Google and the company that made your phone are tasked with keeping your information secure, but so are you. Doing your part is easy enough; be diligent about the things you download and install, and make sure you have a secured lock screen with a strong backup password or PIN.
Google and the company that made your phone don't have it nearly as easy. They both need to make sure bugs and vulnerabilities are found, fixed, and the relevant software updates filter out so you can install them.
How this is handled might be worth thinking about when you decide which Android phone is best for you.
Security: Doing your part
There are three things you can do to make sure your phone is as secure as it can be. Thankfully, none of them are hard to do!
Start with your Google account. You need one to use all of the Google services that come with your phone, like the Play Store or Google Photos. Make sure that your password is strong (if you're not sure, you can change it here and Google will help you pick a good one) and that you have two-factor authentication (2FA) enabled. 2FA seems inconvenient but it's really not, and once it's set up, you'll barely notice you're using it.
The next step is making sure you use a lock screen on your phone. Setting one up is easy enough, even if you skipped through it during the initial setup of your phone. You'll find everything you need in the settings app. Make sure you pick a password or PIN that nobody can guess easily. You can also enable biometrics like a fingerprint sensor to make unlocking your phone even easier.
Finally, be careful and read before you tap those "yes" buttons. Websites can get your phone to automatically download things, but they can never automatically install anything without your consent. Make sure you trust everything you install and you should be fine.
Security: Google's part
Android is a giant open-source software project, but it is tended to by Google. That doesn't mean that Google writes all the software in-house; only that it's their job to incorporate everything together in a way that works well, and is secure enough to use on billions of phones around the world.
Security starts with every release of Android, and features that make our phones safer are built into each new version. Android, as written with no modifications or user changes, is one of the most secure operating systems available to consumers. The thing is that oftentimes nobody wants to use Android as written, so changes have to be made very carefully.
There are a lot of smart people who want to find a way to bypass all the security features in Android, and new ways to defeat them are being found all the time. This is true for every piece of software — flaws and bugs are inevitable. This is why security patches are very important. Google needs to address bugs and exploits and then implement fixes that don't break something else. Once done, these fixes need to be sent to companies that make phones because they are the ones who build and tailor Android for each device.
Security: Phone makers
The company that made your phone has the most difficult task when it comes to keeping it secure. Google doesn't make Android for all the phones that use it; it allows and encourages phone manufacturers to customize Android to meet the needs of their customers. Google does this by providing the Android source code for free to everyone — including companies like Samsung or Motorola.
With this source code in hand, a phone maker will usually change much of it before they start clicking buttons that build the Android operating system that each company uses. When you hear something like One UI, what that means is a distinct version of Android built by Samsung for their phones and tablets. This system puts much of the support — including keeping things secure — on manufacturers.
A phone maker needs to take the code for each version of Android and incorporate their changes and improvements without affecting the baseline security Android itself offers. Then they have the difficult task of adding their own services while making those are also secure. Finally, some companies even add extra security features to Android, like Samsung Knox.
When flaws and exploits are found and merged into the Android base, the phone maker has to do the hard work of adding those changes into their version of Android, then work with carrier partners and try to get them sent out to everyone. This is the really hard part. In a software project as big as Android, even the smallest change can have a ripple effect and break something else. Phone makers have to do the coding work, then take the time to rigorously test everything before any changes get sent out to users.
It takes a village
To make sure an Android phone is secure and stays secure, all of these things need to work together. The hard work done by Google or Samsung (for example) means little if you leave your phone unlocked all the time, or if you install any random download from the internet. Conversely, your diligence doesn't mean you're protected if you don't have secure software to start with.
Thankfully, Android has matured, and most of the time these three things work as intended. You probably will never have your phone "hacked" as long as you do your part.
Get the Android Central Newsletter
Instant access to breaking news, the hottest reviews, great deals and helpful tips.