Android / WIRED
Android phones and tablets come equipped with a wealth of privacy and security features, but many of them are disabled by default or, in the case of app permissions, get set almost without consideration over the course of using your device. Our guide will take you through the most important settings to ensure the security of your phone and your data, both on the web and from your device’s menus. We’ve used the current vanilla version of Android Oreo 8.1, but the same settings can be found on most recent Android devices.
Set a PIN
If you’re not using a PIN to log in, you really ought to be. If you are using one, make sure it’s not too obvious (0000) and that you’ve not given it to anyone who shouldn’t have it. To check your security options, open settings by pulling down the notification bar and tapping the gear icon. Scroll down to security & location. Under device security, you’ll see the screen lock setting.
This will show you which unlock security mode is currently enabled, and a gear icon next to it will allow you to change your lock screen settings. In the Choose screen lock screen, you can set or change your PIN or set another unlock method, such as a lock screen pattern or, the most secure option, a password. If you don’t want the trouble of entering a password every time you log in, a six-digit PIN is a good compromise if you want to enhance your security with a minimum of inconvenience.
Android’s security & location settings also allow you to set up fingerprint scanning, which conveniently allows you to unlock your phone at a touch, and is sufficiently secure for the average user. However, proof-of-concept methods of tricking scanners have been demonstrated [1] by security researchers in lab settings. Additionally, both police [2] and criminals can compel you to unlock a fingerprint-secured phone, so the ultra security-conscious will probably want to stick with the humble password. Some devices, such as Google’s Nexus and Pixel phones, also have a range of Smart Lock options, which let you set specific circumstances under which your phone will remain unlocked for convenience. This includes when it’s on your body (detected via the accelerometer), while it’s in your home and when it’s connected to a trusted Bluetooth device, as well as facial and voice recognition settings. All of these reduce your phone’s security, although the extra convenience may be worth it for you, depending on your circumstances.
Find my phone
While you’re still in the Security & location settings, scroll down to device admin apps and tap into it to make sure that Google’s Find My Device service has permission to erase your phone. If your employer uses G-Suite device management, Google Apps Device Policy will also have permission to wipe your phone.
Find my phone [3] is one of Android’s most useful features, not least of all because you can type “find my phone” into Google and press an icon to have it ring until you’ve worked out where you left it. Find my phone also provides a small but effective range of other device management tools. It can remotely lock your lost phone with a secure password and a message asking anyone who finds it to call a specific number, sign out of the device to prevent anyone accessing your data or, if you’ve granted the appropriate permissions and are sure your phone has been stolen, remotely wipe all your data from the phone.
Do the two-step
Note that, if you have two-step verification enabled on your Google account, logging in to the Find my phone [4] service may require a second verification step if you’re not connecting from a trusted computer. As this usually prompts you to use a Google Prompt or Authenticator on your phone (the one you’ve presumably just lost) to verify, you should set up some backup options [5] in advance. These include backup phone numbers that codes can be sent to via voice or text messaging and a set of printable or downloadable backup codes that you can keep safe in case you lose access to all other authentication devices. Two-factor verification [6] is incredibly useful for securing your online activities, so we don’t recommend turning it off. In fact, if you’re not currently using it to secure your Google accounts on the web, this would be a good time to enable it.
Get a quick check-up
Google prompts its users to run through its web-based Security Checkup tool [7] at least once a year, but you can use it at any time. Security Checkup presents you with a summary of devices that have access to your account, warning if any of them haven’t been used lately, gives you a list of any recent security alerts such as sign-ins from unexpected places, ensures your verification methods are up-to-date, and lists all the apps with access to your Google services, along with any potential security risks associated with them.
Privacy and advertising
Google’s business is its users, and specifically getting their eyes onto its advertising customers’ content. To this end, it retains a lot of information about your browsing habits, interests and activities. To see what advertising information Google has collected about you, use a web browser to check your Ads Settings [8]. You can also disable personalised ads presented to you via Google services. To see what information is saved about your activities, including browsing, location and voice search data, go to your Activity controls [9]. Here, the privacy-conscious can check, delete and disable their web and app activity tracking, location history, voice activity and more. An overview of all this information can be reached from the main My Account [10] website and most of these settings can also be accessed on your phone by going to Google Services & Preferences on the settings screen.
Consider all angles
It’s easy to associate multiple accounts with an Android device. This is an incredibly useful feature for family tablets and users who have separate personal and employer-issued Google accounts. However, if you have multiple accounts set up on your Android phone or tablet, you should go through the security, advertising and privacy settings for each of them. You can do this by switching accounts in your web browser, or on your phone via an account selection pull-down that appears in the title bar of relevant settings screens.
Check your apps
Finally, let’s make sure that none of the apps you’ve installed are taking liberties with the permissions they’re requesting. Android 8.1 provides fine-grained permissions monitoring, which makes it easy to see which apps are allowed to do what. From the settings screen, select apps & notifications, then scroll down and tap app permissions. This will give you a list of all available access permissions, from sending or receiving SMS messages to using your phone’s mic and camera. Tap into each to see which apps have these permissions, and individually withdraw them if you see fit.
The apps & notifications screen also allows you to access notification settings, where you can disable all app notifications or turn the feature off for specific apps that you don’t want pestering you. It’s also worth making sure that your apps are up to date with any necessary security patches. Go to the Play Store and press the hamburger menu icon at the top left of the screen. Tap my apps and games, go to the updates tab and hit update all. To ensure that you get updates as needed, re-open the menu, scroll down to settings and tap auto-update apps. If you have a generous mobile broadband allowance, give your apps permission to update at any time. Otherwise, enable Wi-Fi updates and remember to connect to a wireless network regularly to make sure you get them.
As above, if you have multiple Google accounts on your device, you should repeat this process for each of them.
[1] demonstrated (ieeexplore.ieee.org)
[2] police (www.theatlantic.com)
[3] Find my phone (myaccount.google.com)
[4] Find my phone (myaccount.google.com)
[5] backup options (support.google.com)
[6] Two-factor verification (www.wired.co.uk)
[7] Security Checkup tool (myaccount.google.com)
[8] Ads Settings (adssettings.google.co.uk)
[9] Activity controls (myaccount.google.com)
[10] My Account (myaccount.google.com)
The announcement comes a full seven days after journalist Rachna Khaira first identified the alleged breach in an article in the Tribune newspaper, in which it was claimed reporters were able to buy access to citizens’ personal details, such as names, addresses, phone numbers and even photos, via an anonymous WhatsApp account for as little as $8.
The database, known officially as Aadhaar, was launched in 2009 as a voluntary program intended to help prevent benefit fraud. It has since grown, and is now home to the collected data — including fingerprints and iris scans — of more than a billion Indians, or upwards of 90% of the entire population. Users are issued with a personal 12-digit identity number which they can then use to access welfare payments and other government-controlled services. Authorities have been widely criticized for their handling of the allegations, which, if proven correct, could expose users to identity fraud and privacy invasions. The Unique Identification Authority of India (UIDAI), which is responsible for maintaining the database, initially denied the claims, dismissing the Tribune story as “clearly a case of misreporting being incorrect and misleading.”
A day after Khaira’s report, the UIDAI filed a police complaint against her, the Tribune newspaper, and the anonymous individuals who allegedly provided them with access to the database, a move that served only to inflame the crisis further and stoke wider concerns over diminishing press freedoms. Reporters Without Borders (RSF), the Paris-based NGO which publishes an annual index of press freedom, last year ranked India at 136 out of 180 countries, down 3 places from the previous year, and lagging behind the likes of Myanmar, Colombia and even Zimbabwe. The controversy led Edward Snowden, the former US National Security Agency contractor and high-profile whistleblower, to weigh in on Tuesday with a tweet offering his support to Khaira.
“The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI,” said Snowden. The agency quickly backtracked, and by late Tuesday afternoon had tweeted its support for press freedoms and its apparent willingness to work with the Tribune to investigate the problem. It remains unclear, however, whether the UIDAI has in fact dropped its police complaint against Khaira.
The newest government security measures, announced late Wednesday, will allow users to generate a random virtual ID or token to avoid sharing their Aadhaar number directly for authentication, according to the government notice. A second security measure prevents secondary agencies from storing an individual’s Aadhaar number.
Experts say the move will go some way in addressing issues raised in the Tribune report, as well as broader safety concerns. Amber Sinha, a senior program manager at the Centre for Internet and Society, a research institute based in Delhi and Bangalore, described the government’s announcement as a welcome measure. “There have been various kinds of security incidents, but tokenization can definitely address some of them,” said Sinha. According to Sinha, the database’s biometric data, which contains the most sensitive information, such as retinal scans, has not been breached and reports in the press are related to demographic data, which can also exist in separate databases, owned by different government agencies or state governments. Though implemented under the previous administration, Prime Minister Narendra Modi’s government has championed the database, and pushed to make Aadhaar cards mandatory. The new security measures come a day after a report from a research institute affiliated with the Reserve Bank of India labeled the database “a prime target.”
“Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cyber criminals as well as India’s external enemies ... The loss to the economy and citizens in case of such an attack is bound to be incalculable,” said the report by the Institute for Development and Research in Banking Technology.
While the authorities did not cite a specific reason for the new security measures, they did say there were “heightened privacy concerns,” according to the statement from the Ministry of Electronics and Information Technology.