100% FOSS Smartphone Hardening non-root Guide 4.0 - Lemmy
(1/5)

Edit (11/1/2022):

* MIUI has no biometric Lockdown, solution.
* FFUpdater and UntrackMe apps recommended.
* Added back Vinyl Music Player.

NOTE (June) 15/06/2020: r_privacy moderator trai_dep revengefully [https://np.reddit.com/r/privatelife/comments/h8hsdh/exclusive_rprivacy_moderator_deleted_smartphone/] deleted my highly gilded 1.0 guide post [https://np.reddit.com/r/privacy/comments/em8doj/smartphone_hardening_guide_for_normal_people/] before.

# NOTE: I will NOT respond to prejudiced and political trolls.

Hello! It took a while before I could gather enough upgrades to create this fourth iteration of the smartphone guide so many people love. It seems to have benefitted many people, and it was only a matter of time before things got spicier.

It is time to, once again, shake up the expectations of how much privacy, security and anonymity you can achieve on a non rooted smartphone, even compared to all those funky “security” custom ROMs. It is time to get top grade levels of privacy in the hands (pun intended) of all you smartphone users.

Steps are as always easy to apply if you follow the guide, which is a pivotal foundation of this guide I started 2 years ago. After all, what is a guide if you feel unease in even being able to follow its lead?

Unlike last year, I want to try and fully rewrite the guide wherever possible, but some parts will seem similar obviously, as this, while technically being an incremental improvement, is also a massive jump for darknet users. This version of the guide took a while compared to the previous versions.

A kind request to share this guide to any
privacy seeker.

-----

# User and device requirement

* ANY Android 9+ device (Android 10+ recommended for better security)
* knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me)
* For intermediate tech users: typing some URLs and saving them in a text file

-----

# What brings this fourth iteration? Was the previous version not good enough?

No, it was not, just like last time. There is always room for improvement, but I may have started to encounter the law of diminishing returns, just like Moore’s Law has started to fail with desktop CPU transistor count advancements. This does not mean I am stopping, but upgrades might get marginal from here on.

The upgrades we now have are less in number, higher in quality. So, we have a lot of explanation to read and understand this time around.

A summary of new additions to the 3.0 guide [https://np.reddit.com/r/privatelife/comments/lpyl1s/100_foss_smartphone_hardening_nonroot_guide_30/]:

* Update to the Apple section
* Many additions in section for app recommendations and replacements
* NetGuard replaced with Invizible Pro (this is massive)
* A colossal jump in your data security in the event of a possible physical phone theft using a couple applications
* An attempt at teaching the importance of Android/AOSP’s killswitch feature for VPNs/firewalls
* (FOR XIAOMI USERS) How to configure Work Profile, as Second Space causes issues, and adding back biometric Lockdown
* How to be able to copy files from work profile to main user storage without Shelter/Insular’s Shuttle service
* Some changes in phone brand recommendations
* Caveat(s)

-----

# Why not Apple devices?

iPhone does not
allow you to have privacy [https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d] due to its blackbox nature, and is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was discovered [https://9to5mac.com/2020/08/01/new-unpatchable-exploit-allegedly-found-on-apples-secure-enclave-chip-heres-what-it-could-mean/] in Apple’s T1 and T2 “security” chips, rendering Apple devices critically vulnerable.

Also, they recently dropped plan for encrypting iCloud backups after FBI complained [https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT]. They also collect and sell data quite a lot [https://i.imgur.com/n8Bk0bA.jpg]. Siri still records conversations 9 months after Apple promised not [https://www.theregister.co.uk/2020/05/20/apple_siri_transcriptions/] to do it. Apple Mail app is vulnerable, yet Apple stays in denial [https://9to5mac.com/2020/04/27/iphone-mail-vulnerabilities-2/].

Also, Apple sells certificates to third-party developers that allow them to track users [https://www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/]. The San Bernardino shooter publicity stunt was completely fraudulent [https://www.aclu.org/blog/privacy-technology/internet-privacy/one-fbis-major-claims-iphone-case-fraudulent], and Louis Rossmann dismantled Apple’s PR stunt “repair program” [https://invidio.us/watch?v=rwgpTDluufY].

Apple gave the FBI access to the iCloud account of a protester accused of setting police cars on fire [https://www.businessinsider.com/apple-fbi-icloud-investigation-seattle-protester-arson-2020-9]. Apple’s authorised repair leaked a customer’s sex tape during iPhone repair. [https://www.youtube.com/watch?v=xt3YSD36ZNc] This is how much they respect your privacy.

You want to know how much more they respect your privacy? Apple’s Big Sur(veillance) fiasco seemed not enough [https://np.reddit.com/r/privatelife/comments/jvdokk/writeup_beware_of_shills_defending_apple_big/], it seems.

Still not enough to make your eyes pop wide open? Apple’s CSAM mandatory scanning of your local storage is a fiasco that will echo forever. This blog article [https://www.hackerfactor.com/blog/index.php?%2Farchives%2F929-One-Bad-Apple.html] should be of help. But they lied [https://www.icenterpro.eu/apples-csam-system-was-hacked-but-the-firm-claims-it-is-protected/] how their system was never hacked. I doubt [https://np.reddit.com/r/MachineLearning/comments/p6hsoh/p_appleneuralhash2onnx_reverseengineered_apple/]. They even removed CSAM protection references [https://www.macrumors.com/2021/12/15/apple-nixes-csam-references-website/] off of their website for some reason.

Pretty sure at least the most coveted privacy innovation of App Tracking protection with one button tracking denial would work, right? Pure. Privacy. Theater. [https://www.yahoo.com/news/former-apple-engineer-says-button-164452709.html]

Surely this benevolent company blocked and destroyed Facebook and Google’s ad network ecosystem by blocking all those bad trackers and ads. Sigh. Nope. [https://twitter.com/PatrickMcGee_/status/1449608262492459011] Now it is just Apple having monopoly over your monetised data.

Also, Android’s open source nature is starting to pay off in the long run. Apple 0-day exploits are far cheaper [https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/] to do than Android.

-----

# LET’S GO!!!

ALL users must follow these steps except
the “FOR ADVANCED/INTERMEDIATE USERS” tagged points or sections.

Firstly, if your device is filled to the brim or used for a long time, I recommend backing up your data and factory resetting for a clean slate start.

* Sign out all your Google and phone brand accounts from your device so that Settings–>Accounts do not show any sign-ins except WhatsApp/Signal/Telegram
* Install ADB on your Linux, Windows or Mac OS machine, simple guide: https://www.xda-developers.com/install-adb-windows-macos-linux/
* Use “Universal Android Debloater” [https://gitlab.com/W1nst0n/universal-android-debloater] to easily debloat your bloated phone.

  NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and declares they sell this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/
* Install F-Droid app store from here [https://f-droid.org/en/]
* Install NetGuard app firewall (see NOTE) from F-Droid and set it up with privacy based DNS like AdGuard/Uncensored/Tenta/Quad9 DNS.

  NOTE: NetGuard with Energized Ultimate [https://block.energized.pro/ultimate/formats/hosts.txt] HOSTS file with any one of the above mentioned DNS providers is the ultimate solution.

  NOTE: Download the Energized Ultimate hosts file from https://github.com/EnergizedProtection/block and store it on phone beforehand. This will be used either for NetGuard or Invizible, whichever is picked later on.

  (FOR ADVANCED USERS) If you know how to merge HOSTS rules in one text file, you can merge Xtreme addon pack from Energized GitHub. You can also experiment with the Porn and Malicious IP domain lists.

  NOTE: Set DNS provider address in Settings -> Advanced settings --> VPN IPv4, IPv6 and DNS
* Install Invizible Pro from F-Droid (LONG SECTION FOR THIS BELOW)
* In F-Droid store, open Repositories via the 3 dot menu on top right and add the following repositories below:

    1. https://gitlab.com/rfc2822/fdroid-firefox
    2. https://apt.izzysoft.de/fdroid/index.php
    3. https://guardianproject.info/fdroid/repo/

  Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu. (This may vary if you have newer F-Droid store app with new user interface.)

-----
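The HOSTS merge mentioned in the NetGuard step (combining the Energized Ultimate list with an addon pack), shown here as an added example that is not part of the original post. It keeps only entries that point at a sink address, so a merged list can block names but never redirect them; the function names, file names and sample entries are constructed, and the lists are assumed to use the usual `<address> <hostname>` HOSTS format.

```shell
#!/bin/sh
# Added example: merge several HOSTS blocklists into one file.
# Run "sh merge_hosts.sh demo" to see it on constructed sample data.

# merge_hosts OUT IN...: keep sinkhole entries only, normalise them to
# 0.0.0.0, lower-case the names, then sort and deduplicate.
merge_hosts() {
    out=$1; shift
    cat "$@" | tr -d '\r' | sed 's/#.*//' | awk '
        $1 == "0.0.0.0" || $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                # skip the loopback names a stock hosts file defines
                if (d == "localhost" || d == "localhost.localdomain" || d == "0.0.0.0") continue
                # skip anything that is not a plain hostname
                if (d !~ /^[a-z0-9._-]+$/) continue
                print "0.0.0.0 " d
            }
        }' | LC_ALL=C sort -u > "$out"
}

# count_redirects IN...: number of entries that point a name at a
# non-sink address (these are dropped by merge_hosts; review them).
count_redirects() {
    cat "$@" | tr -d '\r' | sed 's/#.*//' | awk '
        NF >= 2 && $1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::1" && $1 != "::" { n++ }
        END { print n + 0 }'
}

# Constructed sample lists (not real Energized data).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# base list' '127.0.0.1 localhost' '0.0.0.0 ads.example.com' \
        '0.0.0.0 Tracker.Example.net  # inline comment' > "$dir/ultimate.txt"
    printf '%s\r\n' '0.0.0.0 ads.example.com' '127.0.0.1 telemetry.example.org' \
        '203.0.113.7 bank.example.com' > "$dir/xtreme.txt"
    merge_hosts "$dir/merged.txt" "$dir/ultimate.txt" "$dir/xtreme.txt"
    echo "redirect entries skipped: $(count_redirects "$dir/ultimate.txt" "$dir/xtreme.txt")"
    cat "$dir/merged.txt"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

A non-zero count from `count_redirects` means a downloaded list maps some hostname to a real address, which is worth checking by hand before the merged file is loaded into the firewall app.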
Lemmy unfortunately has a word limit for posts, and I had to break my post into 5 parts, 4 as comments, to be able to post it. So, comments and questions can be put here.
Because the issue is trusting an entity like Google, of all entities, that lies quite a lot. Android and Chromium codebases are open, which is precisely why there is trust in them. Titan M is all marketing until its hardware can be inspected by an independent competent party. Also, Apple’s T2 was a fortress, until it was not. Same goes for all Snapdragon chips back to 2006 when Hexagon DSP got hacked. Intel ME? Really secure. Having extra proprietary attack surface in the name of security, when it is closed source security, is a bullet one should dodge.
As I always say, closed source security is not security, but a disaster waiting to happen.
But my point here is all of the devices you recommend use proprietary microcode at some level or another. Why trust a security chip any less than the radio firmware when it comes to nefarious vendor backdoors?
As far as google devices go, they’re the only ones (except for some oneplus phones AFAIK) that allow you to use custom signed keys and relock your bootloader. As far as attack surfaces go, that allows you to plug a pretty big one if you want to use a hardened android release like graphene. If you’re worried about security and privacy this is your best bet as long as android rules the mobile device world.
I’m optimistic for the future of native linux mobile devices, but I have been saying that since I bought a brand new N900 15 years ago. Hopefully graphene follows their roadmap to abandon android for native linux when it becomes more feasible. I just wouldn’t trust any vendor supplied firmware, no matter how degoogled you make it, and try to use devices which allow you to relock the bootloader with your own keys.
I do not agree with GrapheneOS’ lead developer’s vision, his attitude towards community or any of his supporters who are a toxic cult at this point. He and his minions more often than not simply lie and grift about how, since there are enough proprietary blobs, we should add a whole piece of proprietary blackbox in the name of security chip on top of it, made by Google. This is an NSA slave that provides for USA military’s inhuman activities using the smartphone metadata they collect on us, as admitted by CIA former head Hayden.
Also, this masterlist comment, that I formulated over 3 years of interaction, should reveal to you the reality of madaidan, cn3m and all kinds of sockpuppets that originate from GrapheneOS community that claim in third person they are security experts https://lemmy.ml/post/73800/comment/66676
Edit: forgot this one, nobody talks about this for a supposed ROM for activist level threat model https://np.reddit.com/r/privacytoolsIO/comments/pjl4bh/what_is_your_opinion_of_grapheneos_conforming_to/
What does the dev not being a nice guy have to do with device security?
How is google collecting my metadata if they have no access to my device? Pixel+graphene is still a much better option than any stock firmware.
Feel free to crack it open and prove me wrong. I’m sure they have some good bounties you can collect on.
Also oh no camera noise boo hoo that proves graphene is in the pocket of Japanese government? You’re really reaching with that one.
I think I already showed you the issues above, but it is up to you to acknowledge them. Some do, some do not. Many get driven away from GrapheneOS on a regular basis due to receiving no technical support, and only hostility from community upon asking for support. And Pixels with GrapheneOS are not audited by any independent authority for those big claims of big security and best combo and all those marketing buzzwords.
Unless you are willing to purposely reduce it to a mere behaviour issue, you could easily see what all is wrong here. Micay bans and blocks people and leaves his minions and sockpuppet army to harass people that criticise him as well, no matter what social media platform.
I see a madaidan-tier argument, I flick it in the bin. Not going to engage in this kind of intellectual dishonesty.
I have not seen ONE open source community custom ROM in my life that implements such kind of functionality that caters to a government’s rules, let alone a security/anonymity ROM with a niche audience that hates such shenanigans in the first place. Even if it may not be conspiratorial, it makes me very suspicious in even thinking of touching it with a 10 foot pole, and then people come to bash me just for pointing out this nonsense vision of the developer. Cultist stuff is not meant for an open community, it belongs to cults that obey instead of thinking.
Yeah I would have banned you too. It seems like you simply have a bone to pick with strcat since you got banned.
Your arguments are cyclical and you have not given any valid evidence towards pixel devices being backdoored or graphene being google/NSA/CIA/etc shills.
Also I’m pretty sure most of the stock ROMs you recommend keeping all have cameras with shutter sounds.
If you hate google so much then why are you recommending ANY android devices?
EDIT: just to test it, I muted all sounds on my phone and tried taking a picture. Guess what? No shutter sounds.
Sure, I am picking a bone. Go express your love to strcat, I have no time for trolls that worship him and his grifty cult that bans any people that question him.
Want to be a mental gymnast? 2022 Olympics are coming soon. I am not one, so I no longer want to compete with you.
In case you want to delete your comments…
screenshot
I think my ‘mental gymnastics’ are actually valid criticisms. Honestly I want to know why if you’re so worried about privacy and security then why not just recommend a Linux device with no ties to google? Or better yet, no connected devices since it’s super easy for the gubmebt to track LTE signals.
Every device you recommended is an android device yet you claim that google is the enemy. Why wouldn’t you also assume that these stock vendor ROMs have backdoors in them as well? Just degoogling and using fdroid isn’t enough when some random company holds the keys to your device.