, xHelper and Triada, secretly downloads apps and attempts to subscribe the victim to paid services. A factory reset does not remove the malware. The phone cited was a Tecno, made by Transsion, which is the fourth-biggest handset maker in the world, behind Apple, Samsung, and Huawei. The article cites other cases of pre-installed malware on Android phones.
  3. We found yet another phone with pre-installed malware via the Lifeline Assistance program by Nathan Collier of Malwarebytes (July 2020). The phone was from ANS (American Network Solutions).
  4. US Funds Free Android Phones For The Poor - But With Permanent Chinese Malware by Thomas Brewster (Jan 2020). Malware discovered by MalwareBytes. No comment from the FCC or Assurance Wireless, which made the phones.
  5. In An open letter to Google, over 50 organizations plead with Google to do something about exploitative pre-installed software. (Jan 2020) The letter references this research paper: An Analysis of Pre-installed Android Software (2019).
  6. A Nov. 2019 report from Kryptowire looked at pre-installed threats (bugs and vulnerabilities) on phones sold by US carriers. They looked at a range of Android devices, from low-end to flagship. See also their Mobile Vulnerability Analysis) (PDF).
  7. Backdoor found in four smartphone models (Catalin Cimpanu June 2019). An un-removable backdoor Trojan was found in four low end Android phones.
• ANDROID ARTICLES
  
  1. Android privacy settings to change now by Chris Velazco and Tatum Hunter. Last Updated October 2022.
  2. How to enhance privacy on your Android phone by Manuel Vonau for Android Police (December 2021). Long article with many suggestions.
  3. How to stay private when using Android by Ludovic Rembert for ProtonMail (Dec 2019). 14 suggestions.
  4. 9 Apps to Boost Your Phone's Security and Privacy by David Nield in Wired (Aug 2016). Access Dots shows if an app has secretly enabled the camera or the microphone. Norton App Lock password protects apps. Authy for 2FA. Firefox Focus for private browsing. Re-purpose an old phone or tablet into a security camera with Alfred Home Security Camera. And more.
• LOCKING
  
  1. To lock an Android device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.
  2. A different type of locking is to lend a device to someone but limit them to only run one app. See How to Safely Lend Someone Else Your Phone by David Nield for Wired (July 2022). The article does not refer to a version of Android, but 12 was current when it was written. The feature the article describes is App Pinning. On older versions of Android this was called Screen Pinning.
• Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.
• FYI: The Settings That Make Smartphones Easier for Everyone to Use by J. D. Biersdorfer (September 2022). The accessibility features Apple and Google include in their mobile software can help people of all abilities get more from their devices.
• GETTING RID OF OLD ANDROID DEVICE
  Note that you can not restore a backup from a higher Android version to a device running a lower Android version.
  • Back it up: Back up or restore data on your Android device from Google
  • Reset it: Reset your Android device to factory settings from Google and How to factory reset your Google Pixel phone from Google
• If your phone needs fixing, make sure your secrets are safe first by Chris Velazco in the Washington Post (October 2022). To maintain control of your phone number, remove the SIM card and put in another phone. If the phone has an embedded SIM, call your wireless carrier to discuss the options. As for a repair person having access to your files, the only way to be sure to block them is to delete all the files before you hand your phone over.
• Take Google out of Android: The January 14, 2022 episode of the Privacy Security and OSINT podcast, by Michael Bazzell, was on Android Sanitation, which means removing Google apps and services from Android without having to resort to custom ROMs, unlocked boot-loaders, or rooted devices. The technique uses Android Debug Software running on a computer, not on the phone.
• REPLACING ANDROID
  
  
  1. The Best mobile device not from Google or Apple, by Mark Hurst. Last updated October 14, 2022. A list much like this one. The recommended phone is The Light Phone which has its own stripped down operating system. It costs $300 and the screen is the same type as a Kindle, so only black/white. As of February 2023, it is in stock and for sale.
  2. The app development company, Simple Mobile Tools sells a non-Google Android phone called Simple Phone. See their FAQ and their blog: Why Simple Phone? As of February 2023, it cost 350 Euros and was out of stock. As of November 2022, it cost 400 Euros and was only sold in the EU. Some techie details on how they removed Google from the OS: How de-googled is SimpleOS?
  3. August 2022: I tried completely de-Googled Android - here's what happened by Jordan Palmer of Toms Guide. Installing and using /e/OS version 1 and GrapheneOS. "Both try to do similar things, but offer vastly different experiences. Neither was as easy to install as I thought at the outset..." As for /e/OS, "...the documentation and recovery aren't good experiences, even for someone experienced with custom ROMs." As for GrapheneOS, "It's barebones and simple, and the stock apps seem pretty good for the most part."
  4. In May 2022, Brad Linder wrote about Simple Phone: Open source, privacy-focused smartphone coming soon from Android app maker Simple Mobile Tools. The goal of the phone and its new OS is to provide a privacy-focused phone with support for Android apps at a budget price. It will ship with only open source apps pre-installed. It will be released in Europe first, no time estimate yet for a US release. More.
  5. GrapheneOS is a version of Android focused on privacy and security. It is built from a minimal version of Android (AOSP) and it has no Google apps or services. Being Android, it preserves all the standard software and hardware security features. Development seems pretty rapid. They were six releases in February 2021, two in January 2021 and two in December 2020. It only runs on Google Pixel phones. As of March 2021, it is supported on: Pixel 5, Pixel 4a (5G), Pixel 4a, Pixel 4 XL, Pixel 4, Pixel 3a XL, Pixel 3a, Pixel 3 XL and Pixel 3. More: What Is GrapheneOS, and How Does It Make Android More Private? by Joe Fedewa (March 2022).
  6. GrapheneOS is preferred by Michael Bazzell of The Privacy, Security, & OSINT podcast. He discussed it on his podcast in June 2021, August 2021 and September 2021. He also wrote a GrapheneOS Installation Guide (undated) and a GrapheneOS VOIP Calls Guide (also undated)
  7. The Shiftphone, from Germany, is available only in the EU (as of December 2022) where it costs 633 Euros. On January 5, 2023 they will announce something new. Out of the box it is Android with no bloat, just the minimal set of Google Apps are pre-installed. The article describes how to convert it to a Google-free system: Android without Google: Shiftphones.
  8. A company called /e/ sells smartphones running /e/ OS, which is Android with Google stripped out of it. Initially they were only available in Europe, but as of Feb. 2021, they are sold in the US and Canada. They offer two refurbished Samsung Galaxy S9 models for $380 and $430. There is no Google Play Store, instead there is a variety of free and/or open source applications. Techies can try installing the software themselves on a short list of compatible phones. Brad Linder has more (Feb 2021).
  9. In Dec. 2019, Ludovic Rembert of ProtonMail wrote that LineageOS was the most developed (and stable) alternative version of Android but he warned that installing it requires technical knowledge. Max Eddy of PC Magazine wrote about installing LineageOS on an old Android phone (May 2019).
• LINUX PHONES
  I know of three companies working on releasing a phone running Linux.
  
  
  1. The Librem 5 from Purism will be $700. It has been delayed a number of times and, as of Jan 2020, was still not finished. It started shipping sometime in 2020. It runs PureOS, has a user-replaceable battery and three hardware kill switches (WiFi & Bluetooth, Cellular baseband, Cameras & mic).
  2. The PinePhone from Pine64 runs multiple Linux distros. It has a removable back cover, a removable battery, and a set of hardware kill switches. It is designed to make it easy to choose your own Linux OS. The phones ship with a version of Manjaro Linux and you can boot an alternate OS by flashing it onto a bootable microSD card and inserting it in the phone. The PinePhone started shipping in January 2020. In Dec. 2020, Brad Linder wrote about new versions of Manjaro, Mobian, and OpenSUSE that all run on the PinePhone. As of January 2022, the first generation sells for $150 to $200 US. The second generation, the PinePhone Pro Explorer Edition, was expected to ship at the end of Jan. 2022. The price was supposed to be $600 US, but as of August 2022, it was $400. More here and here.
  3. Necuno Solutions is working on a phone that will be manufactured in Finland.
• The simple question, does an Android device have the latest available bug fixes, is far too hard to answer. iOS does this much better.
  
  
  1. Finding the right place in the Settings to check for OS updates has always been like navigating a rat maze
  2. For years the initial screen has lied to us and said that the device is up to date on patches/bug fixes. Many times, it said it last checked hours ago, yet when I clicked on the CheckForUpdates button, it found a missing update (last verified Feb. 2020 with a Pixel 3A running Android 10).
  3. Android is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Like iOS, Android lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.
• Also see the Stalkerware topic
• Also see the Bluetooth topic to change the default public Bluetooth device name
• Also see the Location Tracking topic
• Also see the Mobile OS Spying section which has some privacy focused Android alternatives.
• And see the Mobile Scanning and Sharing topic