How to Get the Most Out of Your Smartphone's Encryption

Both iPhones and Androids are encrypted by default. But there are steps you can take to safeguard your data on backups and messaging apps.
Photograph: Frank Herholdt/Getty Images

You may not think much about encryption day to day, but it’s the reason the FBI can't easily get at the data on the iPhones that come into its possession; it also means if someone steals your phone, they won't be able to get anything off it without the PIN code.

In terms of individual apps, it stops anyone from snooping on your WhatsApp and Signal conversations when they’re in transit from one device to the other—and that includes anyone who works at WhatsApp or the Signal Foundation. In short, it makes it much, much harder for anyone to get at your photos, messages, documents, and everything else you've got stored on your phone. Here’s how to make sure it’s working for you.

iPhone Encryption

It was the 2014 release of iOS 8 that encrypted every iPhone back to the 4S by default. Much to the chagrin of various law enforcement agencies, that encryption has only gotten tougher over time.

Everything on an iPhone is locked down as soon as you set a PIN code, a Touch ID fingerprint, or a Face ID face—your PIN, fingerprint, or face acts as the key to unlock the encryption, which is why you're able to read your messages and view your files as soon as your phone is unlocked.

This is also why you should never leave your phone lying around unlocked if you value the data on it. You can configure the screen lock on your iPhone by going to Face ID & Passcode—or Touch ID & Passcode—on the iOS Settings menu. If you go the PIN route, use at least a six-digit alphanumeric code. Anything shorter, or using numbers only, is too easy for forensic devices to brute-force.

Encryption extends to backups of your iPhone made through Apple's own software too, whether that's on the web in iCloud, or in iTunes or Finder on a connected computer. (Tap your name at the top of the iOS Settings screen, then iCloud and iCloud Backup to set which one you're using.) You can choose to leave local iTunes or Finder backups unencrypted if you want, via the tick box labeled Encrypt local backup on the Summary or General tab.

iCloud backups are encrypted, but Apple can potentially get at them if needed.

Courtesy of Apple

However, there’s a crucial distinction between data on your iPhone and data in your iCloud backups. While the latter are encrypted and thus protected against hackers, Apple holds its own key to decrypt them and will hand the data over to law enforcement if legally compelled to. Apple also uses that key to help you regain access to your backup if you lose access to your account. If that’s a concern for you, keep your backups stored locally on a Windows or Mac laptop instead.

Android Encryption

The encryption picture used to be patchy for Android, but in the past three or four years most new Android smartphones—including the popular Samsung Galaxy and Google Pixel lines—have come with encryption enabled by default. You can check this under Advanced and Encryption and Credentials in the Security page of Settings.

As with iOS, the PIN code, fingerprint, or face that you've set up to unlock your phone acts as the decryption key, unscrambling the data on your phone and allowing you to read it. From Settings in Android, pick Security then Screen lock to set this up.

Only the cheapest, low-end Android devices—usually the ones sold in developing nations—aren't encrypted, because encryption would strain the scarce system resources of those phones. That is starting to change too, as newer, lighter encryption schemes can run on even low-end hardware.

If you're using Google's own cloud services (you can double-check by going to Settings, then System, Advanced, Backup), your backups are fully encrypted as well—and there's no way in through the back, as there is with Apple's iCloud backups. Even Google can't access your data in the cloud.

Android's built-in backup function encrypts your data.

Courtesy of Android

If you're using a different cloud backup service with your Android phone, you need to check whether it supports encryption for its backups and whether they're stored on the web or on a connected computer. If you can't find a satisfactory answer, or there's no sign of any encryption, you can always switch to Google's built-in option.

Messaging App Encryption

WhatsApp uses end-to-end encryption, but its Google Drive backups don't.

Courtesy of WhatsApp

While your phone’s encryption protects the files on the device, plenty of data leaves the device and travels over the network. Here it's important to look for end-to-end encryption, where data is protected both while it's being transferred and while it's being stored, so that only the sender and recipient can read it. This type of encryption stops hackers, law enforcement, and the tech companies themselves from snooping on your messages. Just remember that it won’t protect your data if someone gets access to the unlocked device itself.

In terms of security practices and comprehensiveness, Signal leads the way for end-to-end encrypted messaging apps, while iMessage and WhatsApp also offer the feature. Facebook Messenger, Telegram, and Skype also offer end-to-end encrypted conversation modes, but they're not switched on by default.

Consider cloud backups of your messages as well. We’ve already talked about how Apple can theoretically get at some of your data if it's stored in an iCloud backup, which Paul Manafort learned the hard way in court. If you're backing up WhatsApp messages to Google Drive in the cloud, it's important to note that these backups aren't encrypted when they're stored.

In other words, always check the small print for the apps and services you use. Instagram messages aren't encrypted, for example, although it's something Facebook is apparently working on. End-to-end encryption has also been promised for messages inside Gmail for years, but it isn't here yet.

Using services without end-to-end encryption doesn't mean your data is necessarily at a high risk of being exposed, and any kind of encryption is better than none. But it does mean government agencies or the app developer might be able to get at your data, if needed. As always, the fewer apps and services you're using, the better.
