How the AC editors do phone security
Keeping your personal data secure is important. That's your stuff, and most of us don't want anyone else peeking at the things we'd rather keep private or semi-private. I treat my personal data the same way I treat my underwear — I don't care that you know I'm wearing a pair, but I'd rather not have you digging through my top dresser drawer even though you'll only find boring solid-color boxers. You don't have to have anything fancy or embarrassing in your top drawer to want to keep people out of it, it's still something you're not ready to share.
As phones do more, and we depend on them to manage our lives more, keeping them secure matters. Things like pictures, banking information, website login details and your daily activities are all in your phone and you would be surprised at how many people would like to take a look at it. We're not afraid to ask what Google or Microsoft or Facebook is doing with all the information they have on us — so being concerned about what happens when someone can get the same data from your phone is equally important. You — and only you — should decide who gets to see what color your undies are.
All of us here at Android Central have previously mentioned the different things we do to keep personal things from turning into public things, but usually only in passing. Today, we're going to focus on that a little more closely.
Phil Nickinson
The first rule about Fight Club is you do not talk about Fight Club. That's also the general rule (and the second rule) about security. Don't tell folks exactly how you do things.
So here's how I do things. It starts with the password. (It probably should start with the username itself, now that I think about it.) I use one of the password management services to not just keep track of my passwords, but to make them, as well. I don't even know what most of my passwords are. They're strong passwords, full of random letters and numbers and characters and symbols. The down side is that I have to have a single password to get into that password manager. But you trade security for simplicity, and that's the compromise I've made for making sure my passwords aren't all 123456.
I also use two-factor authentication on just about every service I use — I use Authy to handle all that across multiple phones. But there are still several layers of security therein, even when it's available on multiple devices at once. Again, that's the trade-off I made.
I don't use Authy for everything. I use different methods for other services — generally just because I never switched them over. And that's OK. 2FA is 2FA. And it's one of the most important things you can do.
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
On my phone itself, I use a long password or PIN code or pattern. And I use fingerprints for simplicity — and they've meant that none of my devices goes without a lockscreen anymore. And, for that matter, you have to know the code to decrypt the device on boot.
Layers and layers of security, folks. It takes a little more thought, but not a lot of effort. And it's a must.
Alex Dobie
I've used two-factor authentication on my Google accounts and other mission-critical stuff (Dropbox, VPNs, and so on) for the past few years. In that time it's gotten a lot easier to use 2FA, in particular with Google accounts on Android and iOS. (Gone are the days when you'd need to create a rat's nest of app-specific passports for Mail, Calendar, and so on.) Many of the pain points have disappeared — aside from the requirement of having to open the app on your phone, of course.
As for device security, I've used a bunch of different phones — both with and without fingerprint scanners — over the past year. In the pre-fingerprint days, Smart Lock was my weapon of choice, tying my lock screen security to whichever smartwatch I happened to be using at the time. But with newer devices featuring really good, fast fingerprint scanners — like the LG G5, Galaxy S7 and HTC 10 — there's basically no excuse to not set a lock screen PIN or pattern of some sort. It also makes it easier to use a relatively complex pattern or PIN (as I do), as the times you actually need to input it are fewer and further between.
That's besides all the stuff Android now does as standard, like allowing the Android Device Manager to remotely wipe and lock by default. Which amounts to a lot of extra stuff I just don't have to think about now.
And finally, with Marshmallow and the full-disk encryption requirement for new Android phones, it's less burdensome to require a PIN or pattern to start your phone, which is a great protection against theft. (Oftentimes the first thing a thief will do is shut down a phone and yank the SIM.)
Overall I'm not hyper-paranoid about security, but I like to think I've got the essentials covered pretty well.
Andrew Martonik
I've always been diligent about keeping at least a pattern lock screen on my phones, but with the proliferation of great fingerprint sensors on newer phones we have no excuse not to secure them. The fingerprint sensors are secure and convenient, and having one means I'm not tempted to use a long screen timeout setting or other features like Smart Lock that could potentially open up my phone to unwanted eyes. Having my fingerprints registered also open up possibilities for quickly unlocking secure areas of apps, which is an added convenience.
When it comes to online accounts — either on my phone or a computer — I keep everything safe inside the Enpass app. The app is also locked up behind fingerprint authentication, and keeps everything encrypted locally before syncing across my devices. Not only do I keep regular usernames and passwords in here, but also other sensitive information like credit card numbers. Having this app do it all means I'm never tempted to have important data in unsecured places.
The final part is enabling two-factor authentication for every possible service that offers it. Rather than go insane with different authentication methods for each service, I keep all of my codes locked up in the Authy app, which keeps me sane by syncing the codes across my phones as a switch. It may not be as convenient as just typing in a username and password to log in somewhere online, but knowing that nobody can get into your account without the two-factor code relieves a lot of stress about my online security.
Russell Holly
Security on your phone is incredibly important. It keeps other people from joke-posting a picture of a cat that looks kinda like your cat in a microwave to your Facebook on your behalf, which of course leads to a 20 minute phone call with relatives about how that photo made it to your wall.
We're getting off topic.
What I do on the phone is fairly simple. Six-digit pin to encrypt the phone, so you can't start the phone without using that code. Pattern lock or fingerprint to unlock on a day-to-day basis. It's simple, mostly stays out of the way, and Android Device Manager lets me remotely wipe the phone if I "lose" it.
Off the phone, I use two-factor authentication for anything and everything that supports the feature. Google's 2FA works well for Google stuff, and I use Authy for everything that doesn't require a dedicated app or SMS because I like the way the app looks.
It doesn't matter if your life is an open book and you really don't want to be inconvenienced by a password when trying to check Twitter, shut up and do it anyway. When your phone is compromised — yeah, when — you introduce every person you talk to on that phone to the person or software that will attempt to target them next. Secure your phone.
Daniel Bader
These days, there is no excuse for poor security. I believe in two things: setting up a strong six-digit passcode, and ensuring that it is required to start my phone. That way, should my device fall into the wrong hands, there is a very small chance its contents will be accessible to a would-be hacker. Moreover, using Android Device Manager ensures that I can remotely locate or wipe my phone in a worst-case scenario.
Once inside the operating system, I use the excellent 1Password, which recently went through a Material Design overhaul, to keep safe all my login information. While I used to synchronize my personal 1Password account through Dropbox, I now use the impressive and secure 1Password Family feature with my wife to keep our shared logins in sync. While 1Password Teams is accessible through a web portal, each login requires a unique access code that the company generates upon account creation, and is only stored locally; should you lose the code, you lose access to the account. That, along with a strong password, reassures me that my information is safe.
Of course, I do use a fingerprint on devices that support it, which is an increasing number even at entry level price points, but I understand that I am sacrificing some level of security for the convenience of it. Still, if it gets more people to enable six-digit passcodes as a result, I am all for it.
Jerry Hildenbrand
For starters, I want to say my way isn't necessarily the right way. You need to decide what things you can do that work best for you. A fingerprint scanner or password manager that stores a database online isn't the most secure thing in the world, but both are immeasurably better than a security routine that you won't bother using. It's just too easy to keep your stuff pretty damn secure to not do it.
I start with the phone software itself. If it's not updated with the latest security patch and running the latest version of Android (or has secondary security measures in place like Samsung or BlackBerry) I'm going to pass on it, because there are other great choices that are up to date where it counts. Seeing Samsung push patches so quickly to the Galaxy S7 since it was released makes me incredibly happy. Sure, it's only been two months, but so far they are batting a thousand. Hopefully the next Note is the same way. Then they can work on pushing out those timely updates to the rest of their models ...
I encrypt my phones, and make sure a password is required decrypt and start them. I also encrypt my SD card if the phone has a slot for one, which means I'm diligent on keeping everything backed up in case I break a phone. I get that some people want the small performance gain that comes with disabling encryption, but I'm not one of them. If you are, that's OK, just be careful in other ways. You don't want someone like me finding your unencrypted phone at the park or Red Robin, right?
I keep my phone lock screen password protected, and I don't use my fingerprints to make unlocking easier. Yes, this can be a pain in the ass, and I have no good reason for it other than a tinge of paranoia. My fingerprints are my identity, not my password — something that never changes. I certainly hope nobody ever finds a way to break in and figure out how to "fake" a fingerprint-generated secure token, but if they do I can't change it. So far, it looks pretty damn secure and my reasoning is unfounded. Fingerprint security on Android is awesome, because it looks to be pretty secure and so easy that everyone will use it. Pay no mind to me unless you think the same way about it, and use that finger.
I also use a password manager for things like website logins, insurance information and banking details. I prefer mSecure because it allows me to sync with a computer on my local network to keep the database updated. (A directory on my little closet server mounted as a remote share on my desktop and laptop, if you're interested.) I trust companies like 1Password or LastPass to keep my cloud database records safe, but I just trust myself a little more. You should use the password manager you trust and find easy to use — that means you'll use one, and that's the important part.
I just switched to Authy for two-factor authentication token management. So far I like it, as much as one can actually like an app that only exists to serve 2FA tokens. Using 2FA is another of those things everyone needs to enable, because you don't have to be a movie star or millionaire to get your accounts hacked.
Your way?
None of us claim to be security experts or that our lives are unhackable. We just make a conscious effort to keep it as secure as we can.
We're always ready to hear your ideas about the things you do, and we'll not be shy about copying the good ones. Drop a comment and let everyone know how you do it so we can all learn a thing or two.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.