Smartphones are inherently bad for privacy. You've basically got a tracking device in your pocket, pinging off cell towers and locking onto GPS satellites. All the while, the handset's data connection ensures that tracking cookies, advertising IDs, and usage stats follow you around the internet.
So no, there's no such thing as a perfectly secure and truly private smartphone, let's get that out of the way now. But in the information age, you practically need a smartphone just to get by in society, so the question then becomes: Which phone manages to be the lesser of all the evils?
With critical vulnerabilities such as the KRACK exploit and Blueborne, not to mention the FBI attempting to find a backdoor into practically every phone, that's a hard question to answer. So to find the most security-hardened devices, we tested the top smartphones on the market, looking for key factors like encryption strength, biometrics, hardware-assisted security, VPN availability, and security patch timeframes. Our research narrowed the list down to five great phones, so let's discuss how well each of these devices protects your privacy.
When it came to comparing our five finalist phones, these were the key differentiating factors for privacy and security:
- Biometrics: There are two schools of thought involving fingerprint scanners and other biometric unlocking methods. First, there's the idea that if your biometric identifiers were ever stolen, you wouldn't be able to change them like a password, making them permanently compromised. The second line of thinking is that if a security method is easier for the user, they'll be more likely to actually use it, in which case biometrics are better for security in general. So in the end, it's your call as to whether biometrics are a good or bad thing, but note that we did give the iPhone XS Max the win in this category, as Face ID is harder to fool than any of the other available methods.
- Authentication Methods: The different ways in which a user can unlock the lock screen and access data on the phone. Authentication methods include those listed in biometrics (listed above), but to avoid needless repetition, we didn't include those here.
- Encryption: Each of these phones uses one of two types of encryption: file-based (FBE) or full disk (FDE). File-based encryption is the more effective method of the two, as it allows individual files to be locked with different keys, whereas full disk encryption uses only one key to lock the entire data partition. All five phones use the AES encryption standard, with BlackBerry being the only one on our list to opt for the less secure (but easier to process) 128-bit key.
- Hardware-Stored Keys: Each of the phones on our list calls upon a specific hardware component to store cryptographic keys. These keys are stored in isolated parts of the processor (or on isolated chips), which are then used to unlock the device and verify each stage of the boot process.
- Hardware Security Modules: The isolated processor or separate chip where the phone stores sensitive data to perform transactions which involve this data. Only the Pixel 3 XL uses a chip, which is completely independent of the SoC. The remaining devices include an isolated processor located on the SoC.
- Sandboxed User Accounts: If privacy is one of your top considerations, you may want to maintain separate user spaces on your phone — perhaps one for work, and another for your personal usage. If so, it's important that the data from each user account be truly separated (or "sandboxed"), and the Android phones in this list offer that feature.
- Restrict Ad Tracking: Phones that ship with Apple and Google services preinstalled use a system-wide advertising tracking ID to help marketing partners deliver targeted ads. This ID follows you around as you use apps and services on your phone, which is sketchy behavior when it comes to privacy. Both platforms allow you to restrict apps' abilities to view and use this identifier, preventing bad actors from using this ID to track you.
- Always-On VPN: A virtual private network, or VPN, allows you to reroute internet traffic through an external server. A good VPN service will even let you encrypt all data traffic for increased anonymity. With Android devices, you can funnel all types of internet traffic through a VPN. With an iPhone, however, you can only use a VPN over Wi-Fi, unless you're willing to reset your device and enable "Supervised Mode" to get the VPN working on your mobile data connection.
- Block Internet Access for Apps: If you don't want apps "phoning home," the ability to block internet access on a per-app basis is a huge plus. With Android, this can be done by setting up a local VPN like Netguard, which takes a little extra work. With iOS, you can easily disable mobile data access for an app, however, it's not possible to restrict Wi-Fi connectivity.
- Data Wipe After Failed Login: Some phones have a feature that triggers an automatic factory reset when someone attempts to enter your PIN or password too many times. This is very effective when it comes to fending off intruders, as it makes brute-force password attacks all but impossible.
- DNS over TLS: DNS is the server which finds the IP address corresponding to a specific URL (such as gadgethacks.com) and directs your phone to the site or data. Typically, this interaction is unencrypted, but thanks to DNS servers such as CloudFlare, this can now be a secure and private interaction using Transport Layer Security (TLS). Android 9 introduced a "Private DNS" option, which automatically switches all DNS connections (whether on Wi-Fi or cellular) to your DNS server of choice. For older versions of Android and iOS, you have to change this setting for each network connection manually.
- Force Password to Unlock Phone: The ability to disable biometrics in a pinch, limiting access to your password, PIN, or whatever other backup authentication methods you use. This feature prevents others from forcing their way into your phone using the fingerprint scanner or facial recognition.
- Restrict Usage of Data Port: Having the ability to prevent a device which connects with your phone via the data port from communicating with your phone. Known as USB Restricted Mode, this feature disables the Lightning port one hour after you last unlocked it. So far, this feature is exclusive to iOS.
- Anti-Theft Protection: Whether the device has built-in protection to prevent your phone from being stolen and your data from being accessed. There are three main features a phone's anti-theft protection must provide in order to qualify here: remote wipe, remote tracking, and remote lock.
- Built-in Password Manager: The name of the included feature that stores your various login credentials. These screen names and passwords are stored in an encrypted vault, which offers the ability to auto-fill the stored information in the appropriate app or website.
- Password Generator: The password manager can generate a new password which is more secure than your existing passwords.
- Autofill Passwords: The ability to autofill passwords without the use of the clipboard. Every phone on our list supports this feature with both the built-in password manager as well as third-parties options.
- Password Protected Apps: Because there are times when we need to lend our phone to others, being able to lock individual apps is key to preventing others from accessing data even after unlocking your phone. Listed is the name of the preinstalled application which allows you to lock apps using a password or biometrics.
- Password Protected Files: Similar to apps, protecting sensitive files (such as photos and videos) is important when more than one person can access a phone. These apps allow you to protect files as well, using a password (which is separate from your lock screen password) or biometrics.
- Stock Security Center App: If you're security-minded, it's good to have a centralized app that helps you handle all of your phone's security needs. For example, the DTEK security platform gives you an overview of your phone's security health and allows you to easily tweak important security settings, among other things.
- Security Patch Timeframe: Apple doesn't adhere to a specific timeframe with its security patches, however, updates are generally issued within a month of critical bugs being found. Android releases security patches monthly and leaves it to the OEM to distribute to their devices. Since Apple has shown to release critical security patches in under a month, the iPhone gets the win here.
- Bug Bounties: Device manufacturers will usually offer a cash prize for anyone who can find glaring weaknesses in their phone's software, effectively crowd-sourcing the process of discovering and closing security loopholes. With a higher bounty, people will generally be more motivated to find these bugs. Some companies invite only trusted bug reporters to earn a bounty (depicted as "Closed" in the above chart), while others will let anybody report bugs and claim the bounty (shown as "Open" here).
Our first requirement in choosing these phones was that they all had to be available for sale in the United States from a major carrier or manufacturer. Secondly, for a phone to make this list, it had to be encrypted by default to ensure that your data is protected against external access.
Another requirement was that the phones all offered granular permission management, which allows you to revoke an app's permission to access certain features like your camera and microphone. Then, to ensure that your data remains safe even when your phone is lost or stolen, we only selected phones with anti-theft protection.
But what really helped narrowed down our list was keying in on additional security features.
We focused only on phones which include some extra security features besides those which come with the Android operating system — for example, strengthening the hardware or adding a security center. With these features, we know these phones took a more dedicated approach to protect your security, compensating for Android's shortcomings.
Because of this requirement, we were able to eliminate many popular phones such as the LG V40, LG G7 ThinQ, Moto Z3 Play, and OnePlus 6T.
It's also worth noting that some of the phones which made our final cut had sibling devices that could've also been listed here — for example, Apple's iPhone XR and Samsung's Galaxy S9 lineup. We left these devices off the list since the higher-end option was more future-proof.
We also listed the larger model for phones which come in different sizes, but if you happen to prefer smaller phones (or want to save a bit of money), all but the Sirin Finney and the Galaxy Note 9 have a less expensive smaller variant (although, technically, the Galaxy S9+ is a great substitute for the Note 9 even if it's not in the same series).
After eliminating the phones which didn't meet our requirements, the finalists were ranked based on how well they scored in the key comparison points above, and with that, the following phones rose to the top.
On last year's list, the BlackBerry KEYone won our top spot for privacy and security. Thanks to its low price and the numerous BB10 security enhancements which it brought to the Android platform, it was easy to recommend this device for anyone looking to prioritize their security and protect their privacy.
With the release of its sequel, our expectations were high that it would replace its predecessor on our list. And while pricing is no longer as strong an advantage as it once was, it is still the best smartphone for privacy and security.
Each time you boot the device up, the BlackBerry KEY2 takes extra steps to ensure your phone wasn't tampered with. Known as the Hardware Root of Trust, cryptographic keys are injected into the processor to verify the device and to ensure no tampering occurred. These keys are unique to the smartphone and one of the key reasons why the KEY2 will likely remain unrooted. On each bootup, every layer of the device is checked for any modification or tampering. From the hardware to the operating system, the KEY2 looks for any changes and will not boot up if any layer doesn't pass inspection.
Because the Linux kernel is a craved target for smartphone hacking, BlackBerry hardens the kernel during manufacturing. BlackBerry signs and verifies each KEY2 leaving the factory to ensure that every phone leaves in the desired state, both its hardware and software. But the hardening process doesn't end after the phone leaves the factory.
BlackBerry promises two years of Android monthly security patches which address any new vulnerabilities, including any potential compromises to the kernel. And it's not just Google's security commits — BlackBerry adds their own security patches to address any vulnerabilities found that might specifically compromise their device. So far, BlackBerry has lived up to this promise with my device currently running the latest security patch from Android at the time of this writing.
Once again, BlackBerry opted for full-disk encryption instead of Android's newer file-based encryption. While file-based encryption can isolate some files from others, full-disk encryption ensures everything stored on your hard drive (from your pictures to the root folder) is secured via AES-128 encryption standard. While file-based does have its advantages, full disk encryption can be more secure as it prevents someone from even seeing your notifications without first bypassing the lock screen.
Not all of the KEY2's security enhancements are under the hood; there are some improvements that you can not only see, but interact with. A great example of this is the Privacy Shade, which obstructs the view of all but a small section of your screen. Especially when using your phone in public, this protects your privacy against those nosey neighbors who can't help but look at your screen.
There is also the BlackBerry Locker which protects your files and apps. Access is restricted to a password (which is different than the one to unlock the lock screen), although you can use the fingerprint scanner (located in the space bar) for a more convenient method of authentication. You can even send photos directly to the Locker using the space bar instead of the capture button to take a photo. You can also jump straight into your Locker when your phone is locked. You set up Locker to unlock when you use a different fingerprint on the fingerprint scanner, such as a different thumb or another finger altogether.
DTEK is the dashboard which allows you to interact with many of the software-based changes implemented by BlackBerry and acts as is the central hub for your KEY2's security. DTEK automatically monitors the operating system and apps for any potential risk to your privacy and rates the device's level of integrity using a gauge. If DTEK discovers any privacy risks, it will recommend a course of action which can be performed within the app.
However, with the KEY2, BlackBerry stepped up DTEK's abilities. The KEY2 introduces a new feature known as BlackBerry Integrity Protection which alerts users of malicious apps performing suspicious behavior (such as turning on the microphone in the background). Additionally, users can set up their own triggers for similar unwanted behaviors such as when an app requests use of the camera in the background.
There are too many security enhancements in the BlackBerry KEY2 to mention them all in this article. For a cliff notes version, when it comes to security and privacy, there is no other smartphone we recommend more. BlackBerry builds the KEY2 from the ground up with security in mind, allowing them to be ahead of their competition.
And if you want to save a bit of money, the BlackBerry Key 2 LE is a great option. For a few downgrades in specs, you get the same security and protection, but at $250 cheaper.
The Google Pixel 3 and 3 XL are the more secure Pixel phones yet. Thanks to the security improvements of Android 9.0 Pie and the Titan M chip, the Pixel 3 XL shows how secure Android is as a platform, even before the enhancements added by OEMs such as BlackBerry. While it lacks some of the built-in privacy apps included by BlackBerry, it makes up for this by always being on the latest version of Android.
At the heart of every Google Pixel 3 XL is the Titan M chip. The Titan M is an enterprise-grade security chip which was custom-built for smartphones. Based on the Titan chip used to protect Google Cloud data center, it is tailored to provide the top tier security for mobile devices. Unlike the Secure Enclave and ARM's TrustZone, this chip is physically separated from the SoC. This separation adds to Titan chip ability to avoid tampering as it isn't accessible even if the SoC is compromised.
The Titan M chip handles sensitive transactions such as payment with Google Pay. Any app targeting the StrongBox KeyStore API (which is new for Android 9.0 Pie) can also take advantage of it to conduct transactions, assuring users that data is safely processed and transferred when handled by their device.
The Titan M also protects against tampering of the bootloader, the firmware in charge of handling interactions between the hardware and the software. The Titan M checks for any outside tampering and provides rollback protection, a feature which prevents your device from running earlier (and less secure) versions of Android.
Titan M also verifies your lock screen passcode. Because of the chip's resistance to tampering, it's nearly impossible for a hacker to capture your lock screen password via malware, as its verification is conducted outside of any areas that malware can access. And to ensure Titan M remains uncompromised, the firmware on the Titan M will never be updated unless you input your passcode, making it nearly impossible for malicious actors to bypass your lock screen and "upgrade" Titan M to a more exploitable version.
Google also has one of the best bug bounty programs of all the manufacturers on this list. They'll offer up to $200,000 for critical bugs found, and the program is open to the public, so there should always be plenty of folks scouring the Pixel 3 XL's code base for security loopholes.
Another big advantage of the Google Pixel 3 XL is that unlike most Android devices, it will always run the latest version of Android and security patches — Google has even pledged to offer at least three years of full OS updates (36 months from release date or 18 months after the device is discontinued, whichever comes last). The monthly security patches are important as they address any new vulnerabilities caught by the Android team.
One of the new features of Android 9.0 Pie is the ability to use a private DNS. DNS is the server you first connect to when you input a URL in the browser. The DNS server locates the corresponding IP address and directs your phone to the proper website. Usually, this communication is unencrypted and therefore is able to be viewed by others. However, with DNS over TLS, this connection is encrypted, making your browsing history safe from hackers, carriers, and ISPs. A great DNS server which supports TLS is CloudFlare which can be configured for all networks on the Pixel 3 XL, not just individuals Wi-Fi networks like the other phones in this list.
There are many more improvements that come with Android 9.0 Pie. Except for the Galaxy Note 9, no other phone on our list even has an estimated timeline for when it will get this software update. However, even when these phones eventually get upgraded to Android Pie, they will still lack the security of the Titan M, which adds to the Pixel's ability to resist tampering. When combined with Android's flexibility, the Pixel 3 XL is one of the most secure smartphones on the market.
A majority of the security and privacy features available to the iPhone XS Max come courtesy of iOS. Since Apple manufactures a large portion of the components within the iPhone XS Max and develops the operating system its runs, it has a better handle on the security flaws of its device. iOS can be better integrated into the hardware, ensuring that only authorized users have access to your information.
A great example of this is software updates. You might have heard the word "fragmentation" get tossed around when talking about Android. Among other things, this issue highlights the fact that most Android devices aren't running the latest (and most secure) Android version. Apple doesn't have this problem, as it has fewer devices (and thus, less variability), allowing them to support a device five years after its release. As a result, while every iPhone from the iPhone 5s onward can currently run the latest version of iOS, less than 0.1% of users are running the latest Android version (as of October 2018, two months after it was released).
Another advantage of iOS is how it handles encryption. While both Android and iOS utilize file-based encryption, Apple's implementation is a much more refined model. iOS encrypts both files and their metadata (information about the file) separately using unique keys. These keys are then encrypted by another key that's derived from the user's passcode and the hardware.
This second set of keys protects files based on their contents. For files requiring a higher level of security, the keys unlock its content only after the device is turned on and unlocked. For other files, authentication is needed only once to access them. There are four classes of security for these keys, which allows Apple more refined control over file encryption.
Recently, iOS 12 introduced Password AutoFill which makes logging into your account safer and easier. With Password AutoFill, using either the built-in password manager or a third-party manager, you can autofill your user name and password into an app. This data is transferred without the use of the clipboard, protecting your password from hackers trying to capture them within the RAM. It also makes password managers easier to use, giving you no excuse for not using a password manager.
Apple has also implemented one of the best biometrics available in a smartphone, Face ID. According to Apple's testing, Face ID has a 1 in 1,000,000 chance of registering a false positive (unlocking your device for the wrong person). For context, Touch ID (which was considered one of the best fingerprint scanners in the industry) had a false positive rate of 1 in 50,000, much higher than Face ID.
The reason for this disparity is the uniqueness of individuals' faces and how Face ID is able to capture these details. Over 30,000 dots are projected onto your face to create a 3D depth map. This map is then encrypted and stored in the Secure Enclave, an isolated piece of hardware inside of the iPhone XS Max. Each time you unlock your phone, a new map is made and compared to the one stored. If it is a match, it unlocks your device. And for added protection, it requires your eyes to be open (by default), preventing someone from unlocking your phone while you are sleeping.
There's another nice privacy feature that comes along with Face ID. When someone besides you picks up your iPhone XS Max, any notifications will be blocked, preserving your privacy. However, once the TrueDepth camera authenticates a valid user (you), it will reveal the contents.
All security benefits from the iPhone XS Max will also apply to Apple's iPhone XS Max and iPhone XR. If you're not willing to pay the $1,099 price tag, these are viable options which have no differences when it comes to security and privacy. That said, the XS Max is a phenomenal phone for those looking to protect their data, and the best option for those who prefer iOS.
A few years back, Samsung decided it wanted to become the phone of choice for enterprise customers. With their phones already in the hands of millions of Android consumers, the logical course of action was enterprise. However, for businesses to trust their devices, they need to guarantee security beyond what was provided with Android at the time. Thus, Samsung Knox was formed, and it has been equipped on nearly every Samsung Galaxy device ever since. Samsung Knox is a security platform which provides deep-level protection using a combination of hardware and software solutions. Knox's goal is to separate your work environment from your personal environment and provide the necessary protection to isolate each area effectively.
Protection from Samsung Knox starts with its hardware which has a similar implementation to BlackBerry. The Device Root Key (a cryptographic key) is injected into each Galaxy Note 9 during the manufacturing process and is only accessible in a secure environment known as the ARM Trust Zone. This key is unique to each Galaxy Note 9 and is therefore used to identify the device. These keys are also used to encrypt enterprise data, permanently tying the data to the phone.
The Galaxy Note 9 also has a Secure Boot key, which is used to validate each component during bootup to ensure nothing was manipulated. These keys are used to conduct Secure Boot, a mechanism that looks to prevent users from changing the bootloader or operating system of the device. Making these changes to your device severely impacts the integrity of the security. However, unlike the KEY2, Knox devices have been rooted.
Samsung Knox devices also have an e-fuse. The e-fuse indicates whether the device was tampered with, such as in the case of rooting. When any unauthorized firmware is detected, the e-fuse is tripped and the device will no longer be able to access the Knox Workspace, the app container which allows users to switch between Personal and Work mode (this feature has to be enabled by your IT Administrator).
Samsung Knox also protects the sensitive data processed by specific Samsung apps. Samsung Pay, Samsung Health, Secure Folder, and Samsung Pass are all protected by Knox.
While the Knox platform is extensive (with many more features that aren't relevant to this article), its inability to prevent rooting does show an attack surface not found on the KEY2. Also, unlike the other smartphones on this list, much of the Knox platform is behind a paywall. While the Note 9 is one of the best overall phones on our list, these limitations have forced it to the number four position.
In the first half of 2018, cryptocurrency became all the rage. When BTC hit an all-time high of $20,000 in late 2017, the new year started with millions of new investors swarming to try to jump in on the action. Companies in all fields realized the potential of this market, and thus, phones such as the Sirin Finney came to fruition.
Its starts with Sirin OS, the proprietary Android skin created by Sirin Labs and built from the ground up to secure all possible weak links that could compromise the security of cryptocurrency transactions. The heart of this is the BlockShield, a multi-layer protection system which provides features such as IP address hiding and MAC address randomization. Similar to other phones on our list, the Sirin Finney uses a hardware root of trust system to ensure no component has been tampered with before booting up the phone. It even includes a feature known as Trusted Display which protects all inputs (such as touches on the screen) using ARM's TrustZone so hackers can't use a keylogger.
Another significant component of the security is the Behavior-based Intrusion Prevent System. Using machine learning, the IPS is able to detect attacks from virtually every aspect of the phone. This system continues to learn your behavior, allowing it to improve its detection, understanding the differences between an activity you conducted versus something abnormal and likely from a hacker. And because the IPS engine is in an always-on state, it will protect your phone in real-time, even when offline or in airplane mode.
The Sirin Finney comes with a number of apps to ensure all your communications are secure as well. For example, ProtonMail comes preinstalled to provide encrypted emailing, and the Koolspan Trust Call app provides encrypted voice calls.
These apps , along with several others such as Wallet, are sandbox from the rest of the OS to strengthen their security. Known as the SecureShield, this feature isolates these apps from accessing sensors and components which could, when used maliciously, compromise the security of the phone. These sensors include the camera and the microphone.
There are many more ways in which Sirin Labs protects its customers. Sirin Finney is a phone that they hope will become the go-to device for cryptocurrency. The skin, Sirin OS, provides protection on all levels, so you can securely house your alt coins and your data. While it lacks some other security features found on other devices, it is more than worthy of a spot on our list.
The KEYone continues BlackBerry's tradition of enterprise-grade privacy and security, so it tops our list pretty easily. With its DTEK security platform, Full Disk Encryption and extensive Verified Secure Boot, BlackBerry has designed this device for those who wish to keep their phones and their data secure.
The KEY2 is one of the best BlackBerry devices in years. It embodies BlackBerry's security reputation and adapts it to the preferences of the current market. The result is one of the most secure smartphones which just so happens to benefit from the Android OS and its millions of apps.
While the KEY2 is more expensive than its predecessor, the increased cost does come with some improvements. The KEY2 has a smaller "forehead," a 20% larger physical keyboard, a faster Qualcomm Snapdragon processor, and 6 GB of RAM.
Having said that, if you'd rather not use an Android phone, then the iPhone XS Max is the best iOS device for the privacy-conscious user. Not only does iOS have amazing features built into the OS to protect its users, but Apple improved authentication with the introduction of Face ID. And once again, an iPhone was able to thwart the best efforts of the FBI after the Texas Church Shooting, providing a real-world example of how secure iOS is.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.