How to stay private when using Android


The smartphone is one of the most invasive devices ever invented. It’s easy to forget that, of course, because we are so familiar with them, and they are so useful. But while you might value your smartphone for the convenience it gives you, tech companies value it for an entirely different reason: it is collecting data on everything you do.

If you believe, like us, that privacy is a human right, Android is something of a nightmare. Most people who use Google services are aware the company is tracking their location, checking which websites they go to, recording their voice, and reading their emails. What a lot of people forget is that Android was developed by Google, and is one of the most important tools for this data collection.

It is possible, though, to use Android in a way that drastically limits the amount of data you are sharing with Google (and other companies who want your data). In this guide, we’ll show you how to do that.

In each step below, we’ll show you how to use the settings menu on your device to increase your security and privacy. The menus we mention will be the same on most current Android devices, but since devices vary, you might find these options in a slightly different location or under a different name. With a little poking around in your device’s menu, you should be able to find the relevant option.

The basic principle: Turn everything off

Before we begin with the specific steps necessary to make your Android device more private, let’s highlight a basic principle of using your phone: turn off all the connectivity you do not need.

This goes for whatever smartphone, and whichever operating system, you have. Don’t let your phone connect to unknown WiFi networks because they may be a source of malware. Don’t leave your Bluetooth on because there are plenty of Bluetooth security vulnerabilities. Don’t connect your phone to your computer (if you can avoid it), because smartphones can also act as a reservoir of malware, and your phone can be infected without you realizing it. 

In short: if you are not using a service right now, turn it off.

With that out of the way, let’s make your phone more secure. Here is a short(ish) list of how to do that.

1. Limit Google’s data collection

First and foremost, you should be aware of Google’s fake commitment to privacy and limit the data the company collects from your phone. Android phones let you do this, but it is hidden. Go to your settings, and look for “activity controls.” Here, you can limit the data that Google is collecting via your phone. 

Going further, you can even use your Google device without signing into your Google account. Unfortunately, this really limits what you can do with your phone. 

2. Use a PIN

Another basic privacy step is to lock your phone with a personal identification number (PIN). Locking your phone prevents random strangers from being able to get into it and keeps your data private in the event that your phone is stolen or one of your friends “borrows” it.

When you set up a PIN on your device, some versions of Android will ask you if you want to encrypt the device as well. This is also a good idea, and we’ll come to that process shortly.

In 2019, it might seem a bit old-fashioned to use a PIN (or, even better, an alphanumeric password), but in terms of data privacy, a PIN is still king. That’s because if you are using the other locking methods that Android provides — your fingerprint or face recognition — you are consenting for this biometric information to be stored on your phone, and occasionally transmitted to Google.

3. Encrypt your device

Encrypting your entire phone is pretty simple, but not many people do this. Encryption, though, is by far the best way to keep your data private, whether your phone is hacked or stolen.

Encrypting your phone can be done from the “security” menu in Android. You need to enter a PIN to do this, and the phone needs to be plugged in. Just don’t forget the PIN, because if you do all of the data on your phone may be lost forever.

4. Keep your software up-to-date

Everyone knows that keeping your software up-to-date is incredibly important, but even the most security-conscious people sometimes skip that annoying notification. If you don’t keep your phone updated, you are opening yourself up to vulnerabilities that can be exploited by hackers to steal your data.

In Android, you can update your software at any time by going to Settings > About Phone > System Update.

5. Be wary of unknown sources

By default, Android locks down the sources of software you can use by only allowing you to download apps from “approved sources” that have been vetted by Android developers. This is actually something that Android has inherited from Linux, which the OS is based on. However, sometimes your phone asks you to enable “unknown sources” for software, and if you’re in a rush you can accidentally turn this on. You should never trust software from these sources: some of it is malware, and some of it is merely riddled with security flaws.

To disable unknown software sources, go to Settings > Security > Unknown Sources, and uncheck the box. It’s probably not enabled anyway, but it doesn’t hurt to check.

6. Check app permissions

Yep. You know already that you should carefully check all of the permissions that an app asks for when you install it, but in a hurry you may not. There is no hard-and-fast rule when it comes to checking these permissions, but there is a good guiding principle: are the permissions an app is asking for appropriate for what it does? Does this silly game you’ve downloaded really need to access your camera, contacts, and microphone? Probably not.

The situation, when it comes to app permissions, has improved in recent years. In response to user concerns over privacy, Android apps now ask for (almost) all of the permissions they need. They will also ask for these selectively, so you can use an app without granting it all the permissions it asks for. An app will ask for Bluetooth permission, for instance, only when you try to use this functionality. 

On the other hand, there are some permissions that are so “basic” that they are not even counted as permissions by Android. The most striking example of this is access to your Internet connection. All apps are granted this permission by default, they will not ask you to confirm this, and you cannot disable it. This means that even your flashlight app can send and receive data.

You should check the permissions that an app asks for when you install it, but you should also audit your apps frequently to make sure that you have not granted them more permissions than they need. Building this kind of audit into your monthly schedule is a great way of staying on top of your cybersecurity, since you can easily spot extra permissions that you may have granted in a rush. To check these permissions, go to Settings > Apps > ⚙ icon > App permissions.

In general, if you think an app is asking for greater permissions than necessary, look for an alternative that takes your privacy more seriously.
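A way to run the permission audit from step 6 from a computer instead of tapping through menus, as an added example that is not part of the original article: it parses the text that `adb shell dumpsys package <pkg>` prints on Android 6 and later (the dump below is a constructed sample in that layout, and the allow-list of what each app is expected to need is an assumption you fill in for your own phone) and flags sensitive permissions granted beyond that list. It also lists which packages hold the install-time INTERNET permission, which, as noted above, is granted without asking.

```python
import re
import sys
from typing import Dict, List, Set

# Runtime permissions the article singles out as worth questioning for an app
# that has no obvious need for them (camera, contacts, microphone, location, SMS).
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
}

# Constructed sample, modelled on the layout of `adb shell dumpsys package <pkg>`
# on Android 6+ (assumption: real output has many more fields; only the
# "Package [...]" and "<permission>: granted=<bool>" lines are used here).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.flashlight] (a1b2c3):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.VIBRATE: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.maps] (d4e5f6):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

# Hypothetical allow-list: what the reviewer believes each app legitimately needs.
EXPECTED: Dict[str, Set[str]] = {
    "com.example.maps": {"android.permission.ACCESS_FINE_LOCATION"},
    "com.example.flashlight": set(),
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, List[str]]:
    """Map each package in the dump to the permissions currently granted to it.

    Install-time and runtime permissions are both collected; lines with
    granted=false are skipped, so the result is what the app can actually use."""
    granted: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted[current] = []
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None and perm.group(2) == "true":
            granted[current].append(perm.group(1))
    return granted


def audit(dump: str, expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return, per package, the sensitive permissions granted beyond the allow-list."""
    findings: Dict[str, List[str]] = {}
    for pkg, perms in parse_granted(dump).items():
        extra = sorted(p for p in perms if p in SENSITIVE and p not in expected.get(pkg, set()))
        if extra:
            findings[pkg] = extra
    return findings


def internet_capable(dump: str) -> List[str]:
    """Packages holding INTERNET, which Android grants at install time without asking."""
    return sorted(p for p, perms in parse_granted(dump).items()
                  if "android.permission.INTERNET" in perms)


if __name__ == "__main__":
    # Pipe a real dump in (`adb shell dumpsys package > dump.txt`), else use the sample.
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for pkg, extra in audit(text, EXPECTED).items():
        print(f"{pkg}: review {', '.join(extra)}")
    print("can reach the network:", ", ".join(internet_capable(text)))
```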

7. Review your cloud sync

Plenty of apps request permission to sync data with the cloud, and sometimes you might want them to do this. There are many advantages of cloud storage for messaging apps and those that store important data. But, just like checking the permissions they ask for, you should also limit the number of apps you have syncing to the cloud. 

You can turn off cloud syncing for individual apps by going to Settings > Accounts, and then tapping on the app name. 

8. Hide notifications

An often overlooked way of making Android devices more private is simply to turn off notifications on the lock screen. That way, someone who picks up your phone won’t be able to see your contacts, message previews, reminders, and alerts.

Turning off these notifications is easy. Just go to Settings > Sound & Notifications.

9. Review default apps

Now we’re getting to some more technical measures. Android opens certain types of files with certain apps, and these are controlled by a list held in Settings > Apps > ⚙ icon > Default. Here, you can see which apps Android uses for each type of file. 

The key here is to make sure that Android is using the most secure apps available to open particular files. If you’ve installed ProtonMail, for example, make this your default app for email. The same goes for any other secure app you download because by default Android opens everything with the least privacy-focused apps available (i.e. the apps made by Google, which wants to spy on you).

10. Don’t share your location with apps

Many apps request that you share your location with them. For some apps, this is incredibly useful. In fact, some apps lose all functionality unless you give them your location data. 

On the other hand, plenty of apps that don’t need to know where you are ask for this information. This, in fact, has been one of the major security concerns of the 5G network, and why Huawei is banned from taking part in it. There was a fear that the Chinese tech giant was collecting location data by default for everyone who used their hardware, and that this could be used to identify individuals even when they had taken precautions against this.

To turn off location permissions for your apps, go to Settings > Apps > ⚙ icon > App permissions > Location.

A more general way of limiting access to your location data is to disable Google’s attempts to track your every move. You can do that by going to Settings > Location > Google Location History.

11. Use a non-Google version of Android

If you take your privacy seriously, you could also consider using a version of Android that is not built by Google and won’t send them data.

Though most device manufacturers make their own “flavor” of Android, most of these variant systems are built around the core functionality that Google provides. As a result, almost all “mainstream” versions of Android will share your data with Google. 

There are some versions of Android, however, that do not do this. Installing them is a pretty major and complicated step, though, so you should carefully consider whether you want to wipe the existing OS from your phone. At the moment, the most developed (and stable) alternative Android OS is LineageOS. This is based on CyanogenMod, which limits access to your phone by third parties. Installing an alternative OS requires technical knowledge, though there are plenty of install guides to help you.

12. Don’t use Google for search

You might be wondering why this option is not higher up on this list. It should be easy to change your default search engine within Android, right? Well, yes and no. No surprise, Android doesn’t let you use any other search service from within its default browser. 

In order to use a more secure search engine, you need to download an alternative browser. These let you change the default search engine and avoid Google collecting data on your queries. 

13. Use a VPN

A virtual private network (VPN) encrypts all of the data passing between your phone (or computer, or tablet) and the wider Internet. 

There are plenty of VPN providers out there, but you should be careful about which one you choose. In general, VPN providers often are not transparent about who operates them or how they may or may not use your data. In addition, be wary of VPN providers that are based in the EU or (even worse) the US, because they may be required to share data with foreign intelligence agencies. With our own VPN service, we have gone to great lengths to demonstrate why we offer a VPN worthy of your trust.

14. Use a secure email provider

Finally, you should use an email provider that doesn’t read your emails. It may sound pretty obvious. But you should remember that everything you do on Gmail is being read by Google. If you are uncomfortable with that, there are plenty of secure (and private) email providers out there. 

One of them is ProtonMail. We use PGP encryption to keep your emails private when they are in transit, and zero-access encryption to secure your data at rest. As a result, no one but you can access your messages, not even us. It’s also quite easy to transfer your data from Gmail using the ProtonMail Import-Export application (now in beta).

Learn more: why ProtonMail is trustworthy

Using Android privately

In closing, it’s also worth pointing out that, although Android is a risk to your privacy if you don’t lock it down correctly, smartphones per se are not evil.

In fact, if used correctly they can be extremely useful in securing other parts of your online life. The clearest example of this is two-factor authentication, in which a time-based code from a smartphone app is required in addition to your password to log in to your account. (Where possible, you should set up this kind of system for all of your online accounts.)

The trick to using a smartphone securely, as with any other device, is to take the time to find out how it actually works. That way, you can disable the data-collection and data-sharing “functions” that you don’t need. 

And just by reading this article, you’ve taken the first step on that road. 

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Ludovic Rembert

Ludovic Rembert is a security analyst, researcher, and founder of PrivacyCanada.net. He spent his career (before semi-retirement) as a network security engineer working in both industry and academia, and more recently has begun freelance writing on a variety of technical topics.


50 comments on “How to stay private when using Android”

  • It would be great to see a ProtonMail app version on F-Droid, like tutanota is doing, so people could actually use LineageOS and PM.

    Reply
  • Wow. I fail the first step! There doesn’t seem to be an “activity controls” under settings for the Samsung S7 device. Alternate description?? What exactly should be changed?
    Thanks!

    Reply
    • Hi! I checked with one of my colleagues who has a Samsung S7. It seems there are a couple of places where you can update this.

      If you go to Settings -> Google, you can opt in or out of personalized ads. There’s also a hamburger menu in the upper right of the Google Settings which has a ‘Usage and diagnostics’ option, where you can toggle whether you send data to Google to improve Android. And finally there’s a ‘manage your Google Account’ under your name, which has a Data and Personalization header. And under this there is Activity Controls. This is for the whole Google account, not just the phone (the same menu you can find on the web if you go into your Google Account settings). There you can turn off location tracking, personalized ads, etc., for your account.

      Hope that helps!

      Reply
  • May I ask a related question regarding ProtonMail Registration Human Verification? I don’t want to be identified. It seems to me that a phone number or email address can only be used once to register a ProtonMail account, so how LONG do you store the cryptographic hashes of contact information provided? Do they have timestamps? You said you only save a cryptographic hash of your email or phone number which is not permanently associated with the account that you create, and I assume that each ProtonMail account has an account creation timestamp down to seconds. Would it be possible to figure out if a ProtonMail account is somewhat linked to the cryptographic hash of a number or email address by comparing these two variables?

    Reply
    • We do indeed periodically delete and clear the hashes. While it is not impossible to try to match a hash to a number, it is a very unlikely procedure because we use a slow hash that would require an extreme amount of computing power to do this.

      Reply
  • Could you expand on point number 11 (Use a non-Google version of Android)? I easily see this when comparing older outdated devices no longer supported by Google, or even devices that only get quarterly or yearly updates from their manufacturer. But what about devices, specifically Pixel & Essential PH-1, that get monthly updates? Also, who is verifying that the software from LineageOS is more secure? Thanks!

    Reply
  • Thank you so much for those helpful tips.
    I really appreciate you explaining them in simple and clear terms as I consider myself a techno-dummy.
    Best wishes
    Grace

    Reply
  • “Going further, you can even use your Google device without signing into your Google account. Unfortunately, this really limits what you can do with your phone. ”

    E.g. you cannot install ProtonMail 🙂

    Great article, thank you!

    Reply
  • Thank you for this information. Do you know if there is an app to perform a security check? I do use one which does some things but does not, for instance, check all the app permissions.

    Reply
  • You guys are the absolute BEST!!! I’ve been a fan for a few years now… And I have been so fortunate to have found you!!! Please don’t ever give up the fight… You guys are a dying breed, and a pillar of light and strength within our community! much love and respect ALWAYS!! The HaTTeR!

    Reply
  • Can I use the Proton VPN on my router, so that all traffic is going through the Proton VPN? Will I sacrifice speed by doing so?

    Reply
  • Mainly I wanted to write and say THANKS! It’s becoming increasingly difficult to find information on how to avoid the security vulnerabilities on cell phones and computers. You used to be able to find loads of information through forums and message boards. Unfortunately search engines are eliminating this ability, preventing the ability to search for independent data from individuals.

    I really wish you, or someone else, would create an alternative OS for android that would eliminate the spy ware that infects the majority of electronic devices. If nothing else it would be nice to be able to “crack” an OS to allow users to see when and who their devices are communicating with. I’m certain this is possible but don’t possess the knowledge of how to do it. Regardless, thank you Proton!

    Merry Christmas! Happy New Year! And all the other forbidden phrases 😉

    Reply
  • Very Interesting. I chose an Android phone because I didn’t like the way Apple try to control your life.
    Now I’m wondering if I made a mistake! Which is the lesser of the two evils, Apple or Android?

    Reply
    • Sadly, there aren’t any perfect answers, and this is the problem Proton is on a mission to solve. In the meantime, it’s up to each of us to assess our threat model, learn as much as we can, and choose the products that make the most sense for us.

      Reply
  • Great article. The majority of people are clueless as to how much privacy they can lose by not knowing how to properly use their devices.

    Reply
  • Hi,
    Very interesting. Thank you for all this information.
    Concerning the internet access, it is actually possible to control which app can access the internet with a special app called “no root firewall.”
    It would be really super-great if you could include this function inside your app “protonvpn”. For example, it should be an option because for some people it is too complicated to manage this. But once this option is activated, each app trying to access the internet through the protonvpn will be blocked by default and the user must allow the app to access the internet.
    With this function you will really increase the privacy of people, because as you said, many apps don’t really need internet access to work. (Or only sometimes, so you can choose when you allow the app)
    Thank you very much

    Reply
  • Thanks for writing this. I feel that it is being written a little late but it’s still appreciated. I would like to see this post/topic updated in the future. I’m already doing 99% of the things listed, but it was still a fun reminder. I have to admit I didn’t know that “Android was developed by Google”.

    Reply
  • Thanks for this article. Maybe you could make a level 2 version showing how one can use the F-Droid.org repository (an exception to #5) to replace Google apps by alternatives (AnySoft keyboard instead of Google’s one, Aurora Store and New Pipe or SkyTube as anonymous front-ends to PlayStore and YouTube, etc.) and thus remove the Google account without losing functionalities.

    Reply
  • Hi,
    There is another problem I think I discovered using Android:
    Keying a message using protonmail, I think the spelling is connected to Google and some of my personal jokes are proposed to me…
    By this way, all the messages are transmitted directly to Google with their corrections..?
    Am I right?
    Is there any way to avoid that?
    Thanks for your expertise and best regards

    Reply
  • Great article to read. Thank~You Ludovic Rembert & ProtonMail. I’m awakening to the fact of privacy on smartphones and coming across this article is a fortunate read. Appreciate the concern for our privacy. Wishing you all Success in your Endeavors & Great Adventures in the coming year of 2020 & the years to follow.

    Reply
  • Thank you for the article; it was informative and helped to find additional privacy settings on my phone that I didn’t know about.

    Reply
  • Hi Ludo,

    thanks for these guidelines, just took my free afternoon to go through these and set up my new phone.

    Bouncing on what you write about 2FA at the end of your article, has anyone @PM written guidelines on the good ways of setting up 2FA across multiple devices?

    Having it enabled on the same device as the app I want to connect to doesn’t sound very safe to me.
    An informed opinion would be welcome.

    Cheers.

    Reply
  • Thanks for a great article on options available to make a smartphone more private. I have a few comments though …
    1. Your article mixes general privacy with locking out Big Brother Google which I think is the greatest threat, and hackers.
    2. Your Menu selection notes have not been updated for the latest Android V9. (though you warn about that)
    E.g. Settings > Location > Google Location History no longer exists. The Settings – Apps – ⚙ icon has been replaced by the 3-dot menu icon.

    You make no mention of Anti-virus apps for Android. Do you not recommend these?

    Thanks, Pieter

    Reply
  • Thanks, Ludovic, for a highly professional article.

    There is one point which to me is the biggest and most outrageous Google Greedy Grab invasion: Google forbids me from reading my own documents and notes without first demanding I surrender a copy to the Google Docs cloud. The message appears:

    “YOU’RE OFF LINE
    To save as Google Docs, you’ll have to go online. Try again when you’re connected.”

    Hijacked.

    There have been times when I found it impossible to view my own file without uploading it first.

    Likewise, I am forbidden from copying my own personal notes from my Huawei to my computer without first going through email or “the cloud”, there is no way to find or access my notes within Android.

    The masked burglars rummage through our writing desks with gleeful impunity. 🙂

    Reply
  • Writing about Non-Google android and not mentioning e OS is somewhat surprising.
    They have been working on this since their campaign and it is working fine for everyday use.
    Lineage gets often installed with GApps, which makes it google spyware.

    Reply
  • 1) You can install protonmail with no play store. It’s called Aurora store.
    2) Just install netguard firewall and you discover what your phone really sends.
    3) You can install lineage OS only after you have studied points 1 and 2 well. If you install lineage with no study and you install playstore and all the normal “mass apps”, you obtain at the end… the same spy-phone.
    4) Proton vpn with a normal phone is only a waste of time.

    Reply
  • Many thanks for this article.
    In the same line of “How to stay private when using Android” I would like to read an article about privacy and security of communication applications (WhatsApp, Signal, Threema, Telegram, etc..).

    Which one to use, which one is more secure. How to make our exchanges more secure.

    We look forward to reading you on this subject.

    Emmanuel

    Reply
  • Good article and I agree fully. This is why I never will do Online Banking with my Smartphone.

    Some points have been raised already, e.g. how to get away from the Google Store and you already mentioned that you are working on it. One particular challenge I have is Two-Factor Authentication. I use it on my PC with the Authenticator app running on a local tablet which is essentially stationary. But to me it does not make sense to have both protected app and token generator on the same device as would be the necessary for the smartphone use case (another Online Banking sin). Is there any support for hardware tokens (e.g Yubikey or Solo) planned? Because if not, I either have forego Two-Factor Authentication in general or not use Protonmail on the smartphone (and with the calendar now coming as well, that would be a shame). Or am I missing something here?

    Reply
    • There is still a security benefit to using 2FA, even if it’s on the same device you’re using to log in to your Proton account. For example, someone trying to remotely access your account would not be able to do so.

      Reply
  • Do you know if Apple’s iOS is any safer? Also what 3rd party browsers are not owned by Google? Is Windows in danger of these same problems as well? Can you make a request for Google to delete any data or info they have of you stored even after you’ve deleted your account? I’ve been a naive Android/Google user for many yrs & never did I know these things about Google. It is upsetting & kinda starting to nag at my anxiety a bit. We deserve our privacy.

    Reply
  • Does Google also monitor my emails when I use a webmail service like GMX / Web via the browser or is this only the case when I use Gmail?

    Reply
  • Great article, but I’d like to add some advice:
    First thing I do after buying a new smartphone? No, wrong, I don’t insert the SIM-card. I’m driving home, connect the SM to my secure desktop (which never has been on the internet and uses the latest debian).
    Then the phone is switched on and booted directly into the download screen. Latest TWRP recovery, LineageOS and a superuser app (like Magisk) will be flashed to the phone (there are plenty of guides on the net, see e.g. the xdadevelopers page). Then, the phone is allowed to boot. Encryption of the device is switched on. If TWRP, LineageOS et al. are working correctly (otherwise repeat the flashing, but this time via TWRP only) the SM is switched off, the SIM-card is inserted and then we go …

    Next thing is installing FDroid to get access to AFWall and Blockada (for use outside of my own local LAN secured with my own DNS and extensive filterlists and no way to connect to it via VPN) and other useful security and privacy related apps.

    With privacy related add-ons in Firefox like PrivacyBadger and uMatrix I think I carefully can use the internet then.

    Reply
  • Another idea just came to me:
    I’m using ProtonVPN. There I have to use another DNS than my homebased one. That one has an adblocker.sh script running which uses many (selectable) filterlists to block ads, tracking and malwaredistribution sites.

    For me it would be a good idea if the ProtonVPN DNSs provide a (opt-in) solution for those DNS-Filtering.

    Reply