How the AC editors do phone security

Keeping your personal data secure is important. That's your stuff, and most of us don't want anyone else peeking at the things we'd rather keep private or semi-private. I treat my personal data the same way I treat my underwear — I don't care that you know I'm wearing a pair, but I'd rather not have you digging through my top dresser drawer even though you'll only find boring solid-color boxers. You don't have to have anything fancy or embarrassing in your top drawer to want to keep people out of it, it's still something you're not ready to share.

As phones do more and hold more personal info, keeping them secure matters.

As phones do more, and we depend on them to manage our lives more, keeping them secure matters. Things like pictures, banking information, website login details and your daily activities are all in your phone and you would be surprised at how many people would like to take a look at it. We're not afraid to ask what Google or Microsoft or Facebook is doing with all the information they have on us — so being concerned about what happens when someone can get the same data from your phone is equally important. You — and only you — should decide who gets to see what color your undies are.

All of us here at Android Central have previously mentioned the different things we do to keep personal things from turning into public things, but usually only in passing. Today, we're going to focus on that a little more closely.

Phil Nickinson

Phil on security

The first rule about Fight Club is you do not talk about Fight Club. That's also the general rule (and the second rule) about security. Don't tell folks exactly how you do things.

Trading a little security for simplicity.

So here's how I do things. It starts with the password. (It probably should start with the username itself, now that I think about it.) I use one of the password management services to not just keep track of my passwords, but to make them, as well. I don't even know what most of my passwords are. They're strong passwords, full of random letters and numbers and characters and symbols. The down side is that I have to have a single password to get into that password manager. But you trade security for simplicity, and that's the compromise I've made for making sure my passwords aren't all 123456.
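The paragraph above describes letting a password manager generate long random passwords. As an added illustration (not code from the article or from any password manager named on the page), the block below shows how such a generator is built from the operating system's cryptographic random source, and how to estimate the strength of a password drawn that way. The alphabet size and lengths are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character set a typical generator draws from: letters, digits and symbols.
# 26 + 26 + 10 + 32 = 94 characters (assumption: the manager uses a similar set).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character independently and uniformly from `alphabet`.

    `secrets.choice` uses the OS CSPRNG and is unbiased across the alphabet,
    unlike `random.choice`, which is seeded from predictable state.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` uniformly random symbols.

    Each symbol contributes log2(alphabet_size) bits, so a generator that
    draws uniformly gives length * log2(alphabet_size) bits in total.
    """
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses an attacker needs: half the keyspace."""
    return 2 ** (bits - 1)


def is_well_formed(password: str, alphabet: str = FULL_ALPHABET) -> bool:
    """Sanity check that a generated password only uses the chosen alphabet."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}")
    # A 6-digit PIN-style password ("123456" style) versus a 20-char generated one.
    for label, length, size in (("6 digits", 6, 10), ("20 chars, 94-symbol set", 20, 94)):
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.1f} bits, ~{expected_guesses(bits):.3g} guesses on average")
```

The point of `entropy_bits` is that a manager-generated 20-character password from a 94-symbol set carries roughly 131 bits of entropy, while a six-digit numeric code carries under 20; the only secret that still has to be remembered is the one unlocking the manager itself, which is the trade-off the paragraph describes.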

I also use two-factor authentication on just about every service I use — I use Authy to handle all that across multiple phones. But there are still several layers of security therein, even when it's available on multiple devices at once. Again, that's the trade-off I made.

I don't use Authy for everything. I use different methods for other services — generally just because I never switched them over. And that's OK. 2FA is 2FA. And it's one of the most important things you can do.

On my phone itself, I use a long password or PIN code or pattern. And I use fingerprints for simplicity — and they've meant that none of my devices goes without a lockscreen anymore. And, for that matter, you have to know the code to decrypt the device on boot.

Layers and layers of security, folks. It takes a little more thought, but not a lot of effort. And it's a must.

Alex Dobie

Alex on security

I've used two-factor authentication on my Google accounts and other mission-critical stuff (Dropbox, VPNs, and so on) for the past few years. In that time it's gotten a lot easier to use 2FA, in particular with Google accounts on Android and iOS. (Gone are the days when you'd need to create a rat's nest of app-specific passwords for Mail, Calendar, and so on.) Many of the pain points have disappeared — aside from the requirement of having to open the app on your phone, of course.

Really good fingerprint scanners mean there's no excuse to not lock things up.

As for device security, I've used a bunch of different phones — both with and without fingerprint scanners — over the past year. In the pre-fingerprint days, Smart Lock was my weapon of choice, tying my lock screen security to whichever smartwatch I happened to be using at the time. But with newer devices featuring really good, fast fingerprint scanners — like the LG G5, Galaxy S7 and HTC 10 — there's basically no excuse to not set a lock screen PIN or pattern of some sort. It also makes it easier to use a relatively complex pattern or PIN (as I do), as the times you actually need to input it are fewer and further between.

That's besides all the stuff Android now does as standard, like allowing the Android Device Manager to remotely wipe and lock by default. Which amounts to a lot of extra stuff I just don't have to think about now.

And finally, with Marshmallow and the full-disk encryption requirement for new Android phones, it's less burdensome to require a PIN or pattern to start your phone, which is a great protection against theft. (Oftentimes the first thing a thief will do is shut down a phone and yank the SIM.)

Overall I'm not hyper-paranoid about security, but I like to think I've got the essentials covered pretty well.

Andrew Martonik

Andrew on security

I've always been diligent about keeping at least a pattern lock screen on my phones, but with the proliferation of great fingerprint sensors on newer phones we have no excuse not to secure them. The fingerprint sensors are secure and convenient, and having one means I'm not tempted to use a long screen timeout setting or other features like Smart Lock that could potentially open up my phone to unwanted eyes. Having my fingerprints registered also opens up possibilities for quickly unlocking secure areas of apps, which is an added convenience.

When it comes to online accounts — either on my phone or a computer — I keep everything safe inside the Enpass app. The app is also locked up behind fingerprint authentication, and keeps everything encrypted locally before syncing across my devices. Not only do I keep regular usernames and passwords in here, but also other sensitive information like credit card numbers. Having this app do it all means I'm never tempted to have important data in unsecured places.

The final part is enabling two-factor authentication for every possible service that offers it. Rather than go insane with different authentication methods for each service, I keep all of my codes locked up in the Authy app, which keeps me sane by syncing the codes across my phones as I switch. It may not be as convenient as just typing in a username and password to log in somewhere online, but knowing that nobody can get into your account without the two-factor code relieves a lot of stress about my online security.

Russell Holly

Security on your phone is incredibly important. It keeps other people from joke-posting a picture of a cat that looks kinda like your cat in a microwave to your Facebook on your behalf, which of course leads to a 20 minute phone call with relatives about how that photo made it to your wall.

We're getting off topic.

What I do on the phone is fairly simple. Six-digit pin to encrypt the phone, so you can't start the phone without using that code. Pattern lock or fingerprint to unlock on a day-to-day basis. It's simple, mostly stays out of the way, and Android Device Manager lets me remotely wipe the phone if I "lose" it.

Off the phone, I use two-factor authentication for anything and everything that supports the feature. Google's 2FA works well for Google stuff, and I use Authy for everything that doesn't require a dedicated app or SMS because I like the way the app looks.

It doesn't matter if your life is an open book and you really don't want to be inconvenienced by a password when trying to check Twitter, shut up and do it anyway. When your phone is compromised — yeah, when — you introduce every person you talk to on that phone to the person or software that will attempt to target them next. Secure your phone.

Daniel Bader

Dan on security

These days, there is no excuse for poor security. I believe in two things: setting up a strong six-digit passcode, and ensuring that it is required to start my phone. That way, should my device fall into the wrong hands, there is a very small chance its contents will be accessible to a would-be hacker. Moreover, using Android Device Manager ensures that I can remotely locate or wipe my phone in a worst-case scenario.

1Password Family keeps our shared logins in sync.

Once inside the operating system, I use the excellent 1Password, which recently went through a Material Design overhaul, to keep safe all my login information. While I used to synchronize my personal 1Password account through Dropbox, I now use the impressive and secure 1Password Family feature with my wife to keep our shared logins in sync. While 1Password Teams is accessible through a web portal, each login requires a unique access code that the company generates upon account creation, and is only stored locally; should you lose the code, you lose access to the account. That, along with a strong password, reassures me that my information is safe.

Of course, I do use a fingerprint on devices that support it, which is an increasing number even at entry level price points, but I understand that I am sacrificing some level of security for the convenience of it. Still, if it gets more people to enable six-digit passcodes as a result, I am all for it.

Jerry Hildenbrand

Jerry on security

For starters, I want to say my way isn't necessarily the right way. You need to decide what things you can do that work best for you. A fingerprint scanner or password manager that stores a database online isn't the most secure thing in the world, but both are immeasurably better than a security routine that you won't bother using. It's just too easy to keep your stuff pretty damn secure to not do it.

If it's not running the latest version of Android, I'm going to pass on it.

I start with the phone software itself. If it's not updated with the latest security patch and running the latest version of Android (or has secondary security measures in place like Samsung or BlackBerry) I'm going to pass on it, because there are other great choices that are up to date where it counts. Seeing Samsung push patches so quickly to the Galaxy S7 since it was released makes me incredibly happy. Sure, it's only been two months, but so far they are batting a thousand. Hopefully the next Note is the same way. Then they can work on pushing out those timely updates to the rest of their models ...

I encrypt my phones, and make sure a password is required to decrypt and start them. I also encrypt my SD card if the phone has a slot for one, which means I'm diligent about keeping everything backed up in case I break a phone. I get that some people want the small performance gain that comes with disabling encryption, but I'm not one of them. If you are, that's OK, just be careful in other ways. You don't want someone like me finding your unencrypted phone at the park or Red Robin, right?

I keep my phone lock screen password protected, and I don't use my fingerprints to make unlocking easier. Yes, this can be a pain in the ass, and I have no good reason for it other than a tinge of paranoia. My fingerprints are my identity, not my password — something that never changes. I certainly hope nobody ever finds a way to break in and figure out how to "fake" a fingerprint-generated secure token, but if they do I can't change it. So far, it looks pretty damn secure and my reasoning is unfounded. Fingerprint security on Android is awesome, because it looks to be pretty secure and so easy that everyone will use it. Pay no mind to me unless you think the same way about it, and use that finger.

I also use a password manager for things like website logins, insurance information and banking details. I prefer mSecure because it allows me to sync with a computer on my local network to keep the database updated. (A directory on my little closet server mounted as a remote share on my desktop and laptop, if you're interested.) I trust companies like 1Password or LastPass to keep my cloud database records safe, but I just trust myself a little more. You should use the password manager you trust and find easy to use — that means you'll use one, and that's the important part.

I just switched to Authy for two-factor authentication token management. So far I like it, as much as one can actually like an app that only exists to serve 2FA tokens. Using 2FA is another of those things everyone needs to enable, because you don't have to be a movie star or millionaire to get your accounts hacked.

Your way?

None of us claim to be security experts or that our lives are unhackable. We just make a conscious effort to keep it as secure as we can.

We're always ready to hear your ideas about the things you do, and we'll not be shy about copying the good ones. Drop a comment and let everyone know how you do it so we can all learn a thing or two.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

58 Comments
  • My devices all use a 4 digit pin to lock the screen. I don't have a device with fingerprint scanner so I don't have that luxury but the pin is no biggey. Posted with the Nexus 6, Nexus 5, or Surface Pro 3
  • Fingerprint sensor + 6-digit PIN on my iPad Pro 12.9, 6-digit PIN on the LG G4, 2FA on my accounts which support it. On my next device, definitely the finger scanner plus a backup password.
  • Don't use a screen lock on any of my devices except my laptop. They're always in my hand so there's no point for me. AT&T Galaxy Note 4
  • While the phone may always be in your sight, there may be a chance the phone will be left somewhere, i.e. a store counter.
  • Lots of pickpockets still steal phones. Posted via the Android Central App
  • +100000000000000 Posted via the Android Central App
  • I need something better. I use LastPass on desktop and hate it. You've convinced me to try Enpass!
  • I'm using enpass and love it! Posted via the Android Central App
  • I'm rather fond of Lastpass.
  • Roboform. Brilliant on desktop. OK on Android and windows phone.
  • Pattern only. Now I feel like a victim lol Posted via the Android Central App
  • I love the security articles lately. You can't talk enough about how to secure our most important information. I think Jerry is paranoid and I like it that way. Lol. His kind of thinking might seem a bit extreme but doing half of what he does will make you so much safer. I love hearing about the latest and greatest in security from him. Posted via the Android Central App
  • I know this is an old saying but, better to be safe than sorry. I feel 100% confident that if my phone or computer is stolen, I have little to worry about in having my data accessed "easily". They are going to have to work at it and be damn good at doing it to get anything. I use BitLocker on my PC which requires a USB drive with a special key to even start my PC or access my encrypted drives. I use hidden drives that are backed up automatically while encrypted. Then, anything delicate, is encrypted again with TrueCrypt. I use encryption on phones and also use Enpass on my phones and PC to store anything delicate and passwords. So again double encrypting. I use password generators for any password. I use 45 character random passwords I change once a month on financial logins or personal data type websites etc. I locked down my internet router and all open ports and don't broadcast my SSID. I had identity theft once to the tune of 100K+, so I learned the hard way. Never again. And I wasn't careless to begin with. All this sounds complicated, but really, I think I have less than $100 invested into doing all of it with Apps and Drives, USB etc. Everything is automatically backed up daily, so really just changing the passwords and keeping back up keys locked up are the only chores once it is setup.
  • If I have a good pattern lock and fingerprint lock, is there really much point to require a separate PIN on startup as well? Posted via the Android Central App
  • If you use fingerprints I'd upgrade to a PIN or password... but yes, the point of the boot PIN is without it your phone is encrypted. If it's at the lock screen your phone is decrypted. It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • Oh! So if my phone is encrypted but I don't have a password on startup, then I'm kind of defeating the purpose of having it encrypted in the first place. Posted via the Android Central App
  • Well, if your device doesn't ask to be unlocked when it boots, I very much doubt it's encrypted. As you say, without a password there would be very little point. Plus encryption actually needs a key to compare... It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • You can have the phone encrypted but not require the boot PIN (my Nexus 6P was like that, as is my current Galaxy S7). I did have to use my pattern or whatever the first time I unlocked the phone though - fingerprint wouldn't work. I did go and enable Secure Startup now though, so it asks for my PIN before it fully boots up. Yes, I changed it to a good PIN too. Posted via the Android Central App
  • I use Dashlane and Authy for passwords and two-factor, lock screen has a 10 digit PIN and fingerprint (I actually agree with Jerry that fingerprints are maybe not the best idea, but I'm a slave to convenience)... all made potentially useless by my unlocked bootloader lol. It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • I'm surprised no one mentioned setting the phone to self-destruct after x number of wrong password attempts. If you have that option, then set it for say 10 tries. Also a short lock time of say 2 minutes or even less. With a fingerprint reader this is sufficient without being too annoying. I do all the things mentioned above and also use Cerberus as well as Android Device Manager. Cerberus has the advantage of recording audio, video or pictures and all kinds of connection info remotely should the device be stolen. You can also set it so you can't power down the device if it is locked. Sure you can remove the SIM to kill the cellular, but since I'm on Project fi, I would hope a thief at some point passes a Google approved WiFi and it automatically connects and sends me your location and photo so I can contact the police. ;-)
  • That is an excellent idea, which I do.
  • Just beware if kids play with your phone and they try unlocking your phone a number of times... SiDi™
  • This Posted via the Android Central App
  • I never let my kids play with my phone when they were little. I'd never hand an $800 piece of glass and electronics to a kid to play with. I cringe when I see kids holding mom's expensive cell phone hanging over the edge of a grocery cart.
  • I'm with you on that one! Kids and phones are a bad combo. Check out the forums from all the ppl who got locked out of their phones by kids. I don't have much sympathy, it's not that hard to say no and keep the expensive piece of kit away from small sticky hands.
  • Rewired my G4. If you don't enter the correct password in 30 seconds, the phone explodes and blows your hand off.
  • Do you have children lol. It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • ..........dammit. Back to the drawing board :)
  • I read the article with interest.
    I have a question. Why use Authy, as opposed to going to my accounts and enabling 2fa? Joe
    Verizon s6, marshmallow
  • After you've gone to your account and enabled two factor authentication, Authy is where you go to get a key when you log in. It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • It still doesn't make sense to me, I feel like Mr. Dense.
    I have 2fa enabled on my Google account.
    When I log in, a text message is sent to my phone with the code, which I enter. I still don't understand where
    Authy comes in. What does it do exactly? Joe
    Verizon s6, marshmallow
  • It works the same way, except the code is generated by the app instead of being reliant on a text message. This means you can still log in if you don't have a mobile connection, and it can't be lost or intercepted en route. It also means you can have more than one device with access, and someone can't gain access simply by putting your SIM into a different phone. It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • I think I have it now. Thank you. Joe
    Verizon s6, marshmallow
  • 10 digit password - rarely used , since I have Trusted Devices connected most of the time (Pebble, Car BT) and if they get disconnected I use the NFC chips (moto skip stickers) to unlock Moto XPE/VZW Moto X DE/N7
  • Authy / 2FA, Lastpass, lock screen pattern and Cerberus for me Posted via the Android Central App
  • Pin code for me, with Smartlock locking down the phone when I leave home or exit the car. If I'm going to be someplace of concern, I'll dig out my HTC Fetch and pair it up for amusement parks and such. Passwords always contain mixed upper and lower case with numbers and special characters, and I use a password manager which gets synced between our two phones so my wife does not have to call me and ask, and I don't have to tell her a password verbally or send it in a text message. Posted via the Android Central App
  • I use fingerprint scanner and a backup password. I also have 2FA enabled and use Authy for that. Posted via the Android Central App
  • I'm totally w Jerry on fingerprints - why take chance w something I can't ever really change Moto XPE/VZW Moto X DE/N7
  • I'll be honest and admit that until a week ago my only security was a fingerprint lock (and I just started using that in October when I got my Note 5; on my phone before, I never even used a lockscreen) and passwords on my desktop.
    I had 3 or 4 passwords that I used in groups, one for banking, one for social media, one for almost everything else kind of deal. Pretty much the worst security; the only way it could have been worse is if I kept them in a text document named passwords.txt on my desktop or on a sticky note. The podcast last week and the fact that my debit card info was stolen the week before finally made me rethink that strategy. (Not that I think my debit card was stolen electronically per se.)
    I've started using Lastpass with 2FA and have changed all of my important passwords to a strong generated password.
    I will get around to all my accounts eventually but it's a process so I started with the most important.
    I reviewed a number of password managers and lastpass seemed to be the one I was most likely to use consistently. Thanks AC for the security focused talks and articles.
  • Fingerprint sensor is not secure as long as an unscrupulous judge and law enforcement can force you to unlock a device secured with a fingerprint. Once the fingerprint is given the same status as a password, then maybe using a fingerprint is an option. Posted via the Android Central App
  • 8-digit pin on the lock screen, will probably do fingerprint with my next phone. 2FA for accounts that support it. On the computer (chrome browser) using a fido usb u2f token, with sms codes for accounts that don't support fido or when accessing via mobile. Then when I got to Amazon, Amazon didn't support SMS so I had to use Google Authenticator (or Authy) so I may switch the SMS stuff to GA. KeePassDroid for password management/generation, synced to other devices. There are KeePass variants for windows/linux/mac and other platforms. OpenKeyChain to manage GPG crypto keys. Currently have to sync my keychain manually to other device. At some point will get a sigilance NFC token to further secure OpenKeyChain. Set up github account for 2FA and to sign my check-ins with my PGP key. Secure email client on android and Mailvelope plugin in chrome on PC to encrypt gmail/yahoo mail/etc. in the browser before sending should I feel the need to. Fido alliance (Google is a member and fido key is supported in Chrome desktop only) https://fidoalliance.org/ fido usb key I use: http://www.amazon.com/dp/B00OGPO3ZS/ref=wl_it_dp_o_pC_nS_ttl?tag=hawk-fu... Sigilance nfc/smart card info: https://www.sigilance.com/
  • I just use a password for now.
  • One critical feature missing in Android is a PIN scramble pad. Scramble pad means the order of numbers is changed each time you use it so as to prevent a smudge attack or over-the-shoulder spying to get your pin. Why Google refuses to implement a scramble pad when their own buildings use a scramble pad is beyond me.
  • What are everyone's thoughts on Dashlane as a password manager? I picked them earlier this year but was also considering Enpass. Previously, I was using Lastpass but switched after the LogMeIn acquisition. I've been happy with Dashlane but also believe they store vaults online? Posted via the Android Central App
  • I've actually liked lastpass more since they were acquired. Posted via the Android Central App
  • I often worry that using a generated password would be easier to crack since it uses an algorithm to create it as opposed to the endless randomness that is the human mind and just using passwords that are a combo of absurd compound words and 1337 speak. Posted via the Android Central App
  • I use an 8 digit pin on my tablet and phone. My Chromebook and my desktop have passwords, but my Chromebook also has the smart lock feature. So essentially I just use my phone's fingerprint sensor to unlock my Chromebook. My Nexus 5X and Shield Tablet K1 require that 8 digit pin to boot up also. I built my desktop computer, and I decided to spend the extra $15 on a TPM. That allows me to use Bitlocker to encrypt the C drive. My other 2 SSDs and the large spinning disk are all encrypted too. I use 2FA on all my accounts that have the capability, and I use Authy to manage those. Every account has a long, unique password containing letters, numbers, and symbols. I've been happily using Lastpass for years to manage all those passwords. Lastpass also manages my banking information, my identifiable information, and many other things I need to keep secure. I love that I can use my fingerprint to unlock Lastpass on my phone, and I'm hoping that Authy gains this feature soon. Pretty much every app that supports its own lock pin I keep locked, and the ones that support fingerprint unlocking I also have enabled. The biggest, most important phone security habit I practice is not installing any third party APK files. I only get my apps from the play store. This doesn't guarantee not getting malware, but it significantly minimises the risk. Posted via the Android Central app on my Nexus 5X with Project Fi
  • Knock Code!
  • @Andrew TOTP was a welcomed addition to Enpass. Now you can dispense with a separate app like Authy.
  • Most of the time I have no security because I am pretty good at keeping up with my phone. However, I just recently started using a pattern along with the smart lock to keep it unlocked at my house (hate the inconvenience of having to put one in). I am wanting a phone with a fingerprint scanner though and that would be my default. Droid Maxx 2
    Nexus 7 2013
  • I have my N6 encrypted but it doesn't ask me for a password at boot. Yes, I have a passlock set for my phone.
  • Meh... I don't do anything. My banking is all password protected and I work in the industry so I know exactly how to go about getting any of my funds back in short order. When I have a fingerprint reader I use it, especially because my online banking app supports it, but my nexus 6 doesn't have one and I feel perfectly fine rocking one without. I know the editors all disagree but it is my device, my life, and my choice. Everyone should weigh their own risks against their own plan of action.
  • How do you change the PIN once you've set it up initially? I have a 4 digit PIN, but think I should change it to a 6 digit one.
  • Seems to me the first step is to make sure your phone gets timely security updates. That means you get either a Nexus or an iPhone. If you are using something else you have already compromised your security.
  • I would love to see a step by step instruction guide as to how Authy is initiated and how it works. Posted via the Android Central App
  • Step 1) Install from Google Play.
    Step 2) Open app.
    Step 3) Follow onscreen instructions. It works like every other TOTP app with the addition of syncing so you can use 2FA from your PC, for example.
  • I have 2FA enabled on every account that supports it. I also use KeePass2Android on my S5 & K1 and KeePass on my Windows 10 PCs, all synced via BitTorrent Sync so my passwords are never even in the cloud.
  • Don't talk to me about security. I am so fed up with this password business. I have an iMac and it is constantly asking for passwords for everything. Even though I live in London, I don't think the wi-fi signal is very good and I wonder if, when typing in a password and the signal goes off, it causes the program to tell you that you have tried to put in the code too many times and it is locked? I have just bought a TFL android phone and found that it had loads of apps. Happily started deleting them, think I may have gone too far, because now all I have is a phone with a 'transparent' phone keyboard - i.e. a number with 3 letters underneath, asking for a pin that I don't remember setting - how do you use the letters? It will do nothing else until it gets its phantasmagorical pin number. The online manual is in back to front English and doesn't cover the problem anyway. Or do you get what you pay for and the phone is useless?