Ask Ada: How Do I Encrypt My Phone?

If you're thinking about encrypting your smartphone, the good news is your device is very likely already encrypted! Simply by using a PIN/passcode on your iPhone or Android phone, you've automatically enabled full system encryption. This means that if someone gets their hands on your device, they won't be able to get any data off it unless they have the PIN or password. The bad news is that the data you store off the device, in the cloud, probably isn't encrypted, and that's where you need to be vigilant.

How do I make sure my device is encrypted?

For iPhones, as long as you have a passcode or password set, the entire device is encrypted automatically. Here are instructions to set a passcode on your iPhone if you haven’t already done so, but chances are you did this when you set up your phone for the first time.

Modern Android devices (phones running Android 10 and above) are very similar. If you set a passcode or password (aka "a screen lock" in Android terminology), device encryption is enabled automatically. Google has instructions on how to set an Android device screen lock on their website.

Many Android devices allow you to store data on a microSD card. If you do that, you should probably know that the contents of that microSD card are not encrypted. On your phone, go to Settings, then Security, and there should be an option to encrypt the external storage. Note: doing this will mean the data on the microSD card can only be accessed by that phone.

If you want to get even more secure, you can set a password instead of a PIN. Because the password is longer than 4 or 6 digits, it's much more difficult for someone to guess. It's slightly more annoying to type in every time you want to unlock your phone, but it's the best way to avoid someone guessing their way into your device. 

Typing a passcode or password every time you unlock your phone can be kinda annoying, so it's tempting to just YOLO it and keep your device unlocked at all times, but that means anyone who picks up your phone can look at what's on it. That includes law enforcement, not just sticky beaks or petty crooks. By setting a PIN/passcode/password on your device, you're making it incredibly difficult for anyone to pick up your phone and have a poke around.

In some parts of the world it may be legal for law enforcement, customs or immigration officers to force you into unlocking your device via biometrics (e.g. you have to press your finger on the device's sensor, or you must look into the device's face scanner), but it is not legal for them to force you into handing over a password or a PIN. This varies greatly from country to country, or even between regions within countries (for example, different US states have different laws around this), and the law is constantly changing as law enforcement continues to convince lawmakers that the second coming of Satan will occur unless they're allowed to look at everything on our devices whenever they like.

Beware the cloud

While data stored on your device is pretty secure by default, when that data enters the cloud you expose that data to much more risk. It's a computer someone else has control of, so you're really trusting that they give a damn about you and the data they're storing.

I've published an article previously on this blog about all the ways storing stuff in the cloud can fuck you over, so if you haven't read that, go check it out.

Sometimes the cloud is unavoidable, particularly with iOS devices, so if you do need to put your stuff up there, it's worth enabling something Apple calls Advanced Data Protection. According to Apple, it is an "optional setting that offers Apple's highest level of cloud data security. If you choose to enable Advanced Data Protection, the majority of your iCloud data — including iCloud Backup, Photos, Notes and more — is protected using end-to-end encryption". 

We all love end-to-end encryption, but why doesn't Apple make this the default for everyone? The big reason is that if you forget a password, Apple can't help you. You can't go to the Apple store, have a little whinge and get access to your iCloud account again. But if you're comfortable with that risk, enabling Advanced Data Protection is a great idea.

Android unfortunately doesn't have a similar system: when you're using Google's services like Calendars, Contacts or Photos, there's no option to enable end-to-end encryption, or even to control your own encryption keys for their cloud services. There are alternatives to Google’s services that are end-to-end encrypted, but they are not built in to the device as they are on the iPhone, and they require additional configuration.

Encrypt everything

Encrypting your device is one of the easiest things you can do to make sure your data is safe. It's automatically enabled when you set a PIN or passcode, so if you've done that on your phone, you're set! For more information on device encryption, read the EFF's Surveillance Self-Defense guide.