Edit(11/1/2022): * MIUI has no biometric Lockdown, solution. * FFUpdater and UntrackMe apps recommended. * Added back Vinyl Music Player.

NOTE (June) 15/06/2020: r_privacy moderator trai_dep revengefully deleted my highly gilded 1.0 guide post before.

NOTE: I will NOT respond to prejudiced and political trolls.

Hello! It took a while before I could gather enough upgrades to create this fourth iteration of the smartphone guide so many people love. It seems to have benefitted many people, and it was only a matter of time before things got spicier.

It is time to, once again, shake up the expectations of how much privacy, security and anonymity you can achieve on a non rooted smartphone, even compared to all those funky “security” custom ROMs. It is time to get top grade levels of privacy in the hands (pun intended) of all you smartphone users.

Steps are as always easy to apply if you follow the guide, which is a pivotal foundation of this guide I started 2 years ago. After all, what is a guide if you feel unease in even being able to follow its lead?

Unlike last year, I want to try and fully rewrite the guide wherever possible, but some parts will seem similar obviously, as this, while technically being an incremental improvement, is also a massive jump for darknet users. This version of the guide took a while compared to the previous versions.

A kind request to share this guide to any privacy seeker.

User and device requirement

  • ANY Android 9+ device (Android 10+ recommended for better security)
  • knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me)
  • For intermediate tech users: typing some URLs and saving them in a text file

What brings this fourth iteration? Was the previous version not good enough?

No, it was not, just like last time. There is always room for improvement, but I may have started to encounter law of diminishing returns, just like Moore’s Law has started to fail with desktop CPU transistor count advancements. This does not mean I am stopping, but upgrades might get marginal from here on. The upgrades we now have are less in number, higher in quality. So, we have a lot explanation to read and understand this time around.

A summary of new additions to the 3.0 guide:

  • Update to the Apple section
  • Many additions in section for app recommendations and replacements
  • NetGuard replaced with Invizible Pro (this is massive)
  • A colossal jump in your data security in the event of a possible physical phone theft using a couple applications
  • An attempt at teaching the importance of Android/AOSP’s killswitch feature for VPNs/firewalls
  • (FOR XIAOMI USERS) How to configure Work Profile, as Second Space causes issues, and adding back biometric Lockdown
  • How to be able to copy files from work profile to main user storage without Shelter/Insular’s Shuttle service
  • Some changes in phone brand recommendations
  • Caveat(s)

Why not Apple devices?

iPhone does not allow you to have privacy due to its blackbox nature, and is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was discovered in Apple’s T1 and T2 “security” chips, rendering Apple devices critically vulnerable.

Also, they recently dropped plan for encrypting iCloud backups after FBI complained. They also collect and sell data quite a lot. Siri still records conversations 9 months after Apple promised not to do it. Apple Mail app is vulnerable, yet Apple stays in denial.

Also, Apple sells certificates to third-party developers that allow them to track users, The San Ferdandino shooter publicity stunt was completely fraudulent, and Louis Rossmann dismantled Apple’s PR stunt “repair program”.

Apple gave the FBI access to the iCloud account of a protester accused of setting police cars on fire.

Apple’s authorised repair leaked a customer’s sex tape during iPhone repair. This is how much they respect your privacy. You want to know how much more they respect your privacy? Apple’s Big Sur(veillance) fiasco seemed not enough, it seems. Still not enough to make your eyes pop wide open?

Apple’s CSAM mandatory scanning of your local storage is a fiasco that will echo forever. This blog article should be of help. But they lied how their system was never hacked. I doubt. They even removed CSAM protection references off of their website for some reason.

Pretty sure atleast the most coveted privacy innovation of App Tracking protection with one button tracking denial would work, right? Pure. Privacy. Theater.

Surely this benevolent company blocked and destroyed Facebook and Google’s ad network ecosystem by blocking all those bad trackers and ads. Sigh. Nope. Now it is just Apple having monopoly over your monetised data.

Also, Android’s open source nature is starting to pay off in the long run. Apple 0-day exploits are far cheaper to do than Android.


ALL users must follow these steps except the “FOR ADVANCED/INTERMEDIATE USERS” tagged points or sections.

Firstly, if your device is filled to the brim or used for long time, I recommend backing up your data and factory resetting for clean slate start.

NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and declares they sell this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/

  • Install F-Droid app store from here

  • Install NetGuard app firewall (see NOTE) from F-Droid and set it up with privacy based DNS like AdGuard/Uncensored/Tenta/Quad9 DNS.

NOTE: NetGuard with Energized Ultimate HOSTS file with any one of the above mentioned DNS providers is the ultimate solution.

NOTE: Download the Energized Ultimate hosts file from https://github.com/EnergizedProtection/block and store it on phone beforehand. This will be used either for NetGuard or Invizible, whichever is picked later on.

(FOR ADVANCED USERS) If you know how to merge HOSTS rules in one text file, you can merge Xtreme addon pack from Energized GitHub. You can also experiment with the Porn and Malicious IP domain lists.

NOTE: Set DNS provider address in Settings -> Advanced settings --> VPN IPv4, IPv6 and DNS

  • Install Invizible Pro from F-Droid (LONG SECTION FOR THIS BELOW)

  • In F-Droid store, open Repositories via the 3 dot menu on top right and add the following repositories below:

  1. https://gitlab.com/rfc2822/fdroid-firefox

  2. https://apt.izzysoft.de/fdroid/index.php

  3. https://guardianproject.info/fdroid/repo/

Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu. (This may vary if you have newer F-Droid store app with new user interface.)




  • Get Mull web browser, a telemetry free fork of Firefox browser, from F-Droid (install uBlock Origin addon inside (if technically advanced, try doing this)).

  • Get FFUpdater to get Firefox Klar and various Chromium based browsers

  • Get Aurora Store for apps from Play Store without actually using Play Store, use Anonymous option to sign in

  • for third party APKs source them only from APKMirror OR APKPure OR APKMonk, quite trusted, BUT TRY AND AVOID IF POSSIBLE

  • Get Privacy Indicators or Vigilante for iOS 14 like camera/mic dot indicator feature and local history logging of screen locking, permissions, camera/mic usage and so on

  • Get OSMAnd+ for maps and/or print physical maps if you live and travel in one or two states or districts.

NOTE: Can consider Organic Maps but it is not a finished product at the moment.

  • Get PilferShush Jammer to block microphone abuse (Passive mode only)

  • Get OpenBoard (user friendly) OR AnySoftKeyboard (geek/nerd friendly) instead of Google GBoard, Microsoft SwiftKey and so on, they are closed source keylogger USA spyware

NOTE: FlorisBoard 0.3.14-stable memory management did not work well in my testing, out of memory crashes too often, will edit if it gets good, maybe betas solved this issue

  • Get KDE Connect for computer-from/to-phone internet less file sharing, on a personal/local WiFi hotspot, available for Linux/Windows/MacOS/Android

  • Get SnapDrop instead of SHAREIt for phone to phone file sharing

  • Get Private Lock (NOTE: this will be useful later in guide)

  • Get K-9 Mail or FairEmail as e-mail client

  • Get NewPipe for YouTube watching, or YouTube in Firefox Beta/Klar

  • Get QKSMS as SMS client app

  • Get Shelter to sandbox potential apps that you must use (eg WhatsApp or Discord or Signal)

  • Get SuperFreezZ to freeze any apps from running in background

  • Get Librera Pro and Document Viewer for PDF/document reading needs

  • Get ImgurViewer for opening reddit/imgur/other image links without invasive tracking

  • Get BarInsta for opening Instagram profiles or pictures without invasive tracking (thanks u/sad_plan) (NOTE: Barinsta development ended after Facebook’s C&D letter, and anonymous access is massively throttled by Facebook now)

  • Get GreenTooth to set Bluetooth to disable after you have used it

  • Get Material Files or Simple File Manager for file manager app

  • Get UntrackMe to preview and sanitise any URLs from trackers

  • Get ImagePipe if you share lot of pictures, and want to clear EXIF metadata snooping (often photos contain phone model, location, time, date). This app allows setting specific preset for image name, resolution and compressed quality.

  • Get Scrambled EXIF if you want a simpler app for metadata cleaning compared to ImagePipe. It has none of the forementioned ImagePipe features.

  • Get Standard Notes or Joplin for encrypted markdown note taking app

  • Get Vinyl Music Player for a solid music player (Shuttle+, Auxio alternatives)

  • Get VLC and/or MPV for video player

  • Get Barcode Scanner by ZXing Team or BinaryEye by Markus Fisch for QR/barcode scanning

  • Get DiskUsage for managing and cleaning up of storage space

  • Get Easy Watermark for custom, easy watermarking of photos to avoid abuse of any photos you share with others

  • For Reddit usage, Infinity and RedReader are great app clients, as is Stealth (only for non account browsing)

  • Get Calculator++ and Unit Converter Ultimate for your needs, as app names suggest

  • Get AppOpsX for managing permissions for all apps

  • (FOR ADVANCED USERS) Get App Manager from Izzy’s F-Droid repo (here) to inspect app’s manifest, trackers, activities, receivers, services and even signatures via Exodus Privacy built-in, all without root

  • (FOR ADVANCED USERS) Get Warden from Izzy’s F-Droid repo (here) for checking loggers (rest app is inferior to App Manager)


This solves the problem of clipboard and coarse location snooping among other things.

AppOpsX is a free, open source app that allows to manage granular app permissions not visible normally, with the help of ADB authorisation without root. This app can finely control what granular information apps can access on your phone, which is not shown in app permissions regularly accessible to us.

Now that you would have set up your phone with installing apps, now is a good time to perform this procedure.

Step 1: Install AppOpsX from F-Droid. (https://f-droid.org/en/packages/com.zzzmode.appopsx/)

Step 2: Plug phone to computer, and enable USB debugging in Settings --> Developer Options (you probably already did this in the starting of the guide)

Step 3: Keep phone plugged into computer until the end of this procedure! Open AppOpsX app.

Step 4: On computer, type commands in order:

adb devices

adb tcpip 5555

adb shell sh /sdcard/Android/data/com.zzzmode.appopsx/opsx.sh &

Step 5: Now open “AppOpsX” app, and:

  • disable “read clipboard” for apps except your messengers, notepad, office suite, virtual keyboard, clipboard monitor apps et al.

NOTE: Most apps that have text field to copy/paste text require this permission.

  • disable “modify clipboard” for every app except for your virtual keyboard or office suite app or clipboard monitor/stack special apps.

  • disable “GPS”, “precise location”, “approximate location” and “coarse location” for every app except your maps app (Firefox and OSMAnd+)

  • disable “calendar” for every app except your calendar and email app

  • disable “read contacts”, “modify contacts” and “get contacts” for every app except your “Phone”, “Phone Services”, “Phone/Messaging Storage”, contacts and messenger apps

  • disable all “send/receive/view messages” permissions for every app except “Phone”, “Phone Services”, “Phone/Messaging Storage”, QKSMS, contacts, dialler and messenger apps

  • disable “body sensors” and “recognise physical activity” for every app except games needing gyroscope, or any compass dependent app like camera or bubble leveling app

  • disable “camera” for every app except your camera and messenger apps

  • disable “record audio” for every app except camera, recorder, dialler and messenger apps

  • disable all “Phone” permissions for apps except your SMS app (like QKSMS) and Contacts, Dialler and call recorder apps

  • disable “change WiFi state” for every app except file sharing apps (like TrebleShot)

  • disable “display over other apps” for any third party app not from F-Droid

  • disable “read storage” and “write storage” for apps except file manager, file sharing app and messenger apps

  • enable all permissions for “Phone”, “Phone Services” and “Phone/Messaging Storage” system apps, critical for cell radio calling and sending SMS

Step 6: Profit! Now you can plug off phone from computer.

NOTE: Remember to use AppOpsX everytime you install a new app outside of F-Droid store, which is done not too often by people.


VPN Lockdown killswitch is an AOSP/Android system level feature that allows you to prevent any leakage of data packets from the internet traffic your device generates. This is important because apps and trackers like to track you, as well as your ISP likes to keep note of websites you visit. This feature allows to prevent ISP level or country level censorship and allows free access to internet (or even darknets) without any issues. This is an underrated and amazing feature not discussed much, and has been a staple of my guide for a year now.

Go to system settings VPN section. You should see a list of VPNs and firewalls you have.

  • Tap hold the VPN/firewall you want to apply this setting on
  • Edit
  • Turn on “Always-on VPN” and “Only allow connections through VPN”

This will ensure that zero network traffic flows out of firewalls or VPNs you use.


By default, all apps will be blacklisted from WiFi and mobile data access.

If not, go to Settings via 3 dot menu --> Defaults (white/blacklist) --> Toggle on “Block WiFi”, “Block mobile” and “Block roaming”

Whitelist your web browsers, messengers (WhatsApp, Zoom et al), file sharing apps, download managers, “Aurora Store” app and any game if needs internet and give them WiFi and mobile data access.




WARNING: Kindly understand that if you do not understand Tor or I2P, please try and learn about these darknets first. These darknets, as free as they are in terms of freedom, are also laid with landmines in the form of various kinds of questionable content that is hosted on various websites. With great power (freedom), comes great responsibility. Time and time again, its users have proved that most do not understand that every website they visit, every link they open, and just about every action done during the usage of darknets can have real life consequences. This includes the utmost professional whistleblowers and journalists.

Now that I have scared off the ones that should not bother with this section… apparently, NetGuard is quite a simple yet effective, and feature loaded firewall, including its DNS and proxy configuration and packet filtering capabilities. What it is not though, is a Tor or I2P darknet tunnel, and does not provide preset DNSCrypt protection or various MITM protections. NetGuard cannot block kernel level internet access either.

Enter Invizible Pro, the Swiss Army Knife. Normal internet/clearnet, but DNSCrypt-ed? Tor? I2P? Enjoy all of them together.

I am not being dramatic at all with this section. This is how big a jump it is from NetGuard, which was a colossal jump from the likes of Blokada or AdGuard or DNS66 or PersonalDNSFilter. This is an incomparable jump, with one condition - you have to be able to correctly configure and use Invizible. And it took a while for me to understand, since it is a giant networking firewall, and houses an ecosystem of its own. I am going to fulfill this condition for you, and provide you the ultimate compartmentalised experience on just about any non root, standard Android smartphone.

What we are firstly going to do is get NetGuard out of the way. Since NetGuard is installed, clone it to Work Profile via Shelter/Insular and put your common messaging apps (that require phone number like WhatsApp, Discord, Signal, Telegram) in Work Profile. Firewall everything out except these applications in your Work Profile NetGuard firewall, and as specified in “ANDROID’S VPN LOCKDOWN KILLSWITCH” section above, turn on just the “Always-on VPN” setting for Work Profile NetGuard.

With this, our ordinary messenger apps that work without anonymity are separated from rest of the system. And we can move onto configuring the Invizible Pro I made you install at the beginning alongside NetGuard.

Invizible Pro allows you to do MANY things with MANY settings, in a nutshell. The default configuration is supposed to be the way it is for someone unknowingly installing it. If you do not desire to play with and mess up with anonymity minefields, a good reminder is to go back and use NetGuard and ignore this section.

Now that I have managed to get an iron gripping attention on the ones okay with and comfortable using darknets on TailsOS on a USB or Tor Browser on Linux, we can get started with the configuration process, that is a bunch of toggles and some more. Let’s go!

The interface is simple, the configurations not so much. Since we have a non rooted phone, we pick the default VPN mode using the 3 dot menu at top right corner. Using the “ANDROID’S VPN LOCKDOWN KILLSWITCH” section above in guide, we firstly lock down Invizible with both options in phone’s system settings for VPNs. This ensures zero leakage, what we require.

The hamburger menu on top left is where the chaos starts, and here we configure a lot of stuff.

Firstly, we go to DNSCrypt Settings. In the third section, select all 3 - require_dnssec, nolog and nofilter. This allows for the best DNS options.

Now, scroll to “Pattern-based blocking (blacklist)” section.

Since I told at the beginning to download a copy of Energized Ultimate hosts ruleset text file, I am assuming we have that on local phone storage. It has 600K-1M ad, tracker and malware domains we will blacklist for some extra security and network performance. This will be imported with the “import blacklist” option. Our job is done here.

Secondly, we go to Fast Settings. Turn on “Start DNSCrypt on boot”, and if you wish you can turn it on for Tor if you use Tor too much. I do not use Tor all the time, so I can keep it off, and switch as I wish. Now we select our DNSCrypt servers. I have a bunch of Uncensored DNS providers selected, among others, as it has also been a staple of my guide since the past 2 years (where I mention DNS providers at beginning of guide). Change your DNS providers if needed with time, and check news about any breaches for DNS providers you use, just to be on safe side.

At the bottom of Fast Settings section, keep the automatic updates for Invizible on. You can choose to update it via Tor if you live in a dangerous country, doing high threat model stuff (refer to threat model guide here).

Thirdly, we go to Common Settings, and turn on all 3 toggles in MITM attack detection section - ARP spoofing detection, block internet[…] and DNS rebinding protection.

Fourthly, we go to Firewall. You can see “User” and “System” buttons that imply categorically the kinds of apps on phone. This needs to be broken into 2 parts:


Tap the “System” category and wait for few seconds for app list to show. Blacklist/uncheck everything with the second empty checkbox, or the 6th toggle box. Then whitelist all 4 network permissions (WLAN, WiFi, Data and Roaming symbols) for “Kernel”, “Internet Time servers”, “DNS” and “VPN” packages. If you use WiFi Direct and Miracast, turn on only WLAN and WiFi permissions for “WiFi Direct” and “Android System, Call Management, Device connection service…” packages (latter is a collection of tied together system packages).


Now, tap the “User” category and wait for few seconds for app list to show. Blacklist/uncheck all apps and then select apps you want to give internet access to. Toggle all 4 network permissions for any such apps (WLAN, WiFi, Data and Roaming symbols). In case of non-FOSS apps you use, make a choice yourself. Apps that do not need internet can be safely used this way.


This is a common scenario, much more common than one thinks. Accidents happen, and what you value more than a stolen phone is the potential abuse of your intimate photos or videos or messages inside it. It so happens that we all love fingerprint and/or face unlocking biometric security methods. However, this poses a problem against a well equipped physical attacker that could go to lengths of cutting off your fingers to unlock the snatched phone. I am going to provide a solution against that.

Google (Android) and Apple (iOS) developed features that allow quick disabling of your fingerprint sensor for unlocking the phone. This is how it works for both at the moment:

  • Android: hold power key for 4-5 seconds and select “Lockdown” option
  • iOS: press power key 5 times quickly

However, you rarely have so much time in the heat of the moment, so as to perform those above steps. While iOS is a dictatorial walled garden, Android allows a FOSS community culture to breed some innovative solutions to problems, which makes it an incomparably superior mobile OS platform. I listed an app Private Lock above in the guide, and this F-Droid app is going to help us.

The app works by utilising the accelerometer, and depending on the sensitivity you set, even the slightest flick or shake of your hand will allow the app to activate Lockdown mode, being a device administrator of the phone. No need to hold power key for 5 seconds, none of that. This app works both during screen on, and screen off (for latter you turn it on in settings). The phone, after being locked by this app on physical motion, FORCEFULLY REQUIRES A PIN OR PASSWORD. Biometrics can no longer be abused, and the PIN is in your control.

NOTE: Test the sensitivity you want to set atleast 50-100 times by yourself by imagining a phone snatch, and set it and forget it. The app always stays on and uses negligible battery power. In case of those power saver functions, exclude the app from those settings.


My setup: https://lemmy.ml/pictrs/image/ZWF9KqLntp.jpg

You need some black chart paper, a scissors, some aluminium tinfoil, a roll of 3M invisible tape and cellophane standard tape and a paper cutter.

For phone, you should have a protective case like I do for the rear camera flap cover. Look at your camera design and ensure to get two large rectangle cutouts of black chart paper enough to cover them up including the tiny crease folds. Put those two pieces on top of each other, use the cellophane tape to seal them together. Stick this flap inside of the phone case.

Use the paper cutter to cut off a tiny portion for using the LED flash as torch, without the need to remove the flap.

Now you have your own made rear camera cover for as long as you have the phone, and can make one for any phone too!

For front camera cover, take aluminium tinfoil cutout to cover about the area of your front camera sensor, and stick it using the 3M invisible tape. Trim according to arrangement of screen icons. Why not cellophane tape? It leaves gummy residue over time while this does not. This cover can need replacement every month but is simple to do.

For laptop, take aluminium tinfoil about the size of your laptop webcam, and just like phone front camera, take 3M invisible tape and stick onto it. Trim the tape according to the bezels of laptop chassis. Enjoy!




Using Shelter app we installed, we had set up the Work Profile for WhatsApp, Discord and such apps. We will simply clone install NetGuard from the main profile into work profile.

Now we have two separate firewalls. Using this method, you can segregate all your account based invasive corporation messaging apps into the work profile, and even Tor-ify the main profile!

Simply put, you can put privacy invasive apps in work profile and clean open source apps and any (closed source) disabled internet apps in main profile. Compartmentalisation is very much possible. You can even achieve anonymity via this process.


Using Exodus Privacy database is easy, but it is not used meaningfully by users other than opening the app/website database for self satisfaction purpose, and making themselves feel nerdy.

For each app, there is a tracker section that lists URLs. Notice these URL domains, and put them in your HOSTS rules file to block these trackers. This can also work on apps like WhatsApp and Discord, basically any app. It helps mitigate a lot of spying network traffic.


  • I used an OTG USB to copy the local WhatsApp backup database from main user to Work user profile.
  • Cloned WhatsApp into Shelter Work profile, uninstalled it from main user, copied beforehand the WhatsApp backup in Work user’s internal memory --> WhatsApp/Databases/ (created these folders using file manager app also cloned to Work user account)
  • Opened and setup WhatsApp, so now it can auto detect the chat backup and restore it
  • Now I have WhatsApp in Shelter Work Profile, with no permission access outside of Contacts.
  • It can temporarily get Storage access if I want to view a photo or video someone sent me.
  • The storage access it gets is only the storage in work user profile, separate from main user internal storage or SD card
  • Trackers are blocked using manual HOSTS file entries (ADVANCED USERS refer to section above)
  • Cameras are physically covered (refer to DIY camera cover section)
  • I use WhatsApp once a week and turn off internet and WiFi for it via NetGuard I set up in Work profile


This is a widespread issue and causes many people trouble. Many people have even asked me about it on all kinds of places on the internet, besides the comments on 3.0 guide. The solution is to disable Second Space/Dual Apps first.

NOTE: If you have WhatsApp there, first copy* (asterisk note below) your database file using a file manager app that can read access the whole internal storage. Then follow the above guide section “HOW DO I USE WHATSAPP TO MITIGATE EFFECTS OF ITS HORRIBLE PRIVACY POLICY?”, once we do the below stuff.

So after disabling Second Space/Dual Apps, go to system settings and search for “Users” or “Work”, and you should find a listing similar to “Work Profile”. You have to go enable “Work Profile” user there, and then install Shelter/Insular/Island, whichever works. NEVER ENABLE SECOND SPACE FEATURE AGAIN.

Now, follow the above guide section, and you can even reinstall WhatsApp since you have the chat database file backed up.

  • If you are unable to copy the file normally, you will need to install ToDoZip app from F-Droid for this workaround trick. Now, you open the ToDoZip app and give it storage permissions to be able to create ZIP files. With the file manager app that you cloned into Work Profile, you go to it and navigate to <STORAGE/WhatsApp/Databases/LATEST_DB_FILE>, select and share the file. The share menu will appear, and select/switch to personal profile, and select “Add To Zip” with the ToDoZip app logo. Wait for 2-5 minutes and the WhatsApp chat database file should appear inside a .ZIP file in /Downloads folder on your main internal storage. As you may have guessed, this workaround I had to invent works for copying any file from work profile storage to main storage, incase the Shelter/Insular Shuttle service does not work.


Get AdminControl from F-Droid to reinvoke the AOSP feature back in action.


Now we will need to evaluate what manufacturers are relatively safe, no appeasing, I will be blunt. I will make tier lists to help. I will give explanation for each, so read before jumping with pitchforks.

NOTE: If you have anti-Chinese political allergy, kindly read facts, or choose the other non-Chinese options listed. YOU HAVE 7 WESTERN OPTIONS TO 5 CHINESE OPTIONS. I will NOT respond to prejudiced and political trolls.

Tier 1: Asus, Motorola, Sony, FairPhone, Huawei/Honor (caveat)

Tier 2: OnePlus, Oppo, Vivo, Realme, Xiaomi, Samsung, Nokia, LG

Tier NOPE NOT AT ALL: Google

Asus, Sony, Motorola: their software is nearly stock, and as such quite beneficial and peace of mind assuring. Status: good.

FairPhone: Clean software, ethical, recyclable components, good phone but bit extra price for midrange hardware. Status: good.

Huawei: still no evidence by US government after THREE years of market protectionism and US-China Cold War 2.0 ban, contrary to what Sinophobic US/14 Eyes propaganda and condemned joke research papers (refer to this for why), may make you believe, most countries are allowing them for 5G participation, there is absolutely ZERO EVIDENCE against specifically Huawei (does not count other Chinese companies), earlier ironically audited by UK GCHQ to be safe and on any of their global devices, to date there has been no telemetry found IFF you do NOT use Huawei ID account or any Huawei services (as instructed above). I have an OpenKirin rooted unlocked Honor 6X, and now a locked P30 Lite to confirm this.

If Huawei’s CEO is a former PLA technician, so do plenty USA companies. What does it prove? Typical moral rocks thrown by politicians that polarise people like you and me for their global hegemony politics.

If Huawei’s ban makes sense to you, then why was Xiaomi attempted to be banned, despite not selling any 5G equipment? Or, Honor, despite now being a separate brand with no 5G equipment selling, is being considered for a ban?

NOTE: Real reason for this propaganda ban is USA could not backdoor 5G unlike it did 4G (check plenty NSA SIGINT documents), and so they are attempting to put China out of commission. And Huawei did not steal 5G from USA, since USA never had a proper 5G vendor for more than 2 years. And the ongoing US-China Cold War (due to global hegemonic shift) and growing McCarthyism sentiment among Westerners proves it easily.

To add, for the rest of world outside China it is better to own hardware device from a country which has no jurisdiction over them, and you can use their phones without Huawei and Google accounts very safely. BONUS: baseband modem not associated with NSA. Also, good cameras, battery, display and performance in general. Status: easily debloatable and good.

Samsung: Quite the disaster in bloatware and spyware. Multiple issues with Qihoo 360 on phones with IMEI MAC sent over HTTP, Samsung Pay selling user data with no optout till now, Replicant devs discovering backdoors, Knox hardware blackbox with no idea what microcode it runs, certification from NSA even worrying, lockscreen and notification ads in OneUI, ads on Smart TVs, this all accounts to being quite shady company, but NetGuard can mitigate it. Status: avoid for other brands if possible.

Xiaomi: They have quite a bit of telemetry in their MIUI skin, similar to Samsung. Now they have tracking in Incognito Mode in their Browser as well.

Xiaomi devices, if not rooted or flashed with custom ROM, also have an issue with installing Shelter/Insular/Island work profile apps. This is due to the Dual Apps feature preloaded into MIUI, and may need a workaround for Dual Apps to be removed or disabled from stock MIUI devices. They seem to be troublesome if you want to use VPNs for anonymity besides having apps like WhatsApp or Discord on phone. Please refer to dedicated section above on how to solve this issue. Status: avoid unless you can implement guide properly.

OnePlus, Oppo, Vivo: They have considerably less telemetry and ads, better than Samsung and Xiaomi. Status: potential but decent brands.



Realme: Decent phones and can be debloated using Oppo/Vivo profiles in Debloater tool. The debloater tool does not cover Realme directly. Beware of preloaded Google Dialer spyware and its two-party consent useless call recording feature. Status: decent devices.

LG: less stock-y software, still good. Good cameras. display too. But the brand itself has died. Status: RIP LG.

Nokia: a bit of skepticism here with them helping spy with nexus with Russia’s MTS and recently found Chinese telemetry as well, but nothing that NetGuard cannot stop by blocking domains via HOSTS from interacting with your device. However, Nokia does not allow any bootloader unlocks and their customer support and OS updation schedule is beyond horrendous. Status: AVOID.

Google: In general an evil megacorp, Titan M security chip is self-claimed to be great on Pixels, but there is no way to verify if the microcode it contains is the same as that open sourced by Google. If you trust the security of Titan M chip, you might as well trust Apple’s T2/M2 security chips with unfixable flaws or the Intel ME/AMT security disasters everybody knows.

Having faith in Google’s promise of their proprietary closed source chip being clean is like having faith in cyanide not killing a person. Moreover, they are known as:

  • NSA partner and collecting data and spy on users in googolplex capacity

  • AI used by US military for drone bombing in foreign countries based on metadata Google collects on smartphones

  • use dark patterns in their software to make users accept their TOS to spy

  • repeated lies about how their data collection works claiming anonymity

  • forcing users to use their Play Services which is spyware and scareware

  • monopolising the web and internet via AMP

  • use of non standard web browser libraries and known attempts to cripple lone standing ethical competitors like Firefox and Gecko web engine (now with Microsoft making their default Edge Chromium-based too)


  • With Invizible Pro, I was unable to get KDE Connect working through it. With NetGuard, I was able to simply let KDE Connect pass through and ignore firewalling and let it work. If KDE Connect notifications and constant file sharing and clipboard sharing are more important to you, tough luck.

  • You can still of course not use a VPN provider without disabling Invizible Pro or NetGuard from main user profile’s VPN slot.

  • With using a VPN provider instead of Invizible’s Tor or I2P routing, you are left with AOSP/Android’s Private DNS feature as your native ad/tracker blocking defense mechanism. Each time, you have to turn on Private DNS when using VPN provider, and turn it back off when using Invizible or NetGuard on main user profile.

  • Invizible Pro has become one of the cornerstones for this guide, and thus if its development ceases, the guide will have to resort to its fork, or resort to Orbot for Tor tunnelling, which has plenty issues otherwise covered by Invizible. Also, NetGuard is a fallback if Invizible development dies off, which cannot do Tor or I2P darknet routing.


TL;DR there is no summary, privacy is an indepth topic and you must take a couple of hours to go through this simple guide, as long as it looks it should clear all your concerns with smartphone privacy.

This is the best you can do without rooting or modding a phone, and it is working for me since two years now, personally tested and verified on my bootloader locked Huawei P30 Lite.

I have a history of rooting and modding phones, one being an Honor 6X before Huawei disabled unlocking policy, one being a Xiaomi and one being a Lenovo before that. Also, one Samsung Galaxy S2 long time ago.

Credit to /u/w1nst0n_fr for the Universal Android Debloater (authorised me to use his tool). Hope this guide serves as a great tool for any privacy seeker.

privatelife - privacy, security, freedom advocacy
Create a post

This community is meant to advocate privacy, security and freedom in an concise manner, free of prejudice bias, free of politics, free of cultist thoughts.

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say. - Edward Snowden

Reddit: https://old.reddit.com/r/privatelife

Matrix: https://matrix.to/#/#privatelife:matrix.org

Telegram: https://t.me/r_privatelife


  1. Opinions are welcome, facts more so. Attack arguments, not people. Hating, baiting, trolling, flaming will be dealt with strictly.

  2. Discuss closed source software with caution. Advocating for it strongly (cult brigading) can be treated as violation of this rule.

  3. Editing titles of article links is strictly prohibited, unless and until the summarisation remains accurate to the context of the article or paper. Such link post will be removed without questioning.

  4. Targeting of any country, person or nation is strictly prohibited without valid reasoning. Evidence if not presented against the specific company/corporation/individual will be treated as personal attack and/or hate speech. This will result in a warning, then ban system.

  5. NO PERMA BANS! Ban system will work as follows:

1 day --> 3 day --> 1 week --> 2 weeks --> 3 weeks --> 1 month --> 3 months --> 6 months

Severity of the ban system will be dealt with based on degree of violation and circumstances.

  1. NO FACT-LESS EVIDENCES, NO FALSE RHETORIC Evidence has to be credible. The onus of this lies on the claimant. The same applies on the user who questions proven evidence. Violation of this rule will be dealt with strictly.

  2. Copycat posts serve to litter the community, increasing quantity and decreasing quality of posts. As such, posts will be removed. Repeated attempts will receive warning.

  • 1 user online
  • 1 user / day
  • 1 user / week
  • 1 user / month
  • 4 users / 6 months
  • 587 subscribers
  • 184 Posts
  • Modlog