Android is the dominant mobile operating system (OS) in the world, running on over 72% of mobile devices, and it runs on over 39% of mobile devices in the US. That’s a lot of Android devices! Your mobile device collects a lot of data about you, you store a lot of data on it, and you access online data from it. So, you must take the time to set your security and privacy settings.
For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.
Each new version of Android includes new settings and may change your existing settings, so be sure to go through this guide each time you upgrade Android to a new version.
This guide was last updated for Android 10 on a Google Pixel 3. The settings and steps may differ based on the version of Android and the device.
Improve Android Security And Privacy Using Its Settings
To open Android Settings, simply tap the Settings app (a gear icon). We’ll go through the settings it contains in order.
On the Settings screen, tap Connected devices.
If there are any connections you’re not using right now, such as Bluetooth, tap them and toggle them off. Only enable connections when you truly need them. This limits the ways your device could be compromised and limits how your location can be tracked.
Apps & notifications
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Apps & notifications.
Tap See all # apps. Go through the App info list and for any that you don’t truly need, tap the app, then tap Uninstall. Many pre-installed apps can’t be uninstalled, so you won’t see an Uninstall button. For those, you can tap Disable to turn the app off and hide it from your device.
In the top left, tap the back arrow. Then, tap the Permission manager. Tap each permission (Body sensors, Calendar, etc.) to see the apps with that permission. If any app shouldn’t have the permission, tap it, then tap Deny.
In the top left, tap the back arrow. Then, tap Advanced, then Emergency alerts. Toggle on any emergency alerts you want to receive.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Display.
Tap Screen timeout. Choose a short time (I recommend 1 minute or less). When you add a screen lock later, this will cause the screen to lock after a short period of idle time, preventing others from using your device.
Go back to the Display screen, then tap Advanced, then Lock screen display, then Lock screen. I recommend choosing Don’t show notifications at all, because notifications can reveal sensitive data (messages, calendar reminders, etc.).
Tap Lock screen message. Here you can set a message that shows on the lock screen. If a Good Samaritan finds your device, this will tell them how to contact you. However, don’t give away too much personal info, because a nefarious person could use it against you. Definitely don’t put your home address. I recommend putting a phone number and/or email address.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Privacy.
Tap Autofill service from Google, if you want your device to automatically fill in personal info, addresses, and passwords for you. If you previously enabled this and now want to disable it, I’ll tell you how in the System section.
Go back to the Privacy screen, then tap Advanced, then Activity controls. I recommend that you toggle off as many as possible, to reduce the amount of data Google collects about you. I cover these controls in the Google Account Security & Privacy Guide.
Go back to the Privacy screen, then tap Ads. Toggle on Opt out of Ads Personalization to reduce the amount of data Google collects about you.
Go back to the Privacy screen, then tap Usage & diagnostics. I generally like to share data that helps make software and services better, as long as my data is anonymized. If you prefer, you can toggle Off.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Location.
If you don’t want to use the location at all, you can toggle off Use location. Note that location must be on for Find My Device to work (which lets you remotely locate, lock, and wipe/erase your device).
Tap Wi-Fi and Bluetooth scanning. I recommend toggling these off unless you truly need accurate locating. If you toggle these on your device can use Wi-Fi and Bluetooth signals for location, even when you’ve turned off Wi-Fi and Bluetooth.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Security.
Tap Google Play Protect, then the gear icon in the top right. Toggle on Scan apps with Play Protect and Improve harmful app detection.
Go back to the Security screen, then tap Find My Device. I recommend toggling this on. It allows you to remotely locate, lock, and wipe/erase your device if it becomes broken, lost, or stolen.
Go back to the Security screen, then tap Security update, if you see it. If it shows an available update, install it.
Go back to the Security screen, then tap Screen lock. Setting a password is best, but because it’s annoying to type a password on a mobile device, consider setting a pattern or PIN. Ensure the pattern is complex, and the PIN is at least 6 digits (the longer, the better).
Go back to the Security screen, then tap Fingerprint. You can choose to use your fingerprint along with another screen lock method.
Go back to the Security screen, then tap Advanced, then Encryption & credentials. If you don’t see Encrypted under Encrypt phone, then tap it to enable encryption. Encrypting your device is one of the best things you can do to secure it, because it means that if someone steals your device, they won’t be able to see or copy your data off the device.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Accounts.
Android is meant to be used with a Google account. If you sign into a Google account, you’ll have many more options. However, you can use an Android device without a Google account. Another option is to create a separate Google account that you use just for Android, and don’t use it for anything else.
You can toggle Automatically sync data if you want apps to automatically sync with accounts. If you toggle it off, you can still manually sync accounts.
Tap an account, then tap Account sync to customize what’s synchronized. Toggle off any items that you don’t need to be synced to your device.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap Google.
Tap Account services, then Connected apps. You’ll see the apps and devices connected to your Google account. If any should be disconnected, tap them and click Disconnect.
In the top left, tap the back arrow until you’re back to the Account services screen. Then, tap Search, Assistant & Voice, then Google Assistant. Google Assistant is, well, Google’s digital assistant; the equivalent of Amazon’s Alexa and Apple’s Siri. To work, Google Assistant sends a lot of data about what you say, type, and do to Google. If you don’t want to use it, tap the Assistant tab, and scroll down to Assistant devices. Tap your device. Then, toggle off Google Assistant.
If you want to use Google Assistant, go back to the Account services > Search, Assistant & Voice screen and configure the settings in Google Assistant and Voice.
If your child will be using this device, you can go back to the Google screen and tap Parental controls to set up Google Family Link. It lets you control content, apps, and screen time.
In the top left, tap the back arrow until you’re back to the Settings screen. Then, tap System.
If you previously enabled Autofill service from Google (to automatically fill in personal info, addresses, and passwords) and now want to disable it, tap Languages & input, then Advanced, then Autofill service, then Autofill service. Then, select None.
Go back to the System screen, then tap Backup. Toggle on Back up to Google Drive unless you’ll be using a different backup service. If you’re running Android 9 (“Pie”) or later, Google can’t see your backup data.
If your backups are uploaded in Google, they’re encrypted using your Google Account password. For some data, your phone’s screen lock PIN, pattern, or password is also used for encryption.Google
This decryption key is encrypted using the user’s lock screen PIN/pattern/passcode, which isn’t known by Google. … By design, this means that no one (including Google) can access a user’s backed-up application data without specifically knowing their passcode.Google
Because app updates often fix security vulnerabilities, you should install them as soon as they’re available.
Open the Google Play app, then tap the menu (hamburger icon, 3 horizontal lines in the top left), then tap Settings, then Notifications. Toggle on Updates.
Tap the back arrow in the top right to go back to Settings, then tap Auto-update apps. Set it to Over Wi-Fi only. If you rarely connect to Wi-Fi, set it to Over any network.
Whenever your device shows that updates are waiting to be installed, install them.
Text (SMS) Message Security
Text (SMS) messages aren’t secure. If you’re communicating about anything sensitive or confidential, you consider a secure, private messaging app such as Signal or Wire.
If you’re careful, you probably don’t need anti-malware (antivirus) software to protect your Android device.
One option is to manually scan weekly (run an on-demand scan), rather than having an anti-malware app run constantly in the background (sometimes called real-time scanning).
If you want it, here’s the Android anti-malware that has the best test results from the independent test labs AV-Comparatives and AV-TEST. These are in alphabetical order.
- Avast Mobile Security
- AVG AntiVirus for Android
- Avira Antivirus Security for Android
- Bitdefender Mobile Security
- F-Secure SAFE
- G DATA Mobile Security
- Kaspersky Internet Security for Android
- McAfee Mobile Security
- Trend Micro Mobile Security
These are all free, except Bitdefender Mobile Security, F-Secure SAFE, and Kaspersky Internet Security for Android.
Bitdefender’s software has consistently earned high ratings from multiple organizations over the years, and I recommend it.
BitDefender is the best protection for your Android smartphone and tablet. Includes secure VPN for a fast, anonymous, and safe experience while surfing the web.
Using Android Safely
Install all software updates (for Android and apps) as soon as they’re available. You should set your device to do this automatically (see settings above), but also watch for any update prompts.
Be careful what permissions you grant to apps. When an app asks for access to your camera, microphone, contacts, location, etc., think carefully about whether it truly needs that permission. You can always grant permission later if you change your mind.
Get your apps from Google Play. Getting apps from outside Google Play, such as from a third-party website, is riskier.
Don’t use public Wi-Fi for anything sensitive, because you’re using an insecure, untrusted network. Instead, use your device’s mobile/cellular data, or use a VPN (virtual private network) to protect your traffic when using public Wi-Fi. I like ProtonVPN.
ProtonVPN offers secure VPN through an encrypted VPN tunnel, so your passwords and confidential data stay safe, even when you are using public or untrusted Internet connections.
Chrome is a secure browser, but certainly not a private one, given how much Google can monitor how you use Chrome. Seriously consider using a more private browser, such as Firefox or Firefox Focus, Brave, or DuckDuckGo Privacy Browser. If you use Chrome as your browser (the default for Android), follow the Chrome Security & Privacy Guide.
Disable connections when you don’t need them, such as Bluetooth, NFC, and Wi-Fi. You can easily do this in Quick Settings. This decreases your “attack surface”; it limits the ways your device could be compromised. It also limits how your location can be tracked.
Regularly delete unnecessary apps. This decreases your attack surface.
Android is part of the Google ecosystem, so be sure to also follow the Google Account Security and Privacy Guide.
Rooting an Android device makes it less secure because it removes many of the protections built-in by Google. Avoid rooting.
Manufacturers of Android devices vary in how quickly they push updates, and how long they support devices. Whenever possible, choose a Google Pixel phone, because Google updates them quickly. Also, they have less junk installed than devices from third-party manufacturers. You can buy a refurbished or used phone to save money.
Erase your Android device before you sell or donate it. If you haven’t already, encrypt your device (see instructions in the Security section above). Then, factory reset it in Settings > System > Advanced > Reset options > Erase all data (factory reset).
- Data security and privacy on devices that work with Assistant (google.com)
- The best antivirus software for Android (av-test.org)
- AV-Comparatives test results for Android (av-comparatives.org)