(1/5)
Edit(11/1/2022): * MIUI has no biometric Lockdown, solution. * FFUpdater and UntrackMe apps recommended. * Added back Vinyl Music Player.
NOTE (June) 15/06/2020: r_privacy moderator trai_dep revengefully deleted my highly gilded 1.0 guide post before.
NOTE: I will NOT respond to prejudiced and political trolls.
Hello! It took a while before I could gather enough upgrades to create this fourth iteration of the smartphone guide so many people love. It seems to have benefitted many people, and it was only a matter of time before things got spicier.
It is time to, once again, shake up the expectations of how much privacy, security and anonymity you can achieve on a non rooted smartphone, even compared to all those funky “security” custom ROMs. It is time to get top grade levels of privacy in the hands (pun intended) of all you smartphone users.
Steps are as always easy to apply if you follow the guide, which is a pivotal foundation of this guide I started 2 years ago. After all, what is a guide if you feel unease in even being able to follow its lead?
Unlike last year, I want to try and fully rewrite the guide wherever possible, but some parts will seem similar obviously, as this, while technically being an incremental improvement, is also a massive jump for darknet users. This version of the guide took a while compared to the previous versions.
A kind request to share this guide to any privacy seeker.
User and device requirement
- ANY Android 9+ device (Android 10+ recommended for better security)
- knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me)
- For intermediate tech users: typing some URLs and saving them in a text file
What brings this fourth iteration? Was the previous version not good enough?
No, it was not, just like last time. There is always room for improvement, but I may have started to encounter law of diminishing returns, just like Moore’s Law has started to fail with desktop CPU transistor count advancements. This does not mean I am stopping, but upgrades might get marginal from here on. The upgrades we now have are less in number, higher in quality. So, we have a lot explanation to read and understand this time around.
A summary of new additions to the 3.0 guide:
- Update to the Apple section
- Many additions in section for app recommendations and replacements
- NetGuard replaced with Invizible Pro (this is massive)
- A colossal jump in your data security in the event of a possible physical phone theft using a couple applications
- An attempt at teaching the importance of Android/AOSP’s killswitch feature for VPNs/firewalls
- (FOR XIAOMI USERS) How to configure Work Profile, as Second Space causes issues, and adding back biometric Lockdown
- How to be able to copy files from work profile to main user storage without Shelter/Insular’s Shuttle service
- Some changes in phone brand recommendations
- Caveat(s)
Why not Apple devices?
iPhone does not allow you to have privacy due to its blackbox nature, and is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was discovered in Apple’s T1 and T2 “security” chips, rendering Apple devices critically vulnerable.
Also, they recently dropped plan for encrypting iCloud backups after FBI complained. They also collect and sell data quite a lot. Siri still records conversations 9 months after Apple promised not to do it. Apple Mail app is vulnerable, yet Apple stays in denial.
Also, Apple sells certificates to third-party developers that allow them to track users, The San Ferdandino shooter publicity stunt was completely fraudulent, and Louis Rossmann dismantled Apple’s PR stunt “repair program”.
Apple’s authorised repair leaked a customer’s sex tape during iPhone repair. This is how much they respect your privacy. You want to know how much more they respect your privacy? Apple’s Big Sur(veillance) fiasco seemed not enough, it seems. Still not enough to make your eyes pop wide open?
Apple’s CSAM mandatory scanning of your local storage is a fiasco that will echo forever. This blog article should be of help. But they lied how their system was never hacked. I doubt. They even removed CSAM protection references off of their website for some reason.
Pretty sure atleast the most coveted privacy innovation of App Tracking protection with one button tracking denial would work, right? Pure. Privacy. Theater.
Surely this benevolent company blocked and destroyed Facebook and Google’s ad network ecosystem by blocking all those bad trackers and ads. Sigh. Nope. Now it is just Apple having monopoly over your monetised data.
Also, Android’s open source nature is starting to pay off in the long run. Apple 0-day exploits are far cheaper to do than Android.
LET’S GO!!!
ALL users must follow these steps except the “FOR ADVANCED/INTERMEDIATE USERS” tagged points or sections.
Firstly, if your device is filled to the brim or used for long time, I recommend backing up your data and factory resetting for clean slate start.
-
Sign out all your Google and phone brand accounts from your device so that Settings–>Accounts do not show any sign-ins except WhatsApp/Signal/Telegram
-
Install ADB on your Linux, Windows or Mac OS machine, simple guide: https://www.xda-developers.com/install-adb-windows-macos-linux/
-
Use “Universal Android Debloater” to easily debloat your bloated phone.
NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and declares they sell this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/
-
Install F-Droid app store from here
-
Install NetGuard app firewall (see NOTE) from F-Droid and set it up with privacy based DNS like AdGuard/Uncensored/Tenta/Quad9 DNS.
NOTE: NetGuard with Energized Ultimate HOSTS file with any one of the above mentioned DNS providers is the ultimate solution.
NOTE: Download the Energized Ultimate hosts file from https://github.com/EnergizedProtection/block and store it on phone beforehand. This will be used either for NetGuard or Invizible, whichever is picked later on.
(FOR ADVANCED USERS) If you know how to merge HOSTS rules in one text file, you can merge Xtreme addon pack from Energized GitHub. You can also experiment with the Porn and Malicious IP domain lists.
NOTE: Set DNS provider address in Settings -> Advanced settings --> VPN IPv4, IPv6 and DNS
-
Install Invizible Pro from F-Droid (LONG SECTION FOR THIS BELOW)
-
In F-Droid store, open Repositories via the 3 dot menu on top right and add the following repositories below:
Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu. (This may vary if you have newer F-Droid store app with new user interface.)
(5/5)
Realme: Decent phones and can be debloated using Oppo/Vivo profiles in Debloater tool. The debloater tool does not cover Realme directly. Beware of preloaded Google Dialer spyware and its two-party consent useless call recording feature. Status: decent devices.
LG: less stock-y software, still good. Good cameras. display too. But the brand itself has died. Status: RIP LG.
Nokia: a bit of skepticism here with them helping spy with nexus with Russia’s MTS and recently found Chinese telemetry as well, but nothing that NetGuard cannot stop by blocking domains via HOSTS from interacting with your device. However, Nokia does not allow any bootloader unlocks and their customer support and OS updation schedule is beyond horrendous. Status: AVOID.
Google: In general an evil megacorp, Titan M security chip is self-claimed to be great on Pixels, but there is no way to verify if the microcode it contains is the same as that open sourced by Google. If you trust the security of Titan M chip, you might as well trust Apple’s T2/M2 security chips with unfixable flaws or the Intel ME/AMT security disasters everybody knows.
Having faith in Google’s promise of their proprietary closed source chip being clean is like having faith in cyanide not killing a person. Moreover, they are known as:
NSA partner and collecting data and spy on users in googolplex capacity
AI used by US military for drone bombing in foreign countries based on metadata Google collects on smartphones
use dark patterns in their software to make users accept their TOS to spy
repeated lies about how their data collection works claiming anonymity
forcing users to use their Play Services which is spyware and scareware
monopolising the web and internet via AMP
use of non standard web browser libraries and known attempts to cripple lone standing ethical competitors like Firefox and Gecko web engine (now with Microsoft making their default Edge Chromium-based too)
CAVEATS
With Invizible Pro, I was unable to get KDE Connect working through it. With NetGuard, I was able to simply let KDE Connect pass through and ignore firewalling and let it work. If KDE Connect notifications and constant file sharing and clipboard sharing are more important to you, tough luck.
You can still of course not use a VPN provider without disabling Invizible Pro or NetGuard from main user profile’s VPN slot.
With using a VPN provider instead of Invizible’s Tor or I2P routing, you are left with AOSP/Android’s Private DNS feature as your native ad/tracker blocking defense mechanism. Each time, you have to turn on Private DNS when using VPN provider, and turn it back off when using Invizible or NetGuard on main user profile.
Invizible Pro has become one of the cornerstones for this guide, and thus if its development ceases, the guide will have to resort to its fork, or resort to Orbot for Tor tunnelling, which has plenty issues otherwise covered by Invizible. Also, NetGuard is a fallback if Invizible development dies off, which cannot do Tor or I2P darknet routing.
CONCLUSION
TL;DR there is no summary, privacy is an indepth topic and you must take a couple of hours to go through this simple guide, as long as it looks it should clear all your concerns with smartphone privacy.
This is the best you can do without rooting or modding a phone, and it is working for me since two years now, personally tested and verified on my bootloader locked Huawei P30 Lite.
I have a history of rooting and modding phones, one being an Honor 6X before Huawei disabled unlocking policy, one being a Xiaomi and one being a Lenovo before that. Also, one Samsung Galaxy S2 long time ago.
Credit to /u/w1nst0n_fr for the Universal Android Debloater (authorised me to use his tool). Hope this guide serves as a great tool for any privacy seeker.