(1/3) Locking this post, as Lemmy allows only 5000-word posts; the rest of the guide is in nested comments. Making a separate post to serve as this post’s comment section.

Hello! I am back with the third version of the guide I started last year with the aim of getting nearly top grade levels of privacy in the hands (pun intended) of all smartphone users, focused on steps that normal, average people with basic tech knowledge can apply.

This version of the guide is fundamentally an incremental improvement, so some parts of the guide may seem copy-pasted, but they are supposed to be that way for obvious reasons.

A kind request to share this guide with any privacy seeker.

#User and device requirements

  • ANY Android 9+ device (Android 10+ recommended for better security)
  • knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me)
  • For intermediate tech users: typing some URLs and saving them in a text file

#What brings this third iteration? Was the previous guide not good enough?

No, it was not. There is always room for improvement, and it has been 6 months since the last edit I made in the 2.0 guide. The new changes warranted a new version of the guide, as a lot of things changed. If I had simply made the edits in the previous one, people would have skimmed, glossed over or not noticed them.

A basic summary of new additions to the 2.0 guide:

  • A better photo collage of, and instructions for creating, a DIY camera cover for notched phones
  • introducing an app that locally shows history about lock screen, permissions, 3.5mm jack plug and camera/mic access, thus replacing the “Privacy Indicators” app
  • how to block trackers for any app in the future using an app/database called Exodus
  • how to get KDE Connect working on your phone to connect to a computer, to avoid using SHAREit, AirDroid and such programs
  • how to debloat the Work user profile in Android, which is separate from the main admin user profile we use
  • how to be able to use two VPNs or firewalls on a non-root device for ultimate compartmentalisation
  • utilising Android/AOSP’s VPN Always-on Lockdown traffic feature on VPNs/firewalls to prevent any packet leakage
  • a quick note on how I set up and use WhatsApp to mitigate effects of its horrible privacy policy

#Why not Apple devices?

The iPhone does not allow you to have privacy due to its black-box nature; its privacy is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was discovered in Apple’s T1 and T2 “security” chips, rendering Apple devices critically vulnerable.

17/9/2020: Apple gave the FBI access to the iCloud account of a protester accused of setting police cars on fire.

Also, they recently dropped plans for encrypting iCloud backups after the FBI complained. They also collect and sell data quite a lot. Siri still records conversations 9 months after Apple promised not to do it. The Apple Mail app is vulnerable, yet Apple stays in denial.

Also, Apple sells certificates to third-party developers that allow them to track users, the San Bernardino shooter publicity stunt was completely fraudulent, and Louis Rossmann dismantled Apple’s PR stunt “repair program”.

Also, Android’s open source nature is starting to pay off in the long run. Apple 0-day exploits are far cheaper than Android ones.


#LET’S GO!!!

ALL users must follow these steps except the “FOR ADVANCED/INTERMEDIATE USERS” tagged points or sections.

Firstly, if your device is filled to the brim or has been used for a long time, I recommend backing up your data and factory resetting for a clean-slate start.

NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and declares that they sell this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/

  • Install F-Droid app store from here

  • Install the NetGuard app firewall (see NOTE) from F-Droid and set it up with a privacy-based DNS like AdGuard/Uncensored/Tenta/Quad9 DNS.

NOTE: NetGuard with Energized Ultimate HOSTS file with any one of the above mentioned DNS providers is the ultimate solution.

(FOR ADVANCED USERS) If you know how to merge HOSTS rules into one text file, you can merge the Xtreme addon pack from [Energized GitHub](https://github.com/EnergizedProtection/block). You can also experiment with the Porn and Malicious IP domain lists.

NOTE: Set the DNS provider address in Settings --> Advanced settings --> VPN IPv4, IPv6 and DNS

  • In the F-Droid store, open Repositories via the 3-dot menu on the top right and add the following links below:
  1. https://rfc2822.gitlab.io/fdroid-firefox/fdroid/repo?fingerprint=8F992BBBA0340EFE6299C7A410B36D9C8889114CA6C58013C3587CDA411B4AED

  2. https://apt.izzysoft.de/fdroid/repo?fingerprint=3BF0D6ABFEAE2F401707B6D966BE743BF0EEE49C2561B9BA39073711F628937A

  3. https://guardianproject.info/fdroid/repo?fingerprint=B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135

Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu.


###LIST OF APPS TO GET

  • Get Firefox Beta web browser from F-Droid (install the uBlock Origin addon inside; if technically advanced, try doing this). Also get Firefox Klar if you like a separate incognito browser.

  • Get Aurora Store from F-Droid for apps from Play Store without actually using Play Store; use the Anonymous option to sign in

  • For third-party APKs, source them only from APKMirror, APKPure OR APKMonk, which are quite trusted, BUT TRY TO AVOID IF POSSIBLE

  • Get Vigilante from F-Droid for an iOS 14-like camera/mic dot indicator feature and local history logging of screen locking, permissions, camera/mic usage and so on

  • Get OSMAnd+ from F-Droid or Qwant Maps inside web browser for maps and/or print physical maps if you live and travel in one or two states or districts.

NOTE: Qwant Maps has better search results than OSMAnd+

  • Get PilferShush Jammer from F-Droid to block microphone (use this in malls, restaurants or such public places if you can to prevent beacon tracking)

  • Get OpenBoard (user friendly) OR AnySoftKeyboard (nerd friendly) from F-Droid instead of Google GBoard, Microsoft SwiftKey and so on, which are closed-source keylogger USA spyware

  • Get KDE Connect for internet-less file sharing from/to phone and computer on a personal/local WiFi hotspot, available for Linux/Windows/MacOS/Android

  • Get TrebleShot instead of SHAREit for phone-to-phone file sharing

  • Get K-9 Mail or FairEmail as e-mail client

  • Get NewPipe for YouTube watching, or YouTube in Firefox Beta/Klar

  • Get QKSMS from F-Droid as SMS client app

  • Get Shelter from F-Droid to sandbox potentially risky apps that you must use (e.g. WhatsApp or Discord or Signal)

  • Get SuperFreezZ from F-Droid to freeze any apps from running in background

  • Get Librera Pro from F-Droid for PDF reader

  • Get ImgurViewer from F-Droid for opening reddit/imgur/other image links without invasive tracking

  • Get BarInsta from F-Droid for opening Instagram profiles or pictures without invasive tracking (thanks u/sad_plan)

  • Get GreenTooth from F-Droid to set Bluetooth to disable after you have used it

  • Get Material Files or Simple File Manager from F-Droid for file manager app

  • Get ImagePipe from F-Droid if you share a lot of pictures and want to clear EXIF metadata to prevent snooping (photos often contain phone model, location, time, date)

  • Get Note Crypt Pro from F-Droid as an encrypted note-taking app

  • Get Vinyl Music Player from F-Droid for music player

  • Get VLC from F-Droid for video player

  • Get AppOpsX from F-Droid for managing permissions for all apps

  • (FOR ADVANCED USERS) Get App Manager from Izzy’s F-Droid repo (here) to inspect an app’s manifest, trackers, activities, receivers, services and even signatures via the built-in Exodus Privacy, all without root

  • (FOR ADVANCED USERS) Get Warden from Izzy’s F-Droid repo (here) for checking loggers (the rest of the app is inferior to App Manager)


  • @TheAnonymouseJokerOPM (3 years ago)

    (2/3)

    ###CRITICAL FOR CLIPBOARD, LOCATION AND OTHER APP FUNCTION BLOCKING

    This solves the problem of clipboard and coarse location snooping among other things.

    AppOpsX is a free, open source app that allows you to manage granular app permissions not visible normally, with the help of ADB authorisation and without root. This app can finely control what granular information apps can access on your phone, which is not shown in the app permissions regularly accessible to us.

    Now that you have set up your phone and installed apps, this is a good time to perform this procedure.

    Step 1: Install AppOpsX from F-Droid. (https://f-droid.org/en/packages/com.zzzmode.appopsx/)

    Step 2: Plug the phone into the computer, and enable USB debugging in Settings --> Developer Options (you probably already did this at the start of the guide)

    Step 3: Keep phone plugged into computer until the end of this procedure! Open AppOpsX app.

    Step 4: On computer, type commands in order:

    adb devices

    adb tcpip 5555

    adb shell sh /sdcard/Android/data/com.zzzmode.appopsx/opsx.sh &

    Step 5: Now open “AppOpsX” app, and:

    • disable “read clipboard” for apps except your messengers, notepad, office suite, virtual keyboard, clipboard monitor apps et al.

    NOTE: Most apps that have text field to copy/paste text require this permission.

    • disable “modify clipboard” for every app except for your virtual keyboard or office suite app or clipboard monitor/stack special apps.

    • disable “GPS”, “precise location”, “approximate location” and “coarse location” for every app except your maps apps (Firefox and OSMAnd+)

    • disable “calendar” for every app except your calendar and email app

    • disable “read contacts”, “modify contacts” and “get contacts” for every app except your “Phone”, “Phone Services”, “Phone/Messaging Storage”, contacts and messenger apps

    • disable all “send/receive/view messages” permissions for every app except “Phone”, “Phone Services”, “Phone/Messaging Storage”, QKSMS, contacts, dialler and messenger apps

    • disable “body sensors” and “recognise physical activity” for every app except games needing gyroscope, or any compass dependent app like camera or bubble leveling app

    • disable “camera” for every app except your camera and messenger apps

    • disable “record audio” for every app except camera, recorder, dialler and messenger apps

    • disable all “Phone” permissions for apps except your SMS app (like QKSMS) and Contacts, Dialler and call recorder apps

    • disable “change WiFi state” for every app except file sharing apps (like TrebleShot)

    • disable “display over other apps” for any third party app not from F-Droid

    • disable “read storage” and “write storage” for apps except file manager, file sharing app and messenger apps

    • enable all permissions for “Phone”, “Phone Services” and “Phone/Messaging Storage” system apps, critical for cell radio calling and sending SMS

    Step 6: Profit! Now you can unplug the phone from the computer.

    NOTE: Remember to use AppOpsX every time you install a new app from outside the F-Droid store, which most people do not do too often.


    #HOW TO USE NETGUARD

    By default, all apps will be blacklisted from WiFi and mobile data access.

    If not, go to Settings via 3 dot menu --> Defaults (white/blacklist) --> Toggle on “Block WiFi”, “Block mobile” and “Block roaming”

    Whitelist your web browsers, messengers (WhatsApp, Zoom et al.), file sharing apps, download managers, the “Aurora Store” app and any game that needs internet, and give them WiFi and mobile data access.

    Also, whitelist “Downloads” and “Download Manager” as these are system apps that allow web browsers and other apps without built-in downloader to download files. Whitelisting this will keep apps and system stable.


    #HOW TO USE ANDROID’S LOCKDOWN TRAFFIC FEATURE ON VPNS/FIREWALLS?

    Go to system settings VPN section. You should see a list of VPNs and firewalls you have.

    • Tap and hold the VPN/firewall you want to apply this setting on
    • Edit
    • Turn on “Always-on VPN” and “Only allow connections through VPN”

    This will ensure that zero network traffic flows out of firewalls or VPNs you use.

    In case you lose your WiFi or cell data connection, you may need to turn off WiFi or cell data, turn off the above settings, then turn on the firewall/VPN, turn on WiFi/cell data and then lock down again.

    This is cumbersome but provides extra protection against privacy/anonymity issues.


    #HOW TO DIY CAMERA COVER FOR YOUR PHONE AND LAPTOP

    My setup: https://lemmy.ml/pictrs/image/ZWF9KqLntp.jpg

    You need some black chart paper, scissors, some aluminium tinfoil, a roll of 3M invisible tape, standard cellophane tape and a paper cutter.

    For the phone, you should have a protective case like I do for the rear camera flap cover. Look at your camera design and cut two large rectangles of black chart paper, enough to cover it including the tiny crease folds. Put those two pieces on top of each other and use the cellophane tape to seal them together. Stick this flap inside the phone case.

    Use the paper cutter to cut off a tiny portion for using the LED flash as torch, without the need to remove the flap.

    Now you have your own made rear camera cover for as long as you have the phone, and can make one for any phone too!

    For the front camera cover, take an aluminium tinfoil cutout covering about the area of your front camera sensor, and stick it on using the 3M invisible tape. Trim according to the arrangement of screen icons. Why not cellophane tape? It leaves gummy residue over time while this does not. This cover may need replacement every month but is simple to do.

    For laptop, take aluminium tinfoil about the size of your laptop webcam, and just like phone front camera, take 3M invisible tape and stick onto it. Trim the tape according to the bezels of laptop chassis. Enjoy!


    #HOW TO USE KDE CONNECT ON PHONE THROUGH NETGUARD FIREWALL?

    Open NetGuard, expand the KDE Connect entry via the V-shaped icon on the left of the app entry, and uncheck “Apply rules and conditions”. It is a safe app.


    #HOW TO USE TWO VPNS/FIREWALLS WITHOUT ROOT ON ANDROID? (FOR ADVANCED USERS)

    Using the Shelter app we installed, we had set up the Work Profile for WhatsApp, Discord and such apps. We will simply clone-install NetGuard from the main profile into the work profile.

    Now we have two separate firewalls. Using this method, you can segregate all your account based invasive corporation messaging apps into the work profile, and even Tor-ify the main profile!

    Simply put, you can put privacy invasive apps in work profile and clean open source apps and any (closed source) disabled internet apps in main profile. Compartmentalisation is very much possible. You can even achieve anonymity via this process.


    #HOW TO DEBLOAT WORK USER PROFILE APPS, JUST LIKE MAIN USER PROFILE?

    NOTE: If you get the newest release of the Universal Android Debloater tool, you will NOT need this section. Thanks u/w1nst0n_fr ! Use the v2.3.1 debloat_script.sh in newer tool releases if you want the ability to separately debloat different user accounts on an Android phone.

    You might wonder what this even means. Android basically allows you to create user accounts like on a Linux/Windows/MacOS computer. So when you create a Work user profile, it is simply a separate user account but with partitioned disk space, unlike the common partitions (D: or E: drive) normally accessible on a computer.

    So, when you create this work user, a set of system apps gets cloned onto the work profile, just like the main/admin profile on the phone. You have to debloat apps here as well.

    From the Universal Android Debloater tool that we saw at the start of the guide, download the ZIP file of the tool.

    • Extract the ZIP
    • Open the extracted files
    • Open the file “debloat_script.sh” in a notepad/gedit text editor
    • Around line 40, you will see these lines in the MAIN SCRIPT section:

    # Legacy support

    readonly ...

    readonly ...

    readonly ...

    • Edit this line from:

    readonly OPTION_NEEDED=$( ((OLDER_THAN_ANDROID_5)) && echo "" || echo "--user 0" ) # '--user 0' option doesn't work sometimes

    to:

    readonly OPTION_NEEDED=$( ((OLDER_THAN_ANDROID_5)) && echo "" || echo "--user 10" ) # '--user 10' option doesn't work sometimes

    • Save the script text file and close it.

    • Execute the script as usual by connecting the phone to the computer and authorising USB debugging access as noted in steps 1 and 2 of the “CRITICAL FOR CLIPBOARD, LOCATION AND OTHER APP FUNCTION BLOCKING” AppOpsX guide section.

    • Run the script normally and debloat apps.

    We simply changed the user that the debloater tool works on, from the main user to the work user account.

    In case it does not work, here is the fallback. Run the following command after the phone is connected to the computer and USB debugging is on:

    adb shell pm list users

    Notice the user ID number, for main account it is always 0 (zero). For work user and other users, the ID number may NOT be 10. So change the number 10 above to whatever this ID number is.


    #HOW TO BLOCK TRACKERS FOR ANY APP USING EXODUS DATABASE (FOR INTERMEDIATE USERS)

    Using the Exodus Privacy database is easy, but it is not used meaningfully by users other than opening the app/website database for self-satisfaction purposes and to make themselves feel nerdy.

    For each app, there is a tracker section that lists URLs. Notice these URL domains, and put them in your HOSTS rules file to block these trackers. This can also work on apps like WhatsApp and Discord, basically any app. It helps mitigate a lot of spying network traffic.
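
Added example for the work-profile debloating section above (my own shell helper, not part of the guide or of the Universal Android Debloater tool): it reads the output of `adb shell pm list users`, picks the Shelter work profile's ID and builds the `--user N` option for OPTION_NEEDED, so the number comes from the phone instead of being hard-coded as 10. The listing below is a constructed sample; `adb` is only called inside `phone_user_option`, which the demo does not run.

```shell
#!/bin/sh
# Added example, not part of the guide or the Universal Android Debloater tool.
# Finds the Shelter work profile's user ID from `adb shell pm list users` and
# builds the `--user N` option that debloat_script.sh passes to `pm`, so the ID
# does not have to be hard-coded as 10 (it is often, but not always, 10).

# Constructed sample of `pm list users` output; real names and flags vary.
SAMPLE_USERS='Users:
        UserInfo{0:Owner:c13} running
        UserInfo{10:Work profile:1030} running'

# work_user_id LISTING: print the ID of the user named "Work profile" (what
# Shelter creates); if there is none, fall back to the first user that is not 0.
work_user_id() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*UserInfo{\([0-9][0-9]*\):\([^:}]*\):.*/\1 \2/p' \
      | awk '$1 != 0 && $2 == "Work" { print $1; found = 1; exit }
             $1 != 0 && first == "" { first = $1 }
             END { if (!found && first != "") print first }'
}

# user_option LISTING: the `--user N` string to put into OPTION_NEEDED.
# Fails (non-zero exit) when no secondary user exists, so a script using it
# does not silently debloat the main profile instead.
user_option() {
    id=$(work_user_id "$1")
    [ -n "$id" ] || { echo "no work profile found" >&2; return 1; }
    printf '%s %s' '--user' "$id"
}

# phone_user_option: the same, read live from a USB-debugging-enabled phone.
# Not run in this demo; use it in the debloat script in place of "--user 10".
phone_user_option() {
    user_option "$(adb shell pm list users)"
}

# Demo on the constructed listing; prints "--user 10".
user_option "$SAMPLE_USERS"
echo
```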
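
Added example for the HOSTS-merging and Exodus tracker sections above (my own script, not from the guide, Energized or Exodus Privacy): it merges hosts-format block lists together with bare domain names copied from an app's Exodus tracker section into one deduplicated 0.0.0.0 hosts file for NetGuard, dropping comments and localhost entries on the way. All lists below are constructed samples using example.* names.

```shell
#!/bin/sh
# Added example, not from the guide, Energized or Exodus Privacy. Merges
# hosts-format block lists and bare tracker domains (as listed in an app's
# Exodus report) into one deduplicated hosts file that NetGuard can import.

# Constructed sample lists (example.* names only).
LIST_A='# constructed list A, 0.0.0.0 style with comments
0.0.0.0 tracker.example.com
0.0.0.0 ads.example.net   # trailing comment
127.0.0.1 localhost'
LIST_B='# constructed list B, 127.0.0.1 style, two names on one line
127.0.0.1 ads.example.net telemetry.example.org
::1 ip6-localhost'
EXODUS_DOMAINS='metrics.example-sdk.com
Tracker.Example.COM'

# normalise_hosts: stdin = hosts lines or bare domains; stdout = one lowercase
# domain per line. Comments, blank lines, plain IPs and loopback names are
# dropped so that merging never produces a rule that breaks localhost.
normalise_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | awk '
        function keep(d) {
            d = tolower(d)
            if (d !~ /^[0-9a-z.-]+$/ || d !~ /\./) return   # not a hostname
            if (d ~ /^[0-9.]+$/) return                        # an IPv4 address
            if (d == "localhost.localdomain") return
            print d
        }
        NF == 0 { next }
        NF == 1 { keep($1); next }                # bare domain from Exodus
        { for (i = 2; i <= NF; i++) keep($i) }   # hosts line: IP then names'
}

# merge_hosts LIST...: each list as one argument; prints a sorted, deduplicated
# hosts file in the 0.0.0.0 sinkhole form that NetGuard and Energized use.
merge_hosts() {
    printf '%s\n' "$@" | normalise_hosts | sort -u | sed 's/^/0.0.0.0 /'
}

# count_domains LIST...: number of unique blocked names, a quick sanity check
# before importing (a merged file that shrank usually means a list went stale).
count_domains() {
    merge_hosts "$@" | wc -l | tr -d ' '
}

# Demo: prints four 0.0.0.0 lines, duplicates and localhost entries removed.
merge_hosts "$LIST_A" "$LIST_B" "$EXODUS_DOMAINS"
```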


    • @TheAnonymouseJokerOPM (3 years ago)

      (3/3)

      #HOW DO I USE WHATSAPP TO MITIGATE EFFECTS OF ITS HORRIBLE PRIVACY POLICY? (FOR BASIC/INTERMEDIATE USERS)

      • I used an OTG USB to copy the local WhatsApp backup database from main user to Work user profile.
      • Cloned WhatsApp into Shelter Work profile, uninstalled it from main user, copied beforehand the WhatsApp backup in Work user’s internal memory --> WhatsApp/Databases/ (created these folders using file manager app also cloned to Work user account)
      • Opened and setup WhatsApp, so now it can auto detect the chat backup and restore it
      • Now I have WhatsApp in Shelter Work Profile, with no permission access outside of Contacts.
      • It can temporarily get Storage access if I want to view a photo or video someone sent me.
      • The storage access it gets is only the storage in work user profile, separate from main user internal storage or SD card
      • Trackers are blocked using manual HOSTS file entries (ADVANCED USERS refer to section above)
      • Cameras are physically covered (refer to DIY camera cover section)
      • I use WhatsApp once a week and turn off internet and WiFi for it via NetGuard I set up in Work profile

      #WHICH PHONE BRANDS ARE GOOD AND BAD? (FACTS)

      Now we will need to evaluate what manufacturers are relatively safe, no appeasing, I will be blunt. I will make tier lists to help. I will give explanation for each, so read before jumping with pitchforks.

      NOTE: If you have anti-Chinese political allergy, kindly read facts, or choose the other non-Chinese options listed. YOU HAVE 7 WESTERN OPTIONS TO 5 CHINESE OPTIONS. I will NOT respond to prejudiced and political trolls.

      Tier 1: Asus, Nokia, Motorola, Sony, LG, FairPhone, Huawei/Honor

      Tier 2: OnePlus, Oppo, Vivo, Realme, Xiaomi, Samsung

      Tier NOPE NOT AT ALL: Google

      Asus, Sony, Motorola: their software is nearly stock, and as such quite beneficial and peace of mind assuring. Status: good.

      LG: less stock-y software, still good. Good cameras and display too. Status: good.

      Nokia: a bit of skepticism here, with their nexus with Russia’s MTS helping spying, and recently found Chinese telemetry as well, but nothing that NetGuard cannot stop by blocking domains via HOSTS from interacting with your device. Status: Potential issues, can be mitigated.

      FairPhone: Clean software, ethical, recyclable components, good phone but bit extra price for midrange hardware. Status: good.

      Huawei: still no evidence by the US government after two years of a market-protectionism ban, contrary to what Sinophobic US/14 Eyes propaganda and condemned joke research papers (refer to this for why) may make you believe; most countries are allowing them 5G participation. There is absolutely ZERO EVIDENCE against specifically Huawei (this does not count other Chinese companies), which was earlier, ironically, audited by UK GCHQ to be safe, and on any of their global devices, to date there has been no telemetry found IFF you do NOT use a Huawei ID account or any Huawei services (as instructed above). I have an OpenKirin rooted, unlocked Honor 6X, and now a locked P30 Lite, to confirm this.

      If Huawei’s CEO is a former PLA technician, plenty of US companies have the same kind of background. What does it prove? Typical moral rocks thrown by politicians that polarise people like you and me for their global hegemony politics.

      NOTE: The real reason for this propaganda ban is that the USA could not monopolise 5G as it did 4G, and so they are playing their cards to put China out of commission. And Huawei did not steal 5G from the USA, since the USA does not even have a proper 5G vendor yet.

      To add, for the rest of the world outside China it is better to own a hardware device from a country which has no jurisdiction over them, and you can use their phones without Huawei and Google accounts very safely. BONUS: baseband modem not associated with the NSA. Also, good cameras, battery, display and performance in general. Status: easily debloatable and good.

      Samsung: Quite the disaster in bloatware and spyware. Multiple issues: Qihoo 360 on phones with IMEI and MAC sent over HTTP, Samsung Pay selling user data with no opt-out till now, Replicant devs discovering backdoors, Knox hardware blackbox with no idea what microcode it runs, certification from the NSA being even more worrying, lockscreen and notification ads in OneUI, ads on Smart TVs; this all amounts to a quite shady company, but NetGuard can mitigate it. Status: avoid for other brands if possible.

      Xiaomi: They have quite a bit of telemetry in their MIUI skin, similar to Samsung. Now they have tracking in Incognito Mode in their Browser as well. Status: avoid unless you implement my guide properly.

      OnePlus, Oppo, Vivo: They have considerably less telemetry and ads, better than Samsung and Xiaomi. Status: potential but passable for now.

      Realme: Decent phones and can be debloated using Oppo/Vivo profiles in Debloater tool. The debloater tool does not cover Realme directly. Status: avoid if possible.

      Google: In general an evil megacorp, Titan M security chip is self-claimed to be great on Pixels, but there is no way to verify if the microcode it contains is the same as that open sourced by Google. If you trust the security of Titan M chip, you might as well trust Apple’s T2/M2 security chips with unfixable flaws or the Intel ME/AMT security disasters everybody knows.

      Having faith in Google’s promise of their proprietary closed source chip being clean is like having faith in cyanide not killing a person. Moreover, they are known as:

      • NSA partner, collecting data and spying on users in googolplex capacity

      • AI used by US military for drone bombing in foreign countries based on metadata Google collects on smartphones

      • use dark patterns in their software to make users accept their TOS to spy

      • repeated lies about how their data collection works claiming anonymity

      • forcing users to use their Play Services which is spyware and scareware

      • monopolising the web and internet via AMP

      • use of non standard web browser libraries and known attempts to cripple lone standing ethical competitors like Firefox and Gecko web engine (now with Microsoft making their default Edge Chromium-based too)


      TL;DR there is no summary; privacy is an in-depth topic and you must take a couple of hours to go through this simple guide. As long as it looks, it should clear all your concerns with smartphone privacy.

      This is the best you can do without rooting or modding a phone, and it has been working for me for almost a year now, personally tested and verified on my locked P30 Lite.

      I have a history of rooting and modding phones, one being an Honor 6X before Huawei disabled unlocking policy, one being a Xiaomi and one being a Lenovo before that. Also, one Samsung Galaxy S2 long time ago.

      Credit to /u/w1nst0n for the Universal Android Debloater (authorised me to use his tool). Hope this guide serves as a great tool for any privacy seeker.

      #NOTE: I will NOT respond to prejudiced and political trolls.