When someone believes their phone has been hacked, they experience a specific type of helplessness. Even though the damage may already be done, it has historically been nearly impossible to prove it. Within hours, Android’s system logs are erased. Reports on crashes are rotated out. The evidence is frequently lost by the time a journalist or activist gets in touch with a digital forensics lab. Specifically designed to bridge that gap, Google’s new Intrusion Logging feature was released this spring as part of Android’s Advanced Protection Mode.
It functions much like a black box recorder for the phone. From the moment the device is turned on, it silently records security-relevant events: app installations and removals, USB connections, screen unlocks, DNS lookups, and network connections made in the background. None of this is visible day to day. The log simply accumulates, is encrypted, and is uploaded to the user’s Google account roughly once a day.
The system is interesting not only for what it records but for who can read it. Before the logs ever leave the device, they are encrypted with a key derived from the user’s account password and screen lock. Google states that it cannot decrypt them on its own, and security researchers appear to agree. That is a significant design decision: it makes the feature more like a personal forensic vault than a surveillance tool, which matters given the intended user base.
The fact that Reporters Without Borders and Amnesty International’s Security Lab contributed to the feature’s development says a lot about its target audience. Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, has described it as shifting the balance away from attackers deploying spyware and toward the people defending themselves against it. Journalists, human rights workers, and activists are not only the most exposed to nation-state-grade spyware such as Pegasus or Graphite; they are also the least likely to have forensic evidence months after an attack, which is typically when they first become aware that anything has happened at all.

Notably, neither Google nor the user can manually delete the logs before the 12-month retention period ends. Promoting that as a selling point seems odd, but in context it makes sense: a log that can be altered, or that its owner can be coerced into deleting, is a log that can be erased on demand. Here, permanence is the whole point.
There is some tension, however. Once a person downloads and decrypts their own logs, they are responsible for safeguarding them, and in some jurisdictions authorities or courts may compel access to that data. There is also the question of scope: the feature records only from the moment it is enabled and offers no evidence of attacks that took place before activation. And wider vendor support is still pending; for now it is largely limited to Pixel hardware running Android 16 and later.
It is hard to ignore the timing. For years there have been repeated spyware scandals involving journalists and activists, and device makers have mostly responded after the fact with notifications rather than tools. Intrusion Logging feels like an earlier intervention, built on the premise that some users genuinely need to prove what happened to their phone, not merely suspect it. Whether it becomes a meaningful check on spyware vendors or just a niche setting most people never find will likely depend on how far Google can extend it beyond Pixel devices.
