The smartphone is one of the most invasive devices ever invented. It’s easy to forget that, of course, because we are so familiar with them, and they are so useful. But while you might value your smartphone for the convenience it gives you, tech companies value it for an entirely different reason: it is collecting data on everything you do.

If you believe, like us, that privacy is a human right, Android is something of a nightmare. Most people who use Google services are aware the company is tracking their location, checking which websites they go to, recording their voice, and reading their emails. What a lot of people forget is that Android was developed by Google, and is one of the most important tools for this data collection.

It is possible, though, to use Android in a way that drastically limits the amount of data you are sharing with Google (and other companies who want your data). In this guide, we’ll show you how to do that.

In each step below, we’ll show you how to use the settings menu on your device to increase your security and privacy. Most of the menus we mention will be the same for most current Android devices, but since devices vary you might find these options in a slightly different location or named differently. With a little poking around in your device’s menu, you should be able to find the relevant option.

The basic principle: Turn everything off

Before we begin with the specific steps necessary to make your Android device more private, let’s highlight a basic principle of using your phone: turn off all the connectivity you do not need.

This goes for whatever smartphone, and whichever operating system, you have. Don’t let your phone connect to unknown WiFi networks because they may be a source of malware. Don’t leave your Bluetooth on because there are plenty of Bluetooth security vulnerabilities. Don’t connect your phone to your computer (if you can avoid it), because smartphones can also act as a reservoir of malware, and your phone can be infected without you realizing it.

In short: if you are not using a service right now, turn it off.

With that out of the way, let’s make your phone more secure. Here is a short(ish) list of how to do that.

1. Avoid Google Data Protection

First and foremost, you should be aware of Google’s fake commitment to privacy and limit the data the company collects from your phone. Android phones let you do this, but it is hidden. Go to your settings, and look for “activity controls.” Here, you can limit the data that Google is collecting via your phone.

Going further, you can even use your Google device without signing into your Google account. Unfortunately, this really limits what you can do with your phone.

2. Use a PIN

Another basic privacy step is to lock your phone with a personal identification number (PIN). Locking your phone prevents random strangers from being able to get into it and keeps your data private in the event that your phone is stolen or one of your friends “borrows” it.

When you set up a PIN on your device, some versions of Android will ask you if you want to encrypt the device as well. This is also a good idea, and we’ll come to that process shortly.

In 2019, it might seem a bit old-fashioned to use a PIN (or, even better, an alphanumeric password), but in terms of data privacy, a PIN is still king. That’s because if you are using the other locking methods that Android provides — your fingerprint or face recognition — you are consenting for this biometric information to be stored on your phone, and occasionally transmitted to Google.

3. Encrypt your device

Encrypting your entire phone is pretty simple, but not many people do this. Encryption, though, is by far the best way to keep your data private, whether your phone is hacked or stolen.

Encrypting your phone can be done from the “security” menu in Android. You need to enter a PIN to do this, and the phone needs to be plugged in. Just don’t forget the PIN, because if you do all of the data on your phone may be lost forever.

4. Keep your software up-to-date

Everyone knows that keeping your software up-to-date is incredibly important, but even the most security-conscious people sometimes skip that annoying notification. If you don’t keep your phone updated, you are opening yourself up to vulnerabilities that can be exploited by hackers to steal your data.

In Android, you can update your software at any time by going to Settings > About Phone > System Update.

5. Be wary of unknown sources

By default, Android locks down the sources of software you can use by only allowing you to download apps from “approved sources” that have been vetted by Android developers. This is actually something that Android has inherited from Linux, which the OS is based on. However, sometimes your phone asks you to enable “unknown sources” for software, and if you’re in a rush you can accidentally turn this on. You should never trust software from these sources: some of it is malware, and some of it is merely riddled with security flaws.

To disable unknown software sources, go to Settings > Security > Unknown Sources, and uncheck the box. It’s probably not enabled anyway, but it doesn’t hurt to check.

6. Check app permissions

Yep. You know already that you should carefully check all of the permissions that an app asks for when you install it, but in a hurry you may not. There is no hard-and-fast rule when it comes to checking these permissions, but there is a good guiding principle: are the permissions an app is asking for appropriate for what it does? Does this silly game you’ve downloaded really need to access your camera, contacts, and microphone? Probably not.

The situation, when it comes to app permissions, has improved in recent years. In response to user concerns over privacy, Android apps now ask for (almost) all of the permissions they need. They will also ask for these selectively, so you can use an app without granting it all the permissions it asks for. An app will ask for Bluetooth permission, for instance, only when you try to use this functionality.

On the other hand, there are some permissions that are so “basic” that they are not even counted as permissions by Android. The most striking example of this is access to your Internet connection. All apps are granted this permission by default, they will not ask you to confirm this, and you cannot disable it. This means that even your flashlight app can send and receive data.

You should check the permissions that an app asks for when you install it, but you should also audit your apps frequently to make sure that you have not granted them more permissions than they need. Building this kind of audit into your monthly schedule is a great way of staying on top of your cybersecurity, since you can easily spot extra permissions that you may have granted in a rush. To check these permissions, go to Settings > Apps > ⚙ icon > App permissions.

In general, if you think an app is asking for greater permissions than necessary, look for an alternative that takes your privacy more seriously.

7. Review your cloud sync

Plenty of apps request permission to sync data with the cloud, and sometimes you might want them to do this. There are many advantages of cloud storage for messaging apps and those that store important data. But, just like checking the permissions they ask for, you should also limit the number of apps you have syncing to the cloud.

You can turn off cloud syncing for individual apps by going to Settings > Accounts, and then tapping on the app name.

8. Hide notifications

An often overlooked way of making Android devices more private is simply to turn off notifications on the lock screen. That way, someone who picks up your phone won’t be able to see your contacts, message previews, reminders, and alerts.

Turning off these notifications is easy. Just go to Settings > Sound & Notifications.

9. Review default apps

Now we’re getting to some more technical measures. Android opens certain types of files with certain apps, and these are controlled by a list held in Settings > Apps > ⚙ icon > Default. Here, you can see which apps Android uses for each type of file.

The key here is to make sure that Android is using the most secure apps available to open particular files. If you’ve installed ProtonMail, for example, make this your default app for email. The same goes for any other secure app you download because by default Android opens everything with the least privacy-focused apps available (i.e. the apps made by Google, which wants to spy on you).

10. Don’t share your location with apps

Many apps request that you share your location with them. For some apps, this is incredibly useful. In fact, some apps lose all functionality unless you give them your location data.

On the other hand, plenty of apps that don’t need to know where you are ask for this information. This, in fact, has been one of the major security concerns of the 5G network, and why Huawei is banned from taking part in it. There was a fear that the Chinese tech giant was collecting location data by default for everyone who used their hardware, and that this could be used to identify individuals even when they had taken precautions against this.

To turn off location permissions for your apps, go to Settings > Apps > ⚙ icon > App permissions > Location.

A more general way of limiting access to your location data is to disable Google’s attempts to track your every move. You can do that by going to Settings > Location > Google Location History.

Limiting which apps have location permission is even more important now that Vice reported on Locate X, a service that aggregates and sells location data harvested by users’ apps. An internal Secret Service document confirms that the agency has purchased location data, information that it would normally need a warrant or court order to access, from Locate X. Other federal agencies, like Immigration and Customs Enforcement and the Internal Revenue Service, have engaged in similar practices.

11. Use a non-Google version of Android

If you take your privacy seriously, you could also consider using a version of Android that is not built by Google and won’t send them data.

Though most device manufacturers make their own “flavor” of Android, most of these variant systems are built around the core functionality that Google provides. As a result, almost all “mainstream” versions of Android will share your data with Google.

There are some versions of Android, however, that do not do this. Installing them is a pretty major and complicated step, though, so you should carefully consider whether you want to wipe the existing OS from your phone. At the moment, the most developed (and stable) alternative Android OS is LineageOS. This is based on CyanogenMod, which limits access to your phone by third parties. Installing an alternative OS requires technical knowledge, though there are plenty of install guides to help you.

12. Don’t use Google for search

You might be wondering why this option is not higher up on this list. It should be easy to change your default search engine within Android, right? Well, yes and no. No surprise, Android doesn’t let you use any other search service from within its default browser.

In order to use a more secure search engine, you need to download an alternative browser. These let you change the default search engine and avoid Google collecting data on your queries.

13. Use a VPN

A virtual private network (VPN) encrypts all of the data passing between your phone (or computer, or tablet) and the wider Internet.

There are plenty of VPN providers out there, but you should be careful about which one you choose. In general, VPN providers often are not transparent about who operates them or how they may or may not use your data. In addition, be wary of VPN providers that are based in the EU or (even worse) the US, because they may be required to share data with foreign intelligence agencies. With our own VPN service, we have gone to great lengths to demonstrate why we offer a VPN worthy of your trust.

14. Use a secure email provider

Finally, you should use an email provider that doesn’t read your emails. It may sound pretty obvious. But you should remember that everything you do on Gmail is being read by Google. If you are uncomfortable with that, there are plenty of secure (and private) email providers out there.

One of them is ProtonMail. We use PGP encryption to keep your emails private when they are in transit, and zero-access encryption to secure your data at rest. As a result, no one but you can access your messages, not even us. It’s also quite easy to transfer your data from Gmail using the ProtonMail Import-Export application (now in beta).

Learn more: why ProtonMail is trustworthy

Using Android privately

In closing, it’s also worth pointing out that, although Android is a risk to your privacy if you don’t lock it down correctly, smartphones per se are not evil.

In fact, if used correctly they can be extremely useful in securing other parts of your online life. The clearest example of this is two-factor authentication, in which a time-based code from a smartphone app is required in addition to your password to log in to your account. (Where possible, you should set up this kind of system for all of your online accounts.)

The trick to using a smartphone securely, as with any other device, is to take the time to find out how it actually works. That way, you can disable the data-collection and data-sharing “functions” that you don’t need.

And just by reading this article, you’ve taken the first step on that road.

Best Regards,

The ProtonMail Team

UPDATE August 17, 2020: This article was updated to incorporate Vice’s reporting on Locate X and the Secret Service purchasing user location data.

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.