Android phone privacy 101

posted on 2019-11-08

If you have an Android phone, you have quite a few technical options that can increase or decrease your privacy.

Here are some basic steps you could take to increase your privacy. They are presented in no particular order.

DNS settings

Every time you visit a website, your phone asks a so-called DNS server (Domain Name System server) where it can find the website you are looking for.

Normally this is either provided by your mobile internet provider, or a DNS server hosted by Google. Companies love this information, because it reveals statistics about which domains are visited on the internet.

To protect your privacy, Google will translate your IP address to a geographical location before permanently storing the fact that you accessed that website. For more information, read the public DNS privacy information at https://developers.google.com/speed/public-dns/privacy.

Your mobile provider will have a different policy, but probably logs and stores more information because you are a direct customer of theirs.

Neither Google nor your mobile provider is good for your privacy: permanently storing your geo-location with your website usage is bad, and your mobile provider probably stores even more information.

An alternative is to trust Cloudflare and use their public DNS servers: 1.1.1.1 and 1.0.0.1.

In short: find the private DNS setting and enter the address 1dot1dot1dot1.cloudflare-dns.com. Read the full story at https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/

Using Cloudflare's free VPN-like service

The Cloudflare VPN-like service is called WARP. It won't mask your IP address like paid VPN services, but it will make your mobile network faster and you get an IPv6 address (not linked to your mobile phone provider).

You have to install an app from the Play store and enable WARP:

https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone

Public sniffers

When your phone is on the move, it is sending out various radio signals. Mostly your phone is looking for other devices to talk to over NFC, Wifi, Bluetooth or GSM (the mobile network).

Most of the time, when your device is looking for other devices, it broadcasts a unique identifier to let those devices know which device it is.

One example of how this is used: a store can determine whether you are a returning customer, and how long you spent in the store last time. That is valuable information for knowing whether you have been browsing there before or are a new customer.

Combating Wifi sniffers

iPhones have a partial solution in iOS 8 using wifi MAC randomization.

For Android there is no such thing, but we can do one better: turn off Wifi when you are not near a known location using Smarter Wifi manager.

This app turns off your Wifi when you are not near a location where you normally use Wifi, and can determine your location based on mobile phone towers and/or GPS.

Combating Bluetooth sniffers

I don't know of a way to effectively combat Bluetooth sniffers. One problem I have is that I use the Bluetooth connection in my car and on the go for Bluetooth headphones.

Turning it off is currently the only option, but not something I want to do atm.

Combating GSM location tracking

I don't know of any method to stop the phone company from tracking your location. They anonymize this information and sell it to third parties, as you can read in the Dutch Vodafone privacy notice:

Every time you are connected to our network, the network generates data. For example the time of use, the duration of the call, the amount of data sent/received, or the cell tower/Wi-Fi spot used. We may make this data available, in anonymized form, to third parties for the purpose of mobility analyses.

So they will sell the location of "some unknown customer" to third parties.

You can try to find a mobile provider that does not do that, or remove your SIM card when at home and/or only use Wifi and WhatsApp to make calls. That last option has the drawback that Facebook collects data on who you are calling and for how long.

Messaging apps

With Facebook now watching and storing everything that is happening on WhatsApp (except for the content of the text messages and calls), there is only one privacy-aware chat app left as far as I know, and that's Signal: https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms

Most people will also mention Telegram, but all of its messages are sent with a plaintext fingerprint of the message. What this means is that if someone can guess the content, they can prove in court that you sent that message and when.

You can read a full article on Telegram security issues here: https://courses.csail.mit.edu/6.857/2017/project/19.pdf
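The guess-confirmation problem described above, as an added example that is not from the original post or from Telegram: a simplified Python model in which SHA-256 stands in for the fingerprint, and the messages and key are constructed. It shows that an unkeyed fingerprint lets anyone who stores it confirm a guessed text, while a keyed tag (HMAC) does not.

```python
import hashlib
import hmac

# Constructed sample data: nothing here is Telegram's real wire format.
SENT_MESSAGE = b"meet me at the station at 9"
CANDIDATE_GUESSES = [
    b"see you tomorrow",
    b"meet me at the station at 9",
    b"I am running late",
]
# Assumed session key, known only to the two endpoints.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def plaintext_fingerprint(message: bytes) -> bytes:
    """Unkeyed fingerprint: anyone who has the text can recompute it."""
    return hashlib.sha256(message).digest()


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): recomputing it requires the session key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def confirm_guess(observed: bytes, guesses, tag_fn):
    """Return the guess whose tag equals the observed value, or None.

    tag_fn is whatever the observer can compute without any secret.
    """
    for guess in guesses:
        if hmac.compare_digest(tag_fn(guess), observed):
            return guess
    return None


def observer_view():
    """What a party that stores traffic, but holds no key, can conclude."""
    unkeyed_on_wire = plaintext_fingerprint(SENT_MESSAGE)
    keyed_on_wire = keyed_tag(SESSION_KEY, SENT_MESSAGE)
    # The observer can only evaluate the public, unkeyed function.
    from_unkeyed = confirm_guess(unkeyed_on_wire, CANDIDATE_GUESSES, plaintext_fingerprint)
    from_keyed = confirm_guess(keyed_on_wire, CANDIDATE_GUESSES, plaintext_fingerprint)
    return from_unkeyed, from_keyed


if __name__ == "__main__":
    unkeyed, keyed = observer_view()
    print("unkeyed fingerprint confirms:", unkeyed)
    print("keyed tag confirms:", keyed)
```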