Log your Android device activity with Advanced Protection
With Intrusion Logging, you can log your device and network activity and access that log if you notice suspicious activity across your accounts or devices. It collects and stores info about your device's behavior, including applications that run on it.
You can download this log of activity and share it with trusted security experts for a forensic examination. This helps find out if, when, and how your device may have been compromised. You are solely responsible for the security of logs once they are downloaded and decrypted.
Set up Intrusion Logging
To use Intrusion Logging on your Android device, you need to turn on “Advanced Protection Mode.” During setup, you're given the option to set up Intrusion Logging. Learn how to turn on Advanced Protection Mode. When you turn off Intrusion Logging, logging stops immediately. Your device uploads any collected but unsent logs before fully deactivating the feature. Previously collected logs will remain stored for a 12-month period.
Download your Intrusion logs
You can download your encrypted logs from any Android device on which your Google Account is signed in.
- Open your device's Settings app.
- Tap Security & privacy > Advanced Protection > Intrusion Logging > Access logs.
  - Steps may vary per device. Learn how to improve device security with Advanced Protection.
- Find the device whose Intrusion log you want to download and tap Download & decrypt.
- Your logs can be found in your device’s file manager.
- After the logs are downloaded, you can choose how to share the files with a trusted third party for analysis.
Learn how Intrusion Logging works
Learn what data is logged
With Intrusion Logging, security and network events are recorded. You can use this info to investigate a potential attack. This includes info like:
- App activity, like when an app process starts.
- App installations, updates, and uninstalls.
- Network connections like starting and stopping Wi-Fi, Bluetooth, DNS lookups, and IP addresses.
- File transfers to or from the device over USB.
- Changes to system certificates.
- When the device is locked or unlocked.
Tips:
Learn about privacy & storage
Strong encryption protects your privacy.
- Your device end-to-end encrypts the log data. The system then stores it on Google servers.
- Your Google Account password and screen lock credentials protect the encryption keys.
- As Google doesn’t know your screen lock or password, your logs can’t be accessed or read by anyone other than yourself.
Google stores encrypted logs on its servers for 12 months. After this time, the system automatically deletes them.
Logs cannot be manually deleted by the user or Google before the 12-month expiration. This ensures that the history of all activity stays complete and can't be changed by anyone. You can download your logs at any time and store them elsewhere if you want to keep them longer. During periods of very heavy activity, Intrusion Logging may decrease the frequency of events written to the log.
Understand risks before you turn on Intrusion Logging
This feature provides valuable data for security investigations, but it also comes with risks. You should carefully consider these points before you turn it on.
While Google cannot access your encrypted logs, keep in mind that once you download and decrypt them, you are responsible for their security. In certain legal or regulatory environments, you may be required by law to provide access to your decrypted data or your security credentials. Logs cannot be manually deleted for 12 months after they are created, even if you close your account or disable the feature.
Fix Intrusion Logging issues
Learn why Intrusion Logging records Chrome Incognito browsing
Intrusion Logging operates at the system level and does not distinguish if Chrome is in Incognito mode. It logs network events generated by Incognito tabs, like DNS lookups and IP connections.
Someone with access to the logs can determine visited websites, but they can’t get specific pages on those sites.
Troubleshoot missing Chrome browsing events
Chrome browsing events can be missing from the log if Chrome uses its own internal DNS resolver instead of the Android operating system's resolver. To record Chrome's DNS events, you should switch from using Chrome’s Secure DNS to Android Private DNS.
In Chrome, turn off Secure DNS:
- On your Android device, open Chrome.
- Tap More > Settings.
- Tap Privacy and security > Use secure DNS.
- Turn off Use secure DNS.
In Android settings, turn on Private DNS:
- Open your device's Settings app.
- Tap Network & internet > Private DNS > Automatic or Private DNS provider hostname.
To make sure logs capture Chrome's DNS activity, configure both settings correctly.
Learn what happens when you change or remove your screen lock
- Change your screen lock: You can change your PIN, pattern, or password at any time.
  - This doesn't affect Intrusion Logging.
- Remove your screen lock: If you remove your screen lock, it turns off a key recovery factor that could potentially affect your ability to access your encrypted data.
  - If you lose or damage your device, you may be permanently unable to decrypt your logs. As such, we don’t recommend removing your screen lock.
