Android Privacy And Security Guide
A 5 Minute Read
Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!
Update: This guide is now out of date. Please refer to the 2016 version of this guide.
A commonly overlooked aspect of online privacy is the security of cell phones. Modern smart-phones contain a huge amount of personal data, including locational data. It is also the hub of most of our communication, such as phone calls, text messages, social media updates, and emails. One of the frightening aspects of smart-phones today is the fact that we often install apps without paying much attention to the permissions which we are agreeing to. These permissions can allow apps to collect a huge amount of information, turning cell-phones into huge reserves of data waiting to be mined. Not only this, but the 2013 NSA leaks showed us just how our phone calls and text messages can be collected and stored. If you want to learn more about the extent to which our devices can be spied upon, give this a read. Today, we are going to learn about the measures that can be taken to protect against concerns such as these. This tutorial will only focus on securing Android phones. Sorry iOS users.
There are three different aspects of Android privacy: the encryption of data, the permissions of apps, and the operating system itself (Android). This tutorial will focus primarily on the encryption of data. To improve security by restricting app permissions the first step is to actually read them before installing the app. Do this and you'll be 50 feet ahead of the game. Moreover, if you root your device you can individually control permissions (for example not giving Skype access to your contacts). If you want to secure the operating sytem, try rooting the device, and installing a custom ROM such as CyanogenMod or Replicant.
Encrypting the data that your Android phone sends and receives is a simple process. There are three different apps that I'd recommend using. The first app is called Text-Secure. Text-Secure replaces the stock text messaging app on your phone. The difference between the two is that the stock app sends, receives, and stores texts in an unencrypted manner, allowing your text messages to be read by thieves who steal your phone or 'watchful eyes' which may stand in the middle. Text-Secure encrypts the messages that are stored on your phone, as well as the messages that are sent over the air. Encrypting the messages stored on your phone means that if your phone is stolen it's no longer vulnerable, as the messages will appear to be just random data. Encrypting messages sent over the air means that Verizon, Rogers, or Big Brother can't read the messages either. There is, of course, a catch: texts sent over the air are only encrypted if the person you are sending them to ALSO has Text-Secure, otherwise they are sent unencrypted (more reason to evangelize Text-Secure!). The last thing to note about Text-Secure is that it is open source, meaning that if you have the knowledge you can review the code itself to make sure there aren't any backdoors which could harvest your data (its also made by Moxie Marlinspike, who's an absolute beast).
The second app that I recommend encrypts your phone calls and is called Red Phone. Red Phone operates in a way similar to Text-Secure, and is also open-source. Like Text-Secure, it replaces the phone app on your device, and encrypts the calls that you make to other Red-Phone users. Red Phone also does not use your cell phone plan's minutes when talking to other Red-Phone users, and instead uses either wifi or your 3G/4G/LTE data.
A VPN (Private Internet Access)
The last app that I recommend is VPN By Private Internet Access. Private Internet Access is a VPN (Virtual Private Network) which connects to a server and encrypts the data that your phone sends and receives. Essentially what this means is that when you visit a webpage your connection will be sent through a server in 'the cloud' before going to the intended destination. This will make the website think that you're wherever the server is, providing you a higher degree of anonymity. Furthermore, the connection between you and the server will be encrypted, so that your carrier (such as Verizon, AT&T, or Rogers) or your internet service provider (such as Comcast, or Shaw) can't see what you're doing, and will instead just see a bunch of random numbers and letters.
There are other apps that you can use for this as well, such as HotSpot Shield, Hideman VPN, HideNinja VPN, or TunnelBear VPN, to name a few. Some of these services are paid only (such as Private Internet Access), and some are free with limited use. Personally, I use Private Internet Access (PIA) as the VPN on my phone, and have found to get the best speed and reliability (read: no dropped connections) with it versus some of its competitors. PIA is also relatively inexpensive if you buy a years worth, costing $40 a year ($3.33/month).
Update: I've recently switched to Mullvad and am impressed! Highly recommended as an alternative option.
Encrypting The Entire Device
The last step you can take to encrypt your data is to encrypt the phone itself. Many Android phones allow you to go into the menu and encrypt all the storage on the phone. Encrypting the whole phone does have some drawbacks, mainly that it will slow your phone down (the extent to which this will happen depends on the hardware), and if you ever forget your password you will have to reset the entire phone. HowToGeek does a good article on how to enable this, but essentially you need to set a PIN for the lockscreen, and then hit the big "Encrypt Phone" button in the Security menu. This can take quite a bit of time to complete depending on how much data you have stored, but once it's done and you've installed these apps your phone won't be the swiss cheese it was before.
Know The Risks
It should be mentioned that while these measures will increase your privacy against most adversaries, cell-phones are pretty much swiss cheese against more powerful entities. For example, some Samsung Galaxy devices allegedly have back-doors embedded into the chips themselves, meaning that no matter what software you put on top of it there's still a way into the phone. Moreover, location data will be tracked by your cell-phone provider regardless of what privacy preserving apps are on it. These are only two examples in a myriad of ways that cell-phones can put bullet-wounds into your privacy. But in short, recognize your threat model. For example, if you're an investigative journalist and you think that you'll be targeted by state actors, then don't use a phone for secure communications, and leave it at home when you really need privacy (such as meeting a source). On the other hand, if you're just a normal person concerned about your privacy then these apps should give you a major boost towards achieving that goal.