“Intrusion Logging logs may include sensitive information such as browser navigation history. Secure sharing of logs and informed consent are therefore more essential than ever,” Amnesty International warned in a May 12 report.
What Android Intrusion Logging is and who it targets
Google released Android Intrusion Logging on May 12 as part of Android Advanced Protection Mode (AAPM). The feature is designed for high-risk Android users who suspect targeted spyware attacks. AAPM itself, launched in 2025 and likened in the source to Apple’s Lockdown Mode, bundles pre-determined protections intended to reduce exposure to scams, fraud and targeted intrusions.
What the logs record and how they are created
Intrusion Logging lets opted-in devices record device and network activity for periods when a user notices suspicious behaviour. According to Google’s description, the logs capture security events (for example, device unlocking, physical access and abusive interactions), instances of spyware installation and removal, and domain name system (DNS) and connection events. The feature also records applications that run on the device during the logged interval.
Encryption, ownership and secure sharing
Forensic logs are collected once a day by default and are encrypted with a user-generated key before being archived in the user’s Google account. Google says these logs can later be accessed and decrypted by the user but not by Google or any unauthorized third parties. When forensic analysis is required, the device owner must explicitly share the logs from the device itself in a secure manner with the forensic analyst.
Amnesty’s warning underscores the sensitivity of the material: the organisation flagged that logs may include browser navigation history and therefore stressed the need for secure sharing and informed consent.
Who built this, and the surrounding forensic toolset
Google developed Intrusion Logging in partnership with civil society technical teams, including Amnesty International’s Security Lab and Reporters Without Borders’ Digital Security Lab. Amnesty Tech has publicly supported the capability: Donncha Ó Cearbhaill, head of security at Amnesty Tech, praised Google on X and noted that spyware forensic work “has so far relied on incidental logs that were never designed for security analysis and are too often partial and short-lived.” He added, “Now we have the possibility to detect advanced spyware, exploits, unauthorized physical access, even months after the fact.”
In parallel, Amnesty International has released updates to Android Quick Forensics (AndroidQF), described as a lightweight open source forensic tool for quickly extracting and analysing critical evidence, and to the Mobile Verification Toolkit (MVT), an open source toolkit intended to simplify and automate gathering forensic traces to identify potential compromise on Android and iOS devices.
Other AAPM updates and deployment constraints
Intrusion Logging is opt-in and currently available on Pixel devices running Android 16 and later with Advanced Protection Mode enabled; users must also have a Google account linked to the device. Google plans to roll Intrusion Logging out beyond Pixel devices in the future and will expand Advanced Protection support to managed devices through Android Enterprise later this year.
Google released a package of additional AAPM changes at the same time. These include USB Protection — now available on all Pixel devices running Android 16 and newer — which blocks new USB data connections while the screen is locked; removal of accessibility service access for apps not explicitly labelled as accessibility tools beginning with Android 17; disabled device-to-device unlocking to enhance physical security; removal of Chrome WebGPU support within the mode; and new chat notification scam detection targeted at blocking fraudulent messages.
What this means for high‑risk users, forensic analysts, and managed device administrators
- High-risk Android users: Those who want forensic traces will need a Pixel device on Android 16 or later and must enable AAPM, link a Google account, and opt in. Logs are user-encrypted and must be explicitly shared by the owner, a design intended to keep control with the user but which requires careful handling of sensitive data.
- Forensic analysts and civil-society responders: Intrusion Logging offers structured, longer-lived records that Amnesty Tech says can reveal advanced spyware, exploits and unauthorised physical access months after incidents. Analysts will also be able to use updated tools such as AndroidQF and MVT to extract and analyse traces, but only after the device owner shares the encrypted logs.
- Managed device administrators and enterprises: Google’s announcement includes forthcoming Android Enterprise support and changes (such as restricted accessibility services starting with Android 17) that will affect how administrators balance functionality and attack-surface reduction in managed fleets.
Google’s Intrusion Logging ties together user-controlled, encrypted logging with civil-society forensic tooling and a suite of mode-level protections. The feature foregrounds informed consent and secure sharing, while Amnesty International and Reporters Without Borders bring forensic operational experience to the effort. The next measurable developments to watch will be how broadly Google rolls the capability beyond Pixel devices, how managed-device support is implemented later this year, and how secure sharing practices perform in real-world investigations.




