Google adds Intrusion Logging to Android Advanced Protection

Intrusion Logging stores end-to-end encrypted daily device and network forensic logs for Advanced Protection Mode users who suspect targeted spyware.

Google introduced Intrusion Logging as an opt-in feature within Android’s Advanced Protection Mode. The tool captures daily forensic records of device and network activity, encrypts them on the device, and stores them on Google’s servers. The feature is rolling out to devices running the Android 16 December update and newer.

The logs record app behavior and connectivity events each day. Entries include when app processes start, app installations, updates and removals, network connections such as Wi‑Fi and Bluetooth start and stop events, DNS lookups and IP addresses, file transfers over USB, changes to system certificates, and when the device is locked or unlocked.

Google wrote that the data is end-to-end encrypted on the device and that encryption keys are protected by the user’s Google Account password and screen lock credentials. Encrypted logs are retained on Google servers for 12 months and are deleted automatically after that period. Users cannot remove stored logs before the 12‑month expiration, even if they close their account or disable the feature. Users can download and decrypt logs for offline storage, but Google warns that once logs are decrypted the user is responsible for securing them and may be legally required to provide access to decrypted data or credentials.

Because logging operates at the system level, it captures network events generated during Incognito browsing in Chrome, including DNS queries and IP connections. Those entries can show which sites a device contacted but do not record specific pages visited.

Google developed Intrusion Logging in collaboration with Amnesty International and Reporters Without Borders for high‑risk users who suspect targeted surveillance. Donncha Ó Cearbhaill, head of Security Lab at Amnesty International, welcomed the feature and said making consensual forensic data available will help researchers and civil society hold attackers accountable. Reporters Without Borders noted that storing encrypted logs on a secure server prevents malware on a device from accessing or altering them and that end‑to‑end encryption limits access by Google or state actors.

Google announced a set of additional privacy and security updates for Android alongside Intrusion Logging. The updates include a verified financial calls feature and call‑spoofing protections that check incoming calls against participating banks’ apps and can end a call if the bank did not initiate it. Google will expand Live Threat Detection to warn about suspicious app behavior used by banking trojans, evaluate APKs downloaded through Chrome with Safe Browsing enabled, tighten controls on accessibility APIs, and add measures to limit brute‑force PIN attempts and improve device recovery.

Other planned changes cover hiding SMS one‑time passwords from most apps for several hours, adding post‑quantum cryptography protections, expanding binary transparency for official builds, and introducing hardware‑backed isolation for AI processing. Eugene Liderman, director of Android security and privacy, described the updates as extensions of Live Threat Detection and Advanced Protection capabilities intended to increase device protections.
