With everyone from local scammers to government agencies trying to get their hands on your data, there's never been a better time to beef up your privacy game. Fortunately, there are a ton of options out there to keep your messages, files and phone safe on Android.
Before we begin, we should point this out: Using a smartphone is always going to be a risk. Especially one running services from Google. You can use these tips and apps to protect some of your communication, but you're never going to be totally off the grid as long as you're using an Android phone. That doesn't mean you have to make it easy on an attacker, though.
Change These System Settings to Protect Your Privacy
When you first get your phone, it's a good time to start protecting yourself. During the setup, make sure you disable any options asking to track your data. After that (or if you've already set up your phone), there are a number of precautions you can and should take. We recommend everything on the following list, but they all come with some convenience sacrifice, so decide for yourself which ones you need:
- Set a strong alphanumeric password. Android gives you the option to use a pattern or PIN to lock your phone, but to be safe, you should use a strong alphanumeric password. Open the Settings app and head to Security > Screen Lock. Set a password that includes numbers and letters.
- Don't use your fingerprint to sign in. Fingerprint sensors are convenient, but the law around them is complicated. While it's still being hashed out in the courts, currently in the US police can compel you to use your fingerprint to unlock your phone. It's better to just not use it at all. On Nexus and Pixel devices, head to Settings > Security > Pixel Imprint and delete any fingerprints you've saved.
- Encrypt your phone (if it isn't already). Some manufacturers don't encrypt your phone by default. If you have to enter a PIN before the phone boots up, it's probably encrypted already. Just to be sure, head to Settings > Security. Under Encryption, you should see "Encrypt phone". If it says "Encrypted" below that, you're good. Otherwise, tap it and follow the instructions to encrypt your phone. This may take a while and it may slow down some older phones, but it's worth it to protect your data.
- Hide notification information from the lock screen. Android will show notifications even when your phone is locked, but you can hide sensitive information if you don't want prying eyes to see. Head to Settings > Notifications then tap the gear icon at the top. Finally, tap "On the lock screen". You can either choose "Hide sensitive notification content" to conceal things like messages and email contents, or "Don't show notifications at all" to ensure no one sees anything.
- Disable Google's tracking activity. Google is the biggest glutton for data around, so disabling their tracking is almost a Sisyphean task, but you can at least turn off as much as you can. Head to this link, click the menu button at the top and choose "Activity Controls". Here, you can disable location tracking, search tracking, voice tracking and even your YouTube history. Note, Google may still keep some anonymised info about you, but this can minimise how much they have.
- Turn off Google backup. Google backs up a ton of information about your device, including call history, apps and even what Wi-Fi network you're connected to. If you'd rather Google not have that info, head to Settings > Backup & reset > Backup. You can either disable backups entirely (and make your own) or selectively disable the data you don't want to store.
- Turn off any unnecessary app permissions. As of Android 6.0 (Marshmallow), Google finally lets you pick which permissions to give to apps. For starters, that means you should probably get an Android phone running Marshmallow if you're concerned for your privacy. Then, head to Settings > Apps and tap the gear icon at the top. Then tap "App permissions". Here you'll be able to see permissions for things like Calendar, Contacts, Location and Microphone. Tap each one and disable any apps you don't trust. Keep in mind that this may break some apps, especially if you're not sure why they need that permission. If you're really not sure you can trust an app, you might be better off uninstalling it.
- Turn on two-factor authentication. Your account is only as safe as your password (which isn't very safe) unless you enable two-factor authentication. You can turn it on for your Google account here, and then for any of your other accounts on this list. It's also a good idea to use an app like Authy to manage your authentication tokens, since it lets you lock the app with a PIN. This protects your tokens in the event someone steals and unlocks your phone.
- Enable Android Device Manager. ADM can find your phone remotely, so it might be a bit of a toss-up from a privacy standpoint. On the one hand, it means Google will have information about where you are. However, you can also use it to locate or wipe your phone remotely. If you want that nuclear option in case you lose your device, this might be a good tool to have.
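The app permission review from the list above can also be done from a computer. The following is an added example, not part of the original article: it parses text laid out like the output of `adb shell dumpsys package` and reports which apps currently hold a granted permission in the Calendar, Contacts, Location or Microphone groups. The `audit` function, the sample dump and its package names are constructed for illustration, and the line layout the parser expects is an assumption modelled on that command's output.

```python
import re
from collections import defaultdict

# Runtime permissions behind the four groups the article names.
SENSITIVE = {
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.WRITE_CALENDAR": "Calendar",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.GET_ACCOUNTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.RECORD_AUDIO": "Microphone",
}

# Assumed layout: a "Package [name]" header, then "<permission>: granted=..." lines.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def audit(dump_text):
    """Return {group: sorted packages that hold a granted permission in it}."""
    found = defaultdict(set)
    package = None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)  # later permission lines belong to this app
            continue
        m = PERM_RE.match(line)
        if m and package and m.group(2) == "true" and m.group(1) in SENSITIVE:
            found[SENSITIVE[m.group(1)]].add(package)
    return {group: sorted(pkgs) for group, pkgs in found.items()}

# Constructed sample, not captured from a real device.
SAMPLE = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.RECORD_AUDIO: granted=true
        android.permission.READ_CONTACTS: granted=false
  Package [com.example.notes] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for group, pkgs in sorted(audit(SAMPLE).items()):
        print(f"{group}: {', '.join(pkgs)}")
```

An app that shows up under a group it has no obvious need for, like the flashlight app in the sample, is the one to revoke in Settings or uninstall.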
That should handle a lot of the data and vulnerabilities that come with having an Android phone (though you should still assume there's some kind of data being tracked from your account). However, that's only part of the equation. Next, you'll need to take a look at the apps you use every day.
The Productivity Apps That Protect Your Privacy
Most productivity apps are designed to help you get stuff done as conveniently as possible. Protecting your privacy, however, is rarely the most convenient option. Consequently, you might need to use apps that are designed to protect as much data as possible, even if they have to forgo useful features like cloud syncing or complex computer analysis. Some, like a VPN, you might not need all the time, but you should almost always be using apps like a password manager.
Also keep in mind that if you received your phone from your company through the Android at Work program, your data will still be visible to them even if you use these apps. If you want to keep your information as private as possible, use your own phone and keep it as locked down as possible.
Web Browser: Brave
While lots of browsers claim to protect your privacy, we've found that Brave stood out as one of the best. It uses HTTPS Everywhere to keep your traffic encrypted and it blocks scripts, cookies, phishing and pop-ups. If you find that a site doesn't work with Brave, you can selectively re-enable each of those features to figure out what's breaking the site and even whitelist it if you decide it's worth it to you.
On the desktop, Brave has a weird system that lets users choose to pay publishers. However, this doesn't appear to exist in the mobile version, so you can safely ignore it. It isn't perfect, but it gives you a lot more flexibility to block third-party data tracking than Chrome does.
Email: ProtonMail or Gmail
For the most thorough email privacy, ProtonMail is the way to go. It encrypts all of your messages by default. You can send email to other ProtonMail users and they will be able to read it like normal. If you send it to anyone else, they will be given a link where they will need to enter a password in order to read your message. This is a very inconvenient way to send email, but if you need to guarantee that no one but the recipient reads your email, this is the way to go.
If you're slightly less paranoid, Gmail is still an excellent way to keep your email private from everyone except, well, Google. Every email is sent over SSL and Google encrypts each message from sender to receiver. Unfortunately, Google itself is still able to see and scan your emails, and it may even have to turn some data over to the government if it receives a legal request. However, Gmail will at least protect your messages from some random snooper or someone who finds your phone (as long as you have a strong password and two-factor authentication, like we mentioned earlier).
In general, email is pretty hard to secure since it always relies on a third-party server to send messages. If you have a good reason to wear your tinfoil hat, you can always try rolling your own email server, but keep in mind it's really hard.
Messaging: Signal or WhatsApp
If you really need to communicate with someone securely, Signal and WhatsApp are going to be much better for your privacy than email. Both of these apps feature end-to-end encryption, they don't store your messages after they have been delivered and they can both do voice calls on top of text messages. Inconveniently, both parties will need to have the app installed to use it, but it's fairly easy to set up an account.
For those who want the absolute most privacy possible, however, Signal offers a slight edge. It doesn't store metadata about who you're talking to, but WhatsApp does. Neither app knows what you're talking about, but WhatsApp knows who you're talking with and when. If WhatsApp receives a legal warrant, it can hand over that data. WhatsApp can also back up your messages to Google Drive, though they're encrypted so that shouldn't be that big of a deal. Even if law enforcement requested it from Google, they wouldn't be able to read it. Still, it's important to know that the backup is there.
Password Manager: LastPass or 1Password
The best way to protect a strong password is to not know what it is. Password managers can generate long, complicated passwords for you and automatically enter them into the sites you visit. Our favourite password managers are LastPass and 1Password.
LastPass is free and lets you sync your password vault across platforms, but the downside is that it uses its own servers to do it. While your data is encrypted while it's on LastPass's servers, it's still possible for it to get hacked if someone targets the company, which happened once. Their encryption was strong enough to prevent the attackers from gaining access to users' stored passwords, which is encouraging, but if you need to be super careful, you might not want to risk it.
1Password, on the other hand, offers two kinds of syncing. You can pay $US3 ($4)/month to sync your account through 1Password's servers, or you can just use your own Dropbox account. You can also skip syncing altogether and store all your passwords in a local vault and manually copy them from one device to another when you need to. This makes sure that no one can get access to your vault, even if they attack a third party.
VPN: Hideman, TunnelBear or NordVPN
Using a VPN is the most basic way to secure all of your web traffic. Once you connect to a VPN, your traffic is encrypted so no one snooping can see what you're looking at. This is particularly useful when you're on public networks where you might not control your internet connection.
On this front, we like Hideman, NordVPN and TunnelBear. Each service requires a monthly fee, but you get a small allotment of data for free each month. You won't want to watch hours of Netflix with it, but it can help cover your traffic when you're at the airport or hotel.
Notes: Notes Lock
Google Keep was a surprise hit for note takers, but you can't lock your notes down and they're all stored on Google's servers to boot. Notes Lock, on the other hand, keeps all your notes on your device and secures them behind a pass code, PIN or pattern lock (though for the best security, you should probably use the pass code). You can use Notes Lock to write down notes or create to-do lists in a variety of colours and fonts. Even as a generic notes app it's pretty robust, which makes the security features the icing on the cake.
If you want to sync your notes, you can choose to save your notes vault to Dropbox to share it between devices. Like with 1Password, this gives you more control over how your data is stored, rather than passing it off to a company like Google. Of course, this means someone could find your notes vault in Dropbox, but it will still be encrypted so they shouldn't be able to read it anyway.
Cloud Storage: SpiderOak
Dropbox is pretty good at protecting your data, but if you need to go one step further, SpiderOak is the best way to store data in the cloud and keep it secure. The company employs a "zero knowledge" policy, encrypting your files locally before you even upload them so it can't read what's in them. SpiderOak doesn't offer any free storage, but it offers 100GB/month for $US5 ($6) which is competitive with services like Dropbox and Google Drive.
This should be a good start to protecting your typical Android usage from prying eyes. Nothing in here (or anywhere, really) is 100 per cent bulletproof, but you'll be one step ahead of the pack, which is often enough to get your everyday attacker off your back.