The Android privacy and security settings you need to know about
Android phones and tablets come equipped with a wealth of privacy and security features, but many of them are disabled by default or, in the case of app permissions, get set almost without consideration over the course of using your device.
Our guide will take you through the most important settings to ensure the security of your phone and your data, both on the web and from your device’s menus. We’ve used the current vanilla version of Android Oreo 8.1, but the same settings can be found on most recent Android devices.
Set a PIN
If you’re not using a PIN to log in, you really ought to be. If you are using one, make sure it’s not too obvious (0000) and that you’ve not given it to anyone who shouldn’t have it.
To check your security options, open settings by pulling down the notification bar and tapping the gear icon. Scroll down to security & location.
Under device security, you’ll see the screen lock setting. This will show you what unlock security mode is currently enabled, and a gear icon next to it will allow you to change your lock screen settings.
In the Choose screen lock screen, you can set or change your PIN or set another unlock method such as a lock screen pattern or – the most secure option – a password.
If you don’t want the trouble of entering a password every time you log in, a six-digit PIN is a good compromise option if you want to enhance your security with a minimum of inconvenience.
Android’s security & location settings also allow you to set up fingerprint scanning, which conveniently allows you to unlock your phone at a touch, and is sufficiently secure for the average user.
However, proof-of-concept methods of tricking scanners have been demonstrated by security researchers in lab settings. Additionally, both police and criminals can compel you to unlock a fingerprint-secured phone, so the ultra security-conscious will probably want to stick with the humble password.
Some devices, such as Google’s Nexus and Pixel phones, also have a range of Smart Lock options, which let you set specific circumstances under which your phone will remain unlocked for convenience.
This includes when it’s on your body (detected via the accelerometer), while it’s in your home and when it’s connected to a trusted Bluetooth device, as well as facial and voice recognition settings. All of these reduce your phone’s security, although the extra convenience may be worth it for you, depending on your circumstances.
Find my phone
While you’re still in the Security & location settings, scroll down to device admin apps and tap into it to make sure that Google’s Find My Device service has permission to erase your phone. If your employer uses G-Suite device management, Google Apps Device Policy will also have permission to wipe your phone.
Find my phone is one of Android’s most useful features, not least because you can type “find my phone” into Google and press an icon to have it ring until you’ve worked out where you left it.
Find my phone also provides a small but effective range of other device management tools. It can remotely lock your lost phone with a secure password and a message asking anyone who finds it to call a specific number, sign out of the device to prevent anyone accessing your data or, if you’ve granted the appropriate permissions and are sure your phone has been stolen, remotely wipe all your data from the phone.
Do the two-step
Note that, if you have two-step verification enabled on your Google account, logging in to the Find my phone service may require a second verification step if you’re not connecting from a trusted computer.
As this usually prompts you to use a Google Prompt or Authenticator on your phone – the one you’ve presumably just lost – to verify, you should set up some backup options in advance.
These include backup phone numbers that codes can be sent to via voice or text messaging and a set of printable or downloadable backup codes that you can keep safe in case you lose access to all other authentication devices.
Two-factor verification is incredibly useful for securing your online activities, so we don’t recommend turning it off. If you’re not currently using it to secure your Google accounts on the web, this would be a good time to enable it, in fact.
Get a quick check-up
Google prompts its users to run through its web-based Security Checkup tool at least once a year, but you can use it at any time.
Security Checkup presents you with a summary of devices that have access to your account, warning if any of them haven’t been used lately, gives you a list of any recent security alerts such as sign-ins from unexpected places, ensures your verification methods are up-to-date, and lists all the apps with access to your Google services, along with any potential security risks associated with them.
Privacy and advertising
Google’s business is its users, and specifically getting their eyes onto its advertising customers’ content. To this end, it retains a lot of information about your browsing habits, interests and activities.
To see what advertising information Google has collected about you, use a web browser to check your Ads Settings. You can also disable personalised ads presented to you via Google services.
To see what information is saved about your activities, including browsing, location and voice search data, go to your Activity controls. Here, the privacy-conscious can check, delete and disable their web and app activity tracking, location history, voice activity and more.
An overview of all this information can be reached from the main My Account website and most of these settings can also be accessed on your phone by going to Google Services & Preferences on the settings screen.
Consider all angles
It’s easy to associate multiple accounts with an Android device. This is an incredibly useful feature for family tablets and users who have separate personal and employer-issued Google accounts.
However, if you have multiple accounts set up on your Android phone or tablet, you should go through the security, advertising and privacy settings for each of them. You can do this by switching accounts in your web browser, or on your phone via an account selection pull-down that appears in the title bar of relevant settings screens.
Check your apps
Finally, let’s make sure that none of the apps you’ve installed are taking liberties with the permissions they’re requesting. Android 8.1 provides fine-grained permissions monitoring, which makes it easy to see which apps are allowed to do what.
From the settings screen, select apps & notifications, then scroll down and tap app permissions. This will give you a list of all available access permissions, from sending or receiving SMS messages to using your phone’s mic and camera. Tap into each to see which apps have these permissions, and individually withdraw them if you see fit.
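The same per-app review can be done from a computer over adb. This added example (not part of the original article) parses the text printed by `adb shell dumpsys package` and lists the apps that currently hold sensitive runtime permissions. The sample dump, the package names and the choice of "sensitive" permissions are constructed for illustration, and the dumpsys layout is an assumption that varies between Android versions.

```python
import re

# Permissions this example treats as sensitive (an illustrative subset).
SENSITIVE = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
}

# Constructed sample in the style of `adb shell dumpsys package` output.
SAMPLE = """\
Packages:
  Package [com.example.torch] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false
  Package [com.example.notes] (d4e5f6):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dump):
    """Return {package: sorted sensitive runtime permissions currently granted}."""
    result, pkg, in_runtime = {}, None, False
    for line in dump.splitlines():
        pkg_match = PKG_RE.match(line)
        if pkg_match:                      # start of a new package record
            pkg, in_runtime = pkg_match.group(1), False
            result[pkg] = []
        elif line.strip() == "runtime permissions:":
            in_runtime = True              # only user-revocable grants follow
        elif in_runtime and pkg:
            perm = PERM_RE.match(line)
            if not perm:                   # any other line ends the section
                in_runtime = False
            elif perm.group(2) == "true" and perm.group(1) in SENSITIVE:
                result[pkg].append(perm.group(1))
    return {name: sorted(perms) for name, perms in result.items()}

if __name__ == "__main__":
    for name, perms in granted_sensitive(SAMPLE).items():
        print(name, "->", ", ".join(perms) or "no sensitive permissions granted")
```

Only the `runtime permissions:` section is read, because those are the grants the app permissions screen lets you withdraw; install-time permissions such as INTERNET are ignored.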
The apps & notifications screen also allows you to access notification settings, where you can disable all app notifications or turn the feature off for specific apps that you don’t want pestering you.
It’s also worth making sure that your apps are up to date with any necessary security patches. Go to the Play Store and press the hamburger menu icon (☰) at the top left of the screen. Tap my apps and games, go to the updates tab and hit update all.
To ensure that you get updates as needed, re-open the ☰ menu, scroll down to settings and tap auto-update apps. If you have a generous mobile broadband allowance, give your apps permission to update at any time. Otherwise, enable Wi-Fi updates and remember to connect to a wireless network regularly to make sure you get them.
As above, if you have multiple Google accounts on your device, you should repeat this process for each of them.