This page is a draft. It may be missing essential content covering basic aspects of the topic. Do not rely upon it without input from more complete resources.
If you're familiar with this topic, please consider contributing.
Android is a smartphone operating system developed by Google and supported by a very loose collective of other companies called Open Handset Alliance. While open source (in the sense that the basic source is available) means the software is free, it is also true that open source comes nowhere when it comes to privacy. Android is tightly controlled by Google and turned into one of the most potent weapons of surveillance capitalism. Google uses Android to actively erode user's privacy in new and innovative ways, and yet our modern life is nigh impossible with this one side of the smartphone duopoly coin.
Yet, some things can be done to improve things, which is what this page seeks to achieve.
Manufacturer skins[edit | edit source]
Virtually all manufacturers produce their own variant of Android commonly referred as manufacturer skin.
This page is for Android in general and content found here is applicable to most, if not all, Androids.
Check out specific manufacturer skin's pages for specifics relating to individual manufacturer skins.
- The software skin produced by Google for it's Pixel line-up. It tends to have the least amount of difference compared to the source code of the Android itself. However, there are still exclusive features on Pixels.
- Samsung's take on Android. Historically considered a bit ugly, it runs on the roughly 956 million Samsung devices in the wild.
- Found on Huawei's phones, this skin is quite divisive. Western nations, particularly USA government, consider it close to w:spyware. Be that as it may, Huawei phones are very popular in Europe and Asia.
- Xiaomi's attempt at Android. Much like Huawei, it faces heavy criticism in the West, but somewhat less than Huawei.
- Near-stock skin by OnePlus. OnePlus is the Western facing brand of w:BBK Electronics.
Easy wins[edit | edit source]
These measures are 'easy wins'. They will not significantly inconvenience you or get in your way. They are recommended for almost anyone.
Screen lock[edit | edit source]
Let's start with the most obvious privacy feature of any phone; the screen lock.
Most Android phones offer a few different ways to lock you screen. Some are good, others are near useless.
Starting with the near useless ones, swipe pattern and camera unlock should never be used, by anyone. They have repeatedly been proven to be insecure and easily defeated. It is pretty trivial for a shoulder surfing attacker to see and memorise your swipe pattern, no matter how complicated it is, not to mention that unless you're absolutely overzealous about screen cleanliness, most times you can still see the swipe smudges left by the previous unlocks.
Camera unlocks on the other hand are primarily a jump on the bandwagon started by Apple's much better FaceID solution. But, while Apple uses actual 3D face analysis, most Androids do simple facial recognition analysis on the front facing camera which is nowhere near secure enough.
PIN and fingering recognition are much better, but hardly fool proof. Most PINs are simply too short to stand up to serious scrutiny, and fingerprint sensors have reliably been defeated by security researchers.
Ultimately, there is no substitute for a good password, but we also recognise the reality that some users unlock their phone upwards of 150 times a day and won't bother with a 12 character password.
Therefore, on balance, probably the best option is using the fingerprint sensor or, lacking that, a PIN to keep up casual snoops.
Legal status of passwords[edit | edit source]
Biometric security, such as fingerprint readers, have one legal weakness however. Certain jurisdictions provide a defendant with a right to remain silent or a right to not self-incriminate, which often protects them from being forced to disclose a password or a PIN when faced with such requests from law enforcement. Where these right do apply, biometric unlocks are usually not similarly protected, meaning that a police officer usually cannot compel you to give them your password, but can lawfully force you to unlock you phone with a fingerprint scan.
To help with this, some Android versions offer a lockdown mode which will lock the device and disable the biometric unlock until the PIN or password is manually entered. All modern Androids do, however, disable biometric unlock for the first unlock following a boot. If you're expecting to interact with law enforcement, and you plan not to record the interaction (which you really should), it is a good practice to shut down you phone to prevent the law enforcement for from using the biometrics loophole.
Of course, if you are ever in this situation, everything hinges on your password strength or police's access to data extraction tools such as product of Cellbrite or GrayKey.
Permission management[edit | edit source]
Since mid-2015 and w:Android Marshmallow, the platform has supported app permission, where the user could opt to deny an app access to a certain features.
Although we understand that the urge to make that little window go away is very great, it is worth to take a moment to consider the impact of such decision. Ask yourself: does it makes sense that at simple chat app or a video player is asking for your location? If app purpose justifies the requested, does the request have to be granted right now, rather than just prior to actually using the app. If the chat app needs storage permission to let you attach files, why not grant that just prior to files being attached, rather than letting the app rummage through the contents of your storage at will?
In the computing circles this is called the w:principle of least privilege, but you might know it as w:need to know basis.
Always ask yourself 'does this app **need to know** this about me?' and err on the side of '**no**'.
Temporary permissions[edit | edit source]
Currently, a permission, once granted, does not expire or get removed unless the user manually removes it. This is not ideal, but there is a hacky workaround via a proprietary app called Bouncer. This app will use Android accessibility service to quickly remove permissions from other apps based on your rules.
Prior to Marshmallow[edit | edit source]
Prior to the advent of deniable app permissions, the system simply told you about permissions that the app wanted and granted all of them.
However, in the interest of compatibility, it is still possible to install those old apps, and they will be granted all permissions they want, even on modern devices. If you encounter this sort of interface upon installing an app, it'd be wise to cancel it instead as you have no control over the permissions. Not to mention that such old apps are not required to use secure communication via TLS/SSL.
At this time, we highly encourage you to pause what you're doing and go review all the current permissions on your device.
Private DNS[edit | edit source]
From version 9 'Pie' Android supports private DNS using the DNS over TLS protocol. By default Android uses either the WiFi's DNS server (usually from the w:ISP of the WiFI) or the mobile provider's DNS server. While this is not necessarily a bad thing, the problem lies in the fact that the DNS requests are completely unprotected and transparent to the network provider or anyone listening in on the network.
This metadata, when collected and analysed, grants a deep insight into your personal behaviours and habits. It is, essentially, your browsing history, except in this case you cannot delete it as it is held by a third party. To avert this, you can use any private DNS server compatible with DNS over TLS protocol.
Set Private DNS[edit | edit source]
To set private DNS on most devices, go to Settings -> Wifi & Network -> Private DNS. In the new window add the hostname of the DNS server and click Ok.
Filter tracking and ads[edit | edit source]
Additional privacy benefit from Private DNS is using an adblocking and tracker blocking DNS server.
While a standard Private DNS server will resolve all DNS requests over an encrypted connection, there are certain servers which will refuse to resolve ads, tracking, malware or other undesired content. The result of this is that when your phone tries to resolve and ad or a request by an app to access a tracker, the server will instead respond saying that this ad or tracker does not exist. This will result in the ad not being loaded and the tracking information not being sent to the tracker.
A recommended service to achieve this is blahdns.com but, of course, any other valid DNS over TLS server may be used. A fairly comprehensive list is maintained by the good folks over at privacytools.io.
Free and open source first approach[edit | edit source]
Whenever you consider installing an app or signing up to a service, it is always good to consider whether the same or similar experience can be achieved by Concept:free and open source software.
Free and open source software can be more easily checked by the community of it's users, and it is much harder to hide nefarious code or functionality as all the code is transparent. There are also far fewer incentives to do anything untoward as most open source software is written with the public benefit in mind.
F-Droid[edit | edit source]
The easiest way to do this is to install Recommended:F-Droid. This Android store only hosts free and open source apps, thus, anything you find here will be inherently more trustworthy than closed source software.
A step further[edit | edit source]
Following steps may require a little bit of effort or adjustement, but they are still recommended for most people.
Secure your communication[edit | edit source]
This step is actually very easy, although the difficult part comes in when you attempt to get other people to contact you via these privacy preserving options.
If you use text messaging aka SMS or standard phone calls your communications are transmitted in plain text and are easily visible to your service provider. Depending where you live, your service provider or government may be logging and analysing this information, building a model of your behaviour, and building a permanent record which may be used against you in many ways. Even if you mainly correspond via apps such as Facebook messenger or WhatsApp, you're hardly any better off. Rather than with your provider, your messages and/or the metadata are now in the hands of big companies such as Facebook who's core business model is to violate your privacy. Those companies are, of course, subject to coercion by government in charge of their servers.
When it comes to secure communication, the gold standard is always-on enabled-by-default end-to-end encryption. To break this down further:
- always-on - the encryption is always on and cannot be disabled by either yourself or any third party, including the service provider or the government
- enabled-by-default - the encryption is on for all users of the service, by default and without any additional opt-in steps
- end-to-end encryption - the encryption is structured in such a way that no third party, not even service provider or the government, has access to the shared secret, a so called 'private key', which can be used to decrypt the communication
A 'nice to have' property of a communication systems is also peer to peer communication, but this often is not achievable without significant sacrifice in usability.
Sadly, not many service meet these requirements. These are recommended options.
Texting and calling[edit | edit source]
Signal[edit | edit source]
At this moment, the best choice for texting and calling is the Signal app.
Developed and operated by not-for-profit Signal Foundation, this app meets all three of the above outlined criteria. It is based on the well-regarded E2EE w:Signal Protocol, developed by the Signal Foundation's co-founder Moxie Marlinspike and it has also received an independent audit which did not find any notable flaws or omissions which could result in a breach of privacy.
Signal is great for direct one-on-one messaging, small group messaging, voice calls, as well as video calls . It also can send and receive SMS, though SMS is not protected by the encryption. Aside from SMS, every other form of communication through the app is end-to-end encrypted.
Don't use Telegram[edit | edit source]
One piece of bad advice that is often given out by people who should know better is to use Telegram.
Telegram is not end-to-end encrypted, its server software is closed source, and the service provider can read all your messages.
Video calls and conference[edit | edit source]
Jami[edit | edit source]
Jami is a pretty feature complete Skype/ Zoom/ Teams replacement that allows you to have virtual calls and meetings without any third party in the middle spying on what you're saying. It's service is decentralised, and aside from a little bit of help from a central server to established the initial connection, all the data is sent and received directly between the parties who are using the program.
Jitsi[edit | edit source]
Jitsi is another strong contender, particularly if you want to speak with somebody who is resistant towards having to install another app/program. With Jitsi, you simply create a new meeting on one of many community-ran instances, and send out the unique link. Anyone can use this link to simply join you using any modern browser.
Avoid Google services[edit | edit source]
Once again, this step is pretty easy to perform, but can be much harder to commit to.
Your Android comes preloaded with a suite of Google access offering you an easy and convenient access to plethora of Google services. The services are free, apps are of high quality and Google's dark patterns seamlessly guide you into sharing your every thought and feeling with Google who will be eager to monetise it.
Going all the way[edit | edit source]
These steps are not for the feint of heart, either because they require a degree of technical know-how or because they may requires certain sacrifice of convenience or a change of established habits.
This however does not mean that these steps are not effective in protecting your privacy or that they are not 'worth it'. The reality is that if you're willing to learn something new or spend some time re-adjusting, the end result will be a reasonable usability sacrifice with significant privacy gains.
Flash a custom ROM[edit | edit source]
Custom ROMs are community-created versions of Android, usually focusing on making significant changes to how Android runs, more than what is possible by just installing an app. Custom ROMs allow you to take back control of your device and fully remove Google's control over your Android phone.
There are many different custom ROMs, focusing on all kinds of enhancements, so it can be a bit hard to separate the wheat from the chaff, however, from the privacy perspective, these are good bets:
- GrapheneOS - Google-free version of Android usually considered the gold standard when it comes to privacy on Android
- LineageOS - formerly known as CyanogenMod, while this project is not specifically focused on privacy, if you simply avoid installing Google Apps you'll have yourself a pretty decent phone privacy-wise
- CalyxOS - developed by not-for-profit Calyx Institute, which was founded by Nicholas Merrill, this is another solid solution
Living without Google services[edit | edit source]
You might wonder how does one obtain or update apps on a device without Google services. Well, there are few ways.
- F-Droid - aforementioned open source-only app store should be the first stop for app needs on Google-free devices
- Auroroa Store - despite the name, not really a store, but a way to download app off Google Play store without using the actual Google Play Store app. It will also update your apps.
LineageOS with MicroG[edit | edit source]
If you can't quite manage a Google-free existence, one halfway step is using MicroG on previously mentioned LineageOS. MicroG project is an effort to clean room re-implement many of the services Android apps have come to depend on due to Google's anticompetitive behaviour, such as Google Play Services, Google's location services and Maps API.
This means you would still be using a reduced set of Google services, but only the ones that are necessary to prevent the app from malfunctioning. Because MicroG code is open source, only necessary functionality is implemented, and any client-side tracking is absent.
- LineageOS with MicroG - While you can just take almost any custom ROM and add MicroG to it, an easier solution is simply flashing a ROM from LineageOS with MicroG project.
Additional reading[edit | edit source]
Footnotes[edit | edit source]
- they're working on group video calls, although they're not currently available