
Securing My Android Phone


tl;wr: I am paranoid about my personal data – especially when it comes to my phone. These are the things I do to try and make my phone secure.

Step 0: root

About half of the stuff I’m using requires rooting your phone, so you’ll need to start there. I won’t go into specifics on this, because as far as I know, rooting is different for every phone. I will say that rooting Nexus phones is pretty easy. I have never had a non-Nexus Android phone, so I don’t know if carriers make it more complicated, but as long as your phone is even remotely popular, you should be able to find instructions.

Step 1: full disk encryption (does not require root)

Police have begun scanning phone data without cause. Here are just two reports: “Michigan State Police scanning cell phones” and “Travelers’ mobile phone data seized by police at border”.

Enabling full disk encryption is the best way to prevent the police (or anyone else, for that matter) from ripping the data off your phone. It’s worth noting, however, that this only works when the phone is off. When the phone is on, the disk is unencrypted. There are also already exploits to get around this. However, some protection is better than none.

Conveniently, this feature is built into Android (beginning with 4.0, I think). To enable it, you’re going to need either a PIN or password lock already set up on your phone. Then, go to Settings -> Security -> Encrypt Phone. Note that this takes quite a while to do – the more storage, the longer it will take – and you can’t even start the process unless your battery is more than 90% charged AND plugged into the wall.

Step 2: cryptfs (requires root)

Security is always a trade-off with convenience. The most secure computer is one that isn’t connected to the Internet – but that isn’t terribly useful these days. The most secure way to enable full disk encryption on your phone is to do it with a full password, as opposed to a PIN. However, with Android, you have to use the same password or PIN to encrypt your phone as to unlock your screen. This means when you turn your phone on, you have to enter the same thing twice: once as the phone boots, to decrypt the phone; then again at the lock screen after the phone boots.

cryptfs is an app that changes this. Regardless of what you used to enable full disk encryption, cryptfs allows you to change what password is used to unlock the disk. This means I have a strong password set to decrypt my phone when it boots, but I can still be lazy and have a PIN to unlock the screen.

Step 3: rekey.io (requires root)

If you have an Android phone, the odds are pretty good that it is vulnerable to the Master Key Exploit. I don’t fully understand the implications of how it works, but it is possible for an attacker to modify applications with this exploit in such a way that Android will not be able to detect they have been tampered with. A patch has already been developed, but Android phones are notoriously bad with updates.

rekey is an app that applies the patch on any Android phone. It’s super simple to use. Just open it, and it will immediately tell you if your phone is vulnerable. If it is, you press a button which applies the patch. That’s all there is to it.

Step 4: Prey (does not require root)

Prey Project is like Find My iPhone, but for any kind of device; not just iOS. I have their Android app running on my phone and tablet, and their OS X app on my laptop. If my device is lost or stolen, I can enable geo-location to find it, and/or get screenshots or camera pictures emailed to me. The only feature I can think of that’s missing is remote wipe.

Misc: in-app PIN settings (does not require root), Titanium Backup encryption (does require root – I think)

Another important thing to note is that some apps that require account information have the option to enable a PIN. I make sure to enable this feature on any app that has it. And it’s definitely worth pointing out that I use different PINs from the one to unlock my screen.

Finally, I use Titanium Backup to back up installed programs and their settings. I have it set up to save these backups to my Dropbox. As a result, I also have it set up to encrypt these files before they are uploaded. Titanium Backup is a great app, but it’s super complicated, and their menu system is pretty bad. The setting is there, but you’ll have to dig for it yourself.

Suggestions

I am certain that my phone is not bullet-proof, but I did everything I could think of to keep my data as private as possible. If I missed anything, or you have questions, suggestions, etc., please let me know via Twitter or email.
