​The 10 best ways to secure your Android phone

Malware makers, phishers, they really are all out to get you. Here's how to stop them in their tracks.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The most secure smartphones are Android smartphones. Don't buy that? Apple's latest version of iOS 11 was cracked a day -- a day! -- after it was released.

So Android is perfect? Heck no!

Android is under constant attack and older versions are far more vulnerable than new ones. Way too many smartphone vendors still don't issue Google's monthly Android security patches in a timely fashion, or at all. And, zero-day attacks still pop up.

So, what can you do to protect yourself? A lot actually.

Here are my top 10 ways to keep you and your Android device safe from attackers. Many of these are pretty simple, but security is really more about doing safe things every time than fancy complicated security tricks.

1) Only buy smartphones from vendors who release Android patches quickly.

I recently got a Google Pixel 2. There were many reasons for this, but number one with a bullet was that Google makes sure its smartphones, such as the Pixel, the Pixel 2, Nexus 5X, and 6P get the freshest updates. This means they get the newest security patches as they're released.

As for other major vendors, Android Authority, the leading Android publication, found, the best vendors for keeping their phones up to date were, in order, from best to worse: LG, Motorola, HTC, Sony, Xiaomi, OnePlus, and Samsung.

2) Lock your phone.

I know, it's so simple. But, people still don't do it. Trust me. You're more likely to get into trouble by a pickpocket snatching your phone and running wild with your credit-card accounts than you from malware.

What's the best way to lock your phone? Well, it's not sexy, but the good old PIN remains the safest way. Fingerprints, patterns, voice-recognition, iris scanning, etc. -- they're all more breakable. Just don't, for the sake of Android Oreo cookies, use 1-2-3-4, as your PIN. Thank you.

3) Use two-factor authentication.

While you're securing your phone, let's lock down your Google services as well. The best way of doing this is with Google's own two-factor authentication.

Here's how to do it: Login-in to your Google account and head to the two-step verification settings page. Once there, choose "Using 2-step verification" from the menu. From there, follow the prompts. You'll be asked for your phone number. You can get verification codes by voice or SMS on your phone. I find texting easier.

In seconds, you'll get a call with your verification number. You then enter this code into your web browser's data entry box Your device will then ask you if you want it to remember the computer you're using. If you answer, "yes" that programs will be authorized for use for 30-days. Finally, you turn on 2-step verification and you're done.

You can also make this even simpler by using Google Prompt. With this you can authorize Google apps by simply entering "yes" when prompted on your phone.

4) Only use apps from the Google Play Store.

Seriously. The vast majority of Android malware comes from unreliable third party application sources. Sure, bogus apps make it into the Google Play Store from time to time, like the ones which messaged premium-rate text services, but they're exception, not the rule.

Google has also kept working on making the Play Store safer than ever. For example, Google Play Protect can automatically scan your Android device for malware when you install programs. Make sure it's on by going to Settings > Security > Play Protect. For maximum security, click Full scanning and "Scan device for security threats" on.

5) Use device encryption.

The next person who wants to snoop in your phone may not be a crook, but a US Customs and Border Protection (CBP) agent. If that idea creeps you out, you can put a roadblock in their way with encryption. That may land you in hot water with Homeland Security, but it's your call.

To encrypt your device, go to Settings > Security > Encrypt Device and follow the prompts.

By the way, the CBP also states "border searches conducted by CBP do not extend to information that is located solely on remote servers." So, your data may actually be safer in the cloud in this instance.

6) Use a Virtual Private Network.

If you're on the road -- whether it's your local coffee shop or the remote office in Singapore -- you're going to want to use free Wi-Fi. We all do. We all take big chances when we do since they tend of be as secure as a net built out of thread. To make yourself safer you'll want to use a mobile Virtual Private Network (VPN).

In my experience, the best of these are: F-Secure Freedome VPN, KeepSolid VPN Unlimited, NordVPN, Private Internet Access, and TorGuard. What you don't want to do, no matter how tempted you may be, is to use a free VPN service. None of them work worth a darn.

7) Password management.

When it comes to passwords, you have choices: 1) use the same password for everything, which is really dumb. 2) Write down your passwords on paper, which isn't as bad an idea as it sounds so long as you don't put them on a sticky note on your PC screen; 3) Memorize all your passwords, not terribly practical. Or, 4) use a password management program.

Now Google comes with one built-in, but if you don't want to put all your security eggs in one cloud basket, you can use other mobile password management programs. The best of the bunch are: LastPass, 1Password, and Dashlane.

8) Use anti-virus software.

While Google Play Protect does a good job of protecting your phone, when it comes to malware protection I believe is using a belt and suspenders. For my anti-virus (A/V) suspenders, I use Germany's AV-TEST, an independent malware detection lab, results as my guide.

So, the best freeware A/V program today is Avast Mobile Security & Antivirus. It's other security features, like its phone tracker, doesn't work that well, but it's good at finding and deleting malware. The best freemium A/V software is Norton Mobile Security. All its components work well and if you elect to go for the full package, it's only $25 for 10 devices.

9) Turn off connections when you don't need them.

If you're not using Wi-Fi or Bluetooth, turn them off. Besides saving some battery life, network connections can be used to attack you. The BlueBorne Bluetooth hackers are still alive, well, and ready to wreck your day. Don't give it a chance.

True, Android was patched to stop this attack in its September 2017 release. Google's device family got the patch and Samsung deployed it. Has your vendor protected your device yet? Odds are they haven't.

10) If you don't use an app, uninstall it.

Every application comes with its own security problems. Most Android software vendors do a good job of updating their programs. Most of them. If you're not using an application, get rid of it. The fewer program doors you have into your smartphone, the fewer chances an attacker has to invade it.

If you follow up with all these suggestions, your phone will be safer. It won't be perfectly safe -- nothing is in this world. But, you'll be much more secure than you are now, and that's not a small thing.


    Google's October Android patches have landed: There's a big fix for dnsmasq bug

    Google's October Android security bulletin fixes only 14 bugs, but a new Pixel/Nexus bulletin details dozens more bugs that Android partners can optionally fix.

    Android security: Google patches dozens of dangerous bugs, including some in Oreo

    Pixel and Nexus owners will get the September Android patch as part of the Android 8.0 Oreo rollout.

    Android security: Coin miners show up in apps and sites to wear out your CPU

    Expect to see more miners silently chewing up CPU resources through your browser.

    Editorial standards