đŸ Archived View for novaburst.tilde.cafe âș blog âș non-root-android-hardening-v4 captured on 2023-12-28 at 15:06:32. Gemini links have been rewritten to link to archived content
âŹ ïž Previous capture (2022-04-28)
-=-=-=-=-=-=-
[Written in December 25, 2021 and edited in January 11, 2022 by TheAnonymouseJoker]
NOTE: I will NOT respond to prejudiced and political trolls.
Hello! It took a while before I could gather enough upgrades to create this fourth iteration of the smartphone guide so many people love. It seems to have benefitted many people, and it was only a matter of time before things got spicier.
It is time to, once again, shake up the expectations of how much privacy, security and anonymity you can achieve on a non rooted smartphone, even compared to all those funky âsecurityâ custom ROMs. It is time to get top grade levels of privacy in the hands (pun intended) of all you smartphone users.
Steps are as always easy to apply if you follow the guide, which is a pivotal foundation of this guide I started 2 years ago. After all, what is a guide if you feel unease in even being able to follow its lead?
Unlike last year, I want to try and fully rewrite the guide wherever possible, but some parts will seem similar obviously, as this, while technically being an incremental improvement, is also a massive jump for darknet users. This version of the guide took a while compared to the previous versions.
A kind request to share this guide to any privacy seeker.
User and device requirement
ANY Android 9+ device (Android 10+ recommended for better security) knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me) For intermediate tech users: typing some URLs and saving them in a text file
What brings this fourth iteration? Was the previous version not good enough?
No, it was not, just like last time. There is always room for improvement, but I may have started to encounter law of diminishing returns, just like Mooreâs Law has started to fail with desktop CPU transistor count advancements. This does not mean I am stopping, but upgrades might get marginal from here on. The upgrades we now have are less in number, higher in quality. So, we have a lot explanation to read and understand this time around.
A summary of new additions to the 3.0 guide:
Update to the Apple section
Many additions in section for app recommendations and replacements
NetGuard replaced with Invizible Pro (this is massive)
A colossal jump in your data security in the event of a possible physical phone theft using a couple applications
An attempt at teaching the importance of Android/AOSPâs killswitch feature for VPNs/firewalls
(FOR XIAOMI USERS) How to configure Work Profile, as Second Space causes issues, and adding back biometric Lockdown
How to be able to copy files from work profile to main user storage without Shelter/Insularâs Shuttle service
Some changes in phone brand recommendations
Caveat(s)
Why not Apple devices?
iPhone does not allow you to have privacy due to its blackbox nature, and is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was discovered in Appleâs T1 and T2 âsecurityâ chips, rendering Apple devices critically vulnerable.
Also, they recently dropped plan for encrypting iCloud backups after FBI complained. They also collect and sell data quite a lot. Siri still records conversations 9 months after Apple promised not to do it. Apple Mail app is vulnerable, yet Apple stays in denial.
Also, Apple sells certificates to third-party developers that allow them to track users, The San Ferdandino shooter publicity stunt was completely fraudulent, and Louis Rossmann dismantled Appleâs PR stunt ârepair programâ.
Apple gave the FBI access to the iCloud account of a protester accused of setting police cars on fire.
Appleâs authorised repair leaked a customerâs sex tape during iPhone repair. This is how much they respect your privacy. You want to know how much more they respect your privacy? Appleâs Big Sur(veillance) fiasco seemed not enough, it seems. Still not enough to make your eyes pop wide open?
Appleâs CSAM mandatory scanning of your local storage is a fiasco that will echo forever. This blog article should be of help. But they lied how their system was never hacked. I doubt. They even removed CSAM protection references off of their website for some reason.
Pretty sure atleast the most coveted privacy innovation of App Tracking protection with one button tracking denial would work, right? Pure. Privacy. Theater.
Surely this benevolent company blocked and destroyed Facebook and Googleâs ad network ecosystem by blocking all those bad trackers and ads. Sigh. Nope. Now it is just Apple having monopoly over your monetised data.
Also, Androidâs open source nature is starting to pay off in the long run. Apple 0-day exploits are far cheaper to do than Android.
LETâS GO!!!
ALL users must follow these steps except the âFOR ADVANCED/INTERMEDIATE USERSâ tagged points or sections.
Firstly, if your device is filled to the brim or used for long time, I recommend backing up your data and factory resetting for clean slate start.
Sign out all your Google and phone brand accounts from your device so that Settingsâ>Accounts do not show any sign-ins except WhatsApp/Signal/Telegram
Install ADB on your Linux, Windows or Mac OS machine, simple guide: https://www.xda-developers.com/install-adb-windows-macos-linux/
Use âUniversal Android Debloaterâ to easily debloat your bloated phone. NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and declares they sell this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/
Install F-Droid app store from here
Install NetGuard app firewall (see NOTE) from F-Droid and set it up with privacy based DNS like AdGuard/Uncensored/Tenta/Quad9 DNS. NOTE: NetGuard with Energized Ultimate HOSTS file with any one of the above mentioned DNS providers is the ultimate solution.
NOTE: Download the Energized Ultimate hosts file from https://github.com/EnergizedProtection/block and store it on phone beforehand. This will be used either for NetGuard or Invizible, whichever is picked later on.
(FOR ADVANCED USERS) If you know how to merge HOSTS rules in one text file, you can merge Xtreme addon pack from Energized GitHub. You can also experiment with the Porn and Malicious IP domain lists.
NOTE: Set DNS provider address in Settings -> Advanced settings â> VPN IPv4, IPv6 and DNS
Install Invizible Pro from F-Droid (LONG SECTION FOR THIS BELOW) In F-Droid store, open Repositories via the 3 dot menu on top right and add the following repositories below:
https://gitlab.com/rfc2822/fdroid-firefox
https://apt.izzysoft.de/fdroid/index.php
https://guardianproject.info/fdroid/repo/
Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu. (This may vary if you have newer F-Droid store app with new user interface.)
LIST OF F-DROID APPS TO GET
Get Mull web browser, a telemetry free fork of Firefox browser, from F-Droid (install uBlock Origin addon inside (if technically advanced, try doing this)).
Get FFUpdater to get Firefox Klar and various Chromium based browsers
Get Aurora Store for apps from Play Store without actually using Play Store, use Anonymous option to sign in for third party APKs source them only from APKMirror OR APKPure OR APKMonk, quite trusted, BUT TRY AND AVOID IF POSSIBLE
Get Privacy Indicators or Vigilante for iOS 14 like camera/mic dot indicator feature and local history logging of screen locking, permissions, camera/mic usage and so on
Get OSMAnd+ for maps and/or print physical maps if you live and travel in one or two states or districts. NOTE: Can consider Organic Maps but it is not a finished product at the moment.
Get PilferShush Jammer to block microphone abuse (Passive mode only)
Get OpenBoard (user friendly) OR AnySoftKeyboard (geek/nerd friendly) instead of Google GBoard, Microsoft SwiftKey and so on, they are closed source keylogger USA spyware NOTE: FlorisBoard 0.3.14-stable memory management did not work well in my testing, out of memory crashes too often, will edit if it gets good, maybe betas solved this issue
Get KDE Connect for computer-from/to-phone internet less file sharing, on a personal/local WiFi hotspot, available for Linux/Windows/MacOS/Android
Get SnapDrop instead of SHAREIt for phone to phone file sharing
Get Private Lock (NOTE: this will be useful later in guide)
Get K-9 Mail or FairEmail as e-mail client
Get NewPipe for YouTube watching, or YouTube in Firefox Beta/Klar
Get QKSMS as SMS client app
Get Shelter to sandbox potential apps that you must use (eg WhatsApp or Discord or Signal)
Get SuperFreezZ to freeze any apps from running in background
Get Librera Pro and Document Viewer for PDF/document reading needs
Get ImgurViewer for opening reddit/imgur/other image links without invasive tracking
Get BarInsta for opening Instagram profiles or pictures without invasive tracking (thanks u/sad_plan) (NOTE: Barinsta development ended after Facebookâs C&D letter, and anonymous access is massively throttled by Facebook now)
Get GreenTooth to set Bluetooth to disable after you have used it
Get Material Files or Simple File Manager for file manager app
Get UntrackMe to preview and sanitise any URLs from trackers
Get ImagePipe if you share lot of pictures, and want to clear EXIF metadata snooping (often photos contain phone model, location, time, date). This app allows setting specific preset for image name, resolution and compressed quality.
Get Scrambled EXIF if you want a simpler app for metadata cleaning compared to ImagePipe. It has none of the forementioned ImagePipe features.
Get Standard Notes or Joplin for encrypted markdown note taking app
Get Vinyl Music Player for a solid music player (Shuttle+, Auxio alternatives)
Get VLC and/or MPV for video player
Get Barcode Scanner by ZXing Team or BinaryEye by Markus Fisch for QR/barcode scanning
Get DiskUsage for managing and cleaning up of storage space
Get Easy Watermark for custom, easy watermarking of photos to avoid abuse of any photos you share with others
For Reddit usage, Infinity and RedReader are great app clients, as is Stealth (only for non account browsing)
Get Calculator++ and Unit Converter Ultimate for your needs, as app names suggest
Get AppOpsX for managing permissions for all apps
(FOR ADVANCED USERS) Get App Manager from Izzyâs F-Droid repo (here) to inspect appâs manifest, trackers, activities, receivers, services and even signatures via Exodus Privacy built-in, all without root
(FOR ADVANCED USERS) Get Warden from Izzyâs F-Droid repo (here) for checking loggers (rest app is inferior to App Manager)
CRITICAL FOR CLIPBOARD, LOCATION AND OTHER APP FUNCTION BLOCKING
This solves the problem of clipboard and coarse location snooping among other things.
AppOpsX is a free, open source app that allows to manage granular app permissions not visible normally, with the help of ADB authorisation without root. This app can finely control what granular information apps can access on your phone, which is not shown in app permissions regularly accessible to us.
Now that you would have set up your phone with installing apps, now is a good time to perform this procedure.
Step 1: Install AppOpsX from F-Droid. (https://f-droid.org/en/packages/com.zzzmode.appopsx/)
Step 2: Plug phone to computer, and enable USB debugging in Settings â> Developer Options (you probably already did this in the starting of the guide)
Step 3: Keep phone plugged into computer until the end of this procedure! Open AppOpsX app.
Step 4: On computer, type commands in order:
adb devices
adb tcpip 5555
adb shell sh /sdcard/Android/data/com.zzzmode.appopsx/opsx.sh &
Step 5: Now open âAppOpsXâ app, and:
disable âread clipboardâ for apps except your messengers, notepad, office suite, virtual keyboard, clipboard monitor apps et al. NOTE: Most apps that have text field to copy/paste text require this permission.
disable âmodify clipboardâ for every app except for your virtual keyboard or office suite app or clipboard monitor/stack special apps.
disable âGPSâ, âprecise locationâ, âapproximate locationâ and âcoarse locationâ for every app except your maps app (Firefox and OSMAnd+)
disable âcalendarâ for every app except your calendar and email app
disable âread contactsâ, âmodify contactsâ and âget contactsâ for every app except your âPhoneâ, âPhone Servicesâ, âPhone/Messaging Storageâ, contacts and messenger apps
disable all âsend/receive/view messagesâ permissions for every app except âPhoneâ, âPhone Servicesâ, âPhone/Messaging Storageâ, QKSMS, contacts, dialler and messenger apps
disable âbody sensorsâ and ârecognise physical activityâ for every app except games needing gyroscope, or any compass dependent app like camera or bubble leveling app
disable âcameraâ for every app except your camera and messenger apps
disable ârecord audioâ for every app except camera, recorder, dialler and messenger apps
disable all âPhoneâ permissions for apps except your SMS app (like QKSMS) and Contacts, Dialler and call recorder apps
disable âchange WiFi stateâ for every app except file sharing apps (like TrebleShot)
disable âdisplay over other appsâ for any third party app not from F-Droid
disable âread storageâ and âwrite storageâ for apps except file manager, file sharing app and messenger apps
enable all permissions for âPhoneâ, âPhone Servicesâ and âPhone/Messaging Storageâ system apps, critical for cell radio calling and sending SMS
Step 6: Profit! Now you can plug off phone from computer.
NOTE: Remember to use AppOpsX everytime you install a new app outside of F-Droid store, which is done not too often by people.
WHAT IS ANDROIDâS VPN LOCKDOWN TRAFFIC/KILLSWITCH FEATURE AND HOW TO USE IT FOR VPNS/FIREWALLS?
VPN Lockdown killswitch is an AOSP/Android system level feature that allows you to prevent any leakage of data packets from the internet traffic your device generates. This is important because apps and trackers like to track you, as well as your ISP likes to keep note of websites you visit. This feature allows to prevent ISP level or country level censorship and allows free access to internet (or even darknets) without any issues. This is an underrated and amazing feature not discussed much, and has been a staple of my guide for a year now.
Go to system settings VPN section. You should see a list of VPNs and firewalls you have.
Tap hold the VPN/firewall you want to apply this setting on Edit Turn on âAlways-on VPNâ and âOnly allow connections through VPNâ This will ensure that zero network traffic flows out of firewalls or VPNs you use.
HOW TO USE NETGUARD FOR THE PRIVATE, SECURE EXPERIENCE?
By default, all apps will be blacklisted from WiFi and mobile data access.
If not, go to Settings via 3 dot menu â> Defaults (white/blacklist) â> Toggle on âBlock WiFiâ, âBlock mobileâ and âBlock roamingâ
Whitelist your web browsers, messengers (WhatsApp, Zoom et al), file sharing apps, download managers, âAurora Storeâ app and any game if needs internet and give them WiFi and mobile data access.
HOW TO CONFIGURE INVIZIBLE PRO AND NETGUARD TOGETHER FOR THE PRIVATE, SECURE AND ANONYMOUS EXPERIENCE? (ADVANCED USERS ONLY | CASUAL USERS READ WARNING BELOW)
WARNING: Kindly understand that if you do not understand Tor or I2P, please try and learn about these darknets first. These darknets, as free as they are in terms of freedom, are also laid with landmines in the form of various kinds of questionable content that is hosted on various websites. With great power (freedom), comes great responsibility. Time and time again, its users have proved that most do not understand that every website they visit, every link they open, and just about every action done during the usage of darknets can have real life consequences. This includes the utmost professional whistleblowers and journalists.
Now that I have scared off the ones that should not bother with this section⊠apparently, NetGuard is quite a simple yet effective, and feature loaded firewall, including its DNS and proxy configuration and packet filtering capabilities. What it is not though, is a Tor or I2P darknet tunnel, and does not provide preset DNSCrypt protection or various MITM protections. NetGuard cannot block kernel level internet access either.
Enter Invizible Pro, the Swiss Army Knife. Normal internet/clearnet, but DNSCrypt-ed? Tor? I2P? Enjoy all of them together.
I am not being dramatic at all with this section. This is how big a jump it is from NetGuard, which was a colossal jump from the likes of Blokada or AdGuard or DNS66 or PersonalDNSFilter. This is an incomparable jump, with one condition - you have to be able to correctly configure and use Invizible. And it took a while for me to understand, since it is a giant networking firewall, and houses an ecosystem of its own. I am going to fulfill this condition for you, and provide you the ultimate compartmentalised experience on just about any non root, standard Android smartphone.
What we are firstly going to do is get NetGuard out of the way. Since NetGuard is installed, clone it to Work Profile via Shelter/Insular and put your common messaging apps (that require phone number like WhatsApp, Discord, Signal, Telegram) in Work Profile. Firewall everything out except these applications in your Work Profile NetGuard firewall, and as specified in âANDROIDâS VPN LOCKDOWN KILLSWITCHâ section above, turn on just the âAlways-on VPNâ setting for Work Profile NetGuard.
With this, our ordinary messenger apps that work without anonymity are separated from rest of the system. And we can move onto configuring the Invizible Pro I made you install at the beginning alongside NetGuard.
Invizible Pro allows you to do MANY things with MANY settings, in a nutshell. The default configuration is supposed to be the way it is for someone unknowingly installing it. If you do not desire to play with and mess up with anonymity minefields, a good reminder is to go back and use NetGuard and ignore this section.
Now that I have managed to get an iron gripping attention on the ones okay with and comfortable using darknets on TailsOS on a USB or Tor Browser on Linux, we can get started with the configuration process, that is a bunch of toggles and some more. Letâs go!
The interface is simple, the configurations not so much. Since we have a non rooted phone, we pick the default VPN mode using the 3 dot menu at top right corner. Using the âANDROIDâS VPN LOCKDOWN KILLSWITCHâ section above in guide, we firstly lock down Invizible with both options in phoneâs system settings for VPNs. This ensures zero leakage, what we require.
The hamburger menu on top left is where the chaos starts, and here we configure a lot of stuff.
Firstly, we go to DNSCrypt Settings. In the third section, select all 3 - require_dnssec, nolog and nofilter. This allows for the best DNS options.
Now, scroll to âPattern-based blocking (blacklist)â section.
Since I told at the beginning to download a copy of Energized Ultimate hosts ruleset text file, I am assuming we have that on local phone storage. It has 600K-1M ad, tracker and malware domains we will blacklist for some extra security and network performance. This will be imported with the âimport blacklistâ option. Our job is done here.
Secondly, we go to Fast Settings. Turn on âStart DNSCrypt on bootâ, and if you wish you can turn it on for Tor if you use Tor too much. I do not use Tor all the time, so I can keep it off, and switch as I wish. Now we select our DNSCrypt servers. I have a bunch of Uncensored DNS providers selected, among others, as it has also been a staple of my guide since the past 2 years (where I mention DNS providers at beginning of guide). Change your DNS providers if needed with time, and check news about any breaches for DNS providers you use, just to be on safe side.
At the bottom of Fast Settings section, keep the automatic updates for Invizible on. You can choose to update it via Tor if you live in a dangerous country, doing high threat model stuff (refer to threat model guide here).
Thirdly, we go to Common Settings, and turn on all 3 toggles in MITM attack detection section - ARP spoofing detection, block internet[âŠ] and DNS rebinding protection.
Fourthly, we go to Firewall. You can see âUserâ and âSystemâ buttons that imply categorically the kinds of apps on phone. This needs to be broken into 2 parts:
âSYSTEMâ Tap the âSystemâ category and wait for few seconds for app list to show. Blacklist/uncheck everything with the second empty checkbox, or the 6th toggle box. Then whitelist all 4 network permissions (WLAN, WiFi, Data and Roaming symbols) for âKernelâ, âInternet Time serversâ, âDNSâ and âVPNâ packages. If you use WiFi Direct and Miracast, turn on only WLAN and WiFi permissions for âWiFi Directâ and âAndroid System, Call Management, Device connection serviceâŠâ packages (latter is a collection of tied together system packages).
âUSERâ Now, tap the âUserâ category and wait for few seconds for app list to show. Blacklist/uncheck all apps and then select apps you want to give internet access to. Toggle all 4 network permissions for any such apps (WLAN, WiFi, Data and Roaming symbols). In case of non-FOSS apps you use, make a choice yourself. Apps that do not need internet can be safely used this way.
HOW TO SAFEGUARD YOUR DATA FROM FINGERPRINT/FACE RECOGNITION ABUSE IN THE EVENT OF A PHYSICAL PHONE SNATCH?
This is a common scenario, much more common than one thinks. Accidents happen, and what you value more than a stolen phone is the potential abuse of your intimate photos or videos or messages inside it. It so happens that we all love fingerprint and/or face unlocking biometric security methods. However, this poses a problem against a well equipped physical attacker that could go to lengths of cutting off your fingers to unlock the snatched phone. I am going to provide a solution against that.
Google (Android) and Apple (iOS) developed features that allow quick disabling of your fingerprint sensor for unlocking the phone. This is how it works for both at the moment:
Android: hold power key for 4-5 seconds and select âLockdownâ option iOS: press power key 5 times quickly However, you rarely have so much time in the heat of the moment, so as to perform those above steps. While iOS is a dictatorial walled garden, Android allows a FOSS community culture to breed some innovative solutions to problems, which makes it an incomparably superior mobile OS platform. I listed an app Private Lock above in the guide, and this F-Droid app is going to help us.
The app works by utilising the accelerometer, and depending on the sensitivity you set, even the slightest flick or shake of your hand will allow the app to activate Lockdown mode, being a device administrator of the phone. No need to hold power key for 5 seconds, none of that. This app works both during screen on, and screen off (for latter you turn it on in settings). The phone, after being locked by this app on physical motion, FORCEFULLY REQUIRES A PIN OR PASSWORD. Biometrics can no longer be abused, and the PIN is in your control.
NOTE: Test the sensitivity you want to set atleast 50-100 times by yourself by imagining a phone snatch, and set it and forget it. The app always stays on and uses negligible battery power. In case of those power saver functions, exclude the app from those settings.
HOW TO DIY CAMERA COVER FOR YOUR PHONE AND LAPTOP
My setup: https://lemmy.ml/pictrs/image/ZWF9KqLntp.jpg
You need some black chart paper, a scissors, some aluminium tinfoil, a roll of 3M invisible tape and cellophane standard tape and a paper cutter.
For phone, you should have a protective case like I do for the rear camera flap cover. Look at your camera design and ensure to get two large rectangle cutouts of black chart paper enough to cover them up including the tiny crease folds. Put those two pieces on top of each other, use the cellophane tape to seal them together. Stick this flap inside of the phone case.
Use the paper cutter to cut off a tiny portion for using the LED flash as torch, without the need to remove the flap.
Now you have your own made rear camera cover for as long as you have the phone, and can make one for any phone too!
For front camera cover, take aluminium tinfoil cutout to cover about the area of your front camera sensor, and stick it using the 3M invisible tape. Trim according to arrangement of screen icons. Why not cellophane tape? It leaves gummy residue over time while this does not. This cover can need replacement every month but is simple to do.
For laptop, take aluminium tinfoil about the size of your laptop webcam, and just like phone front camera, take 3M invisible tape and stick onto it. Trim the tape according to the bezels of laptop chassis. Enjoy!
HOW TO USE TWO VPNS/FIREWALLS WITHOUT ROOT ON ANDROID? (FOR ADVANCED USERS)
Using Shelter app we installed, we had set up the Work Profile for WhatsApp, Discord and such apps. We will simply clone install NetGuard from the main profile into work profile.
Now we have two separate firewalls. Using this method, you can segregate all your account based invasive corporation messaging apps into the work profile, and even Tor-ify the main profile!
Simply put, you can put privacy invasive apps in work profile and clean open source apps and any (closed source) disabled in
Next: Software recommendations
---