How to: Get to Know Android Privacy and Security Settings

This page was translated from English. The English version may be more up-to-date.

Open up your Android phone’s Settings app and you’ll find dozens of different options with little guidance on what those options do. Some of these settings have a serious impact on your privacy and security, altering what data gets shared automatically with apps, data brokers, and Google itself.

What sorts of changes you should make depends on how you use your phone and your security plan. There is no one-size-fits-all collection of recommended settings to change. Instead, we’ll explain what settings do to help you decide if they’re worth altering. This guide cannot cover everything, so for a deeper dive, check out our Privacy Breakdown of Mobile Phones guide.

How to use this guide: because of the sheer amount of privacy and security choices in Android, we’ve broken this into three sections, starting with the settings everyone should consider changing, and moving deeper from there. This guide is written for and is accurate as of Android 15.

Note: There are many different versions of Android and the instructions may differ depending on which company made your phone and which version of the operating system it runs. The instructions here are for the newest version of Android Google provides manufacturers and includes in its Pixel phones.

Level 1: Everyday Essentials

Level 2: Additional Steps for Some Security Plans

Level 3: Extra Credit

Level 1: Everyday Essentials anchor link

No matter what your specific security plan is, everyone should take a look at these settings on their phone to increase their privacy and security.

Enable Two-Factor Authentication on Your Google Account anchor link

Why
If you’ve owned an Android phone for a long time, there’s a chance you’ve already enabled two-factor authentication—a way to make your online accounts more secure by requiring additional proof it’s actually you (“factors”), alongside your password , to log in. This means that even if someone has access to your password, they wouldn’t be able to get into your Google account without this second factor. Your Google account can hold loads of sensitive data, including photos, contacts, notes, and just about anything else you’ve saved to your Google account. So it’s crucial to secure it as best as possible.

Once enabled, any time you want to log into your Google account from a new device or log into your account from a new web browser , you’ll need to enter a verification code or confirm your login on a “trusted device” (this might be your phone or laptop if you’ve logged into your Google account there). If this sounds tedious, don’t worry too much. After running through the authentication process one time, you won’t be asked to enter the verification code again unless you sign out of a device completely or erase the device and start over.

What to do
Google pushed for two-factor authentication requirements on all accounts, but it’s still possible to set up a new account without this enabled. If you’re not sure if you’ve turned it on, it’s worth checking to make sure. You can do this from any device you’re logged into your Google account on, but here’s how to check on Android:

Open Settings (you may need to then scroll down in the Settings menu and tap “Google Account” on some versions of Android) and then tap your profile picture, and tap “Manage Your Google Account.”
On the top scroll over to Security, on the right. Select it and scroll down to “Authenticator” or “2-Step Verification phones” to enable two-factor authentication with either an app (preferred) or your phone number.
From this menu you can also set up a passkey for your Google account. Instead of requiring you to enter your password and a code, passkeys include a second factor from your device. Each time you use the passkey to log in, your browser or operating system may ask you to re-enter your device unlock PIN. To create a passkey, tap “Passkeys and security keys,” then “Create a Passkey,” and follow Google’s directions.

If you’re at a high risk of targeted attacks, consider using a security key to lock down your Google account even stronger. Security keys are phishing resistant, but carry the risk of locking you out of your account forever if you lose the key. To set up a security key, follow these instructions.

There is yet another way to further protect your Google account with the company’s Advanced Account Protection Program. Google recommends this for at risk accounts, such as activists, journalists, and political campaigns. Once enabled, Advanced Account Protection adds new security features, such as blocking more harmful file downloads in Chrome, restricting which apps can access your personal information, and better protecting you from phishing. In order to turn this feature on, you must use either a passkey or a physical security key.

Lock Your Phone Behind a Strong Passcode or Biometrics anchor link

Why
If your device is lost, stolen, or confiscated by police, “device encryption ” helps protect the data stored on your device. Modern Android phones have device encryption capabilities built into them.

What to do
You should protect your Android phone with a strong password: 8-12 random characters that are easy to remember and type in when you unlock your device. If devices are not protected by a strong password, the encryption may be easier to break using a brute-force attack. To enable or change your passcode:

Open Settings > Security & privacy > Device unlock > Screen lock and select the type or length of passcode you'd like to use.

Once a passcode is set, you can choose to enable biometric login, using either your face or fingerprint , depending on which type of login your phone supports. This is optional and speeds up the process of unlocking your phone, but doesn’t have the same legal footing that passcodes do. Only you can decide if it's a safe choice to enable biometric login for your device, but if you want to turn it on, here’s how to do so:

Open Settings > Security & privacy > Device unlock > Fingerprint Unlock > Add fingerprint and follow the onscreen instructions to register your face or fingerprint.

In the United States, using a biometric—like your face scan or fingerprint—to unlock your phone may also compromise legal protections for the contents of your phone afforded to you under the Fifth Amendment privilege against compelled incrimination. Under current law at time of writing, using a memorized passcode generally provides a stronger legal footing to push back against a court order of compelled device unlocking/decryption. While EFF continues to fight to strengthen our legal protections against compelling people to decrypt their devices, there is currently less protection against compelled face and fingerprint unlocking than there is against compelled password disclosure.

Audit Your Privacy Permissions anchor link

Why
Just about every app you download asks to access some sort of information about you or your device. This includes everything from obvious uses, like a camera app asking to access your camera and photos, to less obvious ones, like a newspaper app asking to access your local network.

All these permissions can be hard to keep track of. For that reason, it’s good to go through and double-check app permissions now and again. Doing so can ensure you are not sharing any data you don’t need or intend to share.

Before auditing your privacy permissions, it’s a good idea to go through all your apps and delete any you don’t need. This makes the audit easier, and the fewer apps you have installed on your phone, the fewer chances there are for your data to end up in the wrong hands.

What to do
To get started, open Settings > Security & Privacy > Privacy Controls > Permission manager. Here, you’ll get to a page with an abundance of different permissions, each listing how many apps have access to that permission. Not all of these are only “on” or “off.” Some, like photos and location, offer more nuanced permissions. It’s worth going through each of these to make sure you still want that app to have that permission. If not, you can tap on the app in the permissions screen to revoke the permission. Don’t worry about breaking anything, you can always reverse the decision if an app loses functionality.

These permissions are broken into a few different sections, and there are a lot of them. It’s worth going through them all, but the most important permissions to focus on are:

Location Services

Location services are one of the most critical permissions that many apps ask for excessively. This permission gives apps access to your location (determined from GPS and Wi-Fi signals) so it knows where you’re at. Take a look through your apps listed here and ask yourself if they really need your location in order to function. If not, then it’s worth disabling location access completely or limiting it to only when you have the app open. Location services have a lot of variety for when an app can access your location:

Don’t allow: the app will not get any location information from your Android device.
Ask every time: Any time you open the app, it will ask for your location info.
Allow only while using the app: The app can only access your location information when you have the app open. When you close the app, it’ll stop getting that information.
Always: The app will receive your location information all the time.

You can change how exact the location information an app gets is, granting access to either your precise location, or a more generalized location. Disabling the precise location option means the app will only be able to access your general location. Precise location is necessary for mapping apps in particular, but may not be needed for many others.

Contacts

If an app needs access to your contacts, you can either grant it full access—which provides the app with your entire contact list, including all the information stored on their contact card—or not allow it to see your contact list at all.

Photos and videos

You can change a number of aspects around how apps access your photo roll:

Always allow all: an app can access your entire photo roll.
Allow limited access: you pick and choose specific photos an app gets access to.
Don’t allow: the app can’t access your phone’s photo library at all.

Consider limiting access to your photo library in any app where you’d prefer some photos couldn’t get uploaded, even by accident. For example, if you use Slack at work, it may be best to limit access so you don’t accidentally upload your full set of vacation photos when you just intend to share one photo from the beach.

Camera

Here, you’ll find apps that have asked to access your camera. The most obvious use is third-party camera apps, but you may also see apps that use QR code scanning for two-factor authentication, notes apps, and more.

If an app has access to your camera and you do not understand why, disable it. You can always turn it back on if you need to.

Microphone

For the most part, you’ll find only apps you use for voice calls or video here. But if there’s an app that appears to be accessing your microphone and you can’t figure out why, disable it.

If you don’t open an app for a while, Android automatically resets your permissions to the default, so an app cannot access any extra data from your device at all.

Disable Ad Tracking anchor link

Why
The ad identifier—aka “AAID” on Android— enables most third-party tracking on mobile devices. Disabling it will make it substantially harder for advertisers and data brokers to track and profile you, and will limit the amount of your personal information up for sale.

What to do
If preventing advertisers and data brokers from tracking you is important, you can disable the advertising ID entirely on an Android device:

Open Settings > Security & privacy > Privacy controls > Ads, and tap “Delete advertising ID.”

Set Up “Find My Device” anchor link

Why
Find My Device is best known as a tool that allows you to see the location of your Android if you lose it or it’s stolen. This is helpful, but the security and privacy benefits of setting this up are more about the assumption you won’t get your phone back. If you think your phone is long gone, you can remotely wipe it and delete everything on it.

Once enabled, if you lose a device or it’s stolen, you can find it on a map, or more importantly, remotely wipe its contents. You can find directions for doing so here.

By its nature, Find My Device uses location information to find your phone. To do this, it uses a combination of Wi-Fi, cellular, and other nearby Google devices with Bluetooth. Google claims this information is end-to-end encrypted and the location is “only visible to you and those you share your items with in Find My Device.” There is always some risk with using any sort of location-based tracking that the information will leak or be used in a surprising way.

What to do

Open Settings > Security & privacy > Device Finders > Find My Device, and enable “Use Find My Device.”
On this screen, you can also optionally enable “Remote Lock.” This feature allows you to remotely lock your device using just your phone number. This is useful if your device is stolen or taken while unlocked.
You may also consider enabling “Theft Protection.” This feature uses your device’s motion sensors, Wi-Fi, and Bluetooth to detect if someone takes your device and runs away. If a theft like this is detected, your screen will be locked. Open Settings > Security & privacy > Device Unlock > Theft Protection, and enable “Theft Detection Lock.” You can also enable “Offline Device Lock,” which can lock your screen if it’s stolen and the thief immediately turns off location services.

Run Through Google’s “Privacy Checkup” anchor link

Why
You likely use your Google account across devices, like on a computer and your Android phone. Many of the most critical privacy settings are tucked away not on some specific page in your Android’s settings, but on your Google account itself. For this reason, it’s a good idea to run through the company’s “privacy checkup” to make sure you’re not inadvertently sharing information about your YouTube habits, location, or anything else.

What to do

On your phone, open up Settings (you may need to then scroll down and tap “Google Account” on some versions of Android) and tap your profile icon. Tap the “Review your privacy settings,” option at the bottom of the page, or if that option isn’t available, tap “Manage Your Google Account,” then scroll down to “Privacy suggestions available.”
In a browser, you can also go directly to the Privacy Checkup page so long as you’re logged into your Google account.
Run through each page to make sure you are not saving or sharing data you do not mean to.

Level 2: Additional Steps for Some Security Plans anchor link

Decide How You Want to Handle Backups anchor link

Why
Device backups are an important way to protect your data in case you lose your phone or it breaks. On Android, the backup process is divided into two options: photos and videos, and everything else. All photos and videos are stored in Google Photos, and are not end-to-end encrypted. This means the photos and videos do not use a type of backup storage that prevents Google (or anyone else with access to Google’s backup system) from seeing that content.

You can also choose to back up everything else: device data, like contacts, call history, settings, app data, and messages. Some of this information, like app data, should be end-to-end encrypted if you use a device passcode such that Google does not have access, though it is not always clear what data is encrypted this way and what is not.

What to do
Android allows you to customize how backups are handled to some extent, but not by much.

Open Settings > System > Backup.
Here, you can choose to automatically back up just your photos and videos to Google, or everything else. Remember, some of this data is end-to-end encrypted with your device’s passcode, but not all of it.

Set Up a Private Space anchor link

Why
If you want to hide sensitive apps, the “private space” feature is the simplest way to do so. Think of private space like an entirely different Android device that functions inside your primary one. Once set up, you get a secondary set of apps, which can optionally be tied to a completely different Google account. These apps have then all of their data isolated from the rest of your phone. This can be useful for information you want private, like encrypted communication apps or a photo library, or for apps you know aren’t private but you have to use occasionally, like a mapping app or ride share app.

Note: This is available on Android 15 and above for devices with at least 6GB of RAM. If you don’t see the following menu items, your device may not be supported.

What to do

Open up Settings > Security & privacy > Private space and follow the directions to create a new space. You can choose to use a separate PIN or the one you use to unlock your phone.
When prompted, optionally create a new Google account. This isn’t required, but setting up a new account means you don’t run the risk of accidentally syncing information to your primary account—like browsing history, photos, or whatever else you decide to use the private space for.
Once setup is complete, the apps in your Private space are accessible at the bottom of your app drawer.

Read Google’s documentation for more information on all the nuances of what is and is not available in a private space.

If you share your phone with others often or have a second profile for work, multiple user profiles might be a better fit than a private space. To create a new profile, open up Settings > System > Multiple users, and enable “Allow multiple users.” Tap the button to either add a new user, with their own Google account, or a guest user, which doesn’t require an account. Each profile is encrypted with its own encryption key and a person using one profile cannot access any data from another profile without a password.

Disable 2G anchor link

Why
IMSI catchers—also known as Cell Site Simulators and Stingrays—are a tool that law enforcement and governments can use to track the location of phones, intercept or disrupt communications, and gain new entry points into your phone to install malware . IMSI catchers can also be used to send spam and engage in fraud. IMSI catchers may try to trick your phone into connecting to a fake 2G cell tower. To prevent your phone from automatically connecting to one of these, you can disable 2G on your phone. Despite very little concrete evidence of cell site simulators being used against protesters in the U.S., we also think that the steps required to protect yourself are simple enough that this is a reasonable protective measure for most people to take and doesn’t really change how you’ll experience using your device:

What to do

Depending on which version of the operating system you're running, the manufacturer of your phone, and your carrier, you may be able to disable 2G, require encrypted cell connections, or both. Open up Settings > Network & Internet > SIMs > [Your carrier name], find the "Allow 2G" option, and turn it off to disable 2G entirely.
You may also see an option on the SIMs page to "Require Encryption." If you see this option, turn it on to prevent your phone from using a "null cipher" when connecting to a cell tower. Since most U.S. cellular companies do not have 2G networks anymore, you can expect little disruption to connectivity..

Level 3: Extra Credit anchor link

Not everyone has the same needs, and some changes in Android are easier than others. Here are a few more things to consider changing, depending on your needs:

Disable the ability to connect to WEP Networks anchor link

WEP is an older Wi-Fi network protocol with major security issues. It’s old enough that most people will not need to worry about running into networks that use it, but it still happens. This feature was added in Android 15 and is not available on older devices.

To ensure you can’t connect to one of these networks, open Settings > Network & internet > Internet, then scroll down to Network preferences and disable the option to “Allow WEP networks.”

Obscure Lockscreen Notifications anchor link

By default, the notifications you receive are visible on the lockscreen, meaning if you leave your phone out, someone could see any messages you receive and what apps you’re using without needing to unlock your device.

If you want to disable these previews, open Settings > Notifications > Notifications on lock screen, then disable the option for “Sensitive notifications.” What is and is not sensitive is defined by the app that’s sending the notification, and every app treats this differently, so this may not always work as you want. If you are very concerned with a notification revealing information, you may need to consider disabling notifications for that app entirely.

Install a Custom Distribution anchor link

Google’s services are deeply integrated in Android. While the above steps can mitigate some of the most privacy-invasive issues with Google, you cannot remove that threat completely without using a different operating system entirely. That is possible, though. A number of “custom ROMs” exist that can increase your privacy while using an Android device by installing customized versions of the operating system on your phone. This will fundamentally change the way your phone works and may make some apps you need not work at all.

Custom ROMS also introduce new risks, as these distributions are not vetted in the same ways and with the same amount of resources as Google puts into Android. Because of this, we only recommend using custom ROMs if you have a deep understanding of these potential threats.

A custom ROM can increase the privacy and security of your Android device, extend security updates if Google or your device-maker has stopped issuing them, and add special new features. If they’re designed to be private by default, they also require less tinkering of settings to ensure you’re using them as privately as possible. Popular custom ROMs that focus on security and privacy include:

EFF cannot vouch for any custom ROM. Take time to research recommendations and news stories to reveal any glaring issues they have, or that security researchers may find in the future. By their nature using a custom ROM may compromise many of the built-in security features of Android. Do not use a custom ROM that you do not trust.