Choosing a phone
Right away, iPhones are out of the question. So we are left with two options: Linux phones and Android.
-
Linux phones - As of this writing, few companies make them. The best known are Fairphone, Volla, PinePhone (PINE64) and Librem (Purism). To waste no time: yes, they are known for physical kill switches for mic/Wi-Fi/Bluetooth and for being open source, and ... that is probably it. The rest is mostly minuses: price (the Librem 5 costs around 1.5k), build quality (screens, the plastic itself, camera), and most importantly the operating system. Mobian/postmarketOS/Ubuntu Touch still carry many bugs that hurt daily use (the phone not waking from sleep, the microphone not working, the modem not finding the network, and so on), and the applications currently available are very limited. This can only be fixed by a larger user base that actively files bug reports and by developers who volunteer to fix them. For now they are only worth watching.
-
Android - These are the devices most people already know, with a wide choice in quality, functionality and so on. But here you need to look more closely at which Android build the manufacturer (and not only the manufacturer) ships. For example: Samsung has One UI, Xiaomi has MIUI, and so on. Each of these skins bundles the manufacturer's own applications, which may not be private at all. Therefore we will look at non-stock operating systems, so called custom ROMs. You also need to check for how long the manufacturer promises to ship Android version and security updates.
At this point, it's hard to imagine a better phone than one from the company that develops Android itself: Google. Its latest flagship at the time of writing has 7 years of updates, support for the ARM Memory Tagging Extension (MTE) and much more (Android Verified Boot, a 64-bit-only userspace). But Google and privacy..... yeah, yeah, yeah. So we go ahead and choose a custom ROM.
Choosing a custom ROM
-
GrapheneOS - the best option available today. The most actively developed third-party OS for the Pixel, with a large number of extra security features. The most recent at the time of writing: a USB-C port control that disables data on the single USB-C port at the hardware level (the data lines are switched off, leaving only charging).
-
CalyxOS - a less actively developed project than GrapheneOS, closer to privacy than to security. The project also has some "dark history" with GrapheneOS. In my eyes, the project has fallen behind.
-
DivestOS - also a project more about privacy than security, but they maintain a great browser called Mull (a hardened Firefox-based browser).
Installing GrapheneOS
It's very easy. The official site offers a web installer that runs directly from the browser (even from another phone); it only needs a Chromium-based browser, because it relies on WebUSB. There is also the hardcore version: installation via the command line with fastboot. Either way, relock the bootloader when the install finishes so that verified boot actually protects the OS.
Setting Up
"Mask The Hero"
Settings -> About phone -> Device name
- here you can change the device name to, for example, Adam's iPhone. This is the name other devices see in Bluetooth and Wi-Fi device lists, so it hides the real brand from a casual observer. It does not change radio-level fingerprints; for Wi-Fi, GrapheneOS already randomizes the MAC address per connection by default, and the device name is the other obvious give-away.
Air Guard
-
Settings -> Network & Internet -> Internet -> Wi-Fi -> *Network name*
and disable Auto-connect
- this stops the phone from silently rejoining a network just because some access point broadcasts a saved network name (an "evil twin"), at the cost of convenience after a disconnect.
-
Settings -> Connected devices -> Connection preferences -> Bluetooth -> Turn off Bluetooth automatically
- for example: after you get out of the car, does your phone still need to be visible to others? Unless you have an active connection to a device, Bluetooth's only role is to let other devices track your location. Set a timeout.
-
Settings -> Network & Internet -> Private DNS
and set Private DNS provider hostname to one of the trusted open-source, no-log resolvers operated by Mullvad (for example dns.mullvad.net, or adblock.dns.mullvad.net if you also want ad and tracker blocking). This sends all OS-level lookups over DNS-over-TLS, so the local network or ISP can no longer read or tamper with them. Two caveats: the resolver operator (Mullvad) still sees the queries, and apps that bring their own resolver (a VPN client, Tor) bypass this setting entirely.
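To see what the Private DNS setting actually does under the hood, here is a small DNS-over-TLS client (an added example, not code from the original guide or from GrapheneOS/Mullvad). It builds a DNS query, sends it with the 2-byte length prefix RFC 7858 requires over a certificate-verified TLS connection to port 853, and parses the answer; the pure functions `build_query` and `parse_answer` run offline on constructed bytes. `dns.mullvad.net` is Mullvad's public DoT hostname; the queried domain is an arbitrary example.

```python
"""Minimal DNS-over-TLS (RFC 7858) client to check a Private DNS resolver.

Added example, not part of the original guide or of GrapheneOS/Mullvad.
Assumptions: the resolver speaks DoT on port 853 with a publicly trusted
certificate (true for dns.mullvad.net); the query name is arbitrary.
"""
import secrets
import socket
import ssl
import struct
from typing import List, Optional

DOT_PORT = 853  # RFC 7858 port for DNS over TLS


def encode_name(name: str) -> bytes:
    """Encode a hostname into DNS wire format: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard recursive query (QTYPE 1 = A, class IN) with a random ID."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    # flags 0x0100 = RD (recursion desired); 1 question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answer(msg: bytes, expected_txid: int) -> List[str]:
    """Return the IPv4 addresses from the answer section.

    Rejects replies whose transaction ID does not match ours (a spoofed or
    mis-routed reply), non-responses, and non-zero RCODEs.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (possible spoofed reply)")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server: str, name: str, port: int = DOT_PORT, timeout: float = 5.0) -> List[str]:
    """Resolve name through the DoT server, verifying its TLS certificate.

    Note the bootstrap: the server hostname itself is resolved by the system
    resolver, exactly as Android does for the Private DNS hostname.
    """
    txid = secrets.randbelow(1 << 16)
    query = build_query(name, txid=txid)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            # RFC 7858 section 3.3: every message carries a 2-byte length prefix
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answer(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    print(query_dot("dns.mullvad.net", "mullvad.net"))
```

Running it on a laptop while capturing traffic shows only a TLS session to port 853 and nothing on port 53, which is the property the Private DNS setting gives the phone. If the handshake fails with a certificate error, the hostname you typed does not match the resolver's certificate and Android's strict mode would refuse to resolve anything.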
Mo Hardening
-
Settings -> Security
-
USB-C port
and set to Charging-only
. You never know what situation you're going to find yourself in (a borrowed charger, a seized device). You can turn data transfer back on at any time.
-
Memory tagging in third-party apps
and set to Enable by default
. You'd be surprised how much sloppy memory handling there is in popular applications. If an app crashes with MTE on, that is usually a real memory-safety bug in the app; turn MTE off for that single app from its App info page rather than disabling it globally.
-
Native code debugging
and set to Blocked by default
. Why would Facebook/Instagram need ptrace access to their own process?
-
Scramble PIN input layout
and set to On
. An observer beside you can guess the approximate PIN digits without even seeing the screen, just from the position of your finger (or from smudges on the glass). Prevent this.
Apps
Messenger
-
Molly.IM - a Signal client fork; the Molly-FOSS build ships without any proprietary blobs (such as Google libraries), and both builds can encrypt the local database with a passphrase. Post-quantum key agreement (inherited from Signal's PQXDH), usernames and ... centralization. The big minus is centralization on Signal's servers, but at this point there is no better option.
-
SimpleX Chat - decentralized, relay-based open-source messenger with strong E2EE and without any user identifiers. At the time of writing they had not yet implemented a post-quantum encryption algorithm or private message-delivery relays. Watching their roadmap.
-
Briar - an Android-only P2P E2EE open-source messenger that works over Tor (and over Wi-Fi or Bluetooth when there is no internet). No calls, stickers or audio messages. Text only.
-
Keet - a closed-source E2EE P2P messenger from Tether (Bitfinex/USDT). Not great, because it is closed source, but if you believe them it is built on their open-source P2P stack. Great availability and crystal-clear calls.
-
Jami - an old but actively developed open-source P2P E2EE messenger. Still not audited and has received some criticism.
Gallery
- Gallery - light-weight media gallery app for Android made with Jetpack Compose.
- Fossify Gallery - same as the previous one, but supports fingerprint lock.
Encrypted Storage
- DroidFS - gocryptfs and CryFS container encryption; you can take photos directly into a container and import and export files or directories.
Music & Video
Maps
- Organic Maps - open-source maps without telemetry or ads.
Office
- LibreOffice - open-source project under active development; supports all the common formats (docx, doc, xlsx, xls, pptx ...).
Password Manager
- KeePassDX - KeePass client for Android with Material Design. Supports YubiKey.
Crypto Wallet
- Unstoppable Wallet - open-source non-custodial multi-chain wallet for Bitcoin, Ethereum, Binance Smart Chain, Avalanche, Solana and other blockchains. No ads or trackers. Supports NFTs and tokens, import and export, Tor for more privacy, and either direct sync from the blockchain or a lightweight sync through a node.