Let's get one thing out of the way right off the bat: If you're looking for recommendations about Android security suites or other malware-scanning software, you've come to the wrong place.
Why? Because, like most people who closely study Android, I don't recommend using those types of apps at all. Android malware isn't the massive real-world threat it's frequently made out to be, and Google Play Protect and other native Android features are more than enough to keep most devices safe.
There are, however, some areas where third-party apps can add valuable layers onto your Android security picture. They're less about fighting off theoretical boogeymen and more about proactively protecting your accounts and data.
These are the actions that will actually boost privacy and security on your Android device, and the apps I'd suggest installing for each:
Manage your passwords
Your passwords are the gatekeepers to your digital life — for the foreseeable future, at least — and it's up to you to make sure they're properly armed. The secret? Let a password manager serve as your muscle. A good password manager makes it easy to create and maintain strong, unique passwords for however many apps, sites, and services you use.
And on Android, LastPass is the cream of the crop. I recently deemed it to be the best all-around password manager for Android — and for good reason: It's thoughtfully designed, simple to use, and effective as can be at securely storing your credentials and allowing you to sign in anywhere a password is required.
Once LastPass learns (or creates) your various sign-ins, it'll pop up a box with autofill info anytime you're prompted to sign into a service — be it through an app or on a website within your favorite Android browser. All you have to do is touch your finger to your phone's fingerprint sensor, confirm the credentials you want to use, and that's it: LastPass handles the rest.
LastPass works equally well on the desktop and seamlessly syncs your info across multiple devices and platforms (using its own secure cloud storage and device-level encryption). Its core features are completely free, while a US$36-a-year premium subscription will get you expanded storage space for notes and documents, the ability to use advanced two-factor authentication methods, and the ability to create an emergency access plan that'd give someone else access to your account after an extended period of inactivity.
Family plans, team plans, and enterprise plans are also available for $48 a year (for up to six people), $48 per user per year, and $72 per user per year, respectively.
Protect your accounts with 2FA
Aside from using strong passwords, the smartest thing you can do to keep your online accounts safe is to use two-factor authentication everywhere it's offered. Two-factor authentication requires you to have a second form of identifying information — like a code generated by an app on your phone — in addition to your primary password, thus making it substantially more difficult for a modern-day ruffian to get into your account.
The best app for managing two-factor authentication on Android is Authy. The Twilio-owned program outshines Google's own Authenticator offering with a modern, intuitive design that makes it a cinch to find and copy codes for any number of 2FA-enabled accounts. It has handy advanced features like support for app-level fingerprint protection, too, and you can even set Authy up to function on multiple devices — including, if you're so inclined, your desktop computer.
Authy is free.
Secure your connection
Virtual private networks, or VPNs, can be an effective way of keeping your phone-based data transmissions private and secure — particularly when you're using public Wi-Fi networks, which are notorious for letting outsiders "snoop" and see all sorts of sensitive info from your sessions.
Your best bet for work is to use your company's own VPN service, assuming an app for it is available. If not, NordVPN is one of the most widely recommended third-party options, earning strong praise from privacy guru (and frequent Computerworld contributor) Steven J. Vaughan-Nichols and landing within the top Android VPN picks of Android Central, PCMag, TechRadar, Tom's Guide, and numerous other prominent outlets.
The service taps into nearly 5,500 servers across five dozen countries and promises "military-grade" encryption for all your mobile traffic. It'll set you back 12 bucks a month, $7 a month if you pay for a year in advance, or $4 a month if you're willing to pay a lump sum of $96 up front for two years of service.
Now, all of this isn't to say that other Android VPN providers won't be effective. Evaluating a VPN app is incredibly complex and difficult to do definitively — and the number of variables involved makes it virtually impossible to offer an unconditional recommendation. (The good folks at Ars Technica sum up the challenge well.) Heck, one look at this comparison chart by That One Privacy Site — a highly regarded independent VPN reviewer cited by the Electronic Frontier Foundation, among other noteworthy organizations — is enough to make you want to crawl into a bunker and live a life free from all networked technology.
Until we have a standardized system for effectively auditing VPNs and their many layers, most privacy experts suggest going with a well-reviewed and widely evaluated service from a reputable provider. NordVPN fits that description to a T — more so than any other contender at the moment — hence its inclusion in this collection.
Encrypt your emails
When you need to know your emails won't be intercepted, ProtonMail is the app you want to use. Founded by scientists at CERN (the European Organization for Nuclear Research), ProtonMail uses an open-source method of end-to-end encryption to keep your messages safe from prying eyes. You don't have to provide any personal information, and the company says it keeps no records of IP addresses or anything else that could link you to your account. In fact, the company says even its own employees couldn't read or access your messages if they wanted to.
(You might have heard of ProtonMail on the TV show Mr. Robot, by the way — where master hacker Elliot Alderson uses the app to secure transmissions — as well as in the news by way of Cambridge Analytica, the "data analytics" firm at the center of the Facebook data debacle, which apparently used ProtonMail to create secure and self-destructing messages.)
The best part about all of ProtonMail's security is that it requires next to no effort on your behalf: You simply create an account with the service and then email away. If you're emailing someone else with a ProtonMail address, encryption is automatic. If you need to contact someone with a non-ProtonMail address, you can tap an icon in the app's compose tool to create a password and a hint; the recipient will then be sent only that information and will have to use the password to decrypt your message.
Security aside, ProtonMail's Android app is cleanly designed and pleasant to use. The app has customizable labels and folders and even allows you to define custom swipe gestures for your inbox (swiping left on a message to mark it as read, for instance, and swiping right to archive or delete). And, yes, it has an option for creating self-destructing messages, should the need ever arise.
ProtonMail is free at its most basic level, which includes one address, 500MB of storage, and up to 150 messages a day. You can get more storage, more messages per day, and additional features — including email filters, an auto-responder system, and support for custom domains — starting at $48 a year.
Encrypt your texts and calls
Signal does for texting what ProtonMail does for email: The open-source service allows you to communicate securely with contacts, using end-to-end encryption and without any of your data ever being accessed or stored on a remote server. The app also now allows you to conduct encrypted voice and video calls with other Signal users.
On the surface, Signal looks and feels just like any other texting app: You can find people from your regular contacts database or simply enter a phone number to start a conversation. If the other person also uses Signal, the conversation will be secure — and you'll see the option to launch a secure voice or video chat as well. If your recipient isn't using Signal, you'll still be able to text normally and will see a prominent "Unsecured SMS" warning in the message field.
Signal is free, and no accounts are required; you just open the app, input and then verify your phone number, and you're ready to roll.
Turn up your browser privacy dial
Firefox Focus provides the simplest and most effortless private browsing experience on Android. Quite literally, all you do is open the app and go: No history, cookies, or passwords are ever saved, and the app automatically blocks trackers and ads across the web. When you're done with a page, you tap a floating trash can icon in the corner of the screen, and poof: It's gone forever, with no trail left behind.
Firefox Focus, which is free, has a handful of settings for controlling the nuances of its blocking features, but there's really not much more to it. If you want to browse the web without leaving a trace (at least, as far as the browser itself is concerned), this is by far the easiest way to do it.
Note: Mozilla recently announced that it is putting the development of Focus on hold as it works on a new Android browser, currently called Firefox Preview and due to be released later this year. The company says that the new app will have all the privacy features of Focus combined with full browser features, and it sounds like it may eventually replace Focus. We’ll revisit our recommendation when the new app is released, but for now, Focus is still around and still the best and simplest privacy-centric browser out there.
For private browsing power in a more traditional browser environment, Brave Browser is the way to go. The free app — created by a co-founder of Mozilla, the company behind Firefox — looks and acts an awful lot like Google's Chrome Android browser. (Perhaps not surprisingly, the program uses Google's open source Chromium code as its base.)
Brave's main interface and menus are almost undistinguishable from Chrome's, in fact, and the app even has Chrome-reminiscent History, Downloads, and Bookmarks sections along with features for auto-filling information and saving passwords (though the data from those areas won't sync with your Google account or be available on other devices, as it would in Chrome).
On top of that foundation, however, Brave includes a variety of built-in tools for blocking ads, pop-ups, scripts, and different types of website-based tracking systems. Unlike Firefox Focus, it doesn't operate in a permanent incognito mode — so if you want to avoid having your history, cookies, site data, and cache saved, you'll have to either manually open incognito windows (just like you would in Chrome) or dig through the app's settings to clear that data whenever needed.
It's less of a no-frills, purely private browser and more of a standard browser with additional privacy features baked in — which could be an asset or a liability, depending on your preferences.
Avoid unnecessary app permissions
Apps often require sensitive system permissions in order to perform their full range of functions — but if you tap into some of those functions only on occasion, you might not want to leave the associated permissions active forever.
The aptly named Bouncer app is an easy way to make your permission decisions more nuanced. With Bouncer on your phone, every time you give an app a new permission — be it for accessing your location, getting on the internet, viewing your phone's storage, or whatever the case may be — you'll see a notification appear at the top of your device. You can tap that notification to tell Bouncer to remove the permission as soon as you exit the app (by switching to another app or returning to your home screen) or after a set amount of time.
Say, for instance, you're tasked with tweeting from a professional conference, and you want your location to be associated with any tweets you send during the event — but you don't want Twitter to retain access to your phone's location eternally. Just grant Twitter the needed location permission, look for the Bouncer notification, and give Bouncer the order to take the permission away when the day is over.
You can even have Bouncer remove a permission automatically every time it's granted — so something like that Twitter location access can effectively become a temporary permission instead of an ongoing authorization.
Bouncer costs a dollar to download.
Add an extra layer of encryption where you need it
Most current Android phones come with encryption enabled out of the box (you can check by looking for the "Encryption" option within the Security section of your device's system settings) — but if you want an extra layer of protection for certain files or folders, Solid Explorer will get the job done.
As an Android file manager, Solid Explorer lets you browse and manipulate the files on your device's local storage as well as on a variety of third-party cloud storage services — including Dropbox, Google Drive, and Microsoft OneDrive — if you choose to connect them. When you have a file or folder you want to protect, you just find and highlight it within the app and then select "Encrypt" from the main menu.
After that, all you have to do is type in a password and optionally activate fingerprint authentication, and the file will then be viewable only after your credentials have been entered. Even system-level services like the Android Downloads app won't be able to open the file unless you first decrypt it in Solid Explorer.
Solid Explorer costs $3 after a free two-week trial.
This article was originally published in April 2018 and updated in August 2019.