Tech Friend: How secure is screen casting?

Tips & tricks
5 mins
Tech Friend 3 by ExpressVPN

Tech Friend is our advice column covering cybersecurity, privacy, and everyday technology. Email your question to techfriend@expressvpn.com. If you have questions about your ExpressVPN subscription or need troubleshooting help, please contact Support.


Remote control

How does media casting work, and how secure is it? I use Google Chromecast to cast from my phone to my TV. Can streaming services or Google see what I’m watching?

Submitted by: Pip

Media casting, also known as screen casting, is commonly used for displaying an app from your phone, tablet, or computer onto your TV screen. The purpose of casting is to enjoy a larger display, especially for content that you can’t get on your TV directly. For example, you can cast the TikTok app to your TV to watch the latest dance trend on a bigger screen.

Casting is similar to screen mirroring. With mirroring, what shows up on your smaller device is shown on the TV exactly, including your background wallpaper, battery level, and notifications—your TV is essentially used as a large monitor. Casting displays only the chosen app. One benefit of casting is you can use your TV to, say, watch a video playing on your phone while freeing up your device for other use.

To cast, you need a service like Google’s Chromecast. Casting works over Wi-Fi, so both devices (the ones you’re casting to and from) will need to be connected to the same network.

By relying on Wi-Fi, casting can be affected by Wi-Fi vulnerabilities. Security researchers and hackers have repeatedly demonstrated that they could hijack Chromecasts and get them to show whatever content they choose. This is a deauthentication attack, which disconnects Chromecast from the Wi-Fi network and forces it to reconnect to a network controlled by the attacker.

Someone could use this method to trick you into revealing login details or install malicious programs. As one security researcher mentions, they could use your Chromecast to play a command to your voice assistant, asking it to order expensive goods or disable your home’s alarms. They could also simply prank you with content you don’t want to watch, causing a nuisance. Changing your router settings could help prevent such an attack (see our tips below).

As for your privacy, casting devices like Chromecast (and therefore Google) collect usage data, which includes device interactions, playback quality, and information about your media sessions like the apps you’re using.

It should come as no surprise that your streaming services, like Netflix, know what you’re watching on their services (learn how to delete your Netflix history), but they also collect data about how you watch. For example, Netflix records the devices you use to stream. This means it knows that you watched an Oscar-nominated movie and that you cast it to your TV from your phone with a Chromecast.

Here are some tips on protecting your Wi-Fi so you can cast securely.

  • Use a strong Wi-Fi password. A strong Wi-Fi password is resistant to brute-force attacks.
  • Change your router’s admin credentials from the default. Don’t stick with “admin” and “password”.
  • Enable ‘Encryption of Management Frames’, if your router has the option, and disable WPS and UPnP. These are ways of preventing deauthentication attacks.
  • Avoid casting on public networks. Public Wi-Fi is often unsecured. Just as you shouldn’t access private and sensitive information on public Wi-Fi networks, you should avoid casting on them too.
  • Hide your router’s SSID. This means your Wi-Fi won’t show up in lists of nearby networks. While it’s less convenient to connect to your Wi-Fi, it can lower the chance of someone attacking it.
  • Keep your devices up to date. This applies to your router firmware, too.
  • Use a VPN. While a VPN cannot hide account-based data collected by streamers and casting devices, it can encrypt and shield your activity from your Wi-Fi router (accessible by admins) and your ISP.

App tracking protection vs. VPN

Can I use DuckDuckGo’s App Tracking Protection feature with my ExpressVPN subscription?

Submitted by: Allan

If you use an iPhone or iPad, you would be familiar with App Tracking Transparency, a feature built into iOS and iPadOS that lets you opt out of apps’ tracking of your activity. If you use an Android phone, you don’t get to block tracking natively from your phone’s settings. DuckDuckGo aims to plug this privacy gap with its App Tracking Protection feature built into its Android app.

But what is app tracking? Many apps contain multiple third-party SDKs (software development kits) that share activity data with one another—these are known as trackers. Trackers are how Facebook knows when you search for a new phone case and serves you ads from different case companies for your device.

While DuckDuckGo already blocks tracking from websites while using the browser app, App Tracking Protection blocks tracking across all apps on your Android phone. You should note that the feature is still in beta, though. DuckDuckGo notes that it can cause usability problems in some apps.

When you opt into DuckDuckGo’s App Tracking Protection, the feature detects trackers from DuckDuckGo’s self-maintained list of trackers and blocks their traffic.

One issue, though, is App Tracking Protection is registered as a VPN on your Android phone. Importantly, you need to know it is not a DuckDuckGo VPN. App Tracking Protection will not encrypt your traffic or give you a new IP address. It simply leverages the VPN functionality within Android to monitor and control traffic, allowing it to block app trackers.

This also means you cannot use ExpressVPN if you use App Tracking Protection. Android only allows for one VPN connection at a time. You will have to choose between enabling your VPN or App Tracking Protection.

While it may be tempting to enable the new App Tracking Protection feature, we’d caution otherwise. And no, it’s not because we run a VPN. App Tracking Protection’s coverage starts and ends with app trackers, leaving other elements of your online privacy vulnerable. It’s worth reiterating that while App Tracking Protection shows up as a VPN on your phone, it isn’t one. App Tracking Protection cannot provide you with all the privacy and security benefits that a VPN can.

Read more: Why should you keep your VPN on all the time?

A VPN encrypts your internet traffic, keeping your activity and information safe from third parties. You get a new IP address in a different location with a VPN, increasing your anonymity and allowing you to bypass censorship and access content restricted by your school or office Wi-Fi. DuckDuckGo contends that using a VPN means allowing the VPN company to see your network traffic. While this could be true for some VPNs, ExpressVPN has a strict no-logs policy, meaning we don’t know what you use your VPN for and keep no record of it.

While we don’t recommend you enable App Tracking Protection instead of a VPN, we do recommend using the DuckDuckGo search engine together with your VPN for maximum privacy.

stream on smart tvs and phones
Best VPN for smart TVs and streaming devices
What is a VPN?
A phone with a padlock.
We take your privacy seriously. Try ExpressVPN risk-free.
What is a VPN?
Answering your online privacy, cybersecurity, and other everyday technology questions.