Best way to secure Android? Stop using it.

Before we dive into modifying your Android device, it must be pointed out that Google has a horrible track record of violating user privacy and ignoring any attempts to turn off location services and data collection. In essence, Google wants to monitor everything you do on your Android device because this data helps Google make money through targeted advertisements.

Therefore it may be best to consider an alternative, such as a Linux-based phone (Librem 5) or a different operating system on your Android phone (such as LineageOS).

Nonetheless, if you want to stick with Android, we shall continue…

Many Android apps have been exposed as dangerous security threats: infecting devices with malware, stealing your bandwidth, and exposing your private information to third parties. Google regularly removes malware-infested apps from the Play Store, and many of them were highly rated and trusted by millions of users right up until removal.

Many people are turning to virtual private networks (VPNs) for added security, privacy, and to access blocked content. But be careful when considering VPN apps for your Android device. One team of researchers found that most Android VPN apps are insecure and dangerous.


Delete those Android apps

Given that most applications are a privacy nightmare, consider deleting everything that isn’t absolutely essential for your life. Here are a few categories of apps you may want to remove:

  • Social media (Facebook, Twitter, Instagram, etc.)
  • Games (Angry Birds, Words with Friends, Despicable Me)
  • Weather (GO Weather Forecast & Widgets)
  • Transportation (Uber, Lyft, and other location-tracking apps)
  • Messenger/Photos/Chat (Snapchat, WhatsApp, QQ)
  • Drawing/photo editing

With bad apps, you might not find out they’ve stolen your data or messed up your device until it’s too late. There are other categories that didn’t make the list above, but the general rule still applies: if it’s not absolutely essential, just delete it.

F-Droid

One great alternative to the Google Play Store is F-Droid. F-Droid is a large catalogue of free and open source software (FOSS); every app is built from its published source, and apps that carry anti-features such as tracking or proprietary dependencies are flagged as such in the catalogue. Unlike the Google Play Store, it does not violate your privacy.

Find replacement alternatives to the apps above in our Android repository.

If you don't use an app, uninstall it.

Every application comes with its own security problems. Most Android software vendors do a good job of updating their programs. Most of them. If you're not using an application, get rid of it. The fewer program doors you have into your smartphone, the fewer chances an attacker has to invade it.

Check app permissions

It’s also a good idea to check in on your app permissions every now and again. Since Android 6.0, an app that needs access to things like the microphone, camera, contacts or location asks for it at runtime, usually the first time you launch it. A lot of the time we just tap away access without realizing what is being asked for, but you can always go back and revoke it after the fact. Head over to Permissions inside Apps in Settings (the exact path varies by vendor and Android version) and you’ll be able to see which apps are allowed to do what, and turn off anything that looks suspicious. Permissions an app declared at install time (internet access, for example) are not shown there and cannot be revoked.
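
The same audit can be done from a computer over adb, which is faster than tapping through every app. The script below is an added example, not code from the page or from Google: it runs the real `adb shell pm list packages -3` and `adb shell dumpsys package <pkg>` commands, parses the "runtime permissions:" block that dumpsys prints, and lists which sensitive permissions each third-party app actually holds, together with the `pm revoke` command to take each one away. The SAMPLE_DUMPSYS text at the bottom is a constructed stand-in for real dumpsys output so the parser can be exercised without a device.

```python
"""Audit the runtime permissions that third-party Android apps actually hold.

Added example (not from the original page). Drives the real adb commands
`pm list packages -3` and `dumpsys package <pkg>` and parses the
"runtime permissions:" section of the latter. SAMPLE_DUMPSYS is constructed
for offline testing; the package name and flags in it are made up.
"""
import re
import subprocess
import sys

# Permissions a practitioner usually wants to review first. For the full
# list of dangerous permissions on a device: adb shell pm list permissions -g -d
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# One line of the runtime block looks like:
#   android.permission.CAMERA: granted=true, flags=[ USER_SET]
_PERM_RE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)")


def parse_runtime_permissions(dumpsys_text):
    """Return {permission: granted} parsed from `dumpsys package` output.

    Only the 'runtime permissions:' section is read; install-time permissions
    are printed elsewhere and cannot be revoked by the user anyway.
    """
    grants = {}
    in_runtime = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("runtime permissions:"):
            in_runtime = True
            continue
        if in_runtime:
            m = _PERM_RE.match(line)
            if m:
                grants[m.group(1)] = (m.group(2) == "true")
            elif stripped:
                in_runtime = False  # first non-permission line ends the block
    return grants


def sensitive_grants(grants):
    """Sorted names of SENSITIVE permissions that are currently granted."""
    return sorted(p for p, ok in grants.items() if ok and p in SENSITIVE)


def adb(*args):
    """Run `adb shell <args>` and return its stdout (requires USB debugging)."""
    result = subprocess.run(["adb", "shell", *args], capture_output=True,
                            text=True, check=True)
    return result.stdout


def audit_device():
    """List every third-party package holding a sensitive runtime permission."""
    pkgs = [l.split(":", 1)[1].strip()
            for l in adb("pm", "list", "packages", "-3").splitlines()
            if l.startswith("package:")]
    for pkg in pkgs:
        held = sensitive_grants(parse_runtime_permissions(adb("dumpsys", "package", pkg)))
        for perm in held:
            print(f"{pkg}  {perm}   revoke: adb shell pm revoke {pkg} {perm}")


# Constructed sample mirroring the layout of real dumpsys output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.weather] (7a3f1c2):
    userId=10187
    versionName=4.2.0
    User 0: ceDataInode=12345 installed=true hidden=false
      gids=[3003]
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    if "--live" in sys.argv:
        audit_device()
    else:
        print("sample:", sensitive_grants(parse_runtime_permissions(SAMPLE_DUMPSYS)))
```

Run it with `--live` against a connected device; without the flag it only parses the constructed sample. `pm revoke` works for runtime permissions on stock Android without root, but some vendors re-grant permissions to their own bundled apps on the next update, so repeat the audit after system updates.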

Block ads, tracking, and malware…

Recently there has been an explosion of malware affecting Android devices. Malware delivered through advertising networks is known as malvertising. Online ads are an easy attack vector for the following reasons:

  • Most sites host ads that are fed in from untrustworthy, third party domains
  • Third party advertising domains can be hijacked or compromised to inject malware and ransomware into ads
  • No clicks are required – your device can be infected simply by loading the website

This growing problem is even affecting major websites such as the New York Times and BBC.

However, be careful when selecting an ad blocker. Many of the free ad blockers make money off your data and work directly with advertising companies for profit. Remember the old saying, when it’s free, you are the product.

At home...

One great solution for your home network is NoTrack or Pi-hole: a DNS sinkhole that answers queries for advertisement, malware and phishing domains with an unroutable address, so every device on the LAN is covered without installing anything on the phone. If you don't want to run your own software, you can instead point your router at a public DNS resolver that offers content filtering.

On the go...

You have options such as AdGuard, Blokada, AdAway, and DNS66.

  • [Root Required] AdAway replaces your /etc/hosts file with one built from a blocklist, so blocked hostnames resolve to a sinkhole address system-wide. You can add your own blocklist; here's a good one.
  • AdGuard is a paid solution and can consume noticeable resources (do not use on old phones).
  • Blokada creates a local VPN connection (no third party involved) and simply drops any requests towards the hosts defined in the blocklist filters. You can configure Blokada with your own custom filters and whitelists.
  • DNS66 is a little different from Blokada. It still creates a local VPN connection, but with a few exceptions: it forwards DNS to third-party servers (e.g. Cloudflare) instead of resolving locally, and it blocks any requests towards the hosts defined in the blocklist filters. You can configure DNS66 with your own custom filters and whitelists, and add your own custom DNS upstream.

Two caveats apply to all of these. A hosts-style list matches exact hostnames only, so blocking ads.example.net does nothing for www.ads.example.net unless that name is listed too. And because Android allows only one active VPN at a time, the local-VPN blockers (Blokada, DNS66) cannot run alongside a real VPN app.
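
To make the hosts-file mechanics concrete, here is an added example (not code from AdAway, Blokada or DNS66) that merges blocklists in the two common layouts, applies an allowlist, renders AdAway-style /etc/hosts lines, and exposes a lookup with the exact-match semantics a hosts file actually has next to the subdomain-aware matching a resolver-level wildcard rule gives you. SAMPLE_LIST_A and SAMPLE_LIST_B are constructed stand-ins for downloaded lists; the hostnames in them are made up.

```python
"""Merge hosts-format blocklists and check what they really block.

Added example, not code from AdAway, Blokada or DNS66. Handles both common
list layouts ("0.0.0.0 host" hosts lines and bare domain-per-line lists),
strips comments and duplicates, applies an allowlist and renders /etc/hosts
lines. SAMPLE_LIST_A/B are constructed stand-ins for downloaded lists.
"""
import ipaddress
import re

SINKHOLE = "0.0.0.0"  # unlike 127.0.0.1 this never triggers a local connect attempt
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                  "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                  "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def parse_blocklist(text):
    """Yield normalised hostnames from hosts-format or domain-only text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
            hosts = parts[1:]                  # "<ip> host [host ...]" layout
        except ValueError:
            if len(parts) != 1:
                continue                       # unknown layout: skip, don't guess
            hosts = parts                      # bare "host" layout
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in LOOPBACK_NAMES or not _HOST_RE.match(host):
                continue
            yield host


def build_blocklist(sources, allowlist=()):
    """Union of all sources minus the allowlist, sorted so the output is stable."""
    blocked = set()
    for text in sources:
        blocked.update(parse_blocklist(text))
    return sorted(blocked - {a.lower() for a in allowlist})


def render_hosts(hosts):
    """AdAway-style /etc/hosts lines: one host per line, all at the sinkhole."""
    return "".join(f"{SINKHOLE} {h}\n" for h in hosts)


def is_blocked_hosts_file(hostname, blocked):
    """A hosts file is consulted by exact name only: no wildcards, no subdomains."""
    return hostname.lower().rstrip(".") in set(blocked)


def is_blocked_with_subdomains(hostname, blocked):
    """What a resolver-level wildcard rule (e.g. a Pi-hole regex entry) gives you:
    the name itself or any parent domain being listed blocks it."""
    blocked = set(blocked)
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


# Constructed sample lists (hostnames are made up).
SAMPLE_LIST_A = """\
# hosts-format list
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.net
0.0.0.0 metrics.example-tracker.net   # analytics beacon
0.0.0.0 CDN.Example-Ads.com
"""
SAMPLE_LIST_B = """\
# domain-only list
ads.example-tracker.net
telemetry.example-vendor.com
"""

if __name__ == "__main__":
    blocked = build_blocklist([SAMPLE_LIST_A, SAMPLE_LIST_B],
                              allowlist=["telemetry.example-vendor.com"])
    print(render_hosts(blocked), end="")
    for name in ("ads.example-tracker.net", "www.ads.example-tracker.net"):
        print(name, "hosts-file:", is_blocked_hosts_file(name, blocked),
              "wildcard:", is_blocked_with_subdomains(name, blocked))
```

The two lookup functions are the point: the same list blocks `ads.example-tracker.net` either way, but only the wildcard-style match catches `www.ads.example-tracker.net`, which is exactly why hosts-based blockers need very long lists and still miss freshly minted subdomains.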

For the Firefox browser on Android you have uBlock Origin, which blocks inside the browser only; it does not cover other apps.

Secure messaging

Governments, corporations, and hackers have been spying on text messages and listening to calls for years. The biggest messaging app (WhatsApp) is owned by Facebook, a company that has been helping governments illegally spy on citizens since 2009. WhatsApp has used the Signal Protocol for end-to-end encryption of message content since 2016, but the client is closed source, so the implementation cannot be independently verified; metadata about who you talk to and when is collected by Facebook; chat backups uploaded to Google Drive are not end-to-end encrypted by default; and the app has had its share of known security issues.

Solution (secure messaging app): use a messaging application with end-to-end encryption, such as Signal or Wire. Both are third-party apps, but they are good options that work well:

Signal is a free, open-source messaging app built on the Signal Protocol (the Double Ratchet with Curve25519 key agreement and AES-256 message encryption). When you install Signal it integrates well with your Android device, and the protocol provides perfect forward secrecy: a key compromised today does not expose messages exchanged earlier.

Wire is another good option, and it is more than just a messaging app.

See additional secure messaging apps on the privacy tools page.

2FA (Two-Factor Authentication)

Twofactorauth.org maintains a list of websites and whether or not they support 2FA.

You can then use an authenticator app; the best, I believe, is andOTP, which supports both Time-based One-time Passwords (TOTP) and HMAC-based One-time Passwords (HOTP). Generate unique codes right on your phone rather than receiving them over SMS: an SMS code can be intercepted or redirected to an attacker through a SIM-swap attack on your carrier, whereas an app-generated code is derived from a secret that never leaves the device.
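
To show what an authenticator app actually computes, and why the code never has to travel over the network, here is an added example (not andOTP's code): HOTP and TOTP exactly as specified in RFC 4226 and RFC 6238, a base32 decoder for the secret carried in otpauth:// enrolment QR codes, and the verification step a server should perform, with constant-time comparison, a small clock-skew window and replay protection. The only input is the published RFC test secret, so the expected codes can be checked against the RFC tables.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an authenticator app computes them.

Added example, not andOTP's code. Both ends hold the same secret; the phone
derives the code from the secret plus a counter (HOTP) or the clock (TOTP),
so nothing secret crosses the network. verify_totp() shows the server side.
RFC_SECRET is the test secret published in both RFCs.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algo)


def secret_from_base32(b32):
    """otpauth:// URIs carry the secret as (often unpadded) base32; pad and decode."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret, code, now, last_used_counter=None, window=1,
                step=30, digits=6):
    """Server-side check. Returns the accepted time-step counter, or None.

    - compares in constant time (no timing oracle on the digits)
    - tolerates +/- `window` steps of clock skew between phone and server
    - refuses any counter <= the last accepted one, so a sniffed code
      cannot be replayed even inside the window
    """
    base = int(now) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


RFC_SECRET = b"12345678901234567890"   # the test secret from RFC 4226 / RFC 6238

if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    print("TOTP now:", totp(RFC_SECRET))
    print("accepted step:", verify_totp(RFC_SECRET, totp(RFC_SECRET, 59, digits=8), 59, digits=8))
```

The replay check is the part most home-grown verifiers forget: within a 30-second step (plus the skew window) the same code is valid several times, so the server must remember the last counter it accepted. Note also that this is why the secret must be kept as carefully as a password on both ends; the phone's copy is only as safe as the device encryption and the app's own backup handling.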

If you want the strongest protection for your accounts, nothing beats a hardware security key such as an NFC key from Yubico. Roughly the size of a flash drive (so you can attach it to a keychain), a security key dispenses with typed codes: the private key never leaves the device, and it signs a challenge that is bound to the site's origin, so a phishing page on a look-alike domain cannot replay the response. Without the physical key, a stolen password on its own is not enough to get in.

Password management

Storing passwords on your device unencrypted, or relying on Google's built-in password manager, isn't ideal. Consider a dedicated password manager such as Bitwarden, or a KeePass-compatible app (KeePassXC itself is desktop-only, but Android apps such as KeePassDX open the same .kdbx database file).

Password managers can usually also generate ultra-strong passwords, so you don’t have to put the effort in yourself. And once installed, these apps will auto-fill your logins.

One important note: do not use autofill/autotype. There are proven cases of ad networks deploying fake hidden credential fields to steal your username and password: a third-party script adds an invisible login form to the page, the browser or password manager fills in the saved credentials, and the script reads the values out. Disabling autofill (or at least requiring a tap before anything is filled) ensures user interaction is required to use your credentials. There is even a demo showcasing autofill abuse.
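
To make the attack concrete, here is an added example (not the demo the page refers to, and not any password manager's code): a scanner that walks the input elements of a page and flags credential-type fields that are hidden or pushed off-screen, which is the heuristic a cautious password manager would apply before filling. SAMPLE_PAGE is a constructed page containing one legitimate login form and one injected, invisible form of the kind a tracking script plants; the thresholds used for "off-screen" are an assumption, not a standard.

```python
"""Flag invisible credential fields of the kind used to abuse autofill.

Added example (not the page's demo, not a password manager's code). A script
injects a login form the user never sees; autofill populates it; the script
reads the values. This scanner flags credential-type <input>s that are hidden
or off-screen. SAMPLE_PAGE is constructed; the off-screen threshold is a guess.
"""
import re
from html.parser import HTMLParser

CREDENTIAL_NAMES = {"username", "user", "email", "login", "password", "pass",
                    "current-password", "new-password"}


def _hidden_by_style(style):
    """Heuristic: display:none, visibility:hidden, opacity:0, zero size or far off-screen."""
    rules = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            rules[k.strip().lower()] = v.strip().lower()
    if rules.get("display") == "none" or rules.get("visibility") == "hidden":
        return True
    if rules.get("opacity") in ("0", "0.0"):
        return True
    if rules.get("width") in ("0", "0px") or rules.get("height") in ("0", "0px"):
        return True
    for key in ("left", "top"):
        m = re.match(r"-?\d+", rules.get(key, ""))
        if m and int(m.group()) <= -1000:          # assumed off-screen threshold
            return True
    return False


class _InputCollector(HTMLParser):
    """Collect every <input>, remembering whether its enclosing <form> is hidden."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self._form_hidden = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # boolean attributes map to None
        if tag == "form":
            self._form_hidden = "hidden" in a or _hidden_by_style(a.get("style") or "")
        elif tag == "input":
            a["_form_hidden"] = self._form_hidden
            self.inputs.append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_hidden = False


def find_autofill_traps(html):
    """Return the name/id of each credential-type input that the user cannot see."""
    parser = _InputCollector()
    parser.feed(html)
    traps = []
    for a in parser.inputs:
        names = {(a.get(k) or "").lower() for k in ("name", "id", "autocomplete")}
        if (a.get("type") or "").lower() == "password":
            names.add("password")
        if not names & CREDENTIAL_NAMES:
            continue                         # not a field autofill would treat as a credential
        hidden = a["_form_hidden"] or "hidden" in a or _hidden_by_style(a.get("style") or "")
        if hidden:
            traps.append(a.get("name") or a.get("id") or "?")
    return traps


# Constructed page: a real login form plus a form injected by a tracking script.
SAMPLE_PAGE = """
<html><body>
<form action="/login">
  <input name="username" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
  <button>Sign in</button>
</form>
<!-- injected by a third-party script; never visible to the user -->
<form id="ad-track" style="position:absolute; left:-9999px; top:0">
  <input name="email" autocomplete="email">
  <input name="password" type="password">
</form>
<input name="search" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    print("hidden credential fields:", find_autofill_traps(SAMPLE_PAGE))
```

The visible form and the hidden non-credential field pass; only the two inputs inside the off-screen form are reported. A browser that fills those silently has just handed the embedded script your login, which is the behaviour the advice above is guarding against.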

Wi-Fi Tracking

When Wi-Fi is enabled on your smartphone, it continually scans for nearby networks by broadcasting probe requests. These radio signals can be collected and examined; your smartphone does not have to be connected to any WLAN. The same applies to Bluetooth. The signals can be used to identify and track devices in shopping malls, streets or conference halls, and to build detailed movement profiles that tell a shop owner, for example, how many people pass the store and how customers move inside it. Newer Android versions randomize the MAC address used in probe requests, which blunts this tracking but does not eliminate it. You can prevent this form of surveillance by:

Manually disabling your Wi-Fi interface; this also applies to Bluetooth or any other radio that you do not need.

Automatically, with an app such as Wi-Fi Automatic.

Lockdown mode

There's a feature called Lockdown mode, added in Android 9 (Pie), that lets you completely secure your phone at a tap. Hold down the power button for a second and you’ll see a Lockdown option at the bottom of the list. (If you don’t, you can enable it in the Lock screen settings.) Tap it and your phone will instantly lock, disable fingerprint and face unlock (so someone can’t force your finger onto the sensor), hide all notifications from the lock screen, and disable Smart Lock. It stays that way until you unlock with your PIN, pattern or password.

Keep your device updated

If you want your Android device to be safe against the latest malware, keep it up to date. Google and the smartphone manufacturers regularly release minor updates that carry the latest security patches. While these updates don’t seem very important, they are: they close the holes that in-the-wild malware actually exploits. You can check where you stand under Settings > About phone > Android security patch level; if that date is many months old and no update is offered, the vendor has stopped patching, and it is time to consider LineageOS or a newer device.

Secure your Android settings

For privacy and security, it’s a good idea to modify your Android settings. Modifying these settings will greatly enhance the security of your device while also protecting your privacy. Here’s what you can do:

  • Stop unauthorized apps from installing. Android can install apps from outside the Play Store (sideloading), which is how much malware arrives. Go to Settings > Security > Unknown sources and turn it off. On Android 8 and later this is a per-app setting under Special app access > Install unknown apps; deny it for every app except the one you deliberately sideload from (for example F-Droid).
  • Set a strong password (rather than a fingerprint or short passcode). You can do this from Settings > Security > Screen lock.
  • Enable auto-lock for your device. Go to Settings > Security > Automatically lock (Immediately).
  • Disable built-in Google services. These “services” collect your data, target you with ads, and put your privacy and security at risk. The best option is to not sign into Gmail, and/or manually change these services in Google Settings.
  • Encrypt your device. Most devices running Android 6.0 or newer are encrypted out of the box; on older devices go to Settings > Security > Encrypt device (follow the prompts). This may slow down older hardware, but it is what protects your data if the phone is lost or seized.
  • Disable cloud backup storage. Google has been a close partner of law enforcement (and the NSA) for years, providing them with private customer data, and that data can also be hacked and published online. So go to Settings > Backup & reset > Back up my data (disable).
  • Say no to advertisement tracking. This is another way for Google and its advertising partners to track your behavior and then hit you with personalized ads. Go to Google Settings > Ads > Opt out of interest-based ads, and reset your advertising ID on the same screen.
  • Disable location tracking and clear location history. Again, this information is used for customized ads, so turning it off is a great idea. Go to Settings > Location (turn off with the top switch), then Google Location History (scroll to the bottom and turn off), and finally Delete Location History.

Just doing the modifications above will go a long way toward improving your privacy and security.

Conclusion

This secure Android setup provides you with the following advantages

  • You won’t have unnecessary/dangerous apps collecting your data.
  • Advertisement, malware, and tracking domains are now blocked.
  • If you need messaging or VoIP, all calls and messages will be end-to-end encrypted.
  • Your Android settings will provide you with further privacy and security, with the recommended changes above.