I recently abandoned (and left-for-dead), Windows 10 mobile and switched to Android. My first order of business was to see what sort of security and privacy options I have. I found some excellent news and some horrible news. Here is my current take on how to be relatively secure and private on an Android device.
The Good, the bad, and the ugly:
Android has a notorious reputation for being overwhelmed with malware. Not because of the operating system, but from apps who ask for permissions, and people who simply allowed it. I was SHOCKED to see even the most innocuous of apps asking for permission for my location, my contacts, and other private things.
Take Pandora Radio for example. This is a mainstream technology and should be safe, right? If you look at the permissions, they are pretty intrusive:
it’s clever that they don’t let you see all of them at once. Take a look at the scrollbar on the right, there are a LOT more permissions it “needs” to run. Why would Pandora radio righteously need to see and MODIFY my calendar and send emails on my behalf?! That’s outrageous, but there were plenty that were worse. So, this was annoying. Out of ignorance, the Android user based allowed this to become the norm, which sucks.
The other fundamental thing which makes me uneasy is that since Android is made by Google, it wants to use a Google account to do everything on the phone. Now, we all know by now that Google uses every byte it can access from you, to strengthen their profile of you, and to sell your data to other vendors. So, I created a new Google account just for the phone, which I guess is better than nothing. But when it comes to using any Google functionality, I full expect that all of that is logged.
So, right out of the gate, we are not starting out great. However, there is some really great news, when it comes to security and privacy, too!
First, using Open VPN Connect, the phone connects and STAYS connected to VPN, keeping raw data out of the hands of my cellular provider. As mentioned, I really like Private Internet Access (click the logo, it’s $3.33/month):
and here’s what that looks like when connected on the Android:
Next, the Tor project (www.torproject.org) has Orbot, a proxy application which can route all of your network traffic – or just application-specific network traffic, over the Tor network. If you are not familiar, this typically means your network traffic is sent encrypted, across 3 Tor nodes, which makes your identity and the ability for marketing agents and government agents to track your behavior:
and Android has a Tor browser too, called Orfox – since it uses the Onion Router and is based-on Firefox:
When you use the Tor browser, it routes all of the traffic from JUST this browser, over the Tor network, offering the same protections.
Lastly, Signal is an in-place replacement for your SMS/MMS app. It lets you send/receive text and picture messages, but if the other party is also using Signal, then the entire conversation has end-to-end encryption. Within the app, you can also make phone calls that are fully-encrypted too.
Here are some key resources for this:
The main website with more detail:
“You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone” (this is a little dated, and for Android too – but it gives the background of the Edward Snowden angle)
How to make an encrypted phone call with Signal
So, when you put all of this together, it’s a net-positive in my book. Sure, the device itself and some of the apps might compromise some of your data, but your internet usage, text messages, and phone calls can all be quite secure and private.
What to install:
So, if you have an Android device, here’s what I recommend you install (all for free) from the Google Play store:
- OpenVPN Connect (because although the PIA VPN app worked initially, it stopped. OpenVPN works very well too)
- Signal Private Messenger
- Orbot (Tor-proxy)
- Orfox (Tor browser)
- Firefox (if you use the default Google Chrome, all of your activity is tracked, because you are logged-into your phone)
- DuckDuckGo (a standalone search app which does anonymous searches via the DDG search engine)
As two final steps, you should also encrypt your phone, and set a very good passcode.
If you installed and used these apps, on your encrypted phone with a great passcode, then you have a remarkably more-secure setup than when you started. It should be quite difficult to lose your information to hackers, governments, or other thieves.
Before and After:
I’m generally a visual person, so I drew a crude diagram. Why would you go through all of this trouble? Well, I would argue it’s not a lot of trouble. These are things that take just a few minutes to set up. Once they are set up, they are effortless to use. But still, why go through the effort?
Worse, is when you consider data breaches. Here are the top 20 worst data breaches from 2014. Here are several of the largest data breaches from 2015. It is just a matter of time before your mobile provider is breached. What data do their have? Your data. What sites you visit, perhaps data that can be used to steal your identity, and it’s not just you – it will be the same for your spouse and children too. There is ZERO value to you, for the mobile provider stalking you and storing your data. In fact, it ONLY has downsides for you. They just do it because it’s a way to make money off of you, not because it offers any value to you.
So, by default, your mobile provider owns your data access, phone, and text. All of this is collected, correlated, and sold… and just sitting there waiting to be hacked:
by installing a few apps, that changes the availability and confidentiality of this data to something radically different, like this:
If you use Signal for text and phone, if the recipient also uses Signal (it’s free for all parties), then all of that is encrypted “end-to-end” which means no part of your phone calls or text messages will be observable by your mobile carrier anymore.
Similarly, if you use VPN to go out past your mobile provider and then also use things like OpenDNS to prevent DNS leaks, and Tor for browsing or as a proxy service, you make it quite difficult for any provider, hacker, or government to follow what you are doing. As described above, this is not air-tight, but it at least gets rid of the peeping toms outside your window, and gets people to stop digging through your trash bags. I just mean, that is what the real world equivalent is, to me.
Although no phone platform is perfect, and I’m not super-happy about some core features that aren’t secure in Android, I am pretty happy with the overall solution. Just by installing a few free apps, I can make secure/private phone calls, communicate over SMS privately, and even use VPN and Tor to browse the web without organizations or people observing my every move.
If you have an Android, why not install the apps above and give it a shot? If you are on iPhone, I didn’t verify but I know at least OpenVPN Connect is available for iPhone and the website says that Signal is available for iPhone too.
Since I’m still new to modern-Android, is there anything else I’m missing for this platform?