(1/5)

Edit (11/1/2022):
  • MIUI has no biometric Lockdown: solution added.
  • FFUpdater and UntrackMe apps recommended.
  • Added back Vinyl Music Player.

NOTE (June) 15/06/2020: r_privacy moderator trai_dep revengefully deleted my highly gilded 1.0 guide post before.

NOTE: I will NOT respond to prejudiced and political trolls.

Hello! It took a while before I could gather enough upgrades to create this fourth iteration of the smartphone guide so many people love. It seems to have benefitted many people, and it was only a matter of time before things got spicier.

It is time to, once again, shake up the expectations of how much privacy, security and anonymity you can achieve on a non-rooted smartphone, even compared to all those funky “security” custom ROMs. It is time to get top-grade levels of privacy in the hands (pun intended) of all you smartphone users.

Steps are, as always, easy to apply if you follow the guide; that has been a pivotal foundation of this guide since I started it 2 years ago. After all, what is a guide if you feel unease in even being able to follow its lead?

Unlike last year, I want to try and fully rewrite the guide wherever possible, but some parts will seem similar obviously, as this, while technically being an incremental improvement, is also a massive jump for darknet users. This version of the guide took a while compared to the previous versions.

A kind request: share this guide with any privacy seeker.


User and device requirement

  • ANY Android 9+ device (Android 10+ recommended for better security)
  • knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me)
  • For intermediate tech users: typing some URLs and saving them in a text file

What brings this fourth iteration? Was the previous version not good enough?

No, it was not, just like last time. There is always room for improvement, but I may have started to encounter the law of diminishing returns, just like Moore’s Law has started to fail with desktop CPU transistor count advancements. This does not mean I am stopping, but upgrades might get marginal from here on. The upgrades we now have are fewer in number but higher in quality. So, we have a lot of explanation to read and understand this time around.

A summary of new additions to the 3.0 guide:

  • Update to the Apple section
  • Many additions in section for app recommendations and replacements
  • NetGuard replaced with Invizible Pro (this is massive)
  • A colossal jump in your data security in the event of a possible physical phone theft using a couple applications
  • An attempt at teaching the importance of Android/AOSP’s killswitch feature for VPNs/firewalls
  • (FOR XIAOMI USERS) How to configure Work Profile, as Second Space causes issues, and adding back biometric Lockdown
  • How to be able to copy files from work profile to main user storage without Shelter/Insular’s Shuttle service
  • Some changes in phone brand recommendations
  • Caveat(s)

Why not Apple devices?

The iPhone does not allow you to have privacy due to its black-box nature; its privacy is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was discovered in Apple’s T1 and T2 “security” chips, rendering Apple devices critically vulnerable.

Also, they recently dropped plans for encrypting iCloud backups after the FBI complained. They also collect and sell data quite a lot. Siri still records conversations 9 months after Apple promised not to do it. The Apple Mail app is vulnerable, yet Apple stays in denial.

Also, Apple sells certificates to third-party developers that allow them to track users. The San Bernardino shooter publicity stunt was completely fraudulent, and Louis Rossmann dismantled Apple’s PR stunt “repair program”.

Apple gave the FBI access to the iCloud account of a protester accused of setting police cars on fire.

Apple’s authorised repair leaked a customer’s sex tape during an iPhone repair. This is how much they respect your privacy. You want to know how much more they respect your privacy? Apple’s Big Sur(veillance) fiasco was not enough, it seems. Still not enough to make your eyes pop wide open?

Apple’s CSAM mandatory scanning of your local storage is a fiasco that will echo forever. This blog article should be of help. But they lied about how their system was never hacked. I doubt it. They even removed CSAM protection references from their website for some reason.

Pretty sure at least the most coveted privacy innovation, App Tracking protection with one-button tracking denial, would work, right? Pure. Privacy. Theater.

Surely this benevolent company blocked and destroyed Facebook and Google’s ad network ecosystem by blocking all those bad trackers and ads. Sigh. Nope. Now it is just Apple having monopoly over your monetised data.

Also, Android’s open source nature is starting to pay off in the long run. Apple 0-day exploits are far cheaper than Android ones.


LET’S GO!!!

ALL users must follow these steps except the “FOR ADVANCED/INTERMEDIATE USERS” tagged points or sections.

Firstly, if your device is filled to the brim or has been used for a long time, I recommend backing up your data and factory resetting for a clean-slate start.

NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and now declares that it sells this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/

  • Install F-Droid app store from here

  • Install the NetGuard app firewall (see NOTE) from F-Droid and set it up with a privacy-based DNS like AdGuard/Uncensored/Tenta/Quad9 DNS.

NOTE: NetGuard with Energized Ultimate HOSTS file with any one of the above mentioned DNS providers is the ultimate solution.

NOTE: Download the Energized Ultimate hosts file from https://github.com/EnergizedProtection/block and store it on phone beforehand. This will be used either for NetGuard or Invizible, whichever is picked later on.

(FOR ADVANCED USERS) If you know how to merge HOSTS rules into one text file, you can merge the Xtreme addon pack from the Energized GitHub. You can also experiment with the Porn and Malicious IP domain lists.

NOTE: Set the DNS provider address in Settings -> Advanced settings -> VPN IPv4, IPv6 and DNS

  • Install Invizible Pro from F-Droid (LONG SECTION FOR THIS BELOW)

  • In the F-Droid store, open Repositories via the 3-dot menu on the top right and add the following repositories:

  1. https://gitlab.com/rfc2822/fdroid-firefox

  2. https://apt.izzysoft.de/fdroid/index.php

  3. https://guardianproject.info/fdroid/repo/

Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu. (This may vary if you have newer F-Droid store app with new user interface.)


  • @TheAnonymouseJokerOPM, 2 years ago

    (4/5)

    HOW TO USE TWO VPNS/FIREWALLS WITHOUT ROOT ON ANDROID? (FOR ADVANCED USERS)

    Using the Shelter app we installed, we set up the Work Profile for WhatsApp, Discord and such apps. We will simply clone-install NetGuard from the main profile into the work profile.

    Now we have two separate firewalls. Using this method, you can segregate all your account based invasive corporation messaging apps into the work profile, and even Tor-ify the main profile!

    Simply put, you can put privacy invasive apps in work profile and clean open source apps and any (closed source) disabled internet apps in main profile. Compartmentalisation is very much possible. You can even achieve anonymity via this process.


    HOW TO BLOCK TRACKERS FOR ANY APP USING EXODUS DATABASE (FOR INTERMEDIATE USERS)

    Using Exodus Privacy database is easy, but it is not used meaningfully by users other than opening the app/website database for self satisfaction purpose, and making themselves feel nerdy.

    For each app, there is a tracker section that lists URLs. Notice these URL domains, and put them in your HOSTS rules file to block these trackers. This can also work on apps like WhatsApp and Discord, basically any app. It helps mitigate a lot of spying network traffic.
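    Added example (not part of the guide): a small Python script that does the merging the two HOSTS-related sections above describe, combining HOSTS-format lists such as Energized Ultimate and an addon pack with bare tracker domains copied from an app's Exodus entry into one deduplicated rules file. The list excerpts and domain names inside it are constructed placeholders, not real list contents.

```python
"""Merge HOSTS-format block lists (e.g. Energized Ultimate plus an addon pack)
with bare tracker domains copied from an app's Exodus tracker section into one
deduplicated HOSTS rules file for NetGuard or Invizible Pro."""
import re
from typing import Iterable, Set

# Hostname syntax: dot-separated labels of letters, digits and hyphens.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)
_REDIRECTS = {"0.0.0.0", "127.0.0.1", "::1", "::"}  # sinkhole addresses, not domains
# Names a merged list must never contain, or the device's own name resolution breaks.
_PROTECTED = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def hosts_domains(text: str) -> Set[str]:
    """Return block-target hostnames from HOSTS-format or bare-domain text.
    Accepts '0.0.0.0 host', '127.0.0.1 host', several hosts per line and plain
    'host' lines; comments, blank lines and malformed names are skipped."""
    found: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in _REDIRECTS:  # leading address is the redirect target
            fields = fields[1:]
        for name in fields:
            name = name.rstrip(".")
            if name in _PROTECTED or not _HOST_RE.match(name):
                continue
            found.add(name)
    return found


def merge_hosts(sources: Iterable[str], header: str = "# merged block list") -> str:
    """Union of every source as sorted '0.0.0.0 host' lines (easy to diff)."""
    names: Set[str] = set()
    for src in sources:
        names |= hosts_domains(src)
    return "\n".join([header] + [f"0.0.0.0 {n}" for n in sorted(names)]) + "\n"


# Constructed sample inputs; the domains are placeholders, not real list contents.
ENERGIZED_SAMPLE = """# Energized Ultimate excerpt (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.com
0.0.0.0 metrics.example-tracker.com  # repeated below in another form
"""
ADDON_SAMPLE = """127.0.0.1 METRICS.example-tracker.com telemetry.example-sdk.net
0.0.0.0 0.0.0.0
"""
EXODUS_SAMPLE = """graph.example-social.com
app-measurement.example-analytics.com
not a domain
"""

if __name__ == "__main__":
    print(merge_hosts([ENERGIZED_SAMPLE, ADDON_SAMPLE, EXODUS_SAMPLE]), end="")
```

    Save the printed output as the hosts file you hand to NetGuard or Invizible; rerun the script whenever you add domains from another app's tracker list.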


    HOW DO I USE WHATSAPP TO MITIGATE EFFECTS OF ITS HORRIBLE PRIVACY POLICY? (FOR BASIC/INTERMEDIATE USERS)

    • I used an OTG USB to copy the local WhatsApp backup database from main user to Work user profile.
    • Cloned WhatsApp into the Shelter Work profile, uninstalled it from the main user, and copied the WhatsApp backup made beforehand into the Work user’s internal memory -> WhatsApp/Databases/ (created these folders using a file manager app also cloned to the Work user account)
    • Opened and set up WhatsApp, so now it can auto-detect the chat backup and restore it
    • Now I have WhatsApp in Shelter Work Profile, with no permission access outside of Contacts.
    • It can temporarily get Storage access if I want to view a photo or video someone sent me.
    • The storage access it gets is only the storage in work user profile, separate from main user internal storage or SD card
    • Trackers are blocked using manual HOSTS file entries (ADVANCED USERS refer to section above)
    • Cameras are physically covered (refer to DIY camera cover section)
    • I use WhatsApp once a week and turn off internet and WiFi for it via NetGuard I set up in Work profile

    HOW TO CONFIGURE XIAOMI DEVICES FOR WORK PROFILE, SINCE SECOND SPACE/DUAL APPS CAUSES CONFLICT WITH SHELTER/ISLAND/INSULAR? (ALSO A HACK FOR HOW TO COPY FILES FROM WORK PROFILE TO MAIN USER PROFILE)

    This is a widespread issue and causes many people trouble. Many people have even asked me about it on all kinds of places on the internet, besides the comments on 3.0 guide. The solution is to disable Second Space/Dual Apps first.

    NOTE: If you have WhatsApp there, first copy* (asterisk note below) your database file using a file manager app that can read the whole internal storage. Then follow the above guide section “HOW DO I USE WHATSAPP TO MITIGATE EFFECTS OF ITS HORRIBLE PRIVACY POLICY?”, once we do the steps below.

    So after disabling Second Space/Dual Apps, go to system settings and search for “Users” or “Work”, and you should find a listing similar to “Work Profile”. You have to go enable “Work Profile” user there, and then install Shelter/Insular/Island, whichever works. NEVER ENABLE SECOND SPACE FEATURE AGAIN.

    Now, follow the above guide section, and you can even reinstall WhatsApp since you have the chat database file backed up.

    • If you are unable to copy the file normally, you will need to install the ToDoZip app from F-Droid for this workaround trick. Open the ToDoZip app and give it storage permissions to be able to create ZIP files. With the file manager app that you cloned into the Work Profile, navigate to <STORAGE/WhatsApp/Databases/LATEST_DB_FILE>, select and share the file. The share menu will appear; select/switch to the personal profile, and select “Add To Zip” with the ToDoZip app logo. Wait for 2-5 minutes and the WhatsApp chat database file should appear inside a .ZIP file in the /Downloads folder on your main internal storage. As you may have guessed, this workaround I had to invent works for copying any file from work profile storage to main storage, in case the Shelter/Insular Shuttle service does not work.

    HOW TO CONFIGURE MIUI TO HAVE MISSING BIOMETRIC LOCKDOWN FEATURE?

    Get AdminControl from F-Droid to reinvoke the AOSP feature back in action.


    WHICH PHONE BRANDS ARE GOOD AND BAD? (FACTS)

    Now we will need to evaluate what manufacturers are relatively safe, no appeasing, I will be blunt. I will make tier lists to help. I will give explanation for each, so read before jumping with pitchforks.

    NOTE: If you have anti-Chinese political allergy, kindly read facts, or choose the other non-Chinese options listed. YOU HAVE 7 WESTERN OPTIONS TO 5 CHINESE OPTIONS. I will NOT respond to prejudiced and political trolls.

    Tier 1: Asus, Motorola, Sony, FairPhone, Huawei/Honor (caveat)

    Tier 2: OnePlus, Oppo, Vivo, Realme, Xiaomi, Samsung, Nokia, LG

    Tier NOPE NOT AT ALL: Google

    Asus, Sony, Motorola: their software is nearly stock, and as such quite beneficial and peace of mind assuring. Status: good.

    FairPhone: Clean software, ethical, recyclable components, good phone but bit extra price for midrange hardware. Status: good.

    Huawei: still no evidence by the US government after THREE years of market protectionism and the US-China Cold War 2.0 ban, contrary to what Sinophobic US/14 Eyes propaganda and condemned joke research papers (refer to this for why) may make you believe. Most countries are allowing them 5G participation. There is absolutely ZERO EVIDENCE against specifically Huawei (this does not count other Chinese companies), which was earlier, ironically, audited by UK GCHQ to be safe. On any of their global devices, to date there has been no telemetry found IFF you do NOT use a Huawei ID account or any Huawei services (as instructed above). I have an OpenKirin rooted unlocked Honor 6X, and now a locked P30 Lite, to confirm this.

    If Huawei’s CEO is a former PLA technician, so are the CEOs of plenty of USA companies. What does it prove? Typical moral rocks thrown by politicians that polarise people like you and me for their global hegemony politics.

    If Huawei’s ban makes sense to you, then why was there an attempt to ban Xiaomi, despite it not selling any 5G equipment? Or why is Honor, despite now being a separate brand that sells no 5G equipment, being considered for a ban?

    NOTE: The real reason for this propaganda ban is that the USA could not backdoor 5G the way it did 4G (check plenty of NSA SIGINT documents), and so they are attempting to put China out of commission. And Huawei did not steal 5G from the USA, since the USA never had a proper 5G vendor for more than 2 years. And the ongoing US-China Cold War (due to the global hegemonic shift) and growing McCarthyist sentiment among Westerners prove it easily.

    To add, for the rest of the world outside China it is better to own a hardware device from a country which has no jurisdiction over them, and you can use their phones without Huawei and Google accounts very safely. BONUS: baseband modem not associated with the NSA. Also, good cameras, battery, display and performance in general. Status: easily debloatable and good.

    Samsung: Quite the disaster in bloatware and spyware. Multiple issues: Qihoo 360 on phones with IMEI and MAC sent over HTTP, Samsung Pay selling user data with no opt-out till now, Replicant devs discovering backdoors, the Knox hardware black box with no idea what microcode it runs, certification from the NSA (even more worrying), lockscreen and notification ads in One UI, ads on Smart TVs. This all adds up to quite a shady company, but NetGuard can mitigate it. Status: avoid in favour of other brands if possible.

    Xiaomi: They have quite a bit of telemetry in their MIUI skin, similar to Samsung. Now they have tracking in Incognito Mode in their Browser as well.

    Xiaomi devices, if not rooted or flashed with a custom ROM, also have an issue with installing Shelter/Insular/Island work profile apps. This is due to the Dual Apps feature preloaded into MIUI, and may need a workaround for Dual Apps to be removed or disabled on stock MIUI devices. They seem to be troublesome if you want to use VPNs for anonymity besides having apps like WhatsApp or Discord on the phone. Please refer to the dedicated section above on how to solve this issue. Status: avoid unless you can implement the guide properly.

    OnePlus, Oppo, Vivo: They have considerably less telemetry and ads, better than Samsung and Xiaomi. Status: potential but decent brands.


      (5/5)

      Realme: Decent phones and can be debloated using Oppo/Vivo profiles in Debloater tool. The debloater tool does not cover Realme directly. Beware of preloaded Google Dialer spyware and its two-party consent useless call recording feature. Status: decent devices.

      LG: less stock-y software, but still good. Good cameras and display too. But the brand itself has died. Status: RIP LG.

      Nokia: a bit of skepticism here, with them helping spying through their nexus with Russia’s MTS and recently found Chinese telemetry as well, but nothing that NetGuard cannot stop by blocking domains via HOSTS from interacting with your device. However, Nokia does not allow any bootloader unlocks and their customer support and OS update schedule are beyond horrendous. Status: AVOID.

      Google: In general an evil megacorp, Titan M security chip is self-claimed to be great on Pixels, but there is no way to verify if the microcode it contains is the same as that open sourced by Google. If you trust the security of Titan M chip, you might as well trust Apple’s T2/M2 security chips with unfixable flaws or the Intel ME/AMT security disasters everybody knows.

      Having faith in Google’s promise of their proprietary closed source chip being clean is like having faith in cyanide not killing a person. Moreover, they are known for:

      • being an NSA partner and collecting data and spying on users in googolplex capacity

      • AI used by the US military for drone bombing in foreign countries based on metadata Google collects on smartphones

      • using dark patterns in their software to make users accept their TOS to spy

      • repeated lies about how their data collection works, claiming anonymity

      • forcing users to use their Play Services, which is spyware and scareware

      • monopolising the web and internet via AMP

      • using non-standard web browser libraries and known attempts to cripple lone-standing ethical competitors like Firefox and the Gecko web engine (now with Microsoft making their default Edge Chromium-based too)


      CAVEATS

      • With Invizible Pro, I was unable to get KDE Connect working through it. With NetGuard, I was able to simply let KDE Connect pass through and ignore firewalling and let it work. If KDE Connect notifications and constant file sharing and clipboard sharing are more important to you, tough luck.

      • You still cannot, of course, use a VPN provider without disabling Invizible Pro or NetGuard in the main user profile’s VPN slot.

      • When using a VPN provider instead of Invizible’s Tor or I2P routing, you are left with AOSP/Android’s Private DNS feature as your native ad/tracker blocking defense mechanism. Each time, you have to turn on Private DNS when using the VPN provider, and turn it back off when using Invizible or NetGuard on the main user profile.

      • Invizible Pro has become one of the cornerstones of this guide, and thus if its development ceases, the guide will have to resort to its fork, or to Orbot for Tor tunnelling, which has plenty of issues otherwise covered by Invizible. NetGuard, which cannot do Tor or I2P darknet routing, is also a fallback if Invizible development dies off.


      CONCLUSION

      TL;DR: there is no summary. Privacy is an in-depth topic and you must take a couple of hours to go through this simple guide; as long as it looks, it should clear all your concerns with smartphone privacy.

      This is the best you can do without rooting or modding a phone, and it has been working for me for two years now, personally tested and verified on my bootloader-locked Huawei P30 Lite.

      I have a history of rooting and modding phones, one being an Honor 6X before Huawei disabled unlocking policy, one being a Xiaomi and one being a Lenovo before that. Also, one Samsung Galaxy S2 long time ago.

      Credit to /u/w1nst0n_fr for the Universal Android Debloater (authorised me to use his tool). Hope this guide serves as a great tool for any privacy seeker.