Android is a very secure and robust operating system out of the box. This post will be less of a “hardening guide”, but more of a non-exhaustive list of tips when it comes to buying and using Android phones.
Android Devices
Recommended Phones
Google Pixel phones are the only devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element.
When purchasing a device, you should buy one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. Also, beginning with the Pixel 8 and 8 Pro, Pixel devices receive a minimum of 7 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
Phones to Avoid
Avoid buying the Fairphone 4, which only has just over 2 years of full security updates since its release date despite them advertising 6 years of support. This is because the System on a Chip they use (Snapdragon 750G) only has 3 years of support from Qualcomm, and the SoC was already old when the phone came out. This is not to mention, the Fairphone 4 uses the Android Verified Boot Test Key as their OEM keys, effectively making Verified Boot useless. In general, you should check for how long the SoC a phone uses is supported for and not blindly trust the phone manufacturer’s claims.
You should also avoid buying the /e/ OS phones (sometimes branded as the Murena phones). /e/ OS in itself extremely insecure, not supporting verified boot, shipping userdebug build, shipping months old version of Chromium, bundling years old version Orbot into their operating system then marketing it as “Advanced Privacy”, etc. They have recently also had an incident where their cloud service mishandled session keys and give users access to each other’s files, then proceeded to mislead the users that the server cannot see their files despite there being no end-to-end encryption.
You should also be very wary of low quality privacy branded phones like the Freedom Phone, BraX2 Phone, Volta Phone, and the like. These are cheap Chinese phones with the Mediatek Helio P60 from 2018, which has already reached end-of-life or is near end-of-life. Needless to say, you should also avoid any vendor who claims they are Zero-day proof like this:
Android-based Operating Systems
In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. “custom ROMs”) do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits.
I have written a detailed post on selecting your Android-based operating system, which you can find here.
TLDR: If you are using a modern Pixel, use GrapheneOS. If you are on a device supported by DivestOS, use DivestOS. Otherwise, stick to your stock operating system. Do not blindly use an OS just because it is advertised as “degoogled”.
Use New Android Versions
It’s important to not use an end-of-life version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, prior to Android 10, any apps with the READ_PHONE_STATE permission could access sensitive and unique serial numbers of your phone such as IMEI, MEID, your SIM card’s IMSI, whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
Do Not Root Your Phone
Rooting Android phones can decrease security significantly as it weakens the complete Android security model. This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the attack surface of your device and may assist in privilege escalation vulnerabilities and SELinux policy bypasses.
Use a diceware passphrase, avoid pattern unlock
On Android, the phone unlock (Password, Pin, Pattern) is used to protect the encryption key for your device. Thus, it is vital that your unlock secret is secure and can withstand Bruteforce attacks.
Pattern unlock is extremely insecure and should be avoided at all cost. This is discussed in detail in the Cracking Android Pattern Lock in Five Attempts research paper.
If you trust the hardware enforced rate limiting features (typically done by the Secure Element or Trusted Execution Environment) of your device, a 8+ digit PIN may be sufficient.
Ideally, you should use a randomly generated passphrase of 8 words or longer to secure your phone. These are practically impossible to bruteforce with current technology, regardless of the efficacy of any ratelimiting that may be present.
Setup Auditor
Auditor provides attestation for GrapheneOS phones and the stock operating systems on a number of devices. It uses hardware security features to make sure that the firmware and operating system have not been downgraded or tampered with.
Attestation can be done locally by pairing with another Android 8+ device or remotely using the remote attestation service. To make sure that your hardware and operating system is genuine, perform local attestation immediately after the device has been setup and prior to any internet connection.
Use Global Toggles
Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, you should disable these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
Manage Android Permissions
Permissions on Android grant you control over what apps are allowed to access. Google regularly makes improvements on the permission system in each successive version. All apps you install are strictly sandboxed, therefore, there is no need to install any antivirus apps.
You can manage Android permissions by going to Settings → Privacy → Permission Manager. Be sure to remove from apps any permissions that they do not need.
Enable VPN Killswitch
Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in Settings → Network & internet → VPN → Block connections without VPN.
Connectivity Check
Connectivity checks on Android do not go through the VPN tunnel (they are not supposed to anyway). This is generally not a cause for concern, however, you should be aware that Google and a network observer on your internet service provider (ISP)’s network can see that there is an Android device with your actual IP address.
On GrapheneOS, connectivity checks by default are done with GrapheneOS’s own servers, instead of with Google ones. A network observer on your ISP’s network can see that you are using a GrapheneOS device. If you are using a VPN and want to appear like a regular Android device to your ISP, go to Settings → Network & internet → Internet connectivity check and select Standard (Google) instead. Note that this will not stop a determined adversarial ISP from finding out you are not using stock OS through your DNS fallback.
If you want to, you can disable connectivity check altogether. Note that this will stop captive portal from working.
- On GrapheneOS and DivestOS, go to Settings → Network & internet → Internet connectivity check and select Disabled
- On other Android-based operating systems, you can disable captive portal via ADB.
To disable:
adb shell settings put global captive_portal_mode 0
To re-enable:
adb shell settings delete global captive_portal_mode
Enable Secure Exec Spawning
GrapheneOS and DivestOS have the option to spawn fresh processes when launching applications instead of using the traditional Zygote spawning model. You can read more about this here.
On GrapheneOS, this feature is enabled by default. On DivestOS, it is not enabled by default, and you should enable it in Settings → Security → Enable secure app spawning.
Restrict USB Peripherals
USB peripherals should be disabled or set to only be allowed when the device is unlocked if possible.
On GrapheneOS, you can adjust this setting in Settings → Security → USB accessories. The OS defaults to “Allow new USB peripherals when unlocked”.
On DivestOS, you can adjust this setting in Settings → Privacy → Trust → Restrict USB. The OS defaults to “Always allow USB connections”, and you should change it to one of the two other options as mentioned above.
Media Access
Quite a few applications allow you to “share” a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your “media and photos”, because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
If you are using GrapheneOS, you should utilize the Storage Scopes feature to force apps that request broad storage access permission to function with scoped storage.
User Profiles
Multiple user profiles can be found in Settings → System → Multiple users and are the simplest way to isolate in Android.
With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
Work Profile
Work Profiles are another way to isolate individual apps and may be more convenient than separate user profiles.
A device controller such as Shelter is required, unless you’re using CalyxOS which includes one.
The work profile is dependent on a device controller to function. Features such as File Shuttle and contact search blocking or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile.
This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
Baseband Modem Attack Surface Reduction
By default, your baseband modem will typically set to support just about every generation of mobile cellular technology, from 2G to 5G. This gives a large attack surface.
You can reduce this attack surface by limiting the baseband modem to just using the generation that in needs. In most cases, this would be 4G/LTE.
GrapheneOS has the LTE only mode exposed in settings. You can set this by going to Settings → Internet → Your carrier name → Preferred network type → LTE Only.
If your Android-based operating system does not expose this setting in the Settings app, or if you want to set your baseband modem to a less restrictive mode, dial *#*#4636#*#* then hit Phone information. Here, you can set preferred network type to just the generations that you intend to use. For example, if you only want to use 5G and 4G, you can set it to NR/LTE.
Carrier Tracking
Carriers can track your coarse location through various means. At minimum, you need to use airplane mode to turn off the baseband modem, and turn off Wifi-calling which bypasses the system VPN. There may also be additional connections to the carrier’s servers outside of the VPN tunnel, so you need to use Wireshark to verify this for your specific setup.
Exact behavior does differ across SoCs and may vary between carriers as well, so I cannot give exact instructions for every setup. On a Google Pixel 7 Pro running GrapheneOS, you need to do the following:
Disable Wi‑Fi calling.
Disable the SIMs/eSIMs in Settings → Network & internet → SIMs. On GrapheneOS, if you are using an eSIM, you will need to enable privileged eSIM management. With certain carriers, there will be an ePDG server defined which the operating system will connect to outside of a VPN tunnel. While unlikely, a malicious carrier can track a user by giving them a unique ePDG server.
Turn on airplane mode. This will turn off the modem and disable all transmission to cell towers. Note that simply removing SIM cards is not enough — your phone will still connect to cellular networks to permit emergency calling.
Disable privileged eSIM management after you have disabled all of the eSIMs. With certain carriers, the eSIM management app will connect to the provisioning server to check for eSIM update, even if the eSIMs are disabled.
On a related note, I have seen recommendations to use PGPP as a carrier to randomize the IMSI by regularly reprovisioning the eSIM. This is unlikely to be beneficial, as the IMEI baked into the modem would remain unchanged, allowing carriers to track you anyways.
Where to Get Your Applications
GrapheneOS App Store
GrapheneOS’s app store is available on GitHub. It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the Auditor, Camera, and PDF Viewer. If you are looking for these applications, I highly recommend that you get them from GrapheneOS’s app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS’s project own signature that Google does not have access to.
Aurora Store
The Aurora Store is a proxy for the Google Play Store. It is great for privacy in the sense that it automatically gives you a disposable account to download apps, and it works on Android-based distributions that do not support Google Play Services. That being said, it lacks security features like certificate pinning and does not support Play Asset Delivery.
My recommendation is to stick with the Google Play Store unless your threat model calls for not logging into Google Services at all.
F-Droid
F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them here.
I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as NeoStore. You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead.
GitHub
You can also obtain your apps directly from their GitHub repositories. In most cases, there would be a pre-built APK for you to download. You can verify the signature of the downloaded using apksigner:
- Install Android Studio which includes
apksigner. On macOS,apksignercan be found at~/Library/Android/sdk/build-tools/<version>/apksigner. - Run
apksigner verify --print-certs --verbose myCoolApp.apkto verify the certificate of the apk.
After you have verified the signature of the apk and installed it on your phone, there are several strategies you can use to keep the application up-to-date.
The first strategy is to add the atom feed of the application’s release page to an RSS Reader like ReadYou to get notified of new releases. You will still need to download and install the new releases manually. If you are confused, here is a video that could help with this process:
The second strategy is to use the IzzyOnDroid F-Droid repository with a modern F-Droid client like NeoStore, as mentioned above. The IzzyOnDroid repository pulls new releases from various GitHub repositories to their server, which can then be automatically downloaded and installed by NeoStore. The downside of this strategy is that not every application on GitHub is on IzzyOnDroid, and sometimes IzzyOnDroid fails to pull a new release, resulting in you not getting any updates at all.
It should be noted that since Android has automatic signature checking for existing applications on the system, you only need to manually check the signature of the apk the first time you install an application. If you do use IzzyOnDroid to update the applications, you will need to manually confirm the first update of an application to authorize the NeoStore as the installation source. After that, future updates will be seamless.
If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy.
Enroll in the Advanced Protection Program
If you have a Google account we suggest enrolling in the Advanced Protection Program. It is available at no cost to anyone with two or more hardware security keys with FIDO2 support.
The Advanced Protection Program provides enhanced threat monitoring and enables:
- Stricter two factor authentication; e.g. that FIDO2 must be used and disallows the use of SMS OTP, TOTP and OAuth
- Only Google and verified third-party apps can access account data
- Scanning of incoming emails on Gmail accounts for phishing attempts
- Stricter safe browser scanning with Google Chrome
- Stricter recovery process for accounts with lost credentials
If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with additional benefits such as:
- Not allowing app installation outside of the Google Play Store, the OS vendor’s app store, or via
adb - Mandatory automatic device scanning with Play Protect
- Warning you about unverified applications
Google Play System Updates
In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for some system components via the privileged Play Services.
If you have an EOL device shipped with Android 10 or above (shipped beginning 2020), you may better off sticking with the stock OS in the short term as opposed to running an insecure alternative operating system. This will allow you to receive some security fixes from Google, while not violating the Android security model and increasing your attack surface. You should still upgrade to a supported device as soon as possible.
Disable Advertising ID
All devices with Google Play Services installed automatically generate an advertising ID used for targeted advertising. Disable this feature to limit the data collected about you.
On Android distributions with Sandboxed Google Play, go to Settings → Apps → Sandboxed Google Play → Google Settings → Ads, and select Delete advertising ID.
On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
- Settings → Google → Ads
- Settings → Privacy → Ads
You will either be given the option to delete your advertising ID or to Opt out of interest-based ads, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
Google Messages
Google is currently pushing for the adoption of RCS with end to end encryption to compete with iMessage. On certain Android devices, especially Google Pixels with stock OS, Google Messages is set as the default SMS app to provide this feature.
If you are on an OS with Play Services installed, I highly recommend that you use Google Messages as the SMS app to get opportunistic end to end encryption with your contacts. It works fairly well on GrapheneOS with Sandboxed Play Services, too.
You can disable telemetry in Google Messages by going to ⋮ → Settings → General → Help Improve Messages and toggling it off. There are also some other configurations in ⋮ → Settings → General → Chat features that you might want to go over such as sending typing indicator or read receipt.
If you have trouble connecting to RCS, try disabling your VPN and the VPN killswitch first, then reconnect to RCS. Once you have connected to the server, you can re-enable your VPN and the killswitch and it should work just fine across reboots. I am not sure what is causing this issue, but it might be related to this bug.
Google Fi
Google Fi provides opportunistic end‑to‑end encryption for phone calls between Fi users on Android and includes a VPN service. Fi also implements a unique privacy‑bolstering virtual carrier network architecture on supported devices, but it is temporarily disabled.
This is not without its caveats:
- Google Fi requires Play Services and the Fi app to work properly. Without Play Services, all of the features mentioned above, along with visual voicemail will not work. SMS messages will have random strings added at the end of each of them.
- The Google Fi app needs to be installed in the owner profile for SIM/eSIM activation.
- Google Fi Wi‑Fi calling does not work behind a VPN with the killswitch enabled in the owner profile.
If you are living in the United States and use the stock operating system, I highly recommend using Google Fi as the carrier to take advantage of the end to end encrypted calls and Fi VPN. Pixel 4 and above, users will benefit the most from the VCN as mentioned.
If you are using GrapheneOS and do not mind installing Sandboxed Play Services, Fi is still a better option than to other providers thanks to Google’s general good security practices and the fact that you can enroll in the Advanced Protection Program to have much better protection for your account. Some other provides do not even have multi-factor authentication support, and most will not let you enforce FIDO2 as the authentication method.