Smartphones are horrible for security and privacy. They constantly broadcast your location (to all cell towers,
not just those of your provider); they constantly look for known Wi-Fi networks;
the cell-service provider knows your location, calls and messages; they come pre-loaded with apps you can't remove; all
apps have a lot of access to your data; some apps have terrible security; etc.
Of course, do the basics right: have a PIN or password on your phone,
turn on encryption, write your email address
on the outside so it can be returned if lost, do backups,
use a case to protect it if dropped, record serial numbers and model number
so you can report them in case of theft or loss.
Have a PIN or password on your carrier's Support account for your SIM/number/account,
so any change to your SIM or number or account requires a password,
even if you're calling Support on the phone.
Carry your phone as little as possible. Leave it at home when you can.
Keep your phone turned off as much as possible.
If your phone is turned on, keep it in a Faraday bag as much as possible. That way you can pull it out when you need it
and it will be ready to use right away.
Keep the phone's camera pointed at something uninteresting
when you're not using the phone. Or put a piece of tape over the lens.
If you need to plug the USB cable into a USB charging station (such as in an airport),
use a data-only USB cable or a "data blocker" USB connector. Better yet, plug into AC instead
using your AC adapter.
Any time your Android phone pops up a Google dialog saying "hey, time to set
a payment method you can use in apps!", choose Skip instead of PayPal or any other choice.
Don't reply to SMS messages or return calls from unknown numbers. They could
be premium-charge services.
One of the worst things about smartphones is that usually you're forced to
log in to a cloud service associated with the phone, such
as Android's Google Services or iPhone's AppleID. And on Android the manufacturer (e.g. Samsung)
may encourage you to log in to their cloud service too. That's a recipe for having unknown ties
between phone and service, including automatic backups or sharing, telemetry, etc.
Try to avoid logging in if you can. You would lose some nice features, mainly backup/restore, and easy migration
of data to a new phone.
Each time you change to a new phone or phone number for some reason
is an opportunity to create a new Apple or Google account,
separate from past accounts you used. Unless you need to bring across lots of info
from iCloud or Google's cloud, keep new separate from old.
Use as few apps as possible; each additional app installed means a greater chance
of getting a malicious app or a security hole. Use browser access to web pages
as a safer alternative to apps.
ClassyShark3xodus (app to scan other apps for trackers)
Exodus Privacy (check apps for trackers)
[Exodus Privacy has better UI, but ClassyShark3xodus tests 2x or 3x as many apps; use both.]
Many apps harvest data from your Contacts list. Maybe keep only essential contacts in there, not everybody.
And for those contacts, keep only essential data (name and phone number) in there. Maybe
even abbreviate the names a bit.
Keep as little data as possible on your phone and in the backups stored in the phone's cloud account.
I sweep pictures from my phone to my laptop via USB cable within hours of taking the photos.
Don't save a lot of downloaded documents and cached data on your phone.
Check to see if apps such as WhatsApp are doing backups (thus retaining deleted photos).
Go through the permission settings for every app.
Try to set app permissions to the smallest set possible.
The default settings are chosen to benefit the app company, not you.
Some apps demand a huge list of permissions, to everything in your phone. Maybe don't install those apps;
choose other apps that take fewer permissions, or
access the services through a browser instead. For example,
use m.facebook.com or mbasic.facebook.com through a browser instead of the Facebook app (or, as some people
suggest, use the apps Tinfoil for Facebook or FaceSlim).
Review the permissions given to each app, in Settings / Apps.
But expect some tweaking; I found my Camera app refuses to run unless given permissions
for recording audio and making phone calls.
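To supplement the review in Settings / Apps, the following added example (not part of the original page) parses the text printed by `adb shell dumpsys package` and reports apps holding sensitive runtime permissions beyond what you expect of them. The sample text and package names are constructed, and the dumpsys layout shown is an assumption that varies between Android versions.

```python
import re

P = "android.permission."  # capabilities below are the ones the page singles out
SENSITIVE = {P + "READ_CONTACTS": "contacts", P + "RECORD_AUDIO": "microphone",
             P + "CALL_PHONE": "phone calls", P + "CAMERA": "camera"}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_runtime_permissions(dumpsys_text):
    """Map package name -> set of runtime permissions with granted=true."""
    result, pkg, in_runtime = {}, None, False
    for line in dumpsys_text.splitlines():
        pkg_match, perm_match = PKG_RE.match(line), PERM_RE.match(line)
        if pkg_match:
            pkg, in_runtime = pkg_match.group(1), False
            result.setdefault(pkg, set())
        elif line.strip() == "runtime permissions:":
            in_runtime = True
        elif perm_match and in_runtime and pkg:
            if perm_match.group(2) == "true":
                result[pkg].add(perm_match.group(1))
        elif line.strip():
            in_runtime = False  # any other non-blank line ends the section
    return result

def audit(dumpsys_text, expected=None):
    """Return {package: sensitive capabilities granted beyond those expected}."""
    expected, findings = expected or {}, {}
    for pkg, perms in granted_runtime_permissions(dumpsys_text).items():
        caps = {SENSITIVE[p] for p in perms if p in SENSITIVE}
        extra = sorted(caps - set(expected.get(pkg, ())))
        if extra:
            findings[pkg] = extra
    return findings

# Constructed sample, trimmed to the layout assumed for `adb shell dumpsys package`.
SAMPLE = """\
  Package [com.example.camera] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CALL_PHONE: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""
```

To check a real phone, save the output of `adb shell dumpsys package` to a file and pass its contents to `audit`, listing for each app the capabilities you consider justified.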
VPN. I use Windscribe, and I've found that the open-source client app strongSwan works
better than the proprietary Windscribe app.
There are claims that some apps may listen to you through the phone's microphone, even
when you're not using the app. Major apps such as those from Facebook and Google don't do this; they've
been tested, and anyway those companies have much easier ways of learning all about us. (See the Rachel Sandler article.)
Older versions of Android give less control over app permissions. So upgrade the version (which may
require getting a new phone, or installing a new OS).
Backup on phone:
Make sure you know where the backup is going; I tried Titanium and it just backed up to
a different partition on the same phone, which is no help if the phone dies or gets reinstalled.
My experience with IDrive starting 3/2018:
Bought a lifetime mobile subscription for $20. It's limited to 5 mobile devices,
and you can't delete one and add another in its place. So it's "lifetime" of each phone,
not your lifetime. No limits on amount of data.
Started using it only on my partner's Android phone; my phone is almost empty.
Initial backup of 7 GB or more took 6 hours or more.
Contacts pulled from Google Contacts server and displayed with Google Contacts app.
Calendar pulled from Google Calendar server and displayed with Google Calendar app.
Privacy Scanner (AntiSpy) Free by lighthouse app.
GMail, K-9 Mail, ProtonMail apps.
Firefox browser, with DuckDuckGo home page, and add-ons: uBlock Origin, Privacy Badger, Smart HTTPS,
CanvasBlocker, Location Guard.
Mainly, I use my phone for WhatsApp to a couple of people, for photography while walking around, and occasionally while
in an airport or something. But now I'm using it to have full offline access to my emails and calendar and contacts too.
I need to get away from the Google apps and servers, but I'm not there yet.