10 Android phone security tips you need to know
How to turn your phone into a mobile Fort Knox
Most of us use our phones far more often than our laptops – but where we used to obsess about laptop security, when it comes to our Android handsets… not so much.
This is partly because many of the security basics have been patched away and firmed up. However, there are still ways to make sure your phone isn't compromised, along with all your passwords and sensitive data.
So here are our top 10 security tips that will help you to enjoy a smooth, secure and worry-free experience on your Android phone.
1. Consider using a password manager
Isn’t it strange that a disembodied, almost-conscious voice can control our homes, but we’re still using clunky old passwords to get into our devices? And many of us still use the same handful of simple, easy-to-remember passwords for multiple logins. This is bad.
A password manager like LastPass is the solution. It 'hides' your passwords behind a master password, and this is the only one you actually need to remember.
Password managers can usually also generate ultra-strong passwords, so you don’t have to put the effort in yourself. And once installed, these apps will auto-fill your logins.
Some security experts say you should disable autofill on your phone and laptop, but the less we have to think about and interact with passwords the better, we say.
If you want some more variety in your choice, then apps like Dashlane, 1Password and Enpass are good alternatives.
2. Don't sideload apps
Flexibility is one of the attractions of Android over iOS. However, this flexibility also gives you the opportunity to do some serious damage to your phone, by way of side-loading.
Android lets you install apps from their raw installer files, just as you might do on a Windows computer – this is side-loading. You can download 'apk' app files directly from your browser, or from a third-party app store like GetJar or SlideMe.
This is dead handy for distributing work-in-progress apps, or ones that, for whatever reason, would not be allowed on Google Play. However, there’s no easy way to tell if the files have been infected with malware – so stick to Google Play unless you know the origins of those app files.
3. Don't use 1234 as your PIN
There are arguments for and against using a fingerprint scanner as your main security measure. It’s not as secure as a strong password or PIN, but you can’t beat the convenience of a fast scanner.
If you do use your phone's digit scanner, however, it's important that your back-up PIN isn't one that's easy for others to guess – 1111, 0000 or 1234 are not suitable passwords, and if you use them there’s really not much point having any security on your phone at all.
The same is true of 'pattern' unlocks: if it’s simple, it’s not good enough. Balancing complexity with ease of typing and memorability is the key here – as you end up using these logins all the time, you should find they work their way into your muscle memory pretty quickly.
4. Don't send sensitive data over public Wi-Fi
If you live in a city, it’s pretty hard to avoid using public Wi-Fi – these networks are everywhere, and many of them are offered by the same handful of providers. Most security experts advise treating public Wi-Fi with suspicion, if not avoiding it altogether.
Several different kinds of attack can mean that data stored on your phone, and information you type into it, falls into the hands of an opportunist hacker – and you really don’t have to be an IT genius to mount an attack.
The best policy is to only browse sites with an 'https' URL, as this means they're secured. And never input your card details or use online banking while on public Wi-Fi – all bank websites may be secured, but that security will do nothing to prevent a so-called 'man in the middle' attack, where the hacker intercepts information being sent from your phone to a banking or other website.
5. Consider using a VPN
A VPN, or virtual private network, acts like an extra layer of protection for your browsing, as all your data is passed through an encrypted connection between your phone and the VPN provider’s servers.
It sounds rather technical, but using a VPN is quite simple. Many of the most popular VPN services have Android apps, and you simply run these, choose the location of the server you want and then you’re away – your phone can 'pretend' it’s halfway across the world if you like.
Top VPN services include TunnelBear, NordVPN and ExpressVPN, among many others.
6. Check for security patches
The least fun kind of updates are often the most important. Brand-new features in a fresh version of Android are exciting, but it’s security updates that keep your phone safe.
Google releases these once a month, and they tackle any new threats and vulnerabilities uncovered since the previous update. You can see the last time your phone received a security update by going to Settings > Security & Lock Screen > Security Update.
If the date under this entry is from months ago, or even a year or more, your phone is not particularly safe. Unfortunately there’s no fix for this, as you can’t make your own security updates.
Frequency of security updates should be a consideration when you're buying a phone. Google Pixel phones such as the Google Pixel 3 get security updates first, and Android One phones guarantee at least three years of security updates.
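If you're comfortable with a command line, the same patch date can be read from a phone over USB with adb and checked automatically. This is an added example, not part of the original article: it assumes adb is installed and USB debugging is enabled on the phone, and the function names and the three-month threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: judge how old an Android security patch level is.
# The patch level is a date string such as 2018-08-05 (constructed sample).

# months_between OLD NEW -> whole calendar months from OLD to NEW (YYYY-MM-DD)
months_between() {
    old_y=${1%%-*}; old_rest=${1#*-}; old_m=${old_rest%%-*}
    new_y=${2%%-*}; new_rest=${2#*-}; new_m=${new_rest%%-*}
    # Strip a leading zero so "08" and "09" are not read as invalid octal.
    old_m=${old_m#0}; new_m=${new_m#0}
    echo $(( (new_y - old_y) * 12 + (new_m - old_m) ))
}

# patch_status PATCH TODAY [MAX_MONTHS] -> prints current, stale or invalid
# MAX_MONTHS defaults to 3, an assumed threshold, not a figure from Google.
patch_status() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # empty or malformed property value
    esac
    age=$(months_between "$1" "$2")
    if [ "$age" -gt "${3:-3}" ]; then
        echo stale
    else
        echo current
    fi
}

# Only talk to a device when adb is present; otherwise the functions
# above can still be used on a date typed in by hand.
if command -v adb >/dev/null 2>&1; then
    # ro.build.version.security_patch holds the device's patch level.
    patch=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r') || patch=
    if [ -n "$patch" ]; then
        echo "Patch level $patch: $(patch_status "$patch" "$(date +%Y-%m-%d)")"
    fi
fi
```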
7. Update your apps
It’s not only your phone’s core software that needs regular updates – apps do as well. Even simple app updates can, on occasion, patch up security problems.
To check for app updates, go to Google Play, select My Apps & Games, and then the Updates tab.
Turn on Auto updates and you can avoid ending up with an old, potentially vulnerable, version of one of your favorite apps. You’ll find the Auto update option in Settings > Auto-update Apps.
8. Turn on 2-step verification
The best way to avoid your Google account being hijacked is to use two-step verification. When you enable this, a code will be sent to your phone whenever you try to log in to your Google account on another device.
It may sound like an inconvenience – a pain even – but it dramatically improves your security. Even if your password is compromised, others still can’t get access to your information.
You can sign up for Google’s free two-step verification feature at Google's dedicated website. Whenever you log in you can choose to be sent an SMS verification code, be called with the code, or use the Google app to confirm the login.
9. Enable remote lock and wipe
It’s important to know where you stand when your phone is lost or stolen. Android actually gives you some fantastic controls if your phone goes missing.
A Find My Phone dashboard enables you to play an alert sound through the phone's speaker, remotely wipe the entire phone, or sign out of your accounts and lock the handset. This may not help you get your phone back, but it does let you rest easier about the threat of having your identity stolen.
To make sure you can access these controls, turn on Location access on your phone, found in Security & Lock Screen, and enable Find My Phone in the same menu.
10. Be careful about following links in SMS messages
We know many people who are relatively savvy in most areas of life, but who have fallen foul of SMS scams. Classic examples include texts that purport to be from your bank, and ask you to log in to your account, and the WhatsApp scam, which asks you to pay a small sum in order to continue using the service, and then promptly nicks your card details.
The best way to deal with these scams isn't a security option on your phone or a piece of software – you simply need to use common sense, and be very suspicious of any unsolicited messages you receive.
However, certain security apps, including Kaspersky Internet Security, will scan your texts for ones that look like phishing scams.
Andrew is a freelance journalist and has been writing and editing for some of the UK's top tech and lifestyle publications including TrustedReviews, Stuff, T3, TechRadar, Lifehacker and others.