How to minimise the risk of smartphone snooping (Android privacy tips guide)

Smartphone snooping, or more accurately the harvesting of your data by your phone and its apps, is a given. All apps leak different data about you to Telcos, social media, web cookie makers, and apps specifically designed to scrape data to monetise it.

All that data links together via a few things:

  • Mobile phone number (which most keep for life),
  • IMEI number (which changes with each new phone)
  • Birth date/gender (which don’t change – hint they don’t have to be true)
  • Advertising ID (generally with you for life, but you can change and delete it).
  • Some data links via a gamer’s ID, Facebook ID and Google logins (this article is about Android – assume Apple has similar issues).

In Australia, the data gold for criminals includes your Passport number, Driver’s license, Medicare number (for life), Centrelink customer numbers (for life), Utility Bills, and now company director numbers (for life).

Bits of data by themselves appear benign, but start mashing that data together and it is easy to build an accurate picture of where we go; who we talk or SMS to; who our friends are; where we shop; what we buy; what we like; and so much more. There is a scientific paper on this here.

More? Location shows

  • Your home and office address
  • Can link your family/neighbours together
  • Identify your significant other and children (time of day calls)
  • Demographics (approx. age, gender, renting or buying the home)
  • If you spend too much on Uber Eats (et al.)
  • and for contact tracing.

Using several easily accessible databases, researchers have granularised (deanonymised) metadata to achieve a data confidence factor of 95%.

The deanonymised data is worth a fortune, especially to flesh out your ID Theft profile on the dark web.

How to reduce smartphone snooping

It is impossible to eliminate smartphone snooping because any internet-connected device (whether mobile or Wi-Fi) exfiltrates data via the net. To stop it, you would need to go totally off the grid, use a pre-paid, activated burner phone (not available here as you can’t get onto a Telco network without ID), no Internet, no smart TV, pay cash for everything and live under a rock. But you can reduce it to a minimum.

The best way to use this guide is to get your phone and tick off each of the following tips.

Step 1 – you must trust someone, and it is Google within limits.

Fact: Google does not sell your data.

Google’s business model is making money by getting users to click on adverts. It does this via information it collects and you unwittingly provide. On the flip side, if Google did not do this, phones would be more expensive.

These steps are for typical recent Android devices. If you can’t find the setting, search for it.

Go to Settings, Privacy and turn off Camera and Microphone Access (this is temporary as it is required for camera use and phone use later). When an app wants to use this, it will flash up a warning and allow you to choose only while the app is in use – or ask every time.

Next, go to Settings, Privacy, Permissions manager. You will see a list of permissions and apps that can access them. For example, Body Sensor may show a Bluetooth fitness watch (which is benign), but clicking through shows it wants Location, Microphone, Phone and Storage. Why would a watch want these? Body sensor is likely the phone’s accelerometer/gyroscope for fall detection and reporting. Location is necessary for Bluetooth; Microphone and Phone are for handsfree calls; and Storage is for access to on-device music. Tick!

Calendar will likely need Gmail, Google (for voice assistant), Outlook (alternative mail and calendar client) and Google Wear (smartwatch). Tick! Why does the Weather want to know? Because it’s a data harvester. Fail!

Contacts will need Gmail or your mail client, Messages, Phone, Search and Google Wear. But why would Chrome, Google Drive, Google News, Google Play, password manager, smart lights, security cameras, routers, Spotify, Uber and many more need access? They don’t!

While you are doing this for every sensor, uninstall any unused apps.
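The same audit can be scripted from a PC. The following is an added example, not part of the original article: it parses text in the style of `adb shell dumpsys package` output and lists sensitive permissions an app holds beyond what it plausibly needs. The sample dump, the package names and the EXPECTED allowlist are constructed assumptions.

```python
import re

# Constructed sample in the style of `adb shell dumpsys package <pkg>` output
# for three hypothetical apps (package names are made up).
SAMPLE_DUMP = """\
Package [com.example.weather] (a1b2c3):
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
Package [com.example.mail] (d4e5f6):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET ]
Package [com.example.lights] (0a1b2c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""
# Assumption: what each app plausibly needs, following the article's reasoning.
EXPECTED = {
    "com.example.weather": {"ACCESS_COARSE_LOCATION"},
    "com.example.mail": {"READ_CONTACTS", "READ_CALENDAR"},
}
SENSITIVE = {"READ_CONTACTS", "READ_CALENDAR", "RECORD_AUDIO", "CAMERA",
             "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "BODY_SENSORS"}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def granted_permissions(dump):
    """Map each package to the set of permissions marked granted=true."""
    grants, current = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            grants.setdefault(current, set())
        elif (m := PERM_RE.match(line)) and current and m.group(2) == "true":
            grants[current].add(m.group(1))
    return grants

def audit(dump, expected):
    """Return (package, permission, revoke command) for each unexpected grant."""
    findings = []
    for pkg, perms in sorted(granted_permissions(dump).items()):
        # A package missing from `expected` needs nothing, so all is flagged.
        for perm in sorted((perms & SENSITIVE) - expected.get(pkg, set())):
            cmd = f"adb shell pm revoke {pkg} android.permission.{perm}"
            findings.append((pkg, perm, cmd))
    return findings

if __name__ == "__main__":
    for pkg, perm, cmd in audit(SAMPLE_DUMP, EXPECTED):
        print(f"{pkg} holds {perm}; to revoke: {cmd}")
```

On a real phone, the input would come from running `adb shell dumpsys package` with USB debugging enabled; review each suggested revoke before running it, as with the manual tick-off above.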

Step 2 – use a PIN, fingerprint or FACE ID

90% of misuse is from unprotected devices.

At the very least, install a PIN or fingerprint or Face ID.

You can also lock specific apps – say, your bank or other finance apps with a PIN under Settings, Privacy.

Step 3 – Manage notifications on the lock screen

It may be convenient to read notifications without unlocking your phone, but it is open to abuse. Go to Settings and search for Notifications, Manage Notifications. Under Display, Title and Body, select either Title only or Don’t Show. Under More, turn off Show banner notifications on full screen.

Step 4 – find, fix and limit what Google has on you (on your phone)

Warning – some changes affect the entire Google ecosystem, and wrong choices can stop Google Home and Assistant from working.

Go to Settings, Google. This should show your Gmail name and Manage your Google Account (we will come back to that separately). Below are several headings.

  • Ads: Reset Advertising ID and Delete Advertising ID – do both. It just means any adverts are not personalised.
  • Autofill: Turn off along with Google and Phone Number Sharing. Leave SMS verification codes on.
  • Backup: You get 15GB free cloud storage, and it is useful to let Google make a copy of all items if you want to reinstall or move to a new Android phone. I usually turn Photos/videos off as I store these on a PC. While many experts suggest this is an unnecessary security risk, convenience may outweigh this.
  • Devices and Sharing: Leave this alone
  • Find my Device: Turn this off because it tracks your device.
  • Mobile Data and Messaging: Leave this alone
  • Parental controls: If you are one, then enable it!
  • Personal Safety: Leave alone
  • Personalise using shared data: This is the pot of data harvesting gold. Any App here is allowed to share Google data, and you should switch them all off.
  • Set up and Restore: Useful if you are moving to a new device
  • Settings for Google Apps: Another data gold mine. Check Connected Apps and remove any you don’t want to know about you – Facebook, Instagram, WhatsApp.
  • Search Assistant and voice should be left alone if you have Google Assistant, but you can disable some general features – Recent Pages, Discover, Autocomplete with trending searches (optional). Under Channels and Interests, you can remove any ‘following’ items.

Step 5 – Location

This is hard as you need a basic location level for the phone to work. But you can make it harder by turning off Wi-Fi and Bluetooth scanning. And you can turn off Google Location Accuracy, Google Location History, and Google Location Sharing.

Step 6 – Avoid Google Chrome Browser

Google Chrome is a web browser app and is outside Google Android system settings. It and the Google Search engine are data harvesters by default. Chrome primarily needs location to give you localised results, and I set it to Ask Every time and turn off precise location. It is a pain, but it stops tracking. Remove any other permissions.

The best Android browser is Firefox with DuckDuckGo search, as it does not report to Google. But if you must use Chrome, here are a few tips.

Open the browser, and you will see three vertical dots on the top right. Tap this, go to Settings, and make sure Sync across all devices is off.

I won’t go through all settings, but you should. For example, do you want Chrome to autofill payment methods if you use Google Pay? I don’t. Do you need it to save addresses – no.

The biggie is the Privacy and Security heading.

  • Safe Browsing: On
  • Always use secure HTTPS connection: On
  • Access Payment methods: Off
  • Preload pages: Off
  • Use secure DNS: Automatic
  • Do not track: On
  • Privacy Sandbox (may be device-specific): On

At the bottom, click the Link to Google Services:

  • Allow Chrome Sign-in: Off
  • Autocomplete searches and URLs: Off
  • Help Improve Chrome: Off
  • Make searches and browsing better: Off
  • Google Assistant in Chrome: Off
  • Touch to search: Off

Under Site settings

  • Cookies: Change to Block Third-party cookies (this may stop some sites loading, so you may have to back off a step).
  • Camera and Microphone (ask first)
  • Pop-Ups: Block
  • Ads: Block

Step 7 – Google itself

Go to a PC or Mac and log in to https://myactivity.google.com/ with your Gmail name and password.

This can be a minefield if you are using Google Assistant, so be careful and note what you do if you need to undo it.

First, go to Google Account, Home and take the Privacy and Personalisation and Security recommendations test. At a minimum, make sure 2-step verification is enabled.

  • Web and App activity: you need this on, but you can turn various apps off. In particular, disable Chrome History and Audio recordings.
  • You can turn off most apps
  • In Other Google Activity, you can view and delete app activity

General tips to stop smartphone snooping

  • If an app asks for your birthday – lie and take off ten years (unless it is a government app).
  • Set up a junk Google Gmail account for all web activity and use it instead of your personal Gmail or Outlook account
  • Use a Pseudonym for the email address and your name so if someone emails [email protected], you know it is not a personal email.
  • Use an avatar instead of your picture (stops face ID rip-off)
  • Don’t give any more information than necessary
  • Use Google apps over the phone-provided alternative apps with questionable privacy policies. Having said that, MS Outlook, Office and Firefox are more secure.
  • Never set up family or friends’ groups (unless you need it)
  • Never store passwords or personal information in Google contacts as apps like Facebook suck them up. Use the cloud-based Outlook contacts if you must.
  • Never use your Facebook or any social media account to log in to any app. Use your junk email instead.
  • Get a junk credit card for all online transactions with a low spend limit that you can afford to lose.
  • Keep Android versions and security patches up to date. Don’t use Android 9 or older.
  • Turn off Location, Wi-Fi, NFC and Bluetooth until needed. These are all in your drop-down menu.
  • Use a recognised paid (not free) anti-virus and malware solution

CyberShack view – smartphone snooping is real and can be reduced

First, let me say that while I trust Google not to sell my data, I know it uses it to serve relevant advertisements which I block anyway. I tolerate that because I want an OK Google experience. I don’t trust the so-called ‘helpful’ defaults that Google assumes you want. Most of this article on smartphone snooping is about turning these off.

I don’t trust WeChat, TikTok, Zoom or Fakebook, WhatsUp, or Instantgratificationagram – a.k.a. Zuckerberg’s revenge on humanity. #Delete Facebook.

I don’t trust any social media or Twitter, and if forced to use them, only give the absolute rubbish details that cannot identify you or your friends. Securing Facebook is an even longer article.

And in particular, I don’t trust any app. Try to read the privacy policy and ensure it has just enough permission to do the job.

Finally, there is no such thing as a secure phone, conversation or text as the FBI/AFP Anom phone scam proved. There are things like VPNs and encrypted Voice over IP apps, but for the most part, law enforcement has backdoors to these too.

A little care goes a long way.
