The Tin Hat

Android Privacy And Security Guide

Category: misc
A 5 Minute Read


Update: This guide is now out of date. Please refer to the 2016 version of this guide.

A commonly overlooked aspect of online privacy is the security of the phone in your pocket. A modern smartphone holds a huge amount of personal data, including your location history, and it is the hub of most of our communication: phone calls, text messages, social media updates, and email. One frightening aspect of smartphones today is how often we install apps without paying much attention to the permissions we are agreeing to. Those permissions can let apps collect an enormous amount of information, turning phones into reservoirs of data waiting to be mined. On top of this, the 2013 NSA leaks showed just how readily our phone calls and text messages can be collected and stored. If you want to learn more about the extent to which our devices can be spied upon, give this a read. Today we are going to look at the measures that can be taken to protect against these concerns. This tutorial only covers Android phones. Sorry, iOS users.

There are three different aspects to Android privacy: encrypting your data, controlling what apps are permitted to do, and the operating system itself. This tutorial focuses primarily on encrypting data. To improve security by restricting app permissions, the first step is simply to read the permission list before installing an app; do that and you'll be well ahead of the game. If you root your device you can go further and control permissions individually (for example, denying Skype access to your contacts). If you want to secure the operating system itself, root the device and install a custom ROM such as CyanogenMod or Replicant, with the usual caveat that rooting also weakens some of the platform's own defences, so only do it if you need what it gives you.


TextSecure

Encrypting the data your Android phone sends and receives is a simple process, and there are three apps I'd recommend. The first is TextSecure, which replaces the stock text messaging app. The difference is that the stock app sends, receives, and stores texts in the clear, so your messages can be read by a thief who steals your phone or by 'watchful eyes' sitting in the middle of the connection. TextSecure encrypts both the messages stored on your phone and the messages it sends over the air. Encrypting the stored messages means that if your phone is stolen, the message database is just random-looking data to anyone who doesn't have your passphrase. Encrypting the messages in transit means that Verizon, Rogers, or Big Brother can't read them either. There is, of course, a catch: texts are only encrypted over the air if the person you are sending them to ALSO has TextSecure; otherwise they go out as ordinary plaintext SMS (more reason to evangelize TextSecure!). Even an encrypted text still travels through your carrier, which can see who you texted and when, just not what you said. Lastly, TextSecure is open source, meaning that if you have the knowledge you can review the code yourself to make sure there are no backdoors that could harvest your data (it's also made by Moxie Marlinspike, who's an absolute beast).


RedPhone

The second app I recommend is RedPhone, which encrypts your phone calls. RedPhone works in a similar way to TextSecure and is also open source. Like TextSecure, it replaces the phone app on your device and encrypts the calls you make to other RedPhone users; calls to anyone else go over the regular cellular network, unencrypted. RedPhone also doesn't use your plan's minutes when talking to other RedPhone users, since the call travels over Wi-Fi or your 3G/4G/LTE data connection instead.


A VPN (Private Internet Access)

The last app I recommend is VPN by Private Internet Access. Private Internet Access is a VPN (Virtual Private Network) provider: the app opens an encrypted tunnel from your phone to one of their servers, and everything your phone sends and receives travels through that tunnel. When you visit a web page, the request goes to the VPN server first and only then on to its real destination, so the website sees the server's address rather than yours and thinks you are wherever the server is. This gives you a degree of anonymity towards the sites you visit, but not towards the VPN provider, which can still see your traffic; you are choosing to trust them instead of your carrier. The connection between you and the server is encrypted, so your carrier (such as Verizon, AT&T, or Rogers) or your internet service provider (such as Comcast or Shaw) can't see what you're doing and instead sees only scrambled data.

There are other apps you can use for this as well, such as HotSpot Shield, Hideman VPN, HideNinja VPN, or TunnelBear VPN, to name a few. Some of these services are paid only (such as Private Internet Access), and some are free with limited use. Personally, I use Private Internet Access (PIA) as the VPN on my phone, and have found that I get the best speed and reliability (read: no dropped connections) with it compared to some of its competitors. PIA is also relatively inexpensive if you buy a year's worth, costing $40 a year ($3.33/month).

Update: I've recently switched to Mullvad and am impressed! Highly recommended as an alternative option.

Encrypting The Entire Device

The last step you can take is to encrypt the phone itself. Many Android phones let you go into the settings and encrypt all the storage on the device. Encrypting the whole phone does have some drawbacks: it will slow the phone down (by how much depends on the hardware), and if you ever forget your password the only way back in is to wipe the entire phone, data included. HowToGeek has a good article on how to enable this, but essentially you set a PIN or password for the lock screen and then hit the big "Encrypt Phone" button in the Security menu. On phones of this generation the encryption key is protected by that lock-screen credential, so choose it with care: a four-digit PIN gives an attacker who copies the phone's storage only ten thousand combinations to try. The process can take quite a while depending on how much data you have, but once it's done and you've installed the apps above, your phone won't be the Swiss cheese it was before.
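To make the "random data at rest" point from the TextSecure section and the lock-screen PIN caveat above concrete, here is an added example in Python. It is my own illustration, not code from TextSecure, Android, or the original page, and the names `seal`, `open_store` and `brute_force_pin` are mine. It stores a constructed inbox under a key stretched from a PIN with PBKDF2, shows that the stored bytes reveal nothing and that a wrong PIN gives nothing back (forget it and the data is gone), and then shows how cheaply an attacker holding a copy of the storage can guess a four-digit PIN offline. The cipher is a toy HMAC-SHA256 counter-mode construction with a separate authentication tag, chosen so the script needs only the standard library; real code should use a vetted AEAD such as AES-GCM, and the low iteration count is only there to keep the brute-force demo to a few seconds.

```python
"""Added example: a PIN-protected message store, illustrating encryption at rest.
Not TextSecure's or Android's real scheme; a toy cipher built from hashlib/hmac
so it runs with the standard library alone."""
import hashlib
import hmac
import json
import secrets

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
# Deliberately low so the brute-force demo runs in seconds; real deployments
# use far more iterations or bind the derivation to hardware in the device.
KDF_ITERATIONS = 1000


def derive_keys(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the lock-screen credential into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(pin: str, messages: list) -> bytes:
    """Encrypt and authenticate the message list under a key derived from `pin`.
    Layout: salt || nonce || ciphertext || tag (fresh salt and nonce every call)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(pin, salt)
    plaintext = json.dumps(messages).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def open_store(pin: str, blob: bytes) -> list:
    """Decrypt, or raise ValueError if the PIN is wrong or the blob was altered.
    The tag is checked before any decryption, so a wrong PIN yields nothing at all."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong PIN or corrupted store")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def brute_force_pin(blob: bytes, digits: int = 4):
    """Offline guess of a numeric PIN against a copied store: at most 10**digits tries.
    This is what a thief with an image of the flash can do; no lock-screen delays apply."""
    for guess in range(10 ** digits):
        pin = str(guess).zfill(digits)
        try:
            open_store(pin, blob)
            return pin
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample inbox, not real messages.
    inbox = [{"from": "+1 555 0100", "body": "meet at nine"}]
    blob = seal("0421", inbox)
    print("stored bytes:", blob.hex()[:48], "...")  # no plaintext visible
    print("with the right PIN:", open_store("0421", blob))
    print("recovered 4-digit PIN by brute force:", brute_force_pin(blob))
```

Run it and the three lines show the whole argument: the blob on disk is opaque, the right PIN unlocks it, and a four-digit PIN falls to a loop in well under a minute. Lengthening the PIN to six or eight digits, or using a real password, multiplies the attacker's work by a hundred or ten thousand; raising the iteration count multiplies it again.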

Know The Risks

It should be said that while these measures will increase your privacy against most adversaries, phones are pretty much Swiss cheese against more powerful entities. For example, some Samsung Galaxy devices allegedly have back-doors below the level of the operating system, meaning that no matter what software you put on top there may still be a way into the phone. Moreover, your carrier will always know roughly where you are, because the network has to know which cell tower your phone is attached to in order to route calls to it; no privacy app can change that. These are only two examples from a myriad of ways that phones can put bullet-wounds into your privacy. In short, recognize your threat model. If you're an investigative journalist and you think you'll be targeted by state actors, don't use a phone for secure communications at all, and leave it at home when you really need privacy (such as when meeting a source). On the other hand, if you're a normal person concerned about your privacy, these apps should give you a major boost towards that goal.


